Sophos NDR on OnLogic hardware
Sophos NDR now supports installation on OnLogic systems that we've tested and certified.
Create an NDR appliance image
Sophos NDR uses an appliance to collect data and forward it to the Sophos Data Lake for analysis.
Before you set up your hardware, you must create and download an NDR appliance installation image. You’ll deploy this ISO image as your NDR appliance later.
- In Sophos Central, go to Threat Analysis Center > Integrations.
- Find and click Sophos Network Detection and Response (NDR).
- On the NDR page, in Data Ingest (Security Alerts), click Add Configuration.
  The integration setup steps appear.
- In Step 1, enter a name and description for the integration.
- In Step 2, select Create new appliance.
- To create the new appliance, do as follows:
  - Enter the appliance name and description. You must enter a unique name.
  - In Virtual platform, select Hardware.
- In Step 3, exclude specific domains and protocols from checking. For example, you might do this if you have a domain that causes false positives.
  You can set up your exclusions later, but you must enter an exclusion list name now.
  - Enter Exclusion list name.
  - To exclude a domain, click Domain exclusions. Enter the domain name, for example sophos.com, and click Add.
  - To exclude a protocol, click Protocol exclusions. You can enter information in either or both of the fields:
    - In the first field, enter a master protocol. For example, TCP or UDP.
    - In the second field, enter a sub-protocol (website). For example, facebook.
    We don't recommend excluding a master protocol completely. Only do this if a high-traffic protocol that isn't usually risky, like a routing protocol, generates too much data.
    Note
    You can export your exclusions as a JSON file. You can also upload exclusions to the list from a JSON file you've exported previously.
    - Click Add.
- Click Save.
  A pop-up shows you the Sophos Appliance Manager credentials. Make a note of them. You'll need Appliance Manager to access and troubleshoot appliances.
  Your new integration now shows in the Configured NDR integrations list.
- To download the image, click the three dots in the Actions column and select Download image. You may have to wait for the image to become available for download.
Create USB installation media
You must copy the ISO image to a USB drive. The instructions below describe how to do this using a third-party tool called balenaEtcher.
- Click the following link to download balenaEtcher using the appropriate installer for your operating system: Download. Go through the installation process.
- Insert a USB stick into your computer or laptop.
  Note
  Make sure that the USB drive does not contain data you want saved.
- Start the balenaEtcher application and do as follows:
  - Click Flash from file.
  - Using the file selection dialog, select the NDR appliance ISO image you downloaded from Sophos Central.
  - If you see a warning regarding a missing partition table, click Continue.
  - Click Select target.
  - Select the USB drive on which to install the ISO image.
    Note
    Use caution when selecting the USB device because this will erase all data currently on the drive.
  - Click Select 1.
  - Click Flash.
  - Accept any User Access Control messages.
  Flashing progress is displayed in the left panel.
  Once the process is complete, you can exit balenaEtcher.
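If you prefer a command-line write on Linux or macOS, the following script is an added example (not from the Sophos page or balenaEtcher) that writes the ISO with dd, refuses a target that does not exist or is mounted, and then reads the media back to confirm it matches the image byte for byte. It assumes you pass the target device path explicitly (shown as a placeholder) and that nothing on that device is needed.

```shell
#!/bin/sh
# Added example, not from the Sophos page: write the downloaded NDR appliance
# ISO to removable media from a Linux or macOS shell instead of balenaEtcher,
# then read the device back and compare it byte for byte with the ISO.
# Assumptions: the operator passes the target device path explicitly, and
# nothing on that device is needed (the whole device is overwritten).
set -eu

# Refuse targets that are obviously wrong: a path that does not exist, or a
# device with a mounted filesystem on it. Returns non-zero on refusal.
check_target() {
    dst="$1"
    [ -e "$dst" ] || { echo "target $dst does not exist" >&2; return 1; }
    if mount 2>/dev/null | grep -q -- "^$dst"; then
        echo "target $dst is mounted; unmount it first" >&2
        return 1
    fi
    return 0
}

# Compare the first <ISO size> bytes of the target with the ISO. Returns 0
# only on an exact match; trailing unused space on the device is ignored.
verify_image() {
    src="$1"; dst="$2"
    size=$(wc -c < "$src" | tr -d ' ')
    if head -c "$size" "$dst" | cmp -s "$src" -; then
        echo "verified: $size bytes on $dst match $src"
        return 0
    fi
    echo "verification FAILED: data on $dst differs from $src" >&2
    return 2
}

# Write the image with a 1 MiB block size (portable to BSD and GNU dd),
# flush the page cache, then verify the write by reading it back.
flash_image() {
    src="$1"; dst="$2"
    [ -r "$src" ] || { echo "cannot read image $src" >&2; return 1; }
    check_target "$dst" || return 1
    dd if="$src" of="$dst" bs=1048576 2>/dev/null
    sync
    verify_image "$src" "$dst"
}

# Usage: flash_image ndr-appliance.iso /dev/sdX   (/dev/sdX is a placeholder)
```

Writing to a raw device requires root, so run it with sudo and double-check the device name with lsblk or diskutil list before you do.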
Install and connect system
- Unbox the OnLogic hardware.
- Connect the following cables and peripherals to the OnLogic device:
  - Power cables to the power supplies.
  - HDMI monitor. A VGA monitor can be connected via a USB-C to VGA adapter (not included).
  - USB keyboard.
  - Management network cable to the top network interface port.
  - Capture network cable to the bottom network interface port.
Begin installation
- Insert the installation USB drive you created earlier into any available USB port of the OnLogic device.
- Power on the OnLogic device, or press Ctrl+Alt+Delete to reboot it.
- In the boot menu, use the arrow keys to select Install Sophos NDR -- NUC/OnLogic Models, then press Enter.
  The system will take some time to boot. You must wait for the installer to finish loading. The installer is ready when you see the Network connections screen.
Configure network interfaces
Configure management IP address
Identify the interface to be used for the management network and connection to Sophos Central.
Configure this interface with an IP address, default gateway, and DNS address. DHCP configuration is possible but not recommended, because the IP address of the appliance may change during a future reboot.
- Use the arrow keys to select the management interface, then press Enter.
- Select Edit IPv4, then press Enter.
- Press Enter on the IPv4 method, then select Manual.
- Enter the subnet for the interface in CIDR notation.
- Enter the IP address for the interface in the Address field.
- Enter the default gateway in the Gateway field.
- Enter the DNS server or servers in the Name servers field.
- Optional: Enter a domain in the Search domains field.
- Use the arrow keys to select Save, then press Enter.
Configure capture interfaces
You configure the capture interfaces (SPAN settings) after installation using the Appliance Manager web UI. See SPAN settings.
For now, disable all remaining network interfaces, as follows:
- Use the arrow keys to select the interface, then press Enter.
- Select Edit IPv4, then press Enter.
- Use the arrow keys to select Disabled, then press Enter.
- Use the arrow keys to select Save, then press Enter.
Installation process
The system is now ready to partition disks and begin the installation process.
Use the arrow keys to select Continue, then press Enter. This confirms the disk partitioning and installation.
Software installation will take some time. Installation is complete when you see the Install complete! message at the top of the screen.
Complete installation
When the installation is complete, use the arrow keys to select Reboot Now, then press Enter.
The exit process will pause and require you to remove the installation media.
Remove the USB drive from the system and press Enter to continue the exit and reboot process.