Elastic Agents on Multiple Subnets

[craigsmooth]

Version

2.4.60

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

airgap

Hardware Specs

Exceeds minimum requirements

CPU

16

RAM

128 GB

Storage for /

5 TB

Storage for /nsm

10 TB

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Can someone provide some guidance on the deployment of Elastic Agents in a segmented network where there are multiple VLANs and site-to-site tunnels where the agents might not have "line of sight" access to the SO Manager? Do the agents need direct connectivity to the manager or can they be configured to ship their logs through a forward node? Also, if we have agents on networks where there is NAT translation, how do we configure the fleet agent settings when we need to have the agents use multiple different IPs to reach the manager based on what subnet they are on? Thanks for any guidance.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

Are you able to deploy a standalone fleet node? https://docs.securityonion.net/en/2.4/architecture.html#elastic-fleet-standalone-node

[craigsmooth]

So I guess I'm a little confused about that node type. Is that just for managing the agents? Do the actual agents send logs to the manager? Is there a list of documented ports that need to be opened for each of these scenarios? Thank you!
Agent----> PORTS --->Fleet
Agent----> PORTS --->Manager
Fleet ----> PORTS ---> Agent
Manager---> PORTS --->Agent

[craigsmooth]

Thanks I think that setting would work. We won't have control over the environment's DNS so we will need to use IP addresses. So, it looks like I can use an IP in that field? If we had a scenario where we needed to use multiple IPs due to NAT in order for agents to see the manager. Do I just add multiple FQDN fields with each IP? Thank you @cm-ops

[craigsmooth]

So if I add a custom FQDN for a different network segment that uses NAT...
Elastic Agent (192.168.246.100) ---> Firewall Outside Interface (192.168.246.214:8220) --- NAT --- Firewall Inside Interface (172.30.1.1) ---> SO Mgr (172.30.1.102:8220). I get the following error when trying to run the agent installer:
Error: fail to enroll: fail to execute request to fleet-server: x509: certificate is valid for 172.30.1.102, not 192.168.246.214.
Is there any way to make this work through NAT?
Thank you.

[cm-ops]

Did you regenerate the installer after adding the FQDN?

[craigsmooth]

Yes, I actually found the following post that was extremely helpful and solved our issue:
#12583 (comment)