SO 2.4.60 on ESXI - Login page missing with 403 forbidden error #13396
Are there any network devices between the browser machine and Security Onion manager that might be interfering with the network traffic? Do you have any browser plugins installed that may be interfering? Have you tried an incognito browser window? Have you tried Google Chrome or another Chromium-based browser? Have you checked other logs in /opt/so/log/soc/ for additional clues? 2.4.60 is a few months old; have you tried a more recent version like 2.4.80?
Version: 2.4.60
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Distributed
Location: airgap
Hardware Specs: Exceeds minimum requirements
CPU: 5
RAM: 20
Storage for /: 128
Storage for /nsm: 128
Network Traffic Collection: other (please provide detail below)
Network Traffic Speeds: Less than 1Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: Yes, there are additional clues in /opt/so/log/ (please provide detail below)
Detail
I've been attempting to set up Security Onion 2.4.60 hosted on an ESXi server. I am installing from an ISO in our datastore. The machine is set up with plenty of memory, cores, and space, and both NICs are E1000. The subsequent port group that the SO instance is connected to has MAC changes and promiscuous mode enabled, along with VLAN trunking set to 0-4094.
I am setting up a manager node for a distributed installation. The SO instance is set to be air gapped. The IP of the SO instance is statically set to 192.168.2.50. The allowed IPs were set to be the subnet 192.168.2.0/24.
I am able to access the SO webpage from another Ubuntu machine on the same 192.168.2.0/24 network; however, the webpage is missing the login boxes. Sometimes a Forbidden 403 banner will pop up; other times it won't.


I have attempted to use different browsers and OSs, which have not worked, and I have also tried to designate a single allowed IP during configuration, which has also not worked.
Funnily enough, when I installed a version of SO 2.3.22 with practically the same configuration, I was able to access the webpage without issue; however, with this current version I am unable to see the login page.
nginx had the following in error.logs, but the timing is unrelated to the login attempt times and I don't believe it is relevant.

In nginx's access.logs I didn't find anything interesting. I am unable to copy and paste out of the environment, unfortunately, so screenshots will have to suffice.
Any help would be greatly appreciated, I can provide additional details as necessary.