5. Setting up the Greenbone Security Manager

This chapter provides specific setup guides and troubleshooting for all current GSM appliances:

  • GSM 5400/6500 → Chapter 5.1
  • GSM 400/450/600/650 → Chapter 5.2
  • GSM 150 → Chapter 5.3
  • GSM 35 → Chapter 5.4
  • GSM 150V/CENO/DECA/TERA/PETA/EXA → Chapter 5.5
  • GSM 25V → Chapter 5.6
  • GSM ONE/MAVEN → Chapter 5.7

5.1. GSM 5400/6500

This setup guide shows the steps required to put a GSM 5400 or 6500 appliance into operation.

The following checklist can be used to monitor the progress:

Step Done
Power supply established (2 connectors)  
Networking cables connected  
Console access established  
Keyboard layout selected  
IP address configured  
DNS server configured  
SSH service enabled (optional)  
SSL certificate created  
Web user account created  
GOS selfcheck run  

5.1.1. Installing the Appliance

The GSM 5400 and GSM 6500 are 19-inch mountable and require two rack units (RU). Rack holders for the installation in a 19-inch rack are supplied.

For cabling, the GSM 5400 and GSM 6500 appliances have the following connectors at the front and back:

  • Front:
    • 1 RS-232 serial port, Cisco compatible, suitable cable is enclosed
    • 2 USB 2.0 ports
    • 2 RJ45 Ethernet ports, labeled “MGMT”, for management
    • Up to 4 optional modules with additional Ethernet ports (RJ45, SFP, SFP+ or XFP)
  • Back:
    • 1 VGA port
    • 2 USB 3.0 ports
    • 2 USB 2.0 ports
    • 2 power supplies

The installation requires either a monitor and a keyboard or a serial console connection and a terminal application.

5.1.2. Utilizing the Serial Port

The enclosed console cable is used for utilizing the serial port. Alternatively, a blue Cisco console cable (rollover cable) can be used.

To access the serial port a terminal application is required. The application needs to be configured to a speed of 9600 bits/s (Baud).

On Linux, the screen command can be used on the command line. It is sufficient to run the command with the serial port as its argument.

Tip

When starting a command, it may be necessary to hit Return several times to get a command prompt.

screen /dev/ttyS0  #(for serial port)
screen /dev/ttyUSB0 #(for USB adapter)

Quit the command by entering CTRL-a \.

In Microsoft Windows the PuTTY application can be used. After starting it, the options as shown in Fig. 5.1 and the appropriate serial port have to be selected.

Fig. 5.1 Setting up the serial port in PuTTY

5.1.3. Starting the Appliance

Once the appliance is fully wired, a connection to the appliance using the console cable is achieved and the terminal application (PuTTY, screen or similar) is set up, the appliance can be started.

The appliance will boot and, after a short time that depends on the exact model, the first messages will be displayed in the terminal application.

5.1.4. Performing a General System Setup

All GSM appliances share the same basic configuration and readiness check.

Note

Follow the steps described in Chapter 7. Afterwards, continue with logging into the web interface.

5.1.5. Logging into the Web Interface

The main interface of the GSM is the web interface, also called Greenbone Security Assistant (GSA). The web interface can be accessed as described in Chapter 8.1.

5.2. GSM 400/450/600/650

This setup guide shows the steps required to put a GSM 400, GSM 450, GSM 600 or GSM 650 appliance into operation.

The following checklist can be used to monitor the progress:

Step Done
Power supply established (1 connector)  
Networking cables connected  
Console access established  
Keyboard layout selected  
IP address configured  
DNS server configured  
SSH service enabled (optional)  
SSL certificate created  
Web user account created  
GOS selfcheck run  

5.2.1. Installing the Appliance

The GSM 400, GSM 450, GSM 600 and GSM 650 are 19-inch mountable and require one rack unit (RU). Rack holders for the installation in a 19-inch rack are supplied.

For cabling, the GSM 400, GSM 450, GSM 600 and GSM 650 appliances have the following connectors at the front and back:

  • Front:
    • 1 RS-232 serial port, Cisco compatible, suitable cable is enclosed
    • 2 USB 3.0 ports
    • 6 RJ45 Ethernet ports
    • 2 SFP Ethernet ports
  • Back:
    • 1 VGA port
    • 1 power supply

The installation requires either a monitor and a keyboard or a serial console connection and a terminal application.

5.2.2. Utilizing the Serial Port

The enclosed console cable is used for utilizing the serial port. Alternatively, a blue Cisco console cable (rollover cable) can be used.

To access the serial port a terminal application is required. The application needs to be configured to a speed of 9600 bits/s (Baud).

On Linux, the screen command can be used on the command line. It is sufficient to run the command with the serial port as its argument.

Tip

When starting a command, it may be necessary to hit Return several times to get a command prompt.

screen /dev/ttyS0  #(for serial port)
screen /dev/ttyUSB0 #(for USB adapter)

Quit the command by entering CTRL-a \.

In Microsoft Windows the PuTTY application can be used. After starting it, the options as shown in Fig. 5.2 and the appropriate serial port have to be selected.

Fig. 5.2 Setting up the serial port in PuTTY

5.2.3. Starting the Appliance

Once the appliance is fully wired, a connection to the appliance using the console cable is achieved and the terminal application (PuTTY, screen or similar) is set up, the appliance can be started.

The appliance will boot and, after a short time that depends on the exact model, the first messages will be displayed in the terminal application.

5.2.4. Performing a General System Setup

All GSM appliances share the same basic configuration and readiness check.

Note

Follow the steps described in Chapter 7. Afterwards, continue with logging into the web interface.

5.2.5. Logging into the Web Interface

The main interface of the GSM is the web interface, also called Greenbone Security Assistant (GSA). The web interface can be accessed as described in Chapter 8.1.

5.3. GSM 150

This setup guide shows the steps required to put a GSM 150 appliance into operation.

The following checklist can be used to monitor the progress:

Step Done
Power supply established (1 connector)  
Networking cables connected  
Console access established  
Keyboard layout selected  
IP address configured  
DNS server configured  
SSH service enabled (optional)  
SSL certificate created  
Web user account created  
GOS selfcheck run  

5.3.1. Installing the Appliance

The GSM 150 is 19-inch mountable and requires one rack unit (RU). The optional RACKMOUNT150 kit provides the rack holders for installing the appliance in a 19-inch rack.

For stand-alone appliances four self-sticking rubber pads have to be mounted on the corresponding bottom side embossments.

For cabling, the GSM 150 appliance has the following connectors at the front and back:

  • Front:
    • 1 RS-232 serial port, Cisco compatible, suitable cable is enclosed
    • 2 USB 3.0 ports
    • 1 HDMI port
    • 4 RJ45 Ethernet ports
  • Back:
    • 1 power supply

The installation requires either a monitor and a keyboard or a serial console connection and a terminal application.

5.3.2. Utilizing the Serial Port

The enclosed console cable is used for utilizing the serial port. Alternatively, a blue Cisco console cable (rollover cable) can be used.

To access the serial port a terminal application is required. The application needs to be configured to a speed of 9600 bits/s (Baud).

On Linux, the screen command can be used on the command line. It is sufficient to run the command with the serial port as its argument.

Tip

When starting a command, it may be necessary to hit Return several times to get a command prompt.

screen /dev/ttyS0  #(for serial port)
screen /dev/ttyUSB0 #(for USB adapter)

Quit the command by entering CTRL-a \.

In Microsoft Windows the PuTTY application can be used. After starting it, the options as shown in Fig. 5.3 and the appropriate serial port have to be selected.

Fig. 5.3 Setting up the serial port in PuTTY

5.3.3. Starting the Appliance

Once the appliance is fully wired, a connection to the appliance using the console cable is achieved and the terminal application (PuTTY, screen or similar) is set up, the appliance can be started.

The appliance will boot and, after a short time that depends on the exact model, the first messages will be displayed in the terminal application.

5.3.4. Performing a General System Setup

All GSM appliances share the same basic configuration and readiness check.

Note

Follow the steps described in Chapter 7. Afterwards, continue with logging into the web interface.

5.3.5. Logging into the Web Interface

The main interface of the GSM is the web interface, also called Greenbone Security Assistant (GSA). The web interface can be accessed as described in Chapter 8.1.

5.4. GSM 35

This setup guide shows the steps required to put a GSM 35 sensor appliance into operation.

The following checklist can be used to monitor the progress:

Step Done
Power supply established (1 connector)  
Networking cables connected  
Console access established  
Keyboard layout selected  
IP address configured  
DNS server configured  
SSH service enabled (optional)  
SSL certificate created  
Scan user account created  
GOS selfcheck run  

5.4.1. Installing the Appliance

The GSM 35 is 19-inch mountable and requires one rack unit (RU). The optional RACKMOUNT35 kit provides the rack holders for installing the appliance in a 19-inch rack.

For stand-alone appliances four self-sticking rubber pads have to be mounted on the corresponding bottom side embossments.

For cabling, the GSM 35 appliance has the following connectors at the front and back:

  • Front:
    • 1 RS-232 serial port, Cisco compatible, suitable cable is enclosed
    • 2 USB 3.0 ports
    • 1 HDMI port
    • 4 RJ45 Ethernet ports
  • Back:
    • 1 power supply

The installation requires either a monitor and a keyboard or a serial console connection and a terminal application.

5.4.2. Utilizing the Serial Port

The enclosed console cable is used for utilizing the serial port. Alternatively, a blue Cisco console cable (rollover cable) can be used.

To access the serial port a terminal application is required. The application needs to be configured to a speed of 9600 bits/s (Baud).

On Linux, the screen command can be used on the command line. It is sufficient to run the command with the serial port as its argument.

Tip

When starting a command, it may be necessary to hit Return several times to get a command prompt.

screen /dev/ttyS0  #(for serial port)
screen /dev/ttyUSB0 #(for USB adapter)

Quit the command by entering CTRL-a \.

In Microsoft Windows the PuTTY application can be used. After starting it, the options as shown in Fig. 5.4 and the appropriate serial port have to be selected.

Fig. 5.4 Setting up the serial port in PuTTY

5.4.3. Starting the Appliance

Once the appliance is fully wired, a connection to the appliance using the console cable is achieved and the terminal application (PuTTY, screen or similar) is set up, the appliance can be started.

The appliance will boot and, after a short time that depends on the exact model, the first messages will be displayed in the terminal application.

5.4.4. Performing a General System Setup

All GSM appliances share the same basic configuration and readiness check.

However, since the GSM 35 is a dedicated sensor, some setup steps differ from those of other appliances:

  • A scan user account has to be created instead of a web administrator account.
  • The master key has to be exchanged with the sensor.

Note

Follow the steps described in Chapter 7.

Add the scan user account instead of a web administrator account. Afterwards, continue with Chapter 16 to exchange the keys with the master.

The GSM 35 sensor does not offer any web interface. The sensor is solely managed by the master. Logging into the sensor is possible by using the console and SSH from the master.

If the communication between master and sensor fails, the rule set of any internal firewall governing the network connection may need to be adjusted.

5.5. GSM 150V/CENO/DECA/TERA/PETA/EXA

This setup guide shows the steps required to put a GSM 150V/CENO, DECA, TERA, PETA or EXA appliance into operation.

The following checklist can be used to monitor the progress:

Step Done
VMware ESXi installed  
Integrity verified (optional)  
OVA file imported  
Virtual machine settings checked  
Keyboard layout selected  
IP address configured  
DNS server configured  
SSH service enabled (optional)  
SSL certificate created  
Web user account created  
GOS selfcheck run  

5.5.1. Setup Requirements

This section lists the requirements for successfully deploying a GSM 150V/CENO, DECA, TERA, PETA or EXA appliance. All requirements have to be met.

5.5.1.1. Resources

The virtual appliances require at least the following resources:

GSM 150V/CENO:

  • 2 virtual CPUs
  • 8 GB RAM
  • 32 GB hard disk

GSM DECA:

  • 4 virtual CPUs
  • 8 GB RAM
  • 140 GB hard disk

GSM TERA:

  • 6 virtual CPUs
  • 8 GB RAM
  • 140 GB hard disk

GSM PETA:

  • 8 virtual CPUs
  • 16 GB RAM
  • 140 GB hard disk

GSM EXA:

  • 12 virtual CPUs
  • 24 GB RAM
  • 140 GB hard disk

5.5.1.2. Supported Hypervisor

While a GSM 150V/CENO/DECA/TERA/PETA/EXA can be run on various hypervisors, currently only VMware hypervisors are officially supported.

Each GSM 150V/CENO/DECA/TERA/PETA/EXA virtual machine is delivered in hardware version 9 format. VMware ESXi/ESX version 5.1 or higher is required.

5.5.1.3. Verification of Integrity

Note

The integrity of the virtual appliance can be verified. On request the Greenbone Networks Support provides an integrity checksum.

To request the checksum contact the Greenbone Networks Support via e-mail (support@greenbone.net) including the subscription number.

The integrity checksum can be provided via phone or via support portal at https://support.greenbone.net. Specify the preferred channel in the e-mail.

The local verification of the checksum depends on the host operating system.

On Linux systems the following command for calculating the checksum for the GSM 150V/CENO/DECA/TERA/PETA/EXA can be used:

sha256sum GSM-150V-5.0.4-gsf201906301.ova

Note

The commands for the other GSM types differ according to the GSM type and the GSF subscription key.

On Microsoft Windows systems an appropriate program has to be installed first.

Tip

Rehash, which can be found at http://rehash.sourceforge.net, may be used.

To calculate the checksum, use:

rehash.exe -none -sha256 C:\<path>\GSM-150V-5.0.4-gsf201906301.ova

Note

The commands for the other GSM types differ according to the GSM type and the GSF subscription key.

If the checksum does not match the checksum provided by the Greenbone Networks Support, the virtual appliance has been modified and should not be used.

5.5.2. Deploying the Appliance

The virtual appliance is provided by Greenbone Networks in the Open Virtualization Appliance (OVA) format.

Each GSM 150V/CENO/DECA/TERA/PETA/EXA is activated using a unique subscription key.

Note

Cloning the GSM 150V/CENO/DECA/TERA/PETA/EXA and using several instances in parallel is not permitted and can result in inconsistencies and unwanted side effects.

To deploy a GSM 150V/CENO/DECA/TERA/PETA/EXA, it has to be imported into the hypervisor of choice as follows:

Note

The example features VMware ESXi, but is also applicable for VMware vSphere.

The figures show the installation of a GSM 150V. The installation of a GSM CENO, DECA, TERA, PETA or EXA is carried out equivalently. File names used in the example differ based on the GSM type and the GSF subscription key.

  1. Install VMware ESXi for the current operating system.

  2. Open the web interface of the VMware ESXi instance and log in.

  3. Click Virtual Machines in the left column (see Fig. 5.5).

    Fig. 5.5 Importing a new virtual machine

  4. Click Create / Register VM.

  5. Select Deploy a virtual machine from an OVF or OVA file and click Next (see Fig. 5.6).

    Fig. 5.6 Selecting the creation type

  6. Enter a name for the virtual machine in the input box.

  7. Click Click to select files or drag/drop, select the OVA file of the appliance and click Next.

  8. Select the storage location in which to store the virtual machine files and click Next.

  9. Adjust the deployment options as required and click Next.

    Note

    The default deployment settings may be used.

  10. Check the configuration of the virtual machine (see Fig. 5.7).

    Tip

    Settings can be changed by clicking Back and adjusting them in the respective dialog.

    Fig. 5.7 Checking the configuration of the virtual machine

  11. Click Finish.

    → The appliance is imported. This can take up to 10 minutes.

    Important

    Do not refresh the browser while the virtual machine is being deployed.

  12. When the appliance is imported, click Virtual Machines in the left column.

  13. Select the appliance in the list (see Fig. 5.8).

    Fig. 5.8 Imported virtual machine

  14. Click Power on.

5.5.3. Performing a General System Setup

All GSM appliances share the same basic configuration and readiness check.

Note

Follow the steps described in Chapter 7. Afterwards, continue with logging into the web interface.

5.5.4. Logging into the Web Interface

The main interface of the GSM is the web interface, also called Greenbone Security Assistant (GSA). The web interface can be accessed as described in Chapter 8.1.

5.6. GSM 25V

This setup guide shows the steps required to put the GSM 25V appliance into operation.

The following checklist can be used to monitor the progress:

Step Done
VMware ESXi installed  
Integrity verified (optional)  
OVA file imported  
Virtual machine settings checked  
Keyboard layout selected  
IP address configured  
DNS server configured  
SSH service enabled (optional)  
SSL certificate created  
Scan user account created  
GOS selfcheck run  

5.6.1. Setup Requirements

This section lists the requirements for successfully deploying the GSM 25V appliance. All requirements have to be met.

5.6.1.1. Resources

The virtual appliance requires at least the following resources:

  • 2 virtual CPUs
  • 4 GB RAM
  • 16 GB hard disk

5.6.1.2. Supported Hypervisor

While the GSM 25V can be run on various hypervisors, currently only VMware hypervisors are officially supported.

Each GSM 25V virtual machine is delivered in hardware version 9 format. VMware ESXi/ESX version 5.1 or higher is required.

5.6.1.3. Verification of Integrity

Note

The integrity of the virtual appliance can be verified. On request the Greenbone Networks Support provides an integrity checksum.

To request the checksum contact the Greenbone Networks Support via e-mail (support@greenbone.net) including the subscription number.

The integrity checksum can be provided via phone or via support portal at https://support.greenbone.net. Specify the preferred channel in the e-mail.

The local verification of the checksum depends on the host operating system.

On Linux systems the following command for calculating the checksum for the GSM 25V can be used:

sha256sum GSM-25V-5.0.4-gsf201906301.ova

On Microsoft Windows systems an appropriate program has to be installed first.

Tip

Rehash, which can be found at http://rehash.sourceforge.net, may be used.

To calculate the checksum, use:

rehash.exe -none -sha256 C:\<path>\GSM-25V-5.0.4-gsf201906301.ova

If the checksum does not match the checksum provided by the Greenbone Networks Support, the virtual appliance has been modified and should not be used.

5.6.2. Deploying the Appliance

The GSM 25V is provided by Greenbone Networks in the Open Virtualization Appliance (OVA) format.

Each GSM 25V is activated using a unique subscription key.

Note

Cloning the GSM 25V and using several instances in parallel is not permitted and can result in inconsistencies and unwanted side effects.

To deploy the GSM 25V, it has to be imported into the hypervisor of choice as follows:

Note

The example features VMware ESXi, but is also applicable for VMware vSphere.

The figures show the installation of a GSM 150V. The installation of a GSM 25V is carried out equivalently. File names used in the example differ based on the GSM type and the GSF subscription key.

  1. Install VMware ESXi for the current operating system.

  2. Open the web interface of the VMware ESXi instance and log in.

  3. Click Virtual Machines in the left column (see Fig. 5.9).

    Fig. 5.9 Importing a new virtual machine

  4. Click Create / Register VM.

  5. Select Deploy a virtual machine from an OVF or OVA file and click Next (see Fig. 5.10).

    Fig. 5.10 Selecting the creation type

  6. Enter a name for the virtual machine in the input box.

  7. Click Click to select files or drag/drop, select the OVA file of the appliance and click Next.

  8. Select the storage location in which to store the virtual machine files and click Next.

  9. Adjust the deployment options as required and click Next.

    Note

    The default deployment settings may be used.

  10. Check the configuration of the virtual machine (see Fig. 5.11).

    Tip

    Settings can be changed by clicking Back and adjusting them in the respective dialog.

    Fig. 5.11 Checking the configuration of the virtual machine

  11. Click Finish.

    → The appliance is imported. This can take up to 10 minutes.

    Important

    Do not refresh the browser while the virtual machine is being deployed.

  12. When the appliance is imported, click Virtual Machines in the left column.

  13. Select the appliance in the list (see Fig. 5.12).

    Fig. 5.12 Imported virtual machine

  14. Click Power on.

5.6.3. Performing a General System Setup

All GSM appliances share the same basic configuration and readiness check.

However, since the GSM 25V is a dedicated sensor, some setup steps differ from those of other appliances:

  • A scan user account has to be created instead of a web administrator account.
  • The master key has to be exchanged with the sensor.

Note

Follow the steps described in Chapter 7.

Add the scan user account instead of a web administrator account. Afterwards, continue with Chapter 16 to exchange the keys with the master.

The GSM 25V sensor does not offer any web interface. The sensor is solely managed by the master. Logging into the sensor is possible by using the console and SSH from the master.

If the communication between master and sensor fails, the rule set of any internal firewall governing the network connection may need to be adjusted.

5.7. GSM ONE/MAVEN

This setup guide shows the steps required to put a GSM ONE or MAVEN appliance into operation.

The following checklist can be used to monitor the progress:

Step Done
VirtualBox installed  
Integrity verified (optional)  
OVA file imported  
Virtual machine settings checked  
Keyboard layout selected  
IP address configured  
DNS server configured  
SSH service enabled (optional)  
SSL certificate created  
Web user account created  
GOS selfcheck run  

5.7.1. Setup Requirements

This section lists the requirements for successfully deploying a GSM ONE or MAVEN appliance. All requirements have to be met.

5.7.1.1. Resources

The virtual appliance requires at least the following resources:

  • 2 virtual CPUs
  • 4 GB RAM
  • 16 GB hard disk

5.7.1.2. Supported Hypervisor

While a GSM ONE/MAVEN can be run on various hypervisors, currently only Oracle VirtualBox version 5.2 or higher is officially supported.

5.7.1.3. Verification of Integrity

Note

The integrity of the virtual appliance can be verified. On request the Greenbone Networks Support provides an integrity checksum.

To request the checksum contact the Greenbone Networks Support via e-mail (support@greenbone.net) including the subscription number.

The integrity checksum can be provided via phone or via support portal at https://support.greenbone.net. Specify the preferred channel in the e-mail.

The local verification of the checksum depends on the host operating system.

On Linux systems the following command for calculating the checksum for a GSM ONE/MAVEN can be used:

sha256sum GSM-ONE-5.0.4-gsf201906301.ova

Note

The command for the GSM MAVEN differs according to the GSM type and the GSF subscription key.

On Microsoft Windows systems an appropriate program has to be installed first.

Tip

Rehash, which can be found at http://rehash.sourceforge.net, may be used.

To calculate the checksum, use:

rehash.exe -none -sha256 C:\<path>\GSM-ONE-5.0.4-gsf201906301.ova

Note

The command for the GSM MAVEN differs according to the GSM type and the GSF subscription key.

If the checksum does not match the checksum provided by the Greenbone Networks Support, the virtual appliance has been modified and should not be used.
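
The following script is an added example, not part of the Greenbone manual. It wraps the sha256sum step into a check that compares the result with the checksum received from support and fails on any mismatch; the same check applies to the OVA files in Chapters 5.5.1.3 and 5.6.1.3. The function names verify_ova and normalize_checksum are hypothetical.

```shell
#!/bin/sh
# Added example: compare an OVA's SHA-256 with the checksum received
# out-of-band from support. Function names are hypothetical.

# normalize_checksum RAW
# Strips whitespace (e.g. from copy/paste or dictation in groups),
# lower-cases hex digits and requires exactly 64 hex characters.
normalize_checksum() {
    local cleaned
    cleaned=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case $cleaned in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#cleaned}" -eq 64 ] || return 1
    printf '%s' "$cleaned"
}

# verify_ova FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_ova() {
    local file expected actual
    file=$1
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "error: cannot read '$file'" >&2
        return 2
    fi
    expected=$(normalize_checksum "$2") || {
        echo "error: expected value is not a SHA-256 checksum" >&2
        return 2
    }
    # Reading from stdin avoids sha256sum's escaping of unusual file names.
    actual=$(sha256sum < "$file" | cut -d' ' -f1)
    if [ "${#actual}" -ne 64 ]; then
        echo "error: sha256sum produced no digest" >&2
        return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the expected checksum"
        return 0
    fi
    echo "MISMATCH: do not import $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Stand-alone use: ./verify_ova.sh GSM-ONE-5.0.4-gsf201906301.ova <checksum>
if [ "$#" -eq 2 ]; then
    verify_ova "$1" "$2"
fi
```

Take the expected value only from the channel agreed with support (phone or support portal), not from the location the OVA file was obtained from.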

5.7.2. Deploying the Appliance

The virtual appliance is provided by Greenbone Networks in the Open Virtualization Appliance (OVA) format.

Each GSM ONE/MAVEN is activated using a unique subscription key.

Note

Cloning the GSM ONE/MAVEN and using several instances in parallel is not permitted and can result in inconsistencies and unwanted side effects.

To deploy a GSM ONE/MAVEN, it has to be imported into the hypervisor of choice as follows:

Note

The figure shows the installation of a GSM ONE. The installation of a GSM MAVEN is carried out equivalently. File names used in the example differ based on the GSM type and the GSF subscription key.

  1. Install Oracle VirtualBox for the current operating system.

    Note

    VirtualBox is often included with Linux distributions.

    Should this not be the case or if a version of Microsoft Windows is used, VirtualBox is available at https://www.virtualbox.org/wiki/Downloads.

  2. Start VirtualBox.

  3. Select File > Import Appliance... in the menu bar.

  4. Click import_vbox and select the OVA file of the appliance (see Fig. 5.13).

    Fig. 5.13 Importing the OVA file of the appliance

  5. Check the configuration of the virtual machine in the window Appliance settings (see Fig. 5.13).

    Values can be changed by double clicking into the input box of the respective value.

    Note

    If possible, select 4096 MB RAM (memory) for optimal configuration of the virtual appliance.

  6. Click Import.

    → The appliance is imported. This can take up to 10 minutes.

    When the appliance is imported, it is displayed in the list Tools in VirtualBox.

  7. Select the appliance in the list and click Start.

5.7.3. Performing a General System Setup

All GSM appliances share the same basic configuration and readiness check.

Note

Follow the steps described in Chapter 7. Afterwards, continue with logging into the web interface or with troubleshooting.

5.7.4. Logging into the Web Interface

The main interface of the GSM is the web interface, also called Greenbone Security Assistant (GSA). The web interface can be accessed as described in Chapter 8.1.