Prerequisites
Have a running MSP Console instance that is reachable on HTTPS from the Internal Scanner that is to be deployed.
Configure a FQDN for the MSP Console that can be resolved by the Internal Scanner.
Allow access from the Scanner to the Console machine over HTTPS and over TCP/15671, TCP/15672, TCP/5671 and TCP/5672.
Note: Restricting this traffic would result in inaccurate Scan Results, as not all ports would be reachable.
Attention: Scanning through a VPN or firewall may add overhead and cause performance issues. Make sure to configure scans to run outside business hours.
Deployment
Create a Storage Location
Browse to GCP > Cloud Storage
Click Create Bucket and follow the instructions
Name your bucket. This requires a globally unique name, e.g.: example_name_footprint_is-1
Choose where to store your data. This depends on how many scanners you wish to deploy and how often. For this guide, we pick a single Region: us-east1 (South Carolina)
Choose a default storage class for your data: Standard or Nearline (as you may not deploy scanners daily)
Choose how to access objects: You may restrict data from being accessed from the Internet. The virtual disk itself contains no company confidential information, so this is purely optional. For the purpose of this guide, we will pick Uniform access control without enforcing public access prevention on this bucket. If you intend to store other information in the same bucket, please restrict access accordingly.
Choose how to protect object data: None
Click Create
Import virtual disks
Import virtual disks by Transfer Data
Click Transfer Data
Click Transfer Data in
Select URL list as the Source type and Google Cloud Storage as Destination Type
In Choose a source tab insert https://update.codacloud.net/gcloud/is-vhd.txt
In Choose a destination tab select the bucket / folder where you want to store the image
In Choose when to run job keep the settings to run once and start now
In Choose settings you can keep the same settings
Click Create
Import virtual disks by Upload Folder (Optional, only if Transfer Data didn’t work)
Download source image and unzip the files locally. (VHD Full Image)
Click Upload Files. Pick the image of choice (e.g.: IS-Full.vhd).
Import virtual disks by CLI (Optional, only if Transfer Data or Upload Folder didn’t work)
Download source images and unzip the files locally. (VHD Full Image)
Install gcloud CLI
Upload the image to bucket storage (Upload objects to bucket)
Create an image (Template for all Internal Scanners)
Go to Create an Image page. Compute Engine > Storage > Images.
Select Create Image and pick a Name
Enable Compute Engine API
Under Source, select Virtual disk (VMDK, VHD, ...). Make sure to Enable Cloud Build API.
For image import to work, the Cloud Build service account must be granted the compute.admin and iam.serviceAccountUser roles. Press the Grant button.
Browse to or manually enter the Cloud Storage path of the uploaded file (the storage location created in the previous chapter).
Select the operating system that is available on the imported disk. You can also make the following changes:
You can choose to Install guest packages. Google recommends that you install the guest environment. For more information about the guest environment, see guest environment.
Pick the Ubuntu 20.04 Environment. It may also be auto-detected. We are using the BYOL licensing option.
(Optional) Specify additional properties for your image. For example, you can organize this image as part of an image family.
Click Create to import the image.
Create the virtual machine
Browse to GCP > Compute Engine > VM Instances
Click Create Instance
Give it a Name
Pick Region and Zone
Select the Machine family "General Purpose" and the E2 series (e2-standard-2) or higher. Minimum hardware requirements are 2 vCPU, 8 GB RAM, and 80-100 GB disk.
Under Boot Disk, click Change to select the previously created image (listed under Custom Images) and set the disk size to at least 80-100 GB.
Make sure to open firewall port tcp/8080 from your Management Subnet for the initial setup of the Internal Scanner.
Setup the Internal Scanner
Browse to the public IP of the VM instance on port 8080 over HTTP (e.g.: http://<public_ip_address>:8080)
Once connected, pick a name for the scanner and enter the Console URL/FQDN and token. You can find those in your Footprint Console under Agentless Scan Surface > Setup Scanners. The external IP (public_ip_address) is shown under Network interfaces > External IP.
Once everything is set up, the Internal Scanner should appear as Active under Agentless Scan Surface > Deployed Scanners.
Start scanning
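The CLI path of the steps above (bucket, VHD upload, image import, VM, setup firewall rule), written as an added example that is not part of the vendor guide. PROJECT, ZONE and MGMT_CIDR are assumed placeholders; the bucket name must be globally unique, and the gcloud CLI must already be authenticated.

```shell
#!/bin/sh
# Added example, not the vendor's own script: the "Import virtual disks by CLI"
# path plus VM creation, using the values from this guide (Ubuntu 20.04 image,
# e2-standard-2, 100 GB disk, tcp/8080 opened from the management subnet only).
set -eu

PROJECT="${PROJECT:-my-project-id}"              # assumed placeholder
BUCKET="${BUCKET:-example_name_footprint_is-1}"  # bucket name from the guide
REGION="us-east1"
ZONE="${ZONE:-us-east1-b}"                       # assumed zone in the guide's region
MGMT_CIDR="${MGMT_CIDR:-10.0.0.0/24}"            # assumed management subnet

# "Create a Storage Location": Standard class, uniform bucket-level access.
create_bucket() {
  gsutil mb -p "$PROJECT" -l "$REGION" -c STANDARD -b on "gs://$1"
}

# "Upload the image to bucket storage": the unzipped VHD from the local disk.
upload_vhd() {
  gsutil cp "$1" "gs://$2/"
}

# "Create an image": import the VHD as a custom image. Cloud Build API must be
# enabled and its service account must hold compute.admin + iam.serviceAccountUser.
create_scanner_image() {
  gcloud compute images import "$3" --project="$PROJECT" \
    --source-file="gs://$1/$2" --os=ubuntu-2004 --family=internal-scanner
}

# "Create the virtual machine": e2-standard-2 with a 100 GB boot disk from the image.
create_scanner_vm() {
  gcloud compute instances create "$1" --project="$PROJECT" --zone="$ZONE" \
    --machine-type=e2-standard-2 --image="$2" --image-project="$PROJECT" \
    --boot-disk-size=100GB --tags=internal-scanner
}

# Initial-setup port tcp/8080, reachable only from the management subnet.
allow_setup_port() {
  gcloud compute firewall-rules create internal-scanner-setup --project="$PROJECT" \
    --direction=INGRESS --action=ALLOW --rules=tcp:8080 \
    --source-ranges="$1" --target-tags=internal-scanner
}

deploy_internal_scanner() {
  create_bucket "$BUCKET"
  upload_vhd IS-Full.vhd "$BUCKET"
  create_scanner_image "$BUCKET" IS-Full.vhd internal-scanner-template
  create_scanner_vm internal-scanner-01 internal-scanner-template
  allow_setup_port "$MGMT_CIDR"
}

# Only act when explicitly asked, so sourcing the file has no side effects.
if [ "${1:-}" = "deploy" ]; then deploy_internal_scanner; fi
```

Run it as `sh deploy-scanner.sh deploy` after exporting PROJECT, BUCKET and MGMT_CIDR; once the VM is up, continue with the Setup the Internal Scanner steps over tcp/8080.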