
Workload Security Agent Requirements

Contributors netapp-alavoie

You must install an Agent in order to acquire information from your data collectors. Before you install the Agent, you should ensure that your environment meets operating system, CPU, memory, and disk space requirements.

Note: Storage Workload Security is not available in Cloud Insights Federal Edition.

Component Linux Requirement

Operating system

A computer running a licensed version of one of the following:

Red Hat Enterprise Linux 7.x, 8.x 64-bit, SELinux
CentOS 7.x 64-bit, SELinux
CentOS 8 Stream, SELinux
Ubuntu 20 through 22 64-bit
Rocky 8.x 64-bit, Rocky 9.x 64-bit, SELinux
SUSE Linux Enterprise Server 15 SP3, SUSE Linux Enterprise Server 15 SP4, SELinux on SUSE 15 SP3

This computer should be running no other application-level software. A dedicated server is recommended.

Commands

'unzip' is required for installation. Additionally, the 'sudo su -' command is required for installation, running scripts, and uninstall.

CPU

4 CPU cores

Memory

16 GB RAM

Available disk space

Disk space should be allocated in this manner:
/opt/netapp 35 GB (minimum)

Note: It is recommended to allocate a little extra disk space to allow for the creation of the filesystem. Ensure that there is at least 35 GB free space in the filesystem.


If /opt is a folder mounted from NAS storage, make sure that local users have access to this folder. The Agent or data collector may fail to install if local users do not have permission to this folder. See the troubleshooting section for more details.

Network

100 Mbps to 1 Gbps Ethernet connection, static IP address, IP connectivity to all devices, and a required port to the Workload Security instance (80 or 443).

Please note: The Workload Security agent can be installed in the same machine as a Cloud Insights acquisition unit and/or agent. However, it is a best practice to install these in separate machines. In the event that these are installed on the same machine, please allocate disk space as shown below:

Available disk space

50-55 GB
For Linux, disk space should be allocated in this manner:
/opt/netapp 25-30 GB
/var/log/netapp 25 GB

Additional recommendations

  • It is strongly recommended to synchronize the time on both the ONTAP system and the Agent machine using Network Time Protocol (NTP) or Simple Network Time Protocol (SNTP).

Cloud Network Access Rules

For US-based Workload Security environments:

| Protocol | Port | Source | Destination | Description |
|---|---|---|---|---|
| TCP | 443 | Workload Security Agent | <site_name>.cs01.cloudinsights.netapp.com, <site_name>.c01.cloudinsights.netapp.com, <site_name>.c02.cloudinsights.netapp.com | Access to Cloud Insights |
| TCP | 443 | Workload Security Agent | gateway.c01.cloudinsights.netapp.com, agentlogin.cs01.cloudinsights.netapp.com | Access to authentication services |

For Europe-based Workload Security environments:

| Protocol | Port | Source | Destination | Description |
|---|---|---|---|---|
| TCP | 443 | Workload Security Agent | <site_name>.cs01-eu-1.cloudinsights.netapp.com, <site_name>.c01-eu-1.cloudinsights.netapp.com, <site_name>.c02-eu-1.cloudinsights.netapp.com | Access to Cloud Insights |
| TCP | 443 | Workload Security Agent | gateway.c01.cloudinsights.netapp.com, agentlogin.cs01-eu-1.cloudinsights.netapp.com | Access to authentication services |

For APAC-based Workload Security environments:

| Protocol | Port | Source | Destination | Description |
|---|---|---|---|---|
| TCP | 443 | Workload Security Agent | <site_name>.cs01-ap-1.cloudinsights.netapp.com, <site_name>.c01-ap-1.cloudinsights.netapp.com, <site_name>.c02-ap-1.cloudinsights.netapp.com | Access to Cloud Insights |
| TCP | 443 | Workload Security Agent | gateway.c01.cloudinsights.netapp.com, agentlogin.cs01-ap-1.cloudinsights.netapp.com | Access to authentication services |

In-network rules

| Protocol | Port | Source | Destination | Description |
|---|---|---|---|---|
| TCP | 389 (LDAP), 636 (LDAPs / start-tls) | Workload Security Agent | LDAP Server URL | Connect to LDAP |
| TCP | 443 | Workload Security Agent | Cluster or SVM Management IP Address (depending on SVM collector configuration) | API communication with ONTAP |
| TCP | 35000 - 55000 | SVM data LIF IP Addresses | Workload Security Agent | Communication from ONTAP to the Workload Security Agent for FPolicy events. These ports must be opened towards the Workload Security Agent in order for ONTAP to send events to it, including any firewall on the Workload Security Agent itself (if present). |
| TCP | 7 | Workload Security Agent | SVM data LIF IP Addresses | Echo from Agent to SVM Data LIFs |
| SSH | 22 | Workload Security Agent | Cluster management | Needed for CIFS/SMB user blocking. |
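
The FPolicy rule above requires TCP 35000 - 55000 to be open towards the Agent, including on the Agent's own firewall. As an added example (not part of the NetApp documentation), the script below prints firewalld rich rules that open that range only to the SVM data LIF addresses rather than to any source. It assumes the Agent host uses firewalld; the 192.0.2.x addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: emit firewalld rich rules that admit ONTAP FPolicy traffic
# (TCP 35000-55000) only from the listed SVM data LIF addresses.
# Assumption: the Agent host uses firewalld; the addresses below are constructed.

FPOLICY_PORTS="35000-55000"   # port range from the in-network rules table

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    rest=$1 count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
        case "$rest" in *.*) rest=${rest#*.} ;; *) rest="" ;; esac
    done
    [ "$count" -eq 4 ]
}

# Print one reviewable firewall-cmd line per valid LIF address. Returns 1 if
# any argument was rejected, so a caller can stop before applying a partial set.
fpolicy_rules() {
    rc=0
    for lif in "$@"; do
        if is_ipv4 "$lif"; then
            printf '%s\n' "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"$lif\" port port=\"$FPOLICY_PORTS\" protocol=\"tcp\" accept'"
        else
            printf 'skipped invalid address: %s\n' "$lif" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample SVM data LIF addresses (documentation range 192.0.2.0/24).
fpolicy_rules 192.0.2.11 192.0.2.12
printf '%s\n' "firewall-cmd --reload"
```

The script only prints commands; review them and run them as root on the Agent host to apply.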

System Sizing

See the Event Rate Checker documentation for information about sizing.