April 2020

April 25, 2020:

Download up to 1 million traffic flows

Download up to 1 million traffic flows using Flow Explorer. A CSV download shows its status while it is in progress, and you can cancel it if you no longer want the flows.

April 21, 2020:

CT-Bridge as an Agent Proxy

An adaptation of the CT-Bridge that relays communication between the assets and Xshield over a single network interface.

  • Relay communication between agents and Xshield – Agent Proxy relays heartbeat, policy update, and telemetry data between the agents and Xshield over HTTPS on TCP port 443, with a mutual TLS 1.2 handshake. Each agent holds its own connection to Agent Proxy, but Agent Proxy maintains only a limited number of connections to Xshield to send and receive data.

    Agent Proxy can be implemented irrespective of whether you are beginning to use Xshield or have been using Xshield for a while.

    • For deployments at their early stages, Agent Proxy can be implemented before the agents are deployed on the assets. When agents are installed, you specify the FQDN of Agent Proxy. Assets are registered through Agent Proxy and thereafter Agent Proxy relays communication between the assets and Xshield.

    • For deployments that have been in use for a while, Agent Proxy can be plugged into the existing ecosystem.

      • After Agent Proxy is configured successfully, Xshield sends the FQDN of Agent Proxy to the existing agents. Within a few minutes, the agents fail over to Agent Proxy for their communication with Xshield.

      • When new assets (agents) are added, you specify the FQDN of Agent Proxy on the command line during installation. Assets are registered through Agent Proxy, and thereafter Agent Proxy relays communication between the assets and Xshield.

      • If new assets are added by installing agents from the UI, Xshield sends the FQDN of Agent Proxy to them, and the new assets fail over to Agent Proxy for their communication with Xshield.

    • Note: For both types of Agent Proxy deployment, the Agent Proxy FQDN must be resolvable and reachable by the agents.
  • Automatic failover to direct communication with Xshield, and fallback – if Agent Proxy is unreachable by the agents or is manually disabled from the Xshield UI, the agents fail over to communicating with Xshield directly. When Agent Proxy becomes reachable again, the agents fall back to using Agent Proxy. If both Agent Proxy and Xshield are unreachable, the agents can cache up to 10 MB of data.

  • Limited communication with Xshield – Agent Proxy aggregates heartbeat and policy data from the agents until either a threshold time interval elapses or a maximum number of agent messages is reached, and then sends them as one message to Xshield. Xshield responds with one message to Agent Proxy, which de-multiplexes the response and delivers each agent's part to that agent.

    See Agent Proxy services and command reference for details about the aggregation interval and the maximum number of messages aggregated.

    Telemetry data from the agents is forwarded as-is to Xshield.

  • Spool telemetry data – if Agent Proxy cannot reach Xshield, it spools the telemetry data collected from the assets and sends it to Xshield when Xshield becomes reachable again.

    See Prerequisites to calculate the minimum sizing required to spool telemetry data.

  • Upgrade and decommission agents through Agent Proxy – agents can be upgraded, and assets decommissioned, from Xshield through Agent Proxy.

  • Upsize OVA when more assets are added – the initial OVA sizing can be increased based on the number of assets, the frequency of communication, and how reliably Agent Proxy can reach Xshield.

    For example, if Xshield is unreachable for a long time, Agent Proxy needs additional storage to spool data.

  • Monitor Agent Proxy statistics by using CLI commands – Agent Proxy statistics can be monitored by running CLI show commands.

    See Agent Proxy services and command reference for more details.

  • Exclude assets in the Suspended state from policy computation – enable the Suspended assets policy feature on the Account Settings page to specify how ColorTokens Xshield computes policies for assets in the Reachable state when other assets go to the Suspended state.

    If you enable this switch, ColorTokens Xshield deletes the policies associated with suspended assets from the other, reachable assets. This blocks communication between reachable assets and suspended assets.

  • Contain east-west propagation of suspicious activity on assets – move workloads to Quarantine mode when you detect suspicious activity on them, then investigate and remediate the impact of the activity.

    In the Quarantine mode, ColorTokens Xshield isolates the affected workloads from other assets by:

    • Deleting all access policies, except corporate policies, from the workloads in Quarantine mode.

    • Deleting all access policies associated with the workloads in Quarantine mode from the other workloads and endpoints managed by ColorTokens Xshield.

    ColorTokens Xshield also moves the workloads in Quarantine mode to the quarantine workload group, so you no longer see them in their original workload group. On the Visualizer page, the affected workloads are listed in the Private Managed entity group.

    After you remediate the affected workloads, move them to Unquarantine mode. This restores the workloads to their original state: all access policies are restored on the affected assets, and all access policies previously associated with the affected workloads are restored on the applicable assets.
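The batching, de-multiplexing and spooling behaviour of Agent Proxy described in the list above, modelled in Python as an added example. This is not ColorTokens code: the message shapes, the count/interval thresholds, the in-memory spool with oldest-first eviction, the `FakeXshield` stand-in and its reply format are all assumptions made for the illustration; the real limits are documented in the Agent Proxy command reference.

```python
import json
import time
from collections import deque


class AgentProxy:
    """Aggregating relay between agents and an upstream (assumed model, not product code).

    Heartbeat/policy messages are held until either max_messages arrive or interval_s
    elapses, sent upstream as ONE message, and the ONE reply is split per agent.
    Telemetry is forwarded as-is and spooled while the upstream is unreachable.
    """

    def __init__(self, send_upstream, max_messages=50, interval_s=5.0,
                 spool_limit_bytes=10_000_000, clock=time.monotonic):
        self._send_upstream = send_upstream  # callable(dict) -> dict; raises ConnectionError when upstream is down
        self.max_messages = max_messages     # assumed threshold
        self.interval_s = interval_s         # assumed threshold
        self.spool_limit_bytes = spool_limit_bytes
        self._clock = clock                  # injectable so the interval flush can be tested deterministically
        self._pending = []                   # (agent_id, message) waiting for the next batch
        self._window_started = None
        self._spool = deque()                # serialised telemetry records, oldest first
        self._spool_bytes = 0
        self.stats = {"batches_sent": 0, "upstream_failures": 0, "dropped": 0}

    @property
    def spooled(self):
        return len(self._spool)

    def submit(self, agent_id, message):
        """Queue one heartbeat/policy message. Returns {agent_id: reply} if this flushed a batch, else {}."""
        if self._window_started is None:
            self._window_started = self._clock()
        self._pending.append((agent_id, message))
        if len(self._pending) >= self.max_messages:
            return self.flush()
        return self.tick()

    def tick(self):
        """Timer hook: flush if the aggregation interval has elapsed for the open window."""
        if self._pending and self._clock() - self._window_started >= self.interval_s:
            return self.flush()
        return {}

    def flush(self):
        """Send everything pending as one upstream message and de-multiplex the single reply."""
        if not self._pending:
            return {}
        batch = {"type": "batch", "items": [{"agent": a, "msg": m} for a, m in self._pending]}
        self._pending, self._window_started = [], None
        try:
            response = self._send_upstream(batch)
        except ConnectionError:
            # Assumption: a failed heartbeat batch is not spooled; agents retry on their next heartbeat.
            self.stats["upstream_failures"] += 1
            return {}
        self.stats["batches_sent"] += 1
        return dict(response.get("replies", {}))

    def forward_telemetry(self, agent_id, payload):
        """Forward telemetry as-is; whatever cannot be sent stays in the spool. Returns records sent."""
        record = json.dumps({"agent": agent_id, "telemetry": payload}).encode()
        self._spool.append(record)           # queue behind older records so ordering is preserved
        self._spool_bytes += len(record)
        return self.drain_spool()

    def drain_spool(self):
        sent = 0
        while self._spool:
            record = self._spool[0]
            try:
                self._send_upstream({"type": "telemetry", "record": json.loads(record)})
            except ConnectionError:
                self.stats["upstream_failures"] += 1
                self._enforce_spool_limit()  # the spool is finite: this is why a long outage needs more OVA storage
                break
            self._spool.popleft()
            self._spool_bytes -= len(record)
            sent += 1
        return sent

    def _enforce_spool_limit(self):
        # Assumption: evict the oldest records when over capacity and count them so the loss is visible.
        while self._spool and self._spool_bytes > self.spool_limit_bytes:
            self._spool_bytes -= len(self._spool.popleft())
            self.stats["dropped"] += 1


class FakeXshield:
    """Constructed stand-in for the upstream; its reply format is invented for this example."""

    def __init__(self):
        self.reachable = True
        self.received = []

    def __call__(self, msg):
        if not self.reachable:
            raise ConnectionError("Xshield unreachable")
        self.received.append(msg)
        if msg["type"] == "batch":
            return {"replies": {i["agent"]: {"ack": True, "policy_version": 7} for i in msg["items"]}}
        return {"ack": True}


def demo():
    """Exercise the count flush, the interval flush, and spool-then-drain across an outage."""
    now = [0.0]
    xshield = FakeXshield()
    proxy = AgentProxy(xshield, max_messages=3, interval_s=5.0, spool_limit_bytes=80, clock=lambda: now[0])
    r1 = proxy.submit("web-01", {"hb": 1})            # held
    proxy.submit("web-02", {"hb": 1})                 # held
    r3 = proxy.submit("db-01", {"hb": 1})             # third message trips the count: one batch, three replies
    proxy.submit("web-01", {"hb": 2})                 # lone heartbeat waits for the interval
    now[0] += 6.0
    r4 = proxy.tick()                                 # interval elapsed: flushed on its own
    xshield.reachable = False
    proxy.forward_telemetry("web-01", {"flows": 12})  # spooled (47-byte record)
    proxy.forward_telemetry("web-02", {"flows": 3})   # spooled; 93 bytes > 80, so the oldest record is evicted
    xshield.reachable = True
    drained = proxy.forward_telemetry("db-01", {"flows": 9})  # drains the two surviving records
    return {"r1": r1, "r3": r3, "r4": r4, "drained": drained, "spooled": proxy.spooled,
            "stats": dict(proxy.stats), "upstream_calls": len(xshield.received)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `dropped` counter is the number to watch in a real deployment: a non-zero value after an outage means the spool capacity (the OVA sizing) was too small for the telemetry volume during that outage, and flow data for that window is gone.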

Agent uninstallation password

To protect agents from unintended or rogue uninstallation, set an uninstallation password in the Xshield UI. The password acts as an additional authorization step for decommissioning the asset: end users and local administrators, even with administrative privileges, cannot uninstall the agents without presenting it.

Quarantine templates

Quarantine templates contain the east-west propagation of suspicious activity in your network. A Quarantine template restricts communication on quarantined assets using inbound and outbound policies.

You apply a Quarantine template to an asset when you see suspicious activity on it and move it to Quarantine mode. In Quarantine mode, the asset uses only corporate policies and the policies in the Quarantine template; all other policies are deleted from the asset.
