Cadet 2nd Class

Are all Ethernet interfaces of an ArcSight Express appliance bound by a single IP address?


Hello there,

We are in the process of procuring HP ArcSight Express Appliance (AE-7526 Server).  Got stuck in the prerequisites gathering.  As per the data sheet, the appliance has 4 Ethernet interfaces (4 x 10/100/1000 Mbps).  Going by the quick installation guide (first boot wizard), the screenshot shows configuration of only eth0 interface with IP address, Subnet Mask etc.

From this should I infer,

HP ArcSight Express Appliance needs only one IP Address?  & this IP Address is mapped to an ethernet interface bundle of four?

OR

Each interface is independent of the others & only eth0 is primarily configured during First Boot Wizard? (this should not be the case, as I don't see any reason for the existence of the rest of the Ethernet interfaces if only eth0 is used)

This is my encounter with Express.  Thank you!

0 Likes

Accepted Solutions
Fleet Admiral

4 ports available on the appliance, only 1 used as a minimum for Express. You could use the others for a mixture of things, such as using one for "out of band management" of the appliance, a different one for a SmartConnector on a different network and so on. BUT, one IP is used for the Express system itself, and you must make sure that it is a resolvable name to IP - this is what will be used for the of the certificates for the system and it will include the hostname in there too.... and don't change it (though you can, it's not simple to update).

When setting up Express (or ESM for that matter), don't give it multiple addresses. Just one, set it up and complete the install (certs and everything) and then add the other interfaces. It makes your life so much easier.


0 Likes
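A pre-install check for the advice in the accepted solution, as an added example that is not part of the original post or any HP tooling: it confirms the manager hostname maps to exactly one address, that the address is bound locally, and that no second address is configured yet. The hostname, the addresses, and the choice of hosts-file text plus `ip -o -4 addr show` output as inputs are assumptions; the sample data is constructed.

```python
import ipaddress

# Constructed sample data (not from the thread): hosts-file lines and
# `ip -o -4 addr show` output as they might look before the first install.
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
10.20.30.40 express01.example.com express01
"""
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.20.30.40/24 brd 10.20.30.255 scope global eth0\\       valid_lft forever preferred_lft forever
"""

def hosts_lookup(hosts_text, name):
    """Return every address the hosts text maps to `name` (case-insensitive)."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) >= 2 and name.lower() in (f.lower() for f in fields[1:]):
            found.append(str(ipaddress.ip_address(fields[0])))
    return found

def interface_addrs(ip_addr_text):
    """Map interface name -> non-loopback IPv4 addresses configured on it."""
    result = {}
    for line in ip_addr_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "inet":
            addr = ipaddress.ip_interface(fields[3]).ip
            if not addr.is_loopback:
                result.setdefault(fields[1], []).append(str(addr))
    return result

def preinstall_findings(hostname, hosts_text, ip_addr_text):
    """Return a list of problems; an empty list means the check passed."""
    problems = []
    resolved = set(hosts_lookup(hosts_text, hostname))
    ifaces = interface_addrs(ip_addr_text)
    bound = [a for addrs in ifaces.values() for a in addrs]
    if len(resolved) != 1:
        problems.append(f"{hostname} resolves to {len(resolved)} addresses, expected 1")
    elif next(iter(resolved)) not in bound:
        problems.append(f"{hostname} is not bound to any local interface")
    if len(bound) > 1:
        problems.append(f"{len(bound)} addresses configured on {sorted(ifaces)}; install with one")
    return problems

if __name__ == "__main__":
    print(preinstall_findings("express01.example.com", SAMPLE_HOSTS, SAMPLE_IP_ADDR) or "OK")
```

If the name is served from DNS rather than a hosts file, feed the function the resolver's answers in the same `address name` form.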
7 Replies
Cadet 1st Class

* 1 IP address is enough for Arc manager!  Even though using the hostname as the manager name is best practice forever.

It doesn't matter which Ethernet port you use. Multiple Ethernet ports are useful for different scenarios, depending on the environment!

One IP and one Ethernet port is enough to complete your installation!

make it simple!

regards,

0 Likes
Fleet Admiral

Quick reference of one such scenario:

0 Likes
Cadet 2nd Class

Thank you for the helpful answers.  Bonding is interesting but I am not going to venture it out now.

Bull's eye! This is what I needed for the assignment. Thank you!

0 Likes

Paul,

I know that ArcSight Express 3.0 and 4.0 have always used 1 IP address and 1 NIC -- and I have opened tickets before with HP ArcSight Support to ask about utilizing the other NICs for both redundancy's sake and increased bandwidth.

As requested at the HP Protect roadmap panel in 2012, 2013, and again in 2014 --- why won't HP support teaming or bonding or something in the documentation and in supported knowledge bases, and Professional Services engagements to set this up?

Because I have asked and have always been told - by HP nope won't be supported - recommended to not be done at all - can't help with that ---- and won't guarantee the next Upgrade or release won't break what you have set up

---------------------- use case below --------------------------- if you run everything below here you can over run this 1 NIC -- easily

If Express is going to host Manager, Connector Manager, Web Dashboards and Web Console access - with Unlimited WEB users  - 1 NIC may not be sufficient for said application to function properly

Now - Express is EPS limited I know the max license is like 7,000 EPS or something like that  --- most users probably have a 1250/2500 eps or a 2500/5000 eps  -- license

However - you have Connector Manager on host.domain. :6443 - which just in the License has 1 Management interface and 1 container with 4 possible connectors --- by the way this smart connector can have the Windows Unified connector on it - the recommended max for a WUC is like 40 servers  -- and you can add more than 1 of these ------

You also have the Web Console - host.domain : 8443 - which has access to a limited web version of the console client, health, configurations, licensing, authentication, external auth and Dashboards ---with unlimited users

And ArcSight Web at host.domain. :9443 ---- which is more feature rich than dashboards but limits some of the web pieces - with Unlimited users

Along with Every MC Appliance - Connector Appliance - Logger - TRM -  calling across the same nic sending in events to be analyzed -----

0 Likes
Fleet Admiral

Ok, personal comments here - so not official by any stretch.....

I hate the term "not supported". It's negative, counter-productive and if it was up to me, I would ban the use of that phrase..... Let's be honest here, if it's possible, you can do it. Just don't necessarily call the support team to solve why it might not quite work! It's a fine line and sometimes we get it right and sometimes we get it wrong. I feel that in a lot of cases around "not supported" comments, we get it wrong. Network interface teaming is one, as are things around specific configurations. It's an OS configuration. It's like configuring Red Hat or CentOS to SNMP - it's "not supported" as such, but not because it doesn't work, it's because we just turn that feature on. In fact, if we were to do this correctly, we would remove EVERYTHING from the OS and only give it enough capability to what we provide - hence locking the system, application, platform and everything. Then we could truly enforce the whole "not supported" and it would go away.

However, we don't. We provide login to the appliance and you have a complete functional OS underneath that you can do things with. You can make the configuration settings, change things, add things and do what you want - we can't stop you, we can't prevent you. But if you install something like WebMin, we won't support it - because it's not our product, but you can be pretty damn sure it will work!!! Again, I would love to ban the whole "not supported" thing. How about calling it "don't call us" or something?

In this case, it's something that I have fought for many times and it's not something that I can win either. The issue is that to make something "supported" we need to provide a simple, auditable, controllable and tested way to make this a valid configuration option. For example, it needs to be an option in the first boot wizard and we need to provide a complete mechanism to manage, configure and "support" this. Since we don't do this, and there are no plans to add it, the official answer is that it is "not supported". Specifically, there are some issues with this setup process - certificate naming, resolution, IP address allocation and licensing. If we get it wrong, it has a massive impact on everything there and the system will not function. So technically it's an OS feature, but since we don't provide full management for this OS feature - it's "not supported".

Of course, it's an OS feature. You can do what you want on the appliance and make the customizations that you need. Be aware of the potential conflicts and issues and make sure you make the configuration settings carefully. You can't call support on why network teaming doesn't work, since it's an OS feature (and not an Express feature), but it's there and it DOES WORK. However, clearly, should the appliance burn in a terrible inferno - it will get replaced. When it is, it will be as standard as a normal appliance. It won't have teaming set up and it won't be ready to run out of the box. You will have to manage that configuration change, setup and configuration process yourself - so it does undermine the use of an appliance somewhat.


If you are good with that though, it does work and I know a few customers who are happy to sign off on the risks involved. So your choice, but just be aware, don't call us on this feature - it's not that it's "not supported" but more a case that you can't really call us to fix it.

Now, all that said, if it was my call? I wouldn't do it - mainly because I would be using different interfaces to different parts of the solution. But this is a whole different world of non-standard configurations! My preference is to use different interfaces for connectors for example and use Console access on a different port. That way you can start to separate and segregate things better and make it neater from a security point of view - but again, totally "not supported" but it works!!!

Doesn't help I am sure, but hopefully you can see the thinking, background and why we are here!

Oh, and the development team are working hard on the next version and a common architecture moving forward. That means updated appliances (we need to get on the latest Gen 9 Proliants, they are SCREAMERS!) and most likely an updated set of capabilities. No idea what the plans are, but it's in action and moving forward. Let's see and fingers crossed we can finally ban this whole "not supported" thing....

😉

0 Likes

Yes - As Paul has stated Bonding the Express or ESM NIC is part of the OS level of the Operating system that HP has certified the Software can run on -

Even the HP ArcSight = PDF on how to bond those interfaces states on appliances it is not an HP supported configuration for ----- APPLIANCES ----- on user owned hardware it is function of the core OS and is useable.

0 Likes