Installing Axonius Gateway
  • 28 Mar 2024

Notes
  • This functionality is currently applicable only for Axonius-hosted (SaaS) customers.
  • Axonius Gateway is only required to connect adapters whose sources are only accessible by an internal network. Configuring and installing the Axonius Gateway is not required to connect adapters that are accessible to the internet.

Axonius Gateway establishes a link between an internal network and the Axonius-hosted (SaaS) instance.

The Axonius-hosted (SaaS) instance resides in the cloud and is not part of your organization's internal network. Axonius securely fetches data from the organization's data sources, known as adapters. To connect adapters that are only accessible by an internal network, you must configure and install an Axonius Gateway on a server that has access to those sources.


To establish the link between the Axonius-hosted (SaaS) instance and an internal network, you need to:

  1. Provision a server to be used as the Gateway server
  2. Install Docker Engine on the Gateway server
  3. Add a new Gateway Connection
  4. Install the Gateway installation package
  5. Configure and connect adapters to use an Axonius Gateway

1. Provision a server to be used as the Gateway server:

Provision a server that meets the following network requirements either by a direct connection or by HTTPS proxy:

  • Access to the internet via TCP port 443 from the Gateway server.
  • Access to the sources of the adapters that will be connected using this Gateway.
  • The folder /opt/axonius must be writeable.
Note:

If you are using a Palo Alto firewall, you must use 'OpenVPN APP-ID' for destination port 443 in order to establish the Gateway.

Note:

If you are using an IDS or DPI on your system, define the destination port protocol/profile as OpenVPN (and not HTTPS) in order to establish the Gateway.

The server hardware requirements are:

  • An Intel x86 based architecture processor
  • At least 1 GB of free disk space
  • At least 1 GB of RAM dedicated to the Gateway container
Note:

For added security, when running Axonius Gateway on an AWS EC2 instance, we recommend disabling version 1 of AWS' Instance Metadata API (IMDSv1), as Axonius Gateway is fully-compatible with IMDSv2.
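
The requirements in this step can be checked on the candidate server before installing. The following script is an added example, not part of the Axonius documentation or installer; its function names are hypothetical, and it assumes a Linux host with df, awk and curl available.

```shell
#!/bin/sh
# Added example (not Axonius code): preflight for a prospective Gateway server.
# Thresholds follow the requirements above; all function names are hypothetical.
MIN_KB=1048576   # 1 GB expressed in KiB
fails=0

# x86 check against the machine name reported by `uname -m`.
check_arch() { case "$1" in x86_64|amd64|i?86) return 0 ;; *) return 1 ;; esac; }

# True when a measured KiB value ($1) meets the 1 GB minimum.
check_min_kb() { [ "${1:-0}" -ge "$MIN_KB" ] 2>/dev/null; }

# Classify the HTTP status of a token-less request to the EC2 metadata service.
imds_verdict() {
    case "$1" in
        200) echo "imdsv1-enabled" ;;     # answered without a session token
        401) echo "imdsv2-only" ;;        # token required, so IMDSv1 is off
        403) echo "endpoint-disabled" ;;  # metadata service turned off
        *)   echo "not-reachable" ;;      # not on EC2, or the request timed out
    esac
}

# Print PASS/FAIL for a check's exit status ($1) and count failures.
tally() {
    if [ "$1" -eq 0 ]; then echo "PASS  $2"; else echo "FAIL  $2"; fails=$((fails + 1)); fi
}

preflight() {
    dir=${1:-/opt/axonius}
    check_arch "$(uname -m)"; tally $? "x86 processor"
    [ -d "$dir" ] && [ -w "$dir" ]; tally $? "$dir is writeable"
    check_min_kb "$(df -Pk "$dir" 2>/dev/null | awk 'NR==2 {print $4}')"
    tally $? "1 GB free disk under $dir"
    check_min_kb "$(awk '/^MemAvailable:/ {print $2}' /proc/meminfo 2>/dev/null)"
    tally $? "1 GB RAM available"
    code=$(curl -s -o /dev/null -m 2 -w '%{http_code}' \
        http://169.254.169.254/latest/meta-data/ 2>/dev/null) || true
    verdict=$(imds_verdict "$code")
    [ "$verdict" != "imdsv1-enabled" ]; tally $? "IMDSv1 not answering ($verdict)"
    return "$fails"
}

# Run the checks only when invoked as: sh preflight.sh --run [dir]
if [ "${1:-}" = "--run" ]; then preflight "${2:-}"; fi
```

If the IMDS check fails on an EC2 instance, `aws ec2 modify-instance-metadata-options --instance-id <instance-id> --http-tokens required` switches the instance to IMDSv2 only.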

2. Install Docker Engine on the Gateway server

Install any Linux distribution that supports Docker on the provisioned server (the Gateway server).

  1. Install the Docker Engine software on the Gateway server.
  2. Verify Docker is running: sudo systemctl enable docker; sudo systemctl start docker
Note:

The Axonius Gateway container and installer have been tested and certified on Ubuntu and on CentOS, but may also be supported on Debian and RedHat.

Note:

Axonius recommends Podman for customers who want to use RHEL 8 or 9. Refer to Podman Installation.
For other architectures, you may be able to install the CentOS package. Refer to Install Docker Engine on CentOS.

3. Add a new Gateway Connection

To add a new Gateway connection:

  1. On the Gateway page, click Add Gateway.

  2. The New Gateway Connection drawer appears.

  3. Specify the following Gateway settings:

    • Gateway name (optional, default: Gateway_x) - Specify an indicative name for the Gateway connection or use the system default. The Gateway name can always be changed.

    • Gateway status notification - Choose one or both of these options to send email notifications to the recipients defined when a Gateway is disconnected or connected. When you choose one of the options, the Recipient Email Address field is displayed.
      • Notify by email when gateway is disconnected
      • Notify by email when gateway is connected

    • Recipient Email Address - Specify a list of email addresses to be notified when the Axonius Gateway disconnects or is connected, depending on the notification options that you chose.

    • Proxy settings (optional, default: empty) - To configure a proxy service to be used by the Axonius Gateway, select the Use Proxy checkbox. Once enabled, configure the Proxy address and Proxy port fields. Proxy user name and Proxy password are optional fields for proxy services.

  4. Click the Create and Download button.
    • A Gateway record is added to the table.
    • The Gateway installation package is downloaded.

4. Install the Gateway installation package

  1. Copy the Gateway installation package to the Gateway server.
  2. Execute the Gateway installation package as the “root” user. For example:
     chmod +x axonius_gateway_launcher_T-1.sh
     ./axonius_gateway_launcher_T-1.sh

When the installation package has finished successfully, it shows the following message: “The Axonius Gateway has been successfully installed.”

After the installation finishes, refresh the Gateways page and track the Gateway record status on the Connection Status field.

Note:
  • To prevent the Axonius Gateway from restarting automatically when the Docker Engine starts up, execute the following command: ./axonius_gateway_launcher.sh no_auto_start
  • To uninstall the Axonius Gateway, execute the following command: ./axonius_gateway_launcher.sh uninstall

5. Configure and connect adapters to use an Axonius Gateway

Note:

Axonius Gateway is only required if the source for the adapter is only accessible by an internal network.
Gateway should not be selected if the source for the adapter is accessible from the internet.

  1. Open the Adapters page. Click the Adapters icon on the left navigation panel.
  2. Search for and click the relevant adapter. The Adapter Connections page opens displaying the list of configured connections.
  3. To add a new connection, click Add Connection. The Adapter Connection Configuration dialog opens.
  4. Populate the required information.
  5. Select the requested Gateway Connection in the Gateway Name field. Click Save.
  6. To save your changes and to establish a connection to the adapter connection using the configured credentials, click Save and Fetch.

Gateway Installation Best Practices

To uphold the principle of least privilege, install the Gateway in a secure location within your network, ideally a DMZ or protected network where traffic in and out of the subnet can be strictly controlled. The default policy for traffic originating from your Axonius Gateway should be to block it. The ports and protocols required for the operation of an Axonius Gateway are listed in the table below, and only these connections should be permitted through your firewall. Replace * with your Axonius Hosted ID:

| Source IP | Destination | Port | Application | Note |
| --- | --- | --- | --- | --- |
| Gateway Server IP | *.on.axonius.com | TCP/443 | HTTPS | GUI Access. Required for fetching the Gateway container. |
| Gateway Server IP | tun-*.on.axonius.com | TCP/443 | OpenVPN | Gateway Connection |
| Gateway Server IP | Internal Systems | Various | Various | Adapter Data sources. Add one rule per adapter connection, using the correct destination IP/Port/Protocol |
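
To confirm that the firewall policy above holds in practice, connection-tracking output from the Gateway server can be compared against an allowlist built from the table. This script is an added example, not Axonius code; the function names, the allowlist file format and all addresses are constructed, and it assumes the two Axonius hostnames have already been resolved to IP addresses.

```shell
#!/bin/sh
# Added example (not Axonius code): flag Gateway-server flows outside the allowlist.
# Usage: conntrack -L -p tcp | audit_egress ALLOWLIST_FILE GATEWAY_IP
# ALLOWLIST_FILE holds one "ip:port" per line; "#" starts a comment.
audit_egress() {
    awk -v allow="$1" -v self="$2" '
        BEGIN {
            bad = 0
            while ((getline line < allow) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                if (line != "") ok[line] = 1
            }
        }
        {
            dst = ""; dport = ""
            for (i = 1; i <= NF; i++) {   # first dst=/dport= is the original direction
                if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
                if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
            }
            if (dst == "" || dst == self) next   # skip inbound flows (e.g. admin SSH)
            if (!((dst ":" dport) in ok)) { print "UNEXPECTED " dst ":" dport; bad = 1 }
        }
        END { exit bad }
    '
}

sample_allowlist() {   # constructed: resolved Axonius endpoints plus one adapter source
    cat <<'EOF'
192.0.2.10:443    # <hosted-id>.on.axonius.com (HTTPS)
192.0.2.20:443    # tun-<hosted-id>.on.axonius.com (OpenVPN)
10.20.0.15:636    # adapter source on the internal network
EOF
}

sample_conntrack() {   # constructed lines in `conntrack -L -p tcp` format
    cat <<'EOF'
tcp 6 431990 ESTABLISHED src=10.0.0.5 dst=192.0.2.20 sport=40112 dport=443 src=192.0.2.20 dst=10.0.0.5 sport=443 dport=40112 [ASSURED] mark=0 use=1
tcp 6 431800 ESTABLISHED src=10.0.0.5 dst=10.20.0.15 sport=51544 dport=636 src=10.20.0.15 dst=10.0.0.5 sport=636 dport=51544 [ASSURED] mark=0 use=1
tcp 6 300 ESTABLISHED src=10.0.0.77 dst=10.0.0.5 sport=60022 dport=22 src=10.0.0.5 dst=10.0.0.77 sport=22 dport=60022 [ASSURED] mark=0 use=1
tcp 6 110 TIME_WAIT src=10.0.0.5 dst=198.51.100.7 sport=33440 dport=80 src=198.51.100.7 dst=10.0.0.5 sport=80 dport=33440 [ASSURED] mark=0 use=1
EOF
}

# Run against the constructed samples when invoked as: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); sample_allowlist > "$tmp"
    sample_conntrack | audit_egress "$tmp" 10.0.0.5; echo "exit status: $?"
    rm -f "$tmp"
fi
```

A non-zero exit status means at least one flow left the Gateway server for a destination that has no matching firewall rule in the allowlist.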



For more details about configuring adapter connections, see:


