Installing Axonius Gateway
- Updated on 15 Sep 2024
Axonius Gateway is required only to connect adapters whose sources are accessible only from an internal or segregated network. You do not need to configure and install the Axonius Gateway to connect adapters whose sources are accessible from the internet (for Axonius-hosted deployments) or from the same network as the Axonius primary node (for Customer-hosted (on-premise / private cloud) deployments).
Deployment, installation and maintenance of the server, underlying OS and the Docker Engine are the responsibility of the customer.
The Axonius Gateway can run on any Linux distribution that supports Docker/Podman.
Axonius Gateway enables establishment of a link between an internal network and the primary Axonius instance, which may be an Axonius-hosted (SaaS) instance or Customer-hosted (on-premise / private cloud).
The Axonius-hosted (SaaS) instance resides in the cloud and is not part of your organization's internal network. Axonius securely fetches data from the organization's data sources, known as adapters. To connect adapters that are only accessible by an internal network or segregated network (for Customer-hosted (on-premise / private cloud)), you must configure and install an Axonius Gateway on a server that has access to those sources.
To establish the link between the primary Axonius instance and an internal/segregated network, you need to:
- Provision a server to be used as the Gateway server
- Install Docker Engine on the Gateway server
- Add a new Gateway Connection
- Install the Gateway installation package
- Configure and connect adapters to use an Axonius Gateway
1. Provision a server to be used as the Gateway server:
Provision a server that meets the following network requirements either by a direct connection or by HTTPS proxy:
- Access to the internet via TCP port 443 from the Gateway server.
- Access to the sources of the adapters that will be connected using this Gateway.
- The folder /opt/axonius must be writeable.
If you are using a Palo Alto firewall, you must use 'OpenVPN APP-ID' for destination port 443 in order to establish the Gateway. If you are using an IDS or DPI on your system, define the destination port protocol/profile as OpenVPN (and not HTTPS) in order to establish the Gateway.
The server hardware requirements are:
- An Intel x86 based architecture processor
- At least 1 GB of free disk space
- At least 1 GB of RAM dedicated to the Gateway container
For added security, when running Axonius Gateway on an AWS EC2 instance, we recommend disabling version 1 of AWS' Instance Metadata API (IMDSv1), as Axonius Gateway is fully-compatible with IMDSv2.
2. Install Docker Engine on the Gateway server
Install any Linux distribution that supports either the Docker or Podman container engine. Axonius recommends using Docker for Debian-based OS distributions such as Ubuntu and using Podman for RHEL/CentOS distributions; however, the tunnel installation will detect and use whatever container engine is installed.
- Install a container engine (Docker or Podman)
- If using Docker as your container engine, ensure that it is started and enabled to run on boot:
sudo systemctl enable --now docker
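The requirements from steps 1 and 2 can be checked on the candidate server before the installer is run. The script below is an added example, not part of the Axonius package: the function names are hypothetical, MemAvailable is used as a stand-in for RAM that can be dedicated to the container, and the reachability test covers a direct connection only (not an HTTPS proxy).

```shell
#!/bin/sh
# Added example: preflight for a prospective Gateway server. Thresholds and
# /opt/axonius come from the requirements above; function names are hypothetical.
MIN_KB=$((1024 * 1024))   # 1 GB expressed in KB

# Walk up to the nearest existing ancestor (the target dir may not exist yet).
nearest_existing() (
  p=$1
  while [ ! -e "$p" ] && [ "$p" != "/" ]; do p=$(dirname "$p"); done
  printf '%s\n' "$p"
)

# x86 check; takes a machine string so it can be tested, defaults to uname -m.
check_arch() {
  case "${1:-$(uname -m)}" in
    x86_64|amd64|i?86) return 0 ;;
    *) return 1 ;;
  esac
}

dir_writable() ( p=$(nearest_existing "$1"); [ -d "$p" ] && [ -w "$p" ] )
free_kb()      { df -Pk "$(nearest_existing "$1")" | awk 'NR==2 {print $4}'; }
avail_ram_kb() { awk '/^MemAvailable:/ {print $2}' /proc/meminfo; }  # assumption: proxy for dedicated RAM
meets_min()    { [ "${1:-0}" -ge "$2" ]; }   # $1 = measured KB, $2 = required KB

# Prints the first engine found; the search order here is an assumption.
container_engine() {
  for e in docker podman; do
    command -v "$e" >/dev/null 2>&1 && { echo "$e"; return 0; }
  done
  return 1
}

# Direct TCP connect test (no proxy support); host and port are passed as arguments, not interpolated.
can_reach() { timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null; }

# $1 = hostname of your Axonius instance, supplied by the operator.
preflight() (
  rc=0
  check_arch                        || { echo "FAIL: CPU is not x86"; rc=1; }
  dir_writable /opt/axonius         || { echo "FAIL: /opt/axonius not writeable"; rc=1; }
  meets_min "$(free_kb /opt/axonius)" "$MIN_KB" || { echo "FAIL: <1 GB free disk"; rc=1; }
  meets_min "$(avail_ram_kb)" "$MIN_KB" || { echo "FAIL: <1 GB available RAM"; rc=1; }
  container_engine >/dev/null       || { echo "FAIL: no docker/podman found"; rc=1; }
  can_reach "$1" 443                || { echo "FAIL: TCP/443 to $1 blocked"; rc=1; }
  exit "$rc"
)

if [ $# -gt 0 ]; then preflight "$1"; fi
```

Run it with the hostname of your Axonius instance as the only argument; a non-zero exit status means at least one requirement is unmet.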
3. Add a new Gateway Connection
To add a new Gateway connection:
From System Settings, under the System category, select Gateways. The Gateways page opens.
On the Gateways page, click Add Gateway.
The New Gateway Connection drawer appears.
Specify the following Gateway settings:
Gateway name (default: Gateway_x) - Specify an indicative name for the Gateway connection or use the system default. The Gateway name can always be changed.
Gateway status notification
- Notify by email when gateway is disconnected
- Notify by email when gateway is connected
Choose one or both of these options to send email notifications to the recipients defined when a Gateway is disconnected or connected. When you choose one of the options, the Recipient Email Address field is displayed.
- Recipient Email Address - Specify a list of email addresses to be notified when the Axonius Gateway disconnects or is connected, depending on the notification options that you chose.
Proxy settings (optional) - To configure a proxy service to be used by the Axonius Gateway, select the Use Proxy checkbox. Once enabled, configure the Proxy address and Proxy port fields. Proxy user name and Proxy password are optional fields for proxy services.
Set Backup Gateway - Under Backup Gateway, select one or more Gateways in the list to act as backup Gateways if the primary Gateway is unavailable.
Set as default Gateway connection - When selected, this Gateway is used by the system to connect to servers that are only accessible by an internal network such as LDAP servers and SMTP servers.
Click Create and Download.
- A Gateway record is added to the table.
- The Gateway installation package is downloaded.
4. Install the Gateway installation package
- Copy the Gateway installation package to the Gateway server.
- Execute the Gateway installation script. For example:
sudo chmod +x axonius_gateway_launcher_T-1.sh
sudo ./axonius_gateway_launcher_T-1.sh
When the installation package has finished successfully, it shows the following message: “The Axonius Gateway has been successfully installed.”
After the installation finishes, refresh the Gateways page and track the Gateway record status on the Connection Status field.
To uninstall the Axonius Gateway, execute the following command: ./axonius_gateway_launcher.sh uninstall
5. Configure and connect adapters to use an Axonius Gateway
Axonius Gateway is required only to connect adapters whose sources are accessible only from an internal or segregated network.
Gateway should not be selected if the source for the adapter is accessible from the internet or from your network.
- Open the Adapters page. Click the icon on the left navigation panel.
- Search for and click the relevant adapter. The Adapter Connections page opens displaying the list of configured connections.
- Add a new connection: click Add Connection. The Adapter Connection Configuration dialog opens.
- Populate the required information.
- Select the requested Gateway Connection on the Gateway Name field. Click Save.
- To save your changes and to establish a connection to the adapter connection using the configured credentials, click Save and Fetch.
Gateway Installation Best Practices
To uphold the principle of least privilege, install the Gateway in a secure location within your network, ideally a protected network where traffic in and out of the subnet can be strictly controlled. Traffic originating from your Axonius Gateway should be blocked by default. The ports and protocols required for the operation of an Axonius Gateway are listed in the tables below, and only these connections should be permitted through your firewall. Replace * with your Axonius Hosted ID:
Axonius-hosted (SaaS)
Source IP | Destination | Port | Application | Note |
---|---|---|---|---|
Gateway Server IP | *.on.axonius.com | TCP/443 | HTTPS | GUI Access. Required for fetching the Gateway container. |
Gateway Server IP | tun-*.on.axonius.com | TCP/443 | OpenVPN | Gateway Connection |
Gateway Server IP | Internal Systems | Various | Various | Adapter Data sources. Add one rule per adapter connection, using the correct destination IP/Port/Protocol |
Customer-hosted (on-premise / private cloud)
Source IP | Destination | Port | Application | Note |
---|---|---|---|---|
Gateway Server IP | Primary Axonius IP | TCP/2212 | OpenVPN | Gateway Connection |
Gateway Server IP | Primary Axonius IP | TCP/443 | HTTPS | Required for fetching the Gateway container |
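Once the default-deny policy is in place, flow records from the firewall can be audited against the same table. The script below is an added example, not Axonius tooling: it builds the Customer-hosted allowlist (the IP-based table) and flags any Gateway-originated flow outside it. The record format `src dst proto/port`, all addresses, the LDAPS adapter rule and the function names are constructed for illustration, and only IPv4 is handled.

```shell
#!/bin/sh
# Added example: flag Gateway-originated flows that fall outside the allowlist.
# Addresses are constructed (RFC 1918 / RFC 5737); function names are hypothetical.

# Emit "ip proto/port" lines for a Customer-hosted deployment.
# $1 = Primary Axonius IP; remaining args = adapter sources as ip:proto/port.
build_allowlist() {
  primary=$1; shift
  printf '%s tcp/2212\n%s tcp/443\n' "$primary" "$primary"   # rows from the table above
  for src in "$@"; do printf '%s %s\n' "${src%%:*}" "${src#*:}"; done
}

# Reads "src dst proto/port" records on stdin and prints the violations.
# $1 = Gateway server IP, $2 = allowlist file written by build_allowlist.
audit_egress() {
  awk -v gw="$1" -v af="$2" '
    BEGIN { while ((getline line < af) > 0) allow[line] = 1 }
    $1 == gw { k = $2 " " $3; if (!(k in allow)) print "VIOLATION " k }
  '
}

# Constructed flow records; the last one has a different source and is ignored.
sample_flows() {
  cat <<'EOF'
10.0.5.10 10.0.1.20 tcp/2212
10.0.5.10 10.0.1.20 tcp/443
10.0.5.10 10.0.9.30 tcp/636
10.0.5.10 203.0.113.50 tcp/443
10.0.5.10 10.0.9.31 tcp/22
10.0.7.77 198.51.100.9 tcp/80
EOF
}

# Gateway 10.0.5.10, primary node 10.0.1.20, one adapter rule (LDAPS on 10.0.9.30).
run_demo() {
  tmp=$(mktemp)
  build_allowlist 10.0.1.20 10.0.9.30:tcp/636 > "$tmp"
  sample_flows | audit_egress 10.0.5.10 "$tmp"
  rm -f "$tmp"
}

run_demo
```

Each `VIOLATION` line is either a missing adapter rule or traffic the Gateway should never have sent, and both cases warrant review.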
For more details about configuring adapter connections, see: