Using Advanced Threat Defense clusters

When you configure clusters, you use the primary node to manage the configuration for the cluster, and Advanced Threat Defense uses the secondary nodes as backup.

Certain configurations can only be done using the primary node. When you save these configurations, the primary node sends a snapshot of its current configuration as a file to all secondary nodes. The secondaries save these settings in their database. This synchronization process does not affect the file analysis capabilities of an Advanced Threat Defense Appliance.

The primary node holds the latest version of the configuration file. If the configuration file version on a secondary node does not match the primary's, the primary node automatically pushes its configuration file to that secondary. The primary node's copy always overrides the synchronized configurations on the secondary nodes.

When treated as part of a cluster, the secondary nodes are transparent to users and integrated products.

  • You can use a secondary Advanced Threat Defense directly for file submission and report retrieval, but you cannot modify any of the synchronized configurations on it.
  • Both files and URLs submitted for analysis are distributed across the nodes to achieve load-balancing.

  1. Factor in the following when you decide on the primary node:
    • Use the primary node's IP address to submit files and to manage the configuration.
    • Products such as Network Security Platform, Web Gateway and Email Gateway must be integrated using the primary node's IP address. Because results and reports are retrieved through the primary node, connectivity between the integrated products and the secondary nodes is not mandatory. Starting with release 3.4.2, if you choose to configure a Backup node, the Cluster IP address is the point of contact for these integrated products.
  2. Make sure that the integrated products are configured to use the primary node. This includes the integrated McAfee products and any third-party applications or scripts that use the Advanced Threat Defense REST APIs. Starting with release 3.4.2, if you choose to configure a Backup node, these integrated products use the Cluster IP address as their point of contact instead.
Advanced Threat Defense Appliance clusters

How are the individual files in a .zip file analyzed by an Advanced Threat Defense cluster?

When you submit a file or URL, Advanced Threat Defense assigns it a unique job ID and a task ID. These IDs are incremental integers. When you submit a .zip file, the component files are extracted and analyzed separately. The job ID for all component files of a .zip file is the same as that of the .zip file's job ID. But, the task ID varies for each component file.

When you submit a .zip file to an Advanced Threat Defense cluster, the primary node identifies the node that is next in line to receive a file and sends the entire .zip file to that node. The node that receives the .zip file extracts the component files and analyzes them. This applies to .zip files nested within a .zip file as well.

  • If a Sensor submits the .zip file, Advanced Threat Defense generates a cumulative report for the entire .zip file. That is, one report per .zip file is sent to the Manager when it queries for the report. Web Gateway supports .zip file submission from version 7.6.0 onward.
  • If you submit a .zip file to the primary node, using its web interface for example, individual reports are generated for the component files in the .zip file.

The primary node then extracts the component files from the .zip file and distributes them all to the same node for analysis. The primary polls that secondary for the analysis status and results using each component file's unique task ID.

How do you upgrade the Advanced Threat Defense software for the nodes in a cluster?

Following is the recommended procedure to upgrade the Advanced Threat Defense software for the nodes in a cluster:

  1. In a typical load-balancing scenario, first upgrade the software on the Backup node. The node remains part of the cluster, but because of the version mismatch, incoming samples are not submitted to it; samples are distributed only between the Primary and secondary nodes. The Status column for the Backup node on the Load-balancing page displays the following message:

    Node is on different software version

  2. Upgrade the secondary nodes. After you have upgraded more than 50 percent of the secondary nodes, upgrade the Primary node.
  3. Because the Primary node is down during its upgrade, the Backup node takes over the Active role and distributes incoming samples between itself (Active) and the upgraded secondary nodes. Even after the Primary node upgrade completes, the Backup node continues in the Active role.
  4. Upgrade the remaining secondary nodes.
Important: Do not select Reset Database when you upgrade any of the nodes. If this option is selected for the primary node, the cluster goes down after the upgrade. If it is selected for a secondary node, that node breaks away from the cluster after the upgrade.
Important: When nodes upgraded to 3.4.8 or later have different Max Wait-Time Threshold values configured, the administrator must click the Sync All Nodes tab. This synchronizes the Max Wait-Time Threshold value across all nodes; the value assigned on the Primary node is applied to every node in the cluster.
Important: When you use the Troubleshooting page to delete previously analyzed reports from all nodes in the Advanced Threat Defense cluster, do so sequentially: delete the reports on all secondary nodes first, and the reports on the Primary or Active node last.

Syslog events for Load Balancing

Syslog events are generated for state transitions of the Primary and Backup nodes. Once a state has changed, these events are generated at a 5-minute interval.

Below is sample output for the syslog event generated when the state of a Primary/Backup node changes from Active to Health Bad, and for the reverse transition:

Dec 13 02:20:01 MATDMIC1U-014 ATD2ESM[771]: {"LB Alert": {"ATD IP": "10.213.***.**", "Timestamp": "2014-12-13 10:17:39", "Old State": "ACTIVE", "New State": "HEALTH BAD"}}

Dec 13 10:00:02 MATDMIC1U-014 ATD2ESM[23873]: {"LB Alert": {"ATD IP": "10.213.***.***", "Timestamp": "2014-12-13 17:55:37", "Old State": "HEALTH BAD", "New State": "ACTIVE"}}

Similarly, syslog events are generated for the following scenarios:

  • When the Load-Balancing service status on a Primary/Backup node changes to Down or Up
  • When the Load-Balancing node state changes from Active to Down, or from Down to Active
  • When the configuration on the Backup node does not match the Primary node
  • When the software version on the Backup node does not match the Primary node
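A small parser for the LB Alert syslog lines shown above, added here as an example that is not part of the original documentation or the product. It normalizes each event, flags transitions into HEALTH BAD or DOWN (an assumed severity policy), tolerates the missing closing brace seen in some exported samples, and tracks the latest state per node IP; the host name and IP addresses in the sample lines are constructed.

```python
import json
import re

# Syslog prefix as shown in the page's samples: "Dec 13 02:20:01 <host> ATD2ESM[<pid>]: <json>"
SYSLOG_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ ATD2ESM\[\d+\]: (?P<payload>\{.*)$")

# New states that should page the on-call rather than just be recorded (assumed policy).
CRITICAL_STATES = {"HEALTH BAD", "DOWN"}


def parse_lb_alert(line):
    """Return a normalized dict for an LB Alert line, or None for any other syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    payload = m.group("payload")
    try:
        doc = json.loads(payload)
    except json.JSONDecodeError:
        # Exported samples sometimes lack the final closing brace; tolerate exactly that defect.
        try:
            doc = json.loads(payload + "}")
        except json.JSONDecodeError:
            return None
    alert = doc.get("LB Alert")
    if not isinstance(alert, dict):
        return None
    return {
        "node_ip": alert.get("ATD IP"),
        "event_time": alert.get("Timestamp"),
        "old_state": alert.get("Old State"),
        "new_state": alert.get("New State"),
        "critical": alert.get("New State") in CRITICAL_STATES,
    }


def summarize(lines):
    """Return (count of critical transitions, latest known state per node IP) for a batch of lines."""
    critical, latest = 0, {}
    for ev in filter(None, map(parse_lb_alert, lines)):
        critical += ev["critical"]
        latest[ev["node_ip"]] = ev["new_state"]
    return critical, latest


# Constructed sample lines modelled on the page's output; host name and IPs are made up.
SAMPLE_LINES = [
    'Dec 13 02:20:01 atd-node-1 ATD2ESM[771]: {"LB Alert": {"ATD IP": "192.0.2.10", '
    '"Timestamp": "2014-12-13 10:17:39", "Old State": "ACTIVE", "New State": "HEALTH BAD"}',
    "Dec 13 02:25:01 atd-node-1 sshd[1200]: Accepted publickey for admin from 192.0.2.50",
    'Dec 13 10:00:02 atd-node-1 ATD2ESM[23873]: {"LB Alert": {"ATD IP": "192.0.2.10", '
    '"Timestamp": "2014-12-13 17:55:37", "Old State": "HEALTH BAD", "New State": "ACTIVE"}}',
]
```

Feeding a tail of the syslog file into summarize() gives a quick view of which nodes last reported a bad state, which is useful when deciding whether a Backup takeover during an upgrade was expected.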