Skip to main content

Hi!

 

We recently deployed 2 HyperScale X Reference Architecture clusters at a customer, and found out that:

 

  1. Ransomware Protection is not enabled by default
  2. Linux Firewall is not enabled by default

 

In my opinion, in current times, it is strange that by default the solution is so insecure.

Why are the firewall and ransomware protection not enabled by default? And will that be addressed in a future release?

Hi @Patrick Dijkgraaf 

Ransomware protection by default for HSX is being worked on and should be available in future releases.

For enabling firewalld, you can add the regkey sHSEnableFirewall Y in /etc/CommvaultRegistry/Galaxy/Instance001/MediaAgent/.properties

It will enable firewalld by default from next boot. Ensure you meet the firewall requirements.

https://documentation.commvault.com/11.24/expert/132961_firewall_port_requirements_for_hyperscale_x_reference_architecture.html


Hi @R Anwar 

Thanks for the fast response! Good to know this is being worked on!

Regarding the firewall requirements, I see that for Commvault Distributed Storage (CDS), a HUGE amounts of ports are required…! This is probably only required on the Storage network, right? And not on the Data Protection network?

 


Anyone able to confirm? Thanks!


@R Anwar , can you confirm?  I’ll reach out to some other people internally to see if I can confirm for you @Patrick Dijkgraaf !


Hi @Patrick Dijkgraaf 

Yes, these port requirements for CDS is on the Storage Pool network.

 


Hello @Mike Struening , @R Anwar  and @Patrick Dijkgraaf ,


In our case, Hyperscale X Reference, 3 Nodes from HPE, In Health report, I see the following NEEDS ATTENTION about Platform Hardening.

Does anyone have an idea what is this?

Thank you in advance,
Nikos


Hello @Mike Struening , @R Anwar  and @Patrick Dijkgraaf ,


In our case, Hyperscale X Reference, 3 Nodes from HPE, In Health report, I see the following NEEDS ATTENTION about Platform Hardening.

Does anyone have an idea what is this?

Thank you in advance,
Nikos


 

I sent a follow-up response.

Performance hardening fixed by disabling root access!

 

Best regards,
Nikos


Hi!

 

We recently deployed 2 HyperScale X Reference Architecture clusters at a customer, and found out that:

 

  1. Ransomware Protection is not enabled by default
  2. Linux Firewall is not enabled by default

 

In my opinion, in current times, it is strange that by default the solution is so insecure.

Why are the firewall and ransomware protection not enabled by default? And will that be addressed in a future release?

With the release of HyperScale X Platform v3 all platform hardening features are enabled by default during initial deployment and when new nodes are added to an existing cluster. Just make sure your using our v3 media (the version number list at the end will start with 3, for example 3.2408)

For existing clusters deployed on v2 these options can be enabled manually following our documentation here: https://documentation.commvault.com/2024e/expert/configuring_immutability_on_hyperscale_x.html

Additionally when you upgrade nodes from v2 to v3 these features are automatically enabled as part of the upgrade process, even if they were not previously enabled.


Reply