NetBackup Flex Appliance Getting Started and Administration Guide

Last Published:
Product(s): Appliances (6.2, 6.1, 6.0)
Platform: Flex Appliance OS
  1. Product overview
    1.  
      Introduction to Flex Appliance
    2.  
      Flex Appliance terminology
    3.  
      About the Flex Appliance documentation
  2. Release notes
    1.  
      Flex Appliance 6.0 new features, enhancements, and changes
    2.  
      Flex Appliance 6.1 new features, enhancements, and changes
    3.  
      Flex Appliance 6.2 new features, enhancements, and changes
    4.  
      Supported update paths to this release
    5.  
      Operational notes
    6.  
      Flex Appliance 6.0 release content
    7.  
      Flex Appliance 6.1 release content
    8.  
      Flex Appliance 6.2 release content
  3. Getting started
    1.  
      Initial configuration guidelines and checklist
    2.  
      Performing the initial configuration
    3.  
      Adding a node
    4.  
      Accessing and using the Flex Appliance Shell
    5.  
      Accessing and using the Flex Appliance Console
    6.  
      Setting the date and time for appliance nodes
    7.  
      Common tasks in Flex Appliance
  4. Managing network settings for instances
    1.  
      Creating a network bond
    2.  
      Editing a network bond
    3.  
      Deleting a network bond
    4.  
      Configuring or editing a network interface
    5. Managing the appliance Fibre Channel ports
      1.  
        Viewing the devices that are connected to the Fibre Channel ports
  5. Managing users
    1.  
      Overview of the Flex Appliance default users
    2. Managing Flex Appliance Console users and tenants
      1.  
        Adding a tenant
      2.  
        Editing a tenant
      3.  
        Removing a tenant
      4.  
        Adding a local user to the Flex Appliance Console
      5.  
        Connecting a remote user domain to the Flex Appliance Console
      6.  
        Editing a remote user domain in the Flex Appliance Console
      7.  
        Importing a remote user or user group to the Flex Appliance Console
      8.  
        Managing single sign-on (SSO)
      9.  
        Managing identity providers (IDPs)
      10.  
        Importing a single sign-on user or user group to the Flex Appliance Console
      11.  
        Managing user authentication with smart cards or digital certificates
      12.  
        Changing a local user password in the Flex Appliance Console
      13.  
        Expiring local user passwords in the Flex Appliance Console
      14.  
        Unlocking a user account in the Flex Appliance Console
      15.  
        Managing open sessions
      16.  
        Removing user or service accounts from the Flex Appliance Console
    3.  
      Changing the password policy
    4.  
      Changing the hostadmin user password in the Flex Appliance Shell
    5.  
      Changing the sysadmin user password in the Veritas Remote Management Interface
    6. Managing multifactor authentication
      1.  
        Configuring or reconfiguring multifactor authentication
      2.  
        Enforcing multifactor authentication
      3.  
        Resetting multifactor authentication
      4.  
        Disabling multifactor authentication
    7. Using Flex Appliance Console accounts for API automation
      1.  
        Managing personal API tokens
      2.  
        Managing service accounts
  6. Using Flex Appliance
    1. Managing the repository
      1.  
        Adding files to the repository
      2.  
        Removing files from the repository
    2.  
      Creating application instances
    3.  
      Managing application instances from Flex Appliance and NetBackup
    4. Managing application instances from Flex Appliance
      1.  
        Resizing instance storage
      2.  
        Editing instance network settings
      3.  
        Assigning Fibre Channel ports to an instance
      4.  
        Unassigning Fibre Channel ports from an instance
      5. Managing application add-ons on instances
        1.  
          Installing application add-ons
        2.  
          Uninstalling application add-ons
        3.  
          Changing the application add-on installation order
        4.  
          Updating an application add-on to a newer revision
      6.  
        Clearing a configuration error status on an application instance
      7.  
        Deleting an application instance
    5. Upgrading application instances
      1.  
        Warnings and considerations for instance rollbacks
    6.  
      Updating an application instance to a newer revision
    7. About Flex Appliance updates
      1.  
        Updating Flex Appliance
      2.  
        Updating the firmware
    8.  
      Changing the BIOS password
    9.  
      Locating the node serial number
  7. Remote replication
    1.  
      About remote replication
    2.  
      Pairing appliances for remote replication
    3.  
      Creating a replica
    4. Managing remote replication
      1.  
        Remote replication best practices
      2.  
        Monitoring remote replication
      3.  
        Editing the replication network
      4.  
        Repairing a lost connection between paired appliances
      5.  
        Pausing and resuming replication
      6.  
        Resolving discrepancies between an active and a replica instance
      7.  
        Changing the replication role of an instance
      8.  
        Unlinking active and replica instances
      9.  
        Forgetting a paired appliance
  8. Appliance security
    1.  
      Security overview
    2. About lockdown mode
      1.  
        Changing the lockdown mode
    3.  
      Using a sign-in banner
    4.  
      Using an external certificate
    5. Using network access control
      1.  
        Changing the SSH port
    6.  
      Recommended settings for the remote management (IPMI) port
  9. Monitoring the appliance
    1.  
      Registering an appliance
    2. Configuring alerts
      1. About AutoSupport and Call Home
        1.  
          Configuring Call Home
      2.  
        Configuring email alerts
      3.  
        Configuring SNMP alerts
      4.  
        Setting the threshold values for disk usage alerts
    3.  
      Viewing performance metrics
    4.  
      Monitoring the appliance from the System Health Insights portal
    5. Viewing the hardware status
      1.  
        Viewing node information
      2.  
        Viewing storage shelf information on a 53xx appliance
      3.  
        Viewing storage shelf information on a 52xx appliance
    6.  
      Viewing hardware faults
    7.  
      Viewing system data
    8.  
      Clearing the hardware status
    9.  
      Forwarding logs
    10.  
      Providing access for external monitoring
    11.  
      Revoking access for external monitoring
  10. Reconfiguring the appliance
    1.  
      Reconfiguring the appliance network
    2.  
      Changing DNS or Hosts file settings
    3.  
      Shutting down the appliance
    4.  
      Performing a factory reset
    5.  
      Performing a reimage
    6.  
      Recovering storage data after a factory reset or a reimage
    7.  
      Performing a storage reset
    8.  
      Removing a node
    9.  
      Viewing or resetting the storage shelf order on a 52xx appliance
  11. Troubleshooting guidelines
    1.  
      General troubleshooting steps
    2.  
      Unlocking access in lockdown mode
    3. Gathering logs
      1.  
        Deleting logs

Security overview

Flex Appliance includes multiple features to ensure the security of your data. Each element of the appliance is tested for vulnerabilities using both industry standards and advanced security products. These measures ensure that exposure to unauthorized access and resulting data loss or theft is minimized.

Flex Appliance also uses the Security Technical Implementation Guide (STIG) template to meet security requirements per the Defense Information Systems Agency (DISA) profile.

The security features in this release include but are not limited to the following:

  • OS security hardening, including Security-Enhanced Linux (SELinux).

  • Forced password changes during initial configuration to make sure that the default password does not remain active on the system.

  • The ability to set your own password policy, including the option to use STIG for validation.

    See Changing the password policy.

  • No root access from the Flex Appliance Console.

  • Lockdown mode and WORM storage support, which let you set additional access restrictions and block data deletion during a specified retention period.

    Lockdown mode also restricts root access from the Flex Appliance Shell.

    See About lockdown mode.

  • The ability to add a sign-in banner that appears before a user signs in to the Flex Appliance Console and the Flex Appliance Shell.

    See Using a sign-in banner.

  • Support for external certificates.

    See Using an external certificate.

  • Support for multifactor authentication, including the ability to enforce it for all Flex Appliance Console users.

    See Managing multifactor authentication.

  • Session timeouts that automatically sign users out of the Flex Appliance Console and the Flex Appliance Shell after 10 minutes of inactivity.

  • Conformance to the Federal Information Processing Standards (FIPS) 140-2.

  • Password protection in the Flex Appliance Console that locks local user accounts after three sign-in attempts with incorrect passwords. If a security administrator account becomes locked, it is unlocked automatically after 30 minutes. If a different local user account becomes locked, that user and a security administrator must work together to unlock it.

  • Sign-in protection in the Flex Appliance Console that locks user accounts with multifactor authentication for 15 minutes after three sign-in attempts with incorrect codes.

  • Login protection in the Flex Appliance Shell that locks the hostadmin account for 15 minutes after three login attempts with incorrect passwords or multifactor authentication codes.

  • Password protection that restricts access to the GRUB menu except with assistance from Technical Support. If you need to edit GRUB, contact Technical Support and ask your representative to reference article 100048098.

  • Support for Transport Layer Security (TLS) anonymous authentication versions 1.3 and 1.2 for all connections to the appliance except for SNMP connections. Version 1.3 is used by default, while version 1.2 is available for backwards compatibility.

    SNMP connections use the User-based Security Model (USM).

  • Mandatory access controls that limit resource access only to those programs and activities that require it, regardless of their system privileges.

  • A built-in firewall that blocks all access except for the ports that are required for backup and management.

  • Namespaces that partition system resources into distinct, isolated compartments. Each instance gets its own "view" of these resources, which prevents processes within one instance from seeing or interfering with processes or resources in another instance or on the appliance.

    Instances are also assigned limited-service privileges that define which executables and system calls are allowed without the need for elevated system privileges. Moreover, NetBackup services are separated from the backup images that are stored on WORM instances.

Also note the following information regarding the appliance security:

  • IP forwarding is enabled in Flex Appliance by design; it is used to facilitate network communication between application instances and external networks.

  • Simultaneous multithreading (smt) is enabled by default on the 53xx appliance.

    The following vulnerabilities affect this feature:

    • CVE-2018-12130

    • CVE-2018-12126

    • CVE-2018-12127

    • CVE-2019-11091

    You can disable smt to address these vulnerabilities; however, significant performance degradation may occur. If you want to disable smt, contact Technical Support and ask your representative to reference article 100046154.