This page covers the AI Runtime Security: Network intercept deployment
in private clouds.
It is deployed between applications running in private clouds and the
large language models (LLMs) they call on public clouds.
Refer to the public models support table to view a list
of public clouds we support. AI Runtime Security: Network intercept is supported on
the ESXi and KVM private clouds.
You can manually deploy and bootstrap the AI Runtime Security:
Network intercept in private cloud environments. The firewall can be managed by
Strata Cloud Manager or Panorama. Strata Cloud Manager supports only Logical Router
(LR) configuration, and Panorama supports both LR and Virtual Router (VR)
configurations. Refer to the Manually Deploy and Bootstrap AI Runtime Security: Network Intercept for details.
You can manually deploy AI Runtime Security: Network
intercept in one of the following methods:
vim config/init-cfg.txt
type=static
ip-address=10.3.254.85
default-gateway=10.3.254.1
netmask=255.255.255.0
hostname=demo-esxi
panorama-server=cloud // For Strata Cloud Manager managed firewall
panorama-server=10.x.x.20* // Panorama server 1 IP address, for Panorama managed firewall only
panorama-server-2=10.x.x.21* // Panorama server 2 IP address, for Panorama managed firewall only
plugin-op-commands=advance-routing:enable // For both Strata Cloud Manager and Panorama
dgname=esxi-demo
dns-primary=8.8.8.8
dns-secondary=10.55.66.11
vm-series-auto-registration-pin-id=9f72117c-e9b3-4f43-b4c2-9ab0f259e249
vm-series-auto-registration-pin-value=cb4cc73d1b6c4568b1ca1f2a3bb88ee2
Create an ISO image and boot up the private cloud
VM from this `ISO` image. Booting from the image bootstraps the firewall
with the parameters you provided.
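The following is an added example, not part of this page or of Palo Alto Networks' own tooling. It renders the `init-cfg.txt` shown above as bare key=value lines (the `//` notes are annotations for the reader, not file content), checks the file for the two management modes the page describes (Strata Cloud Manager with `panorama-server=cloud`, or Panorama with one or two server addresses), and lays out the bootstrap package so an ISO can be built. The sample values, the folder layout, and the `genisoimage`/`mkisofs` invocation are assumptions of the example; the PIN id and value are placeholders.

```python
"""Render and sanity-check an init-cfg.txt for a private-cloud bootstrap (added example)."""
import re
import shutil
import subprocess
from pathlib import Path

# Constructed sample modelled on the page's file; PIN id/value are placeholders.
SCM_SAMPLE = {
    "type": "static",
    "ip-address": "10.3.254.85",
    "default-gateway": "10.3.254.1",
    "netmask": "255.255.255.0",
    "hostname": "demo-esxi",
    "panorama-server": "cloud",                    # Strata Cloud Manager managed
    "plugin-op-commands": "advance-routing:enable",  # Logical Router support
    "dgname": "esxi-demo",
    "dns-primary": "8.8.8.8",
    "dns-secondary": "10.55.66.11",
    "vm-series-auto-registration-pin-id": "00000000-0000-0000-0000-000000000000",
    "vm-series-auto-registration-pin-value": "00000000000000000000000000000000",
}

IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def is_ipv4(value):
    """True for a dotted-quad address whose octets are all in 0..255."""
    m = IPV4.match(value)
    return bool(m) and all(0 <= int(o) <= 255 for o in m.groups())


def render_init_cfg(params):
    """Emit bare key=value lines; the page's '//' notes never go into the file."""
    return "".join(f"{k}={v}\n" for k, v in params.items())


def check_init_cfg(params):
    """Return a list of problems; an empty list means the file matches the page's shape."""
    problems = []
    for key in ("type", "ip-address", "default-gateway", "netmask",
                "hostname", "panorama-server", "plugin-op-commands"):
        if key not in params:
            problems.append(f"missing {key}")
    if params.get("type") == "static":
        for key in ("ip-address", "default-gateway", "netmask"):
            if key in params and not is_ipv4(params[key]):
                problems.append(f"{key} is not a valid IPv4 address")
    server = params.get("panorama-server", "")
    if server == "cloud":
        # Strata Cloud Manager mode: a second Panorama address does not belong here
        if "panorama-server-2" in params:
            problems.append("panorama-server-2 set while panorama-server=cloud")
    elif server and not is_ipv4(server):
        problems.append("panorama-server must be 'cloud' or a Panorama IPv4 address")
    if "panorama-server-2" in params and not is_ipv4(params["panorama-server-2"]):
        problems.append("panorama-server-2 is not a valid IPv4 address")
    if "advance-routing:enable" not in params.get("plugin-op-commands", ""):
        problems.append("plugin-op-commands must include advance-routing:enable")
    for key in ("vm-series-auto-registration-pin-id",
                "vm-series-auto-registration-pin-value"):
        if not params.get(key):
            problems.append(f"{key} is empty")
    return problems


def build_bootstrap_package(params, out_dir):
    """Write config/init-cfg.txt into the bootstrap folder layout and, if an ISO tool
    is installed, build bootstrap.iso. Returns the ISO path or None (assumed tooling)."""
    problems = check_init_cfg(params)
    if problems:
        raise ValueError("; ".join(problems))
    root = Path(out_dir) / "bootstrap"
    for d in ("config", "content", "license", "software"):  # assumed package folders
        (root / d).mkdir(parents=True, exist_ok=True)
    (root / "config" / "init-cfg.txt").write_text(render_init_cfg(params))
    tool = shutil.which("genisoimage") or shutil.which("mkisofs")
    if tool is None:
        return None
    iso = Path(out_dir) / "bootstrap.iso"
    subprocess.run([tool, "-o", str(iso), "-J", "-R", "-V", "bootstrap", str(root)],
                   check=True)
    return iso


if __name__ == "__main__":
    print(render_init_cfg(SCM_SAMPLE))
    print("problems:", check_init_cfg(SCM_SAMPLE))
```

For a Panorama-managed firewall, replace `panorama-server` with the primary Panorama address and add `panorama-server-2`; `check_init_cfg` accepts either form and rejects a mixed one.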
Manage the AI Runtime Security: Network intercept deployed in private
clouds and configure interfaces, zones, security policy rules, and routers.
Refer to the configurations for the firewalls managed by Strata Cloud Manager or
managed by Panorama.
Verify Bootstrap Completion
Private Cloud: Connect to your private cloud VM (ESXi or KVM) and
run the following command to view the bootstrapped parameters:
show system info
// Review the output for the following key values:
ip-address: <ip-address> // IP address of the AI firewall deployed in private cloud
model: AI-Runtime-Security
serial: xxxxxxxx <note this serial number>
vm-license: AI-RUNTIME-SECURITY-2
software-version: 11.2.5-h1
vm-mode: VMWare ESXi // vm-mode: KVM for KVM cloud
vm-cpuid: AIESX:F1060400FFFB8B1F // only for ESXi
vm-cpuid: AIKVM:<number> // only for KVM
cloud-mode: non-cloud // For private cloud
advanced-routing: on
device-certificate-status: Valid
// Confirm the success status of the bootstrap phases
show system bootstrap status
// Look for `commitAll` jobs indicating the configurations are being forwarded to the firewall in the ESXi server
show jobs all
Strata Cloud Manager: Verify that the firewall device with the above
serial number shows as Connected and is In Sync under Workflows > NGFW Setup > Device Management.
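As an added example (not from this page or the vendor), the script below parses captured `show system info` output and checks the values the verification step lists: model, license, `cloud-mode: non-cloud`, `advanced-routing: on`, a valid device certificate, and that `vm-cpuid` carries the `AIESX`/`AIKVM` prefix matching `vm-mode`. The sample output is constructed; the serial and CPU id are placeholders.

```python
"""Check bootstrap results from 'show system info' output (added example)."""

# Constructed sample in the key: value shape the page shows; serial/cpuid are placeholders.
SAMPLE_OUTPUT = """\
hostname: demo-esxi
ip-address: 10.3.254.85
model: AI-Runtime-Security
serial: 000000000000
vm-license: AI-RUNTIME-SECURITY-2
software-version: 11.2.5-h1
vm-mode: VMWare ESXi
vm-cpuid: AIESX:0000000000000000
cloud-mode: non-cloud
advanced-routing: on
device-certificate-status: Valid
"""

# Values the page expects after a successful private-cloud bootstrap.
EXPECTED = {
    "model": {"AI-Runtime-Security"},
    "vm-license": {"AI-RUNTIME-SECURITY-2"},
    "cloud-mode": {"non-cloud"},             # private cloud
    "advanced-routing": {"on"},              # Logical Router support enabled
    "device-certificate-status": {"Valid"},
    "vm-mode": {"VMWare ESXi", "KVM"},       # either supported hypervisor
}

# vm-cpuid prefix that must accompany each vm-mode (from the page's sample values)
CPUID_PREFIX = {"VMWare ESXi": "AIESX:", "KVM": "AIKVM:"}


def parse_system_info(text):
    """Turn 'key: value' lines into a dict; split on the first colon only so that
    values such as 'AIESX:F106...' keep their own colon."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        info[key.strip()] = value.strip()
    return info


def verify_bootstrap(info):
    """Return {check: (ok, observed)} for every expected field plus the cpuid/mode pairing."""
    results = {}
    for key, allowed in EXPECTED.items():
        observed = info.get(key)
        results[key] = (observed in allowed, observed)
    mode = info.get("vm-mode")
    cpuid = info.get("vm-cpuid", "")
    prefix = CPUID_PREFIX.get(mode)
    results["vm-cpuid"] = (prefix is not None and cpuid.startswith(prefix), cpuid)
    return results


def bootstrap_ok(info):
    """True only when every check passes."""
    return all(ok for ok, _ in verify_bootstrap(info).values())


def serial_number(info):
    """The serial to look up under Device Management in Strata Cloud Manager."""
    return info.get("serial")


if __name__ == "__main__":
    parsed = parse_system_info(SAMPLE_OUTPUT)
    for check, (ok, observed) in verify_bootstrap(parsed).items():
        print(f"{'PASS' if ok else 'FAIL'} {check}: {observed}")
    print("serial to verify in Strata Cloud Manager:", serial_number(parsed))
```

Paste the real command output in place of the constructed sample; any `FAIL` line points at the init-cfg.txt key to revisit before moving on to policy configuration.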
Monitor and Secure Traffic in Private Clouds
Create an AI security policy rule and attach an AI security profile for the
AI Runtime Security: Network intercept managed by Strata Cloud Manager or Panorama.
Push the security configuration to the AI Runtime Security:
Network intercept to monitor the traffic against these rules. Refer to the
security push configuration steps for Panorama and Strata Cloud Manager.
Generate traffic between your server and the ESXi server secured by AI Runtime Security: Network intercept. Check the
session details to confirm that the security policy you created earlier is being
enforced on the traffic and the interfaces.
Investigate the log viewer for threat logs and AI Security logs in Strata Cloud Manager or Panorama.