Control Center
Monitor dashboard
The Control Center dashboard is a customizable visual display providing a quick security overview of all protected endpoints and network status.
Dashboard portlets display various real-time security information using easy-to-read charts, thus allowing you to quickly identify any issues that might require your attention.
This is what you need to know about dashboard portlets:
Control Center comes with several predefined dashboard portlets.
Each dashboard portlet includes a detailed report in the background, accessible with just one click on the chart.
There are several types of portlets that include various information about your endpoint protection, such as update status, malware status, firewall activity.
Note
By default, the portlets retrieve data for the current day and, unlike reports, cannot be set for longer intervals than one month.
The information displayed via portlets refers to endpoints under your account only. You can customize each portlet's target and preferences using the Edit Portlet command.
Click the chart legend entries, when available, to hide or display the corresponding variable on the graph.
The portlets are displayed in groups of four. Use the vertical scroll bar or the up and down arrow keys to navigate between portlet groups.
For several report types, you have the option to instantly run specific tasks on target endpoints, without having to go to the Network page from the left side menu to run the task (for example, scan infected endpoints or update endpoints). Use the button at the lower side of the portlet to take the available action.
The dashboard is easy to configure, based on individual preferences. You can edit portlet settings, add additional portlets, remove or rearrange existing portlets.
Refreshing portlet data
To make sure the portlet displays the latest information, click the Refresh icon on its title bar.
To update the information for all the portlets at once, click the Refresh Portlets at the top of the dashboard.
Editing portlet settings
Some portlets offer status information, while others report on security events in the last period. You can check and configure the reporting period of a portlet by clicking the Edit Portlet icon on its title bar.
Adding a new portlet
You can add other portlets to obtain the information you need.
To add a new portlet:
Log in to GravityZone Control Center.
Go to the Dashboard page from the left side menu.
Click the Add Portlet button at the upper side of the console. The configuration window is displayed.
Under the Details tab, configure the portlet details:
Type of background report
Suggestive portlet name
The time interval for the events to be reported
For more information on available report types, refer to Report Types.
Under the Targets tab, select the network objects and groups to include.
Click Save.
Removing a portlet
You can easily remove any portlet by clicking the Remove icon on its title bar. Once you remove a portlet, you can no longer recover it. However, you can create another portlet with the exact same settings.
Rearranging portlets
You can rearrange dashboard portlets to better suit your needs. To rearrange portlets:
Log in to GravityZone Control Center.
Go to the Dashboard page from the left side menu.
Drag and drop each portlet to the desired position. All other portlets between the new and old positions are moved to preserve their order.
Note
You can move portlets only within the positions already taken.
Create GravityZone security certificates
Overview
Browsers need the Control Center Security certificate to recognize the Control Center website as trusted. Except for Control Center Security, all other certificates are needed exclusively for managing Apple iOS devices. They are:
Communication Server certificate
Endpoint - Security Server Communication certificate
Incidents Server certificate (only available for GravityZone Elite and GravityZone Ultra)
Apple MDM Push certificate
iOS MDM Identity and Profile Signing certificate
iOS MDM Trust Chain certificate
iOS includes built-in support for third-party Mobile Device Management (MDM) solutions. Apple Inc. has very strict requirements for the MDM interface to work. Security implies authentication of both the server and the client at the time when MDM commands are issued to the device; therefore, the MDM server runs as an HTTPS server and the device needs to trust the certificate the server presents.
The Root Certificate
Digital certificates are verified using a chain of trust. A Root certificate (hereinafter known as the Root) is the top-most certificate of the tree, the private key of which is used to "sign" other certificates. All certificates immediately below the Root certificate inherit the trustworthiness of the Root certificate.
Marking Root Certificates as trusted
Several approaches are possible to make the devices trust the SSL certificate presented by the MDM server. We present three of them, but only two make sense as a realistic and practical deployment scenario.
Obtain an SSL certificate from a source the device already trusts.
For example, get a certificate for the specific IP or hostname of the device from a Certificate Authority like Verisign, Thawte or another major vendor. The device will trust this certificate and the management relationship can be established.
This solution is not practical for most of the Enterprise deployments.
The business has a self-signed Root certificate.
The certificate needs to be imported before the enrollment can take place.
Fortunately, Apple has foreseen this need and made it possible to include the certificates and MDM configuration into the same payload. Also, the enrollment happens in two steps:
The certificates from the payload are imported and the Root will be trusted;
The connection to the MDM server is made and the device becomes managed.
The business has an intermediate certificate obtained from a major third party.
The certificate is issued by an intermediate Certificate Authority. This certificate uses a chain of trust, which starts from the Root (already trusted by the device).
The intermediary has to be included in the profile.
Certificates for Bitdefender MDM product
Here you have a brief description of the certificates for MDM:
The Communication Server certificate is used to secure communication between the Communication Server and iOS mobile devices.
Requirements:
This SSL certificate can be signed either by your company or by an external Certificate Authority.
The certificate common name must match exactly the domain name or IP address used by mobile clients to connect to the Communication Server. This is configured as the external MDM address in the configuration interface of the GravityZone appliance console.
Mobile clients must trust this certificate. For this, you must also add the iOS MDM Trust Chain.
The Apple MDM Push certificate is required by Apple to ensure secure communication between the Communication Server and the Apple Push Notifications service (APNs) servers when sending push notifications. Push notifications are used to prompt devices to connect to the Communication Server when new tasks or policy changes are available.
Apple issues this certificate directly to your company, but it requires that your Certificate Signing Request be signed by Bitdefender. Control Center provides a wizard to help you easily obtain your Apple MDM Push certificate.
The iOS MDM Identity and Profile Signing certificate is used by the Communication Server to sign identity certificates and configuration profiles sent to mobile devices.
Requirements:
It must be an Intermediate or End-Entity certificate, signed either by your company or by an external Certificate Authority.
Mobile clients must trust this certificate. For this, you must also add the iOS MDM Trust Chain.
The iOS MDM Trust Chain certificates are required on mobile devices to ensure they trust the Communication Server certificate and the iOS MDM Identity and Profile Signing certificate. The Communication Server sends this certificate to mobile devices during activation.
The iOS MDM Trust Chain must include all intermediate certificates up to the Root certificate of your company or to the intermediate certificate issued by the external Certificate Authority. The trust chain is a concatenation of the certificates in PEM format and it doesn't have a private key.
Creating security certificates
Note
This is a simple approach, suitable for testing purposes or a deployment that is not integrated with any existing public-key infrastructure (PKI).
Generate a Root certificate
Generate a Signing certificate
Generate an SSL certificate
Generate the trust chain containing certificates from step 1 and 2
Upload them in the GravityZone Console
On a Linux machine with OpenSSL installed, create the following bash scripts as the root user, all in the same folder:
Open a new file with the name mentioned below in a text editor, e.g.:
#vim createroot.sh
Type i to switch from view mode to edit mode, then copy the commands listed for that file into the editor.
Save the file, e.g. by typing the :wq key sequence.
The script names and content (the scripts must be run as the root user):
createroot.sh
#!/bin/bash
openssl req -newkey rsa:2048 -days 365 -x509 -keyout rootkey.pem -out root.cer -sha256 -subj "/C=XX/O=XX/CN=XX/"
Note
Replace the Country C=XX, the Organization O=XX and the Common Name CN=XX with values suitable for you. E.g.:
"/C=RO/O=Bitdefender/CN=MDM Root/"
createssl.sh
#!/bin/bash
openssl req -new -newkey rsa:2048 -keyout sslkey.pem -out ssl.csr -sha256 -subj "/CN=$1/" -batch
openssl x509 -req -days 365 -sha256 -in ssl.csr -CA root.cer -CAkey rootkey.pem -CAcreateserial -CAserial root.serial -out ssl.cer -extfile <(printf "extendedKeyUsage = serverAuth \n subjectAltName=IP:$1")
Note
For subjectAltName, you can also use DNS or FQHN instead of IP. E.g.:
subjectAltName=DNS:$1
createcom.sh
#!/bin/bash
openssl req -new -newkey rsa:2048 -keyout comkey.pem -out com.csr -subj "/CN=$1/" -batch
openssl x509 -req -days 365 -in com.csr -CA root.cer -CAkey rootkey.pem -CAcreateserial -CAserial root.serial -sha256 -out com.cer
createincident.sh
#!/bin/bash
openssl req -new -newkey rsa:2048 -keyout incidentkey.pem -out incident.csr -subj "/CN=$1/" -batch
openssl x509 -req -days 365 -in incident.csr -CA root.cer -CAkey rootkey.pem -CAcreateserial -CAserial root.serial -sha256 -out incident.cer
createsvacom.sh
#!/bin/bash
openssl req -new -newkey rsa:2048 -keyout svacomkey.pem -out svacom.csr -subj "/CN=$1/" -batch
openssl x509 -req -days 365 -in svacom.csr -CA root.cer -CAkey rootkey.pem -CAcreateserial -CAserial root.serial -sha256 -out svacom.cer
createsgn.sh
#!/bin/bash
openssl req -out sgn.csr -new -newkey rsa:2048 -keyout sgnkey.pem -subj "/C=XX/O=XX/CN=XX/" -batch
# openssl x509 honours only the last -extfile given, so noCA.cnf and the inline extensions are merged into one extension file
openssl x509 -req -days 365 -in sgn.csr -CA root.cer -CAkey rootkey.pem -CAcreateserial -CAserial root.serial -sha256 -out sgn.cer -extfile <(cat noCA.cnf; printf "extendedKeyUsage = serverAuth \n subjectAltName=IP:$1")
rm sgn.csr
Note
For subjectAltName, you can also use DNS or FQHN instead of IP. E.g.:
subjectAltName=DNS:$1
Replace the Country C=XX, the Organization O=XX and the Common Name CN=XX with values suitable for you. E.g.:
"/C=RO/O=Bitdefender/CN=MDM Signing Certificate/"
createchain.sh
#!/bin/bash
cat root.cer sgn.cer >chain.pem
noCA.cnf
basicConstraints=CA:false
Generate the certificates with the use of the previously created scripts.
In bash shell, run the scripts as root user in the following order:
The Root certificate
#chmod +x createroot.sh
#./createroot.sh
Remember the password protecting the private key.
Result files: root.cer, rootkey.pem.
Control Center Security Certificate
#chmod +x createssl.sh
#./createssl.sh IP|FQHN
Provide either the IP or the Fully Qualified Host Name depending on the configuration of the server.
As always, remember the password.
Result files: the SSL certificate - ssl.cer, the private key - sslkey.pem.
Incidents Server Certificate
#chmod +x createincident.sh
#./createincident.sh IP|FQHN
Provide either the IP or the Fully Qualified Host Name depending on the configuration of the server.
As always, remember the password.
Result files: incident.cer, incidentkey.pem.
Note
Self-signed certificates need to be imported on the endpoint as well.
Communication Server Certificate
#chmod +x createcom.sh
#./createcom.sh IP|FQHN
Provide either the IP or the Fully Qualified Host Name depending on the configuration of the server.
As always, remember the password.
Result files: com.cer, comkey.pem.
Endpoint - Security Server Certificate
#chmod +x createsvacom.sh
#./createsvacom.sh IP|FQHN
Provide either the IP or the Fully Qualified Host Name depending on the configuration of the server.
As always, remember the password.
Result files: svacom.cer, svacomkey.pem.
Apple MDM Push Certificate
Apple issues this certificate directly to your company, but it requires that your Certificate Signing Request be signed by Bitdefender. Control Center provides a wizard to help you easily obtain your Apple MDM Push certificate.
Note
You will need an Apple ID to obtain the certificate. If you do not have an Apple ID, you can create one here. Make sure to validate your Apple ID and set a security question before proceeding to obtain your Apple MDM Push certificate.
iOS MDM Identity and Profile Signing Certificate
#chmod +x createsgn.sh
#./createsgn.sh IP|FQHN
Provide the password for the Root and be sure to remember the password protecting the private key of this certificate.
Result files: sgn.cer, sgnkey.pem.
iOS MDM Trust Chain Certificates
#chmod +x createchain.sh
#./createchain.sh
Result files: chain.pem. A file called root.serial is also created; simply ignore it.
Upload the corresponding files into Control Center.
The upload procedure is explained in Certificates.
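The following check is added here as an example; it is not part of the GravityZone documentation or its scripts. It verifies the files the procedure above produces before they are uploaded: each leaf certificate must verify against root.cer (or chain.pem) and carry the address passed as $1 as a subjectAltName, and chain.pem must hold only the two public certificates and no private key. It assumes the openssl CLI is on PATH; the make_sample function builds a constructed throwaway set with unencrypted keys (-nodes) purely so the checks can run offline.

```shell
#!/bin/sh
# Added example, not from the GravityZone documentation: post-generation
# checks for root.cer, ssl.cer, sgn.cer and chain.pem. Assumes the openssl
# CLI. ADDR is the IP or FQHN clients use to reach the server (the value
# given as $1 to the scripts); leaf certificates must list it as a SAN.

# check_leaf CERT CAFILE ADDR: CERT must verify against CAFILE (root.cer or
# chain.pem) and list ADDR as an "IP Address:" or "DNS:" SAN entry.
check_leaf() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
  # -text prints the SAN values on the line after the extension header;
  # dots in ADDR are left unescaped, which is acceptable for a sanity check
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | grep -Eq "(IP Address|DNS):$3(,|\$)"
}

# check_chain CHAIN: the trust chain is a concatenation of exactly two
# public certificates (root.cer and sgn.cer) and never a private key.
check_chain() {
  if grep -q 'PRIVATE KEY' "$1"; then return 1; fi
  [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" -eq 2 ]
}

# make_sample ADDR: constructed test PKI mirroring the documented scripts,
# generated non-interactively (-nodes) in a temporary directory whose path
# is printed. Real deployments keep the private keys password-protected.
make_sample() {
  dir=$(mktemp -d) || return 1
  cd "$dir" || return 1
  openssl req -newkey rsa:2048 -nodes -days 365 -x509 -keyout rootkey.pem \
    -out root.cer -sha256 -subj "/C=RO/O=Example/CN=MDM Root/" 2>/dev/null
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=IP:%s\n' "$1" > ssl.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout sslkey.pem -out ssl.csr \
    -sha256 -subj "/CN=$1/" -batch 2>/dev/null
  openssl x509 -req -days 365 -sha256 -in ssl.csr -CA root.cer \
    -CAkey rootkey.pem -CAcreateserial -out ssl.cer -extfile ssl.ext 2>/dev/null
  # signing certificate: end-entity (CA:false) as in noCA.cnf, plus the SAN
  printf 'basicConstraints=CA:false\nsubjectAltName=IP:%s\n' "$1" > sgn.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout sgnkey.pem -out sgn.csr \
    -subj "/C=RO/O=Example/CN=MDM Signing/" -batch 2>/dev/null
  openssl x509 -req -days 365 -sha256 -in sgn.csr -CA root.cer \
    -CAkey rootkey.pem -CAcreateserial -out sgn.cer -extfile sgn.ext 2>/dev/null
  cat root.cer sgn.cer > chain.pem
  echo "$dir"
}

# Usage: "sh check_mdm_certs.sh demo" runs the checks on a constructed set
if [ "${1:-}" = "demo" ]; then
  d=$(make_sample 10.0.0.5) || exit 1
  check_leaf "$d/ssl.cer" "$d/chain.pem" 10.0.0.5 && echo "ssl.cer OK"
  check_leaf "$d/sgn.cer" "$d/root.cer" 10.0.0.5 && echo "sgn.cer OK"
  check_chain "$d/chain.pem" && echo "chain.pem OK"
fi
```

Against real output, run the two check functions with the address you passed to the scripts; a certificate whose SAN does not match that address is the most common reason mobile clients refuse the Communication Server.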
License management
The GravityZone security services are licensed and sold separately. Each GravityZone security service requires a valid basic license key. At least one valid license key must be provided for using GravityZone.
GravityZone is licensed with a single key for all security services.
Besides the basic security services, GravityZone also provides important protection features as add-ons. Each add-on is licensed with a separate key and you can use it only together with a basic valid license. If the main license is invalid, you will view the features settings, but you will be unable to use them.
You can choose to test GravityZone and decide if it is the right solution for your organization. To activate your evaluation period, you must enter the trial (evaluation) license key from the registration email in Control Center.
Note
Control Center is provided for free with any GravityZone security service.
To continue using GravityZone and its security services after the trial period expires, you must purchase a license key and use it to register the product.
GravityZone license keys can be managed from the Configuration > License page in Control Center. When your current license key is about to expire, a message will appear in the console informing you that it needs to be renewed. To enter a new license key or view the current license details, go to the Configuration > License page from the left side menu.
Entering your license keys
GravityZone license registration can be done online or offline (when an internet connection is not available). In both cases, you need to provide a valid license key for each security service you want to use.
For offline registration, you will also need the offline registration code associated to the license key.
You can enter several license keys for the same service, but only the last key that you enter will be active.
To license your GravityZone security services, to change an existing license key, or to register an add-on with its separate key:
Log in to Control Center using a company administrator account.
Go to the Configuration > License page from the left side menu.
Click the Add button at the upper side of the table.
Select the registration type and type in the license key:
Online. In this case, enter a valid license key in the License key field. The license key will be checked and validated online.
Offline, when an internet connection is not available. In this case, you need to provide the license key and also its registration code.
Note
If the license key is not valid, a validation error is displayed as tool-tip over the License key field.
Click Add. The license key will be added to the License page, where you can check its details.
Click Save to apply the changes. Control Center restarts and you need to log in again to view the changes.
Note
You can use the add-ons as long as a compatible basic license is valid. Otherwise you will view the features, but you will be unable to use them.
Checking current license details
To view your license details:
Log in to Control Center using a company administrator account.
Go to the Configuration > License page from the left side menu.
In the table, you can view details about the existing license keys.
License key
Security service the license key applies to
License key status
Important
Only one license key can be active at a time for a specific service.
Expiry date and remaining license period
Important
When the license expires, the protection modules of the installed agents are disabled. As a result, endpoints are no longer protected and you cannot perform any scan task. Any newly installed agent will enter the trial period.
License usage count
Resetting the license usage count
You can find out information about your license key's usage count in the License page, under the Usage column.
If you need to update the usage information, select the license key and click the Reset button at the upper side of the table.
Deleting license keys
You can choose to delete invalid or expired license keys from the License page.
Warning
Deleting a license key will remove the corresponding security service from Control Center. You will not be able to install and manage protection offered by that service, on the endpoints in your network. Nevertheless, the endpoints remain protected as long as the license key is valid.
If you enter a new valid license key that includes the previously deleted service, it will re-enable all features of that service in Control Center.
To delete a license key:
Log in to Control Center using a company administrator account.
Go to the Configuration > License page from the left side menu.
Select the license key you want to remove and click the Delete button at the upper side of the table.
Click Save to apply the changes. Control Center restarts and you need to log in again to view the changes.