Understanding Remote Agent Hosting in Private Networks for Google SecOps SOAR

Question

Hello Community,I am trying to clearly understand the design and deployment model of Google SecOps SOAR Remote Agents, specifically when the target systems (for example, FortiGate firewalls or other on-prem security tools) are hosted inside a private customer network. I would like clarification on the following points:	Hosting Model			Do we need to create a VM in the customer private network to host remote agent?						Is the Remote Agent always expected to run on a dedicated VM or server inside the customer’s private network?						Is this the recommended and supported architecture for interacting with internal devices such as firewalls, AD, or other non-internet-exposed systems?					Allowing Access for Remote Agent to Google Publisher and Firewall

Eoved · Answer

Hello,1.You can create the agent on a Linux server (RHEL 8.7 / clean CentOS 7.9) or using Docker/Podman.You can, and it might not be a “hard” technical requirement.This is the recommended way to respond via SOAR with security tools and devices within your local environment.References:https://docs.cloud.google.com/chronicle/docs/soar/working-with-remote-agents/remote-agents-architecture-overviewhttps://docs.cloud.google.com/chronicle/docs/soar/working-with-remote-agents/requirements-and-prerequisites2.The most critical part of this design is that communication is outbound only (from your network to Google).You do not need to open any incoming ports from the internet.You need to allow outbound traffic over port 443 from your agent to your instance URL (publisher only).It also supports proxy configurations.References:https://docs.cloud.google.com/chronicle/docs/soar/working-with-remote-agents/data-flows-and-protocols

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded