This article will explain the various status indicators displayed in the RocketCyber console as they relate to agent connectivity.
How does the RocketAgent communicate with the cloud?
The RocketAgent utilizes two different communication channels to connect with the RocketCyber cloud.
1. WebSocket via Port 443/SSL
The RocketAgent maintains a persistent connection with the RocketCyber cloud via a websocket connection. This communication channel is used for the following types of communication:
- Agent Status Indication
- Threat Intelligence Request / Response
- Command & Control Actions (Log Uploads, Agent Restart, Check For Updates, Isolation, etc.)
2. REST Endpoints via HTTPS
The RocketAgent utilizes various REST API Endpoints to perform tasks such as:
- Posting detections from RocketApps
- Downloading updates
- Retrieving settings
What are the different status indicators?
| Indicator | Status | Description |
|---|---|---|
| Green | ONLINE | Indicates the agent has a persistent web socket connection to the RocketCyber Cloud. |
| Yellow | OFFLINE | Indicates the agent has lost its web socket connection to the server. |
| Red | ISOLATED | Indicates the agent has been isolated from communicating on the network except for its connection to the RocketCyber Cloud. |
What can cause an agent to go offline?
Agents can display an offline status in the dashboard for a variety of reasons.
- The machine / operating system has been powered down or suspended.
- Agent has been stopped or uninstalled
- Network connectivity issues
- Agent is in the process of installing updates and restarting
What happens when the agent shows an offline status?
If the agent goes offline due to network connectivity issues but the agent service is still running, rest assured it is still actively monitoring the system for threats. The agent is designed to recover from any network connectivity issues automatically. There should be no manual intervention required to bring it back online.
If the network connectivity issue is only related to the web socket connection, then the agent will continue to post detections to the cloud as they are encountered. The command and control operations such as log requests, agent updates, and isolation will be queued until the device re-establishes its web socket connection. Once the connection is re-established, the queued messages will be delivered to the agent.
If the network connectivity issues inhibit the posting of detections to the RocketCyber cloud via the REST endpoint APIs, detections will be cached locally and posted to the cloud as soon as connectivity is restored.