Deploy Decoy VMs with the Deployment Wizard

Use the Deception > Deployment Wizard page to create and deploy Decoy VMs on your network. Decoy VMs appear as real endpoints to hackers and can collect valuable information about attacks.

To deploy Decoys on the network:

Go to Deception > Deployment Wizard.
Click + to add a Decoy VM.

Configure the following:

Name	Specify the name of the deployment profile. Maximum 15 characters using A‑Z, a-z, 0-9, dash, or underscore. No duplicate profile names.
Appliance Name	Destination of the Decoy VM. This can be local (manager) or remote client (remote appliance). This column only shows in Central Management mode on manager.
Available Deception OSes	Select a Deception OS. The OS you select determines the services that are available.
Available Deception Decoys	This only supports SCADAV3 deception OS. The decoy you select determines the specific services set.
Selected Services	Displays the services available for the Deception OS you selected. Services for Windows include RDP, SMB, NBNSSpoofSpotter (responder tool detection), and TCPLISTENER. Services for SCADA include HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, GUARDIAN-AST, ENIP, DNP3, and IEC104. Services for Ubuntu include SSH, SAMBA, TCPLISTENER, HTTP, HTTPS, and GIT. Services for medical OS include Infusion Pump (Telnet), Infusion Pump (FTP), PACS, PACS-WEB, and DICOM server Services for POS OS include POS-WEB. Services for ERP OS include ERP-WEB. Services for FortiGate include SSLVPN. Services for Cisco Router include Telnet, HTTP, SNMP and CDP Services for HP Printer include Jet-direct, Printer-Web and SNMP Services for IP Camera include Camera-Web, UPnP, SNMP and RTSP
Automate Lures	Select one or more tag names to automate lure generation and to generate related contents. Selecting any and all generate random content. Click Generate Lures to automatically generate lures and list them in the panes below. Click Clear to delete the lures on this page.

If applicable, click Generate lures or Add Lure for the service and configure the following:

Username

Specify the username for the decoy. Maximum 64 characters using A-Z, a-z, 0-9, or @.

Do not set the username of the lures to be the same as existing usernames in the decoy, such as administrator for RDP/SMB services on Windows, or root for SSH/SAMBA services on Linux.

Password

Specify the password for the decoy in 1-32 non-unicode characters.

Sharename

This option is only available for SAMBA (Ubuntu) or SMB (Windows). Specify a Sharename in 3-63 characters using a-z, 0-9, or dash.

Update or Cancel

Click Update to save the username and password. Click Cancel to discard the username and password. Click Delete to delete an existing lure.

For windows - NBNSSpoofSpotter:

Username	Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.
Password	1-32 characters using A-Z, a-z, 0-9, or -!@#$%(~)^&?<>:\|+;*/,."'_
Domain (optional)	Domain can only contain characters a - z, A - Z, 0 - 9 and "." .
Hostname	Hostname can only contain characters a - z, A - Z, 0 - 9, "-" and "_".
Interval(sec)	Enter a valid integer between 60-3600.

For Ubuntu:

TCP Listener	Separate multiple ports with `,.`
HTTP Listening Port	1-65535. Default is 80.
HTTPS Listening Port	1-65535. Default is 443.
Username	Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.
Password	1-32 characters using A-Z, a-z, 0-9, or -!@#$%(~)^&?<>:\|+;*/,."'_
HTTPS SSL Certificate	Optional. Upload using default settings is supported.

For GIT users:

Username	Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.
Password	1-32 characters using A-Z, a-z, 0-9, or -!@#$%(~)^&?<>:\|+;*/,."'_
Repository Name	1-100 characters using a-z, A-Z, 0-9, dash, or underscore.

For GIT repository import:

URL	Cannot be empty. Permitted characters are a-z, A-Z, 0-9, space, or -@#~?:./_=.
Username	Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.
Password	Optional. Can be empty.

For GitHub repository import:

URL	Cannot be empty. Permitted characters are a-z, A-Z, 0-9, space, or -@#~?:./_=.
Token	Permitted characters are a-z, A-Z, 0-9, or period.

For SCADAV3:

FTP Banner	Permitted characters are a-z, A-Z, 0-9, dash, underscore, or space.
SNMP	Permitted characters are a-z, A-Z, 0-9, dash, underscore, or space.
Page title	Permitted characters are a-z, A-Z, 0-9, dash, underscore, or space.
Module type	Permitted characters are a-z, A-Z, 0-9, dash, underscore, or space.
PLC name	Permitted characters are a-z, A-Z, 0-9,dash, underscore, or space.
Plant Identification	Permitted characters are a-z, A-Z, 0-9, dash, underscore, or space.
Serial number	Permitted characters are a-z, A-Z, 0-9, dash, underscore, or space.

For ERP (CRM):

Username	Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.
Password	1-32 characters. Permitted characters are a-zA-Z0-9-!@#$%(~)^&?<>:\|+;*/,."'_

For medical:

Username	Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.
Password	1-32 characters. Permitted characters are a-zA-Z0-9-!@#$%(~)^&?<>:\|+;*/,."'_
PACS System Name	1-16 characters. Cannot start with digit. Permitted characters are a-z, A-Z, 0-9, dash, or underscore.
PACS Listening Port	1-65535. Default is 80.
DICOM Listening Port	1-65535. Default is 4242.
DICOM Server Name	1-16 characters. Cannot start with digit. Permitted characters a-z, A-Z, 0-9, dash, or underscore.

For POS:

Listening Port	1-65535. Default is 80.
Username	Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.
Password	1-32 characters. Permitted characters are a-zA-Z0-9-!@#$%(~)^&?<>:\|+;*/,."'_

For FortiGate:

SSLVPN Listening Port	1-65535. Default is 10443.
Username	Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.
Password	1-32 characters. Permitted characters are a-zA-Z0-9-!@#$%(~)^&?<>:\|+;*/,."'_
SSLVPN Bookmarks Name	1-15 characters. Permitted characters are a-z, A-Z, 0-9, dash, underscore, period, or space.
SSLVPN Bookmarks URL	Cannot be empty. Permitted characters are a-z, A-Z, 0-9, space, or -@#~?:./_=.

For Cisco Router (Telnet/HTTP):

Username	Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.
Password	1-32 characters. Permitted characters are a-zA-Z0-9-!@#$% (~)^&?<>:\|+;*/,."'_

For HP Printer (HTTP):

Username	Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.
Password	1-32 characters. Permitted characters are a-zA-Z0-9-!@#$% (~)^&?<>:\|+;*/,."'_

For IP Camera (HTTP):

Username	Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.
Password	1-32 characters. Permitted characters are a-zA-Z0-9-!@#$% (~)^&?<>:\|+;*/,."'_

To launch the decoy VM immediately, enable Launch Immediately.
To reset the decoy VM after it detects incidents, enable Reset Decoy and specify the Reset Interval value in seconds.
Click Next.
Specify the DNS and Hostname. The Hostname can start with an English character or a digit, and must not end with a hyphen. Maximum 15 characters using A-Z, a-z, 0-9, or hyphen (case-sensitive). Other symbols, punctuation, or white space are not allowed. The Hostname cannot conflict with decoy names.
Click Add Interface.
Select the Deploy Interface. Set this to the VLAN or subnet added in Set up the Deployment Network

Configure the following settings in the Add Interface for Decoy pane:

Addressing Mode	Select Static or DHCP. Static allows you to configure the IP address for all the decoys. DHCP allows the decoys to receive IP address from the DHCP server. If you select DHCP, IP Count is automatically set to 1 and all other fields are not applicable.
Network Mask	This field is set automatically.
Gateway	Specify the gateway.
MAC Address OUI	The first three octets of the MAC address for the device vendor. Only the xx:xx:xx format is supported.
IP Count	Specify the number of IP addresses to be assigned, up to 24 ( for both STATIC and DHCP).
Min	The minimum IP address in the IP range.
Max	The maximum IP address in the IP range.
IP Ranges	Specify the IP range between Min and Max.

Click Done.
To deploy the decoys on the network, click Deploy.
To save this as a template in Deception > Deployment Wizard, click Template.

Deploy Decoy VMs with the Deployment Wizard

Use the Deception > Deployment Wizard page to create and deploy Decoy VMs on your network. Decoy VMs appear as real endpoints to hackers and can collect valuable information about attacks.

To deploy Decoys on the network:

Go to Deception > Deployment Wizard.
Click + to add a Decoy VM.

Configure the following:

Name	Specify the name of the deployment profile. Maximum 15 characters using A‑Z, a-z, 0-9, dash, or underscore. No duplicate profile names.
Appliance Name	Destination of the Decoy VM. This can be local (manager) or remote client (remote appliance). This column only shows in Central Management mode on manager.
Available Deception OSes	Select a Deception OS. The OS you select determines the services that are available.
Available Deception Decoys	This only supports SCADAV3 deception OS. The decoy you select determines the specific services set.
Selected Services	Displays the services available for the Deception OS you selected. Services for Windows include RDP, SMB, NBNSSpoofSpotter (responder tool detection), and TCPLISTENER. Services for SCADA include HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, GUARDIAN-AST, ENIP, DNP3, and IEC104. Services for Ubuntu include SSH, SAMBA, TCPLISTENER, HTTP, HTTPS, and GIT. Services for medical OS include Infusion Pump (Telnet), Infusion Pump (FTP), PACS, PACS-WEB, and DICOM server Services for POS OS include POS-WEB. Services for ERP OS include ERP-WEB. Services for FortiGate include SSLVPN. Services for Cisco Router include Telnet, HTTP, SNMP and CDP Services for HP Printer include Jet-direct, Printer-Web and SNMP Services for IP Camera include Camera-Web, UPnP, SNMP and RTSP
Automate Lures	Select one or more tag names to automate lure generation and to generate related contents. Selecting any and all generate random content. Click Generate Lures to automatically generate lures and list them in the panes below. Click Clear to delete the lures on this page.

If applicable, click Generate lures or Add Lure for the service and configure the following:

Username

Specify the username for the decoy. Maximum 64 characters using A-Z, a-z, 0-9, or @.

Do not set the username of the lures to be the same as existing usernames in the decoy, such as administrator for RDP/SMB services on Windows, or root for SSH/SAMBA services on Linux.

Password

Specify the password for the decoy in 1-32 non-unicode characters.

Sharename

This option is only available for SAMBA (Ubuntu) or SMB (Windows). Specify a Sharename in 3-63 characters using a-z, 0-9, or dash.

Update or Cancel

Click Update to save the username and password. Click Cancel to discard the username and password. Click Delete to delete an existing lure.

For windows - NBNSSpoofSpotter:

Username	Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.
Password	1-32 characters using A-Z, a-z, 0-9, or -!@#$%(~)^&?<>:\|+;*/,."'_
Domain (optional)	Domain can only contain characters a - z, A - Z, 0 - 9 and "." .
Hostname	Hostname can only contain characters a - z, A - Z, 0 - 9, "-" and "_".
Interval(sec)	Enter a valid integer between 60-3600.

For Ubuntu:

TCP Listener	Separate multiple ports with `,.`
HTTP Listening Port	1-65535. Default is 80.
HTTPS Listening Port	1-65535. Default is 443.
Username	Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.
Password	1-32 characters using A-Z, a-z, 0-9, or -!@#$%(~)^&?<>:\|+;*/,."'_
HTTPS SSL Certificate	Optional. Upload using default settings is supported.

For GIT users:

Username	Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.
Password	1-32 characters using A-Z, a-z, 0-9, or -!@#$%(~)^&?<>:\|+;*/,."'_
Repository Name	1-100 characters using a-z, A-Z, 0-9, dash, or underscore.

For GIT repository import:

URL	Cannot be empty. Permitted characters are a-z, A-Z, 0-9, space, or -@#~?:./_=.
Username	Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.
Password	Optional. Can be empty.

For GitHub repository import:

URL	Cannot be empty. Permitted characters are a-z, A-Z, 0-9, space, or -@#~?:./_=.
Token	Permitted characters are a-z, A-Z, 0-9, or period.

For SCADAV3:

FTP Banner	Permitted characters are a-z, A-Z, 0-9, dash, underscore, or space.
SNMP	Permitted characters are a-z, A-Z, 0-9, dash, underscore, or space.
Page title	Permitted characters are a-z, A-Z, 0-9, dash, underscore, or space.
Module type	Permitted characters are a-z, A-Z, 0-9, dash, underscore, or space.
PLC name	Permitted characters are a-z, A-Z, 0-9,dash, underscore, or space.
Plant Identification	Permitted characters are a-z, A-Z, 0-9, dash, underscore, or space.
Serial number	Permitted characters are a-z, A-Z, 0-9, dash, underscore, or space.

For ERP (CRM):

Username	Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.
Password	1-32 characters. Permitted characters are a-zA-Z0-9-!@#$%(~)^&?<>:\|+;*/,."'_

For medical:

Username	Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.
Password	1-32 characters. Permitted characters are a-zA-Z0-9-!@#$%(~)^&?<>:\|+;*/,."'_
PACS System Name	1-16 characters. Cannot start with digit. Permitted characters are a-z, A-Z, 0-9, dash, or underscore.
PACS Listening Port	1-65535. Default is 80.
DICOM Listening Port	1-65535. Default is 4242.
DICOM Server Name	1-16 characters. Cannot start with digit. Permitted characters a-z, A-Z, 0-9, dash, or underscore.

For POS:

Listening Port	1-65535. Default is 80.
Username	Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.
Password	1-32 characters. Permitted characters are a-zA-Z0-9-!@#$%(~)^&?<>:\|+;*/,."'_

For FortiGate:

SSLVPN Listening Port	1-65535. Default is 10443.
Username	Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.
Password	1-32 characters. Permitted characters are a-zA-Z0-9-!@#$%(~)^&?<>:\|+;*/,."'_
SSLVPN Bookmarks Name	1-15 characters. Permitted characters are a-z, A-Z, 0-9, dash, underscore, period, or space.
SSLVPN Bookmarks URL	Cannot be empty. Permitted characters are a-z, A-Z, 0-9, space, or -@#~?:./_=.

For Cisco Router (Telnet/HTTP):

Username	Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.
Password	1-32 characters. Permitted characters are a-zA-Z0-9-!@#$% (~)^&?<>:\|+;*/,."'_

For HP Printer (HTTP):

Username	Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.
Password	1-32 characters. Permitted characters are a-zA-Z0-9-!@#$% (~)^&?<>:\|+;*/,."'_

For IP Camera (HTTP):

Username	Maximum 64 characters using A-Z, a-z, 0-9, @, dash, underscore, or period.
Password	1-32 characters. Permitted characters are a-zA-Z0-9-!@#$% (~)^&?<>:\|+;*/,."'_

To launch the decoy VM immediately, enable Launch Immediately.
To reset the decoy VM after it detects incidents, enable Reset Decoy and specify the Reset Interval value in seconds.
Click Next.
Specify the DNS and Hostname. The Hostname can start with an English character or a digit, and must not end with a hyphen. Maximum 15 characters using A-Z, a-z, 0-9, or hyphen (case-sensitive). Other symbols, punctuation, or white space are not allowed. The Hostname cannot conflict with decoy names.
Click Add Interface.
Select the Deploy Interface. Set this to the VLAN or subnet added in Set up the Deployment Network

Configure the following settings in the Add Interface for Decoy pane:

Addressing Mode	Select Static or DHCP. Static allows you to configure the IP address for all the decoys. DHCP allows the decoys to receive IP address from the DHCP server. If you select DHCP, IP Count is automatically set to 1 and all other fields are not applicable.
Network Mask	This field is set automatically.
Gateway	Specify the gateway.
MAC Address OUI	The first three octets of the MAC address for the device vendor. Only the xx:xx:xx format is supported.
IP Count	Specify the number of IP addresses to be assigned, up to 24 ( for both STATIC and DHCP).
Min	The minimum IP address in the IP range.
Max	The maximum IP address in the IP range.
IP Ranges	Specify the IP range between Min and Max.

Click Done.
To deploy the decoys on the network, click Deploy.
To save this as a template in Deception > Deployment Wizard, click Template.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Administration Guide

Deploy Decoy VMs with the Deployment Wizard