Use the Deception > Deployment Wizard page to create and deploy Decoy VMs on your network. Decoy VMs appear as real endpoints to hackers and can collect valuable information about attacks.
- Go to Deception > Deployment Wizard.
- Click + to add a Decoy VM.
- Configure the following:
Specify the name of the deployment profile. Maximum 15 characters using A-Z, a-z, 0-9, dash, or underscore. No duplicate profile names.
Destination of the Decoy VM. This can be local (manager) or remote client (remote appliance).
This column only shows in Central Management mode on manager.
Available Deception OSes
Select a Deception OS. The OS you select determines the services that are available.
Available Deception Decoys
This only supports SCADAV3/IoT deception OS. The decoy you select determines the specific services set.
Displays the services available for the Deception OS you selected.
Services for Windows include RDP, SMB, NBNSSpoofSpotter (responder tool detection), TCPLISTENER, ICMP, IIS(HTTP), and IIS(HTTPS).
Services for SCADA include HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, GUARDIAN-AST, ENIP, DNP3, KAMSTRUP, and IEC104.
Services for Medical OS include Infusion Pump (Telnet), Infusion Pump (FTP), PACS, PACS-WEB, and DICOM server.
Services for POS OS include POS-WEB.
Services for ERP OS include ERP-WEB.
Services for FortiGate include SSLVPN.
Services for Cisco Router include Telnet, HTTP, SNMP and CDP.
Services for HP Printer include Jetdirect, Printer-WEB and SNMP.
Services for SAP include SAP ROUTER, SAP DISPATCHER and SAP WEB.
Services for IoT include SNMP, Jetdirect, Printer-WEB, Telnet, HTTP, CDP, TP-LINK WEB, CWMP, IP Camera-WEB, UPnP and RTSP.
Services for IP Camera include IP Camera-Web, UPnP, SNMP and RTSP.
Services for CentOS include SSH, SAMBA, TCPLISTENER, HTTP, HTTPS, GIT, and ICMP.
Select one or more tag names to automate lure generation and to generate related contents. Selecting any and all generate random content.
Click Generate Lures to automatically generate lures and list them in the panes below.
Click Clear to delete the lures on this page.
- If applicable, click Generate Lures or Add Lure for the service and configure the lure settings. See Lure Settings.
- To launch the decoy VM immediately, enable Launch Immediately.
- To reset the decoy VM after it detects incidents, enable Reset Decoy and specify the Reset Interval value in seconds.
- Click Next.
- Specify the DNS and Hostname. The Hostname can start with an English character or a digit, and must not end with a hyphen. Maximum 15 characters using A-Z, a-z, 0-9, or hyphen (case-sensitive). Other symbols, punctuation, or white space are not allowed. The Hostname cannot conflict with decoy names.
- Click Deploy Into Network.
- Select the Deploy Interface. Set this to the VLAN or subnet added in Set up the Deployment Network.
- Configure the following settings in the Add Interface for Decoy pane:
Select Static or DHCP.
DHCP allows the decoys to receive an IP address from the DHCP server. If you select DHCP, IP Count is automatically set to 1 and all other fields are not applicable.
This field is set automatically.
Specify the gateway.
The first three octets of the MAC address for the device vendor. Only the xx:xx:xx format is supported.
Specify the number of IP addresses to be assigned, up to 24 (for both STATIC and DHCP).
The minimum IP address in the IP range.
The maximum IP address in the IP range.
Specify the IP range between Min and Max.
- Click Done.
- To deploy the decoys on the network, click Deploy.
- To save this as a template in Deception > Deployment Wizard, click Template.
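
When many decoys are planned at once, checking each entry against the naming and addressing rules above before opening the wizard avoids rejected deployments and accidental address clashes. The following is an added example, not part of the product or its documentation: the function, the dictionary keys, and the sample plans are hypothetical, and the checks marked as assumptions in the comments go beyond what this page states.

```python
import ipaddress
import re

PROFILE_RE = re.compile(r"[A-Za-z0-9_-]{1,15}")                # profile name rule
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,13}[A-Za-z0-9])?")  # no trailing hyphen
OUI_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){2}")    # xx:xx:xx vendor prefix
MAX_IP_COUNT = 24

def check_plan(plan, existing_profiles=(), decoy_names=()):
    """Return a list of rule violations for one planned decoy (empty list = OK)."""
    errs = []
    if not PROFILE_RE.fullmatch(plan["profile"]):
        errs.append("profile: 1-15 chars from A-Z, a-z, 0-9, dash, underscore")
    if plan["profile"] in existing_profiles:
        errs.append("profile: duplicate name")
    if not HOSTNAME_RE.fullmatch(plan["hostname"]):
        errs.append("hostname: bad characters, length, or trailing hyphen")
    if plan["hostname"] in decoy_names:             # case-sensitive comparison
        errs.append("hostname: conflicts with a decoy name")
    if not OUI_RE.fullmatch(plan["mac_prefix"]):
        errs.append("mac_prefix: must be xx:xx:xx")
    count = plan.get("ip_count", 1)
    if not 1 <= count <= MAX_IP_COUNT:
        errs.append("ip_count: must be 1-24")
    if plan["mode"] == "dhcp":
        if count != 1:
            errs.append("ip_count: DHCP sets it to 1")
        return errs                                 # other fields not applicable
    # Static mode. Assumption: Min/Max are the first and last host of the subnet.
    net = ipaddress.ip_network(plan["subnet"])
    lo, hi = (ipaddress.ip_address(p) for p in plan["ip_range"].split("-"))
    if lo > hi or lo < net[1] or hi > net[-2]:
        errs.append("ip_range: must lie between Min and Max")
    elif int(hi) - int(lo) + 1 < count:             # assumption: range must hold ip_count
        errs.append("ip_range: fewer addresses than ip_count")
    gw = ipaddress.ip_address(plan["gateway"])
    if gw not in net or lo <= gw <= hi:             # assumption: gateway is not a decoy IP
        errs.append("gateway: outside subnet or inside decoy range")
    return errs

# Constructed sample plans for illustration only.
GOOD = {"profile": "scada_floor-2", "hostname": "PLC-LINE2", "mac_prefix": "00:1c:06",
        "mode": "static", "ip_count": 4, "subnet": "10.0.5.0/24",
        "ip_range": "10.0.5.20-10.0.5.27", "gateway": "10.0.5.1"}
BAD = {"profile": "windows file server 01", "hostname": "HMI-", "mac_prefix": "00:1c:06:aa",
       "mode": "static", "ip_count": 30, "subnet": "10.0.5.0/24",
       "ip_range": "10.0.5.250-10.0.6.3", "gateway": "10.0.5.252"}
```

Calling `check_plan(GOOD)` returns an empty list, while `check_plan(BAD)` reports one violation for each of the six broken fields.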