After Installation

Adjust firewall rules using so-allow

Depending on what kind of installation you did, the Setup wizard may have already walked you through adding firewall rules to allow your analyst IP address(es). If you need to allow other IP addresses, you can manually run so-allow.


  • Verify services are running:

    sudo so-status

Data Retention

  • Review the Curator and Elasticsearch sections to see if you need to change any of the default index retention settings.


  • Full-time analysts may want to connect using a dedicated Analyst VM.
  • Any IDS/NSM system needs to be tuned for the network it’s monitoring. Please see the Tuning section.
  • Configure the OS to use your preferred NTP server.