diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow
index 71c8f8c9b..c6d3d6bf0 100755
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -89,7 +89,7 @@ if [ "$SKIP" -eq 0 ]; then
 echo "[p] - Wazuh API - port 55000/tcp"
 echo "[r] - Wazuh registration service - 1515/tcp"
 echo ""
- echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):"
+ echo "Please enter your selection:"
 read -r ROLE
 echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
 read -r IP
@@ -127,16 +127,16 @@ salt-call state.apply firewall queue=True
 if grep -q -R "wazuh: 1" $local_salt_dir/pillar/*; then
 # If analyst, add to Wazuh AR whitelist
 if [ "$FULLROLE" == "analyst" ]; then
- WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
- if ! grep -q "$IP" $WAZUH_MGR_CFG ; then
- DATE=$(date)
- sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
- sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG
- echo -e "\n \n $IP\n \n" >> $WAZUH_MGR_CFG
- echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG."
- echo
- echo "Restarting OSSEC Server..."
- /usr/sbin/so-wazuh-restart
- fi
- fi
+ WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
+ if ! grep -q "$IP" $WAZUH_MGR_CFG ; then
+ DATE=$(date)
+ sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
+ sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG
+ echo -e "\n \n $IP\n \n" >> $WAZUH_MGR_CFG
+ echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG."
+ echo
+ echo "Restarting OSSEC Server..."
+ /usr/sbin/so-wazuh-restart
+ fi
+ fi
 fi
diff --git a/salt/motd/files/package_update_reboot_required.jinja b/salt/motd/files/so_motd.jinja
similarity index 86%
rename from salt/motd/files/package_update_reboot_required.jinja
rename to salt/motd/files/so_motd.jinja
index 6d94fc613..4b22eb56c 100644
--- a/salt/motd/files/package_update_reboot_required.jinja
+++ b/salt/motd/files/so_motd.jinja
@@ -1,4 +1,9 @@
 {% set needs_restarting_check = salt['mine.get']('*', 'needs_restarting.check', tgt_type='glob') -%}
+{% set url = salt['pillar.get']('manager:url_base') -%}
+
+
+Access the Security Onion web interface at https://{{ url }}
+(You may need to run so-allow first if you haven't yet)
 
 {%- if needs_restarting_check %}
 {%- set minions_need_restarted = [] %}
diff --git a/salt/motd/init.sls b/salt/motd/init.sls
index 4dae979bf..06ad270a1 100644
--- a/salt/motd/init.sls
+++ b/salt/motd/init.sls
@@ -1,5 +1,5 @@
-package_update_reboot_required_motd:
+so_motd:
 file.managed:
 - name: /etc/motd
- - source: salt://motd/files/package_update_reboot_required.jinja
+ - source: salt://motd/files/so_motd.jinja
 - template: jinja
diff --git a/salt/thehive/init.sls b/salt/thehive/init.sls
index 07eff0939..062637855 100644
--- a/salt/thehive/init.sls
+++ b/salt/thehive/init.sls
@@ -116,6 +116,7 @@ cortexscript:
 - source: salt://thehive/scripts/cortex_init
 - cwd: /opt/so
 - template: jinja
+ - hide_output: True
 
 so-thehive:
 docker_container.running:
@@ -135,3 +136,4 @@ thehivescript:
 - source: salt://thehive/scripts/hive_init
 - cwd: /opt/so
 - template: jinja
+ - hide_output: True
diff --git a/salt/thehive/scripts/cortex_init b/salt/thehive/scripts/cortex_init
index 1d0fe29f0..90980da9c 100644
--- a/salt/thehive/scripts/cortex_init
+++ b/salt/thehive/scripts/cortex_init
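Review bot: `{% set url = salt['pillar.get']('manager:url_base') -%}` has no default, so on a minion whose pillar lacks `manager:url_base` the banner renders as `https://` with an empty host instead of pointing at the manager; every other `pillar.get` in this commit passes an explicit fallback. Wrap the two added sentences in `{%- if url %}` … `{%- endif %}` (or pass a default and guard on it) so /etc/motd never advertises an empty URL. Whether the pillar key is populated on every node that receives this template is not visible here.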
@@ -1,11 +1,11 @@
 #!/bin/bash
-{% set MANAGERIP = salt['pillar.get']('static:managerip', '') %}
-{%- set CORTEXUSER = salt['pillar.get']('static:cortexuser', '') %}
-{%- set CORTEXPASSWORD = salt['pillar.get']('static:cortexpassword', '') %}
-{%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %}
-{%- set CORTEXORGNAME = salt['pillar.get']('static:cortexorgname', '') %}
-{%- set CORTEXORGUSER = salt['pillar.get']('static:cortexorguser', '') %}
-{%- set CORTEXORGUSERKEY = salt['pillar.get']('static:cortexorguserkey', '') %}
+# {%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %}
+# {%- set CORTEXUSER = salt['pillar.get']('static:cortexuser', 'cortexadmin') %}
+# {%- set CORTEXPASSWORD = salt['pillar.get']('static:cortexpassword', 'cortexchangeme') %}
+# {%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %}
+# {%- set CORTEXORGNAME = salt['pillar.get']('static:cortexorgname', '') %}
+# {%- set CORTEXORGUSER = salt['pillar.get']('static:cortexorguser', '') %}
+# {%- set CORTEXORGUSERKEY = salt['pillar.get']('static:cortexorguserkey', '') %}
 
 default_salt_dir=/opt/so/saltstack/default
 
diff --git a/salt/thehive/scripts/hive_init b/salt/thehive/scripts/hive_init
index 69ff72fa7..a8307c0d6 100755
--- a/salt/thehive/scripts/hive_init
+++ b/salt/thehive/scripts/hive_init
@@ -1,8 +1,8 @@
 #!/bin/bash
-{% set MANAGERIP = salt['pillar.get']('static:managerip', '') %}
-{%- set THEHIVEUSER = salt['pillar.get']('static:hiveuser', '') %}
-{%- set THEHIVEPASSWORD = salt['pillar.get']('static:hivepassword', '') %}
-{%- set THEHIVEKEY = salt['pillar.get']('static:hivekey', '') %}
+# {%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %}
+# {%- set THEHIVEUSER = salt['pillar.get']('static:hiveuser', 'hiveadmin') %}
+# {%- set THEHIVEPASSWORD = salt['pillar.get']('static:hivepassword', 'hivechangeme') %}
+# {%- set THEHIVEKEY = salt['pillar.get']('static:hivekey', '') %}
 
 thehive_init(){
 sleep 120
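Review bot: The new fallbacks `'cortexadmin'` / `'cortexchangeme'` on the CORTEXUSER and CORTEXPASSWORD lines (and `'hiveadmin'` / `'hivechangeme'` in the hive_init hunk below) mean a manager whose static pillar is missing those keys silently initialises the service with a publicly known credential instead of failing. The same commit points the pillar values at the operator's web user and password in so-functions, so these defaults are only ever reached in the misconfigured case; keep the previous `''` default and have the template emit an explicit failure when it is empty (e.g. `{%- if not CORTEXPASSWORD %}` rendering `echo "static:cortexpassword pillar not set" >&2; exit 1`) so that case is loud. Note the leading `# ` does not disable anything: `{%- set … %}` is still evaluated by Jinja and only the rendered residue is a shell comment, which is presumably the intent but worth a one-line comment above the block.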
diff --git a/setup/so-functions b/setup/so-functions
index 03265c1e4..f4f5d9ba1 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -398,7 +398,7 @@ checkin_at_boot() {
 }
 
 check_requirements() {
- local eval_or_dist=$1
+ local standalone_or_dist=$1
 local node_type=$2 # optional
 local req_mem
 local req_cores
@@ -407,12 +407,12 @@ check_requirements() {
 readarray -t nic_list <<< "$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "bond0" | sed 's/ //g')"
 local num_nics=${#nic_list[@]}
 
- if [[ "$eval_or_dist" == 'eval' ]]; then
+ if [[ "$standalone_or_dist" == 'standalone' ]]; then
 req_mem=12
 req_cores=4
 req_nics=2
 req_storage=100
- elif [[ "$eval_or_dist" == 'dist' ]]; then
+ elif [[ "$standalone_or_dist" == 'dist' ]]; then
 req_mem=8
 req_cores=4
 req_storage=40
@@ -420,7 +420,7 @@ check_requirements() {
 if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi
 fi
 
- if (( $(echo "$free_space_root < $req_storage" | bc -l) )) && [[ $setup_type == 'network' ]]; then
+ if (( $(echo "$free_space_root < $req_storage" | bc -l) )); then
 whiptail_requirements_error "disk space" "${free_space_root} GB" "${req_storage} GB"
 fi
 
@@ -939,18 +939,6 @@ manager_pillar() {
 " mtu: $MTU" >> "$pillar_file"
 fi
 
- case $REDIRECTINFO in
- 'IP')
- REDIRECTIT="$MAINIP"
- ;;
- 'HOSTNAME')
- REDIRECTIT=$HOSTNAME
- ;;
- *)
- REDIRECTIT="$REDIRECTHOST"
- ;;
- esac
-
 printf '%s\n'\
 " elastalert: 1"\
 " nids_rules: $RULESETUP"\
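Review bot: With `&& [[ $setup_type == 'network' ]]` dropped in the `@@ -420` hunk the disk-space check now runs on every install path, but after this commit's so-variables change `free_space_root` is measured at `/nsm` while the error still says a generic "disk space", so an operator with a small root and a large /nsm (or vice versa) cannot tell which filesystem failed; pass the path through: `whiptail_requirements_error "disk space on /nsm" "${free_space_root} GB" "${req_storage} GB"`. The `bc` round-trip is also unnecessary: so-variables already rounds the value with `printf("%.0f")`, so `if (( free_space_root < req_storage )); then` compares two integers without a subprocess. `check_requirements` continues past the hunk, so I have not checked how `req_storage` is set for the remaining node types.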
@@ -1004,14 +992,14 @@ manager_static() {
 " broversion: $BROVERSION"\
 " ids: $NIDS"\
 " managerip: $MAINIP"\
- " hiveuser: hiveadmin"\
- " hivepassword: hivechangeme"\
+ " hiveuser: $WEBUSER"\
+ " hivepassword: $WEBPASSWD1"\
 " hivekey: $HIVEKEY"\
- " cortexuser: cortexadmin"\
- " cortexpassword: cortexchangeme"\
+ " cortexuser: $WEBUSER"\
+ " cortexpassword: $WEBPASSWD1"\
 " cortexkey: $CORTEXKEY"\
 " cortexorgname: SecurityOnion"\
- " cortexorguser: soadmin"\
+ " cortexorguser: $WEBUSER"\
 " cortexorguserkey: $CORTEXORGUSERKEY"\
 " fleet_custom_hostname: "\
 " fleet_manager: False"\
@@ -1656,6 +1644,20 @@ set_node_type() {
 esac
 }
 
+set_redirect() {
+ case $REDIRECTINFO in
+ 'IP')
+ REDIRECTIT="$MAINIP"
+ ;;
+ 'HOSTNAME')
+ REDIRECTIT="$HOSTNAME"
+ ;;
+ *)
+ REDIRECTIT="$REDIRECTHOST"
+ ;;
+ esac
+}
+
 set_updates() {
 if [ "$MANAGERUPDATES" = '1' ]; then
 if [ "$OS" = 'centos' ]; then
diff --git a/setup/so-setup b/setup/so-setup
index c84e0dfe5..e96b7edb6 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -165,8 +165,8 @@ elif [ "$install_type" = 'HELIXSENSOR' ]; then
 is_helix=true
 fi
 
-if [[ $is_eval ]]; then
- check_requirements "eval"
+if [[ $is_manager && $is_sensor ]]; then
+ check_requirements "standalone"
 elif [[ $is_fleet_standalone ]]; then
 check_requirements "dist" "fleet"
 elif [[ $is_sensor && ! $is_eval ]]; then
@@ -333,6 +333,8 @@ else
 FLEETNODEPASSWD1=$WEBPASSWD1
 fi
 
+if [[ $is_manager ]]; then whiptail_so_allow; fi
+
 whiptail_make_changes
 
 if [[ -n "$TURBO" ]]; then
@@ -367,7 +369,10 @@ if [[ $is_manager && ! $is_eval ]]; then
 add_soremote_user_manager >> $setup_log 2>&1
 fi
 
-set_main_ip >> $setup_log 2>&1
+{
+ set_main_ip;
+ set_redirect;
+} >> $setup_log 2>&1
 
 host_pillar >> $setup_log 2>&1
 
@@ -376,8 +381,6 @@ if [[ $is_minion ]]; then
 copy_ssh_key >> $setup_log 2>&1
 fi
 
-
-
 # Begin install
 {
 # Set initial percentage to 0
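Review bot: `" hivepassword: $WEBPASSWD1"` and `" cortexpassword: $WEBPASSWD1"` now interpolate an operator-chosen password into YAML unquoted, so a password containing `: `, ` #`, or a leading `'`, `"`, `{`, `[`, `*` or `&` produces an invalid or differently parsed static pillar, a failure mode the old fixed strings could not hit. Build a quoted scalar first, `yaml_pw=${WEBPASSWD1//\'/\'\'}` before the `printf`, and emit `" hivepassword: '$yaml_pw'"\` / `" cortexpassword: '$yaml_pw'"\` (single-quoted YAML only needs `'` doubled). Separately, one `$WEBUSER`/`$WEBPASSWD1` pair now backs the web interface, TheHive and Cortex (and Fleet, per the prompt text changed in so-whiptail), so this cleartext pillar value is the credential for every service; a comment here saying so, and a check that the pillar file is written with restrictive permissions (not shown in this hunk), would be appropriate.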
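Review bot: `set_redirect` carries no comment although it reads four globals (`REDIRECTINFO`, `MAINIP`, `HOSTNAME`, `REDIRECTHOST`) and writes a fifth, `REDIRECTIT`, that so-setup now relies on for the URL shown by `whiptail_setup_complete`; add a header such as `# Sets REDIRECTIT (host used in web-interface URLs) from REDIRECTINFO: MAINIP for 'IP', HOSTNAME for 'HOSTNAME', otherwise REDIRECTHOST.` The selector should be quoted, `case "$REDIRECTINFO" in`, as `whiptail_manager_updates` in so-whiptail does with its own `case`; this is the same body that the `@@ -939` hunk removes from `manager_pillar`, so nothing else changes.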
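Review bot: In the so-setup `@@ -165` hunk the eval install no longer has its own branch: `check_requirements "standalone"` is selected by `$is_manager && $is_sensor`, while the third branch still excludes `$is_eval`, so whether an eval install still gets the 12 GB / 2-NIC requirements now depends on whether the `install_type` block above the hunk sets both `is_manager` and `is_sensor` for EVAL. If it sets neither, eval falls through the rest of the chain below the hunk; please confirm, or make it explicit with `if [[ $is_eval || ($is_manager && $is_sensor) ]]; then`.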
@@ -622,16 +625,17 @@ success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}')
 if [[ $success != 0 ]]; then SO_ERROR=1; fi
 
 # evaluate success first so it doesn't check against the output of so-allow
-if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then
- IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1
-fi
-
 if [[ -n $SO_ERROR ]]; then
 SKIP_REBOOT=1
 whiptail_setup_failed
 else
 whiptail_setup_complete
- if [[ $THEHIVE == 1 ]]; then check_hive_init; fi
+ if [[ $THEHIVE == 1 ]]; then check_hive_init >> $setup_log 2>&1; fi
+fi
+
+if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then
+ echo "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}"
+ IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1
 fi
 
 install_cleanup >> $setup_log 2>&1
diff --git a/setup/so-variables b/setup/so-variables
index 1123562d9..07f7aa71b 100644
--- a/setup/so-variables
+++ b/setup/so-variables
@@ -28,7 +28,7 @@ mkdir -p /nsm
 filesystem_nsm=$(df /nsm | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }')
 export filesystem_nsm
 
-free_space_root=$(df -Pk / | sed 1d | grep -v used | awk '{ print $4 / 1048576 }' | awk '{ printf("%.0f", $1) }')
+free_space_root=$(df -Pk /nsm | sed 1d | grep -v used | awk '{ print $4 / 1048576 }' | awk '{ printf("%.0f", $1) }')
 export free_space_root
 
 mkdir -p /root/installtmp/pillar/minions
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 17a75504a..0650dd256 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -252,7 +252,8 @@ whiptail_create_web_user() {
 [ -n "$TESTING" ] && return
 
 WEBUSER=$(whiptail --title "Security Onion Install" --inputbox \
- "Please enter an email address to create an administrator account for the web interface." 10 60 3>&1 1>&2 2>&3)
+ "Please enter an email address to create an administrator account for the web interface. \
+ This will also be used for TheHive, Cortex, and Fleet" 10 60 3>&1 1>&2 2>&3)
 local exitstatus=$?
 
 whiptail_check_exitstatus $exitstatus
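Review bot: The so-allow call now runs after `whiptail_setup_complete`, so the operator is told "Access the web interface at …" before the firewall rule exists, and the exit status of `IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE` is still discarded with only the log recording a failure. At minimum surface it: `IP=$ALLOW_CIDR so-allow -"$ALLOW_ROLE" >> $setup_log 2>&1 || echo "so-allow failed; run so-allow after reboot (see $setup_log)" >&2`. `$ALLOW_CIDR` also reaches so-allow exactly as typed into the inputbox in `whiptail_so_allow`; so-allow's own validation is outside this diff, so whether a malformed value is rejected before the firewall state is applied cannot be confirmed here.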
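Review bot: `free_space_root` is now computed from `df -Pk /nsm` but keeps its name and export, so readers of `check_requirements` in so-functions, where it is compared with `req_storage`, will assume the root filesystem; either rename it together with its consumers or add `# free space of the filesystem backing /nsm (the root fs unless /nsm is a separate mount), in GB` above the assignment. `sed 1d | grep -v used` also looks redundant once the header line is gone, and the whole pipeline collapses to `df -Pk /nsm | awk 'NR==2 { printf("%.0f", $4 / 1048576) }'`.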
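Review bot: In the so-whiptail `@@ -252` hunk the backslash-newline inside the double-quoted inputbox text removes the newline but keeps the indentation of the continuation line, so the dialog shows a run of spaces before "This will also be used…" (its width is the indentation that this view has collapsed). Split it into two adjacent literals with no space between them instead: `"Please enter an email address to create an administrator account for the web interface. "\` followed by `"This will also be used for TheHive, Cortex, and Fleet" 10 60 3>&1 1>&2 2>&3)`, the same pattern the `printf '%s\n'\` argument lists in so-functions use.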
@@ -435,9 +436,7 @@ whiptail_homenet_sensor() {
 whiptail_check_exitstatus $exitstatus
 
 export HNSENSOR
-
 fi
-
 }
 
 whiptail_install_type() {
@@ -1028,7 +1027,21 @@ whiptail_setup_complete() {
 
 [ -n "$TESTING" ] && return
 
- whiptail --title "Security Onion Setup" --msgbox "Finished $install_type install. Press Ok to reboot." 8 75
+ if [[ -n $ALLOW_CIDR ]]; then
+ local sentence_prefix="Access"
+ else
+ local sentence_prefix="Run so-allow after reboot to access"
+ fi
+
+ read -r -d '' message <<- EOM
+ Finished ${install_type} install
+
+ ${sentence_prefix} the web interface at https://${REDIRECTIT}
+
+ Press ENTER to reboot
+ EOM
+
+ whiptail --title "Security Onion Setup" --msgbox "$message" 12 75
 }
 
 whiptail_setup_failed() {
@@ -1050,6 +1063,29 @@ whiptail_shard_count() {
 
 }
 
+whiptail_so_allow() {
+
+ [ -n "$TESTING" ] && return
+
+ whiptail --title "Security Onion Setup" \
+ --yesno "Do you want to run so-allow to allow access to the web tools?" \
+ 8 75
+
+ local exitstatus=$?
+
+ if [[ $exitstatus == 0 ]]; then
+ ALLOW_CIDR=$(whiptail --title "Security Onion Setup" \
+ --inputbox "Enter a single ip address or range (in CIDR notation) to allow" \
+ 10 75 3>&1 1>&2 2>&3)
+ local exitstatus=$?
+
+ export ALLOW_ROLE='a'
+ export ALLOW_CIDR
+ fi
+
+ whiptail_check_exitstatus $exitstatus
+}
+
 whiptail_strelka_rules() {
 
 [ -n "$TESTING" ] && return
@@ -1066,7 +1102,6 @@ whiptail_strelka_rules() {
 export STRELKARULES
 fi
 
-
 }
 
 whiptail_suricata_pins() {
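Review bot: In `whiptail_setup_complete`, `read -r -d '' message <<- EOM` returns 1 because the input ends without a NUL delimiter, so if this file runs under `set -e` or the caller checks the function's status the reboot message is never displayed; the usual form is `read -r -d '' message <<- EOM || true`. `<<-` strips leading tabs only, and the indentation is lost in this view, so please confirm the heredoc body and the closing `EOM` are tab-indented (a space-indented `EOM` is not recognised and the heredoc swallows the rest of the function). `local sentence_prefix` is declared in both branches; one `local sentence_prefix` before the `if` with plain assignments inside reads cleaner.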
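Review bot: In `whiptail_so_allow`, answering No to the `--yesno` leaves `exitstatus` at 1, and that value is still handed to `whiptail_check_exitstatus` after the `if`; unless that helper treats 1 as "continue" (its body is not in this diff), declining so-allow aborts setup exactly like Cancel, so the yes/no status should be consumed locally and only the inputbox status passed on. The inner `local exitstatus=$?` re-declares a variable already declared in the function; a plain `exitstatus=$?` is enough. `ALLOW_CIDR` is also exported to so-allow with no format check, so a typo is only discovered when the firewall state is applied from the setup log; a shape check with a re-prompt keeps the mistake inside the dialog. The rewrite below keeps the same exported variables and the same `TESTING` guard.
```shell
whiptail_so_allow() {
  # … unchanged: TESTING guard and the --yesno prompt …
  local exitstatus=$?
  # "No" (status 1) simply skips so-allow; Esc/other statuses go to the usual handler.
  if [[ $exitstatus == 1 ]]; then return; fi
  whiptail_check_exitstatus $exitstatus

  ALLOW_CIDR=$(whiptail --title "Security Onion Setup" \
    --inputbox "Enter a single ip address or range (in CIDR notation) to allow" \
    10 75 3>&1 1>&2 2>&3)
  exitstatus=$?
  whiptail_check_exitstatus $exitstatus

  # Accept a dotted-quad address with an optional /prefix; anything else is re-prompted.
  if [[ ! $ALLOW_CIDR =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]]; then
    whiptail --title "Security Onion Setup" --msgbox "Invalid address or range: ${ALLOW_CIDR}" 8 75
    whiptail_so_allow
    return
  fi

  export ALLOW_ROLE='a'
  export ALLOW_CIDR
}
```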
@@ -1098,17 +1133,17 @@ whiptail_manager_updates() {
 local update_string
 update_string=$(whiptail --title "Security Onion Setup" --radiolist \
 "How would you like to download OS package updates for your grid?:" 20 75 4 \
- "MANAGER" "Manager node is proxy for updates." ON \
+ "MANAGER" "Manager node is proxy for updates" ON \
 "OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 )
 local exitstatus=$?
 
 whiptail_check_exitstatus $exitstatus
 
 case "$update_string" in
 'MANAGER')
- MANAGERUPDATES='1'
+ export MANAGERUPDATES='1'
 ;;
 *)
- MANAGERUPDATES='0'
+ export MANAGERUPDATES='0'
 ;;
 esac