NX Series System Administration Guide

Release 7.6


FireEye and the FireEye logo are registered trademarks of FireEye, Inc. in the United States and other countries. All other trademarks are the property of their respective owners.

FireEye assumes no responsibility for any inaccuracies in this document. FireEye reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Copyright © 2015 FireEye, Inc. All rights reserved.

NX Series System Administration Guide

Release 7.6.1

Revision 1

FireEye Contact Information:

Website: www.fireeye.com

Support Email: [email protected]

Support Website: csportal.fireeye.com

Phone:

United States: 1.877.FIREEYE (1.877.347.3393)

United Kingdom: 44.203.106.4828

Other: 1.408.321.6300

CONTENTS

Preface 12
Before You Begin 13
CHAPTER 1: Getting Started 14
Deployment Modes 14
Management Path 14
FIPS 140-2 and Common Criteria Compliance 16
CHAPTER 2: Initial Configuration 17
Configuring Initial Settings Using the Serial Console Port 17
Using a Windows or Mac Laptop 18
Using a Linux System 18
Using a Terminal Server 19
Configuring Initial Settings Using the LCD Panel 19
Configuring Initial Settings Using a Keyboard and Monitor 20
Configuration Wizard Steps 21
Configuring the IPMI Interface 24
CHAPTER 3: User Interfaces 26
The Web UI 26
Browser Support 26
Screen Resolution Requirements 27
Logging in to the Web UI 27
NX Series Web UI Tabs 28
PDF Generation 28
The Dashboard 29

The Command Line Interface 29
The LCD Display 30
Navigating the LCD Menus 30
LCD Panel Menus 31
The IPMI Interface 33
CHAPTER 4: Operational Mode Configuration 36
Configuring Inline Mode Using the Web UI 36
Configuring Inline Mode Using the CLI 38
Configuring Inline Proxy Mode Using the Web UI 40
Configuring Inline Proxy Mode With One NX Series Appliance 40
Configuring Inline Proxy Mode With Two NX Series Appliances 41
Configuring Inline Proxy Mode Using the CLI 43
Configuring Inline Proxy Mode With One NX Series Appliance 44
Configuring Inline Proxy Mode With Two NX Series Appliances 45
Configuring Inline Multi-Proxy Mode Using the Web UI 46
Configuring Inline Multi-Proxy Mode With One NX Series Appliance 47
Configuring Inline Multi-Proxy Mode With Two NX Series Appliances 48
Configuring Inline Multi-Proxy Mode Using the CLI 50
Configuring Inline Multi-Proxy Mode With One NX Series Appliance 51
Configuring Inline Multi-Proxy Mode With Two NX Series Appliances 53
Configuring TAP Mode Using the Web UI 54
Configuring TAP Mode Using the CLI 55
Configuring Port Mirroring (SPAN) Mode Using the Web UI 56
Configuring Port Mirroring (SPAN) Mode Using the CLI 58
CHAPTER 5: Network Administration 60
Basic Network Configuration 60

Configuring Basic Network Settings Using the Web UI 61
Configuring Basic Network Settings Using the CLI 62
Updating the IPMI Firmware 62
Updating the IPMI Firmware Using the CLI 63
IP Filtering 64
Enabling IP Filtering Using the CLI 66
CHAPTER 6: The DTI Network 67
Introduction 67
Threat Intelligence 67
Automatic License Updates 68
System Health Monitoring and Software Updates 69
DTI Network Communication 69
Validating DTI Access 70
Validating DTI Access Using the Web UI 70
Validating DTI Access Using the CLI 71
Updating Security Content 72
Updating Security Content Using the Web UI 72
Updating Security Content Using the CLI 73
Configuring Automatic Security Updates 74
Configuring Automatic Security Content Updates Using the Web UI 74
Configuring Automatic Security Content Updates Using the CLI 75
Configuring Automatic System Information Updates 77
Configuring Automatic System Information Updates Using the Web UI 77
Configuring Automatic System Information Updates Using the CLI 78
Changing the Active DTI Source 79
Changing the Active DTI Source Using the Web UI 81

Changing the Active DTI Source Using the CLI 82
Overriding the Managed Appliance DTI Source 83
Overriding the Managed Appliance DTI Source Using the Web UI 83
Overriding the Managed Appliance DTI Source Using the CLI 84
Configuring DTI Credentials 86
Configuring DTI Credentials Using the CLI 86
CHAPTER 7: CM Series Platform Integration 87
Configuring Secure Shell (SSH) Authentication 87
Creating a Public Key Using the CLI 89
Configuring User Authentication Using the CLI 90
Obtaining a Host Key Using the Web UI 92
Obtaining a Host Key Using the CLI 93
Importing a Host Key into the Global Host-Keys Database Using the CLI 94
Enabling Strict and Global Host-Key Checking Using the CLI 96
Sending a Management Request to the CM Series Platform 98
Preparing an Appliance to Send a Management Request 98
Sending a Management Request Using the Web UI 99
Sending a Management Request Using the CLI 100
Changing the Address Type for DTI Network Service Requests 102
Configuring Single-Port CM Series Communication Using the CLI 103
CHAPTER 8: Setting Date and Time 105
Manual Time Configuration 105
Setting the Date and Time Using the Web UI 105
Setting the Date and Time Using the CLI 106
NTP Server Configuration 108
Configuring NTP Servers Using the Web UI 108
Configuring NTP Servers Using the CLI 109

Time Zone Configuration 110
Setting the Time Zone Using the Web UI 111
Setting the Time Zone Using the CLI 111
DTI Server Time Synchronization 112
CHAPTER 9: License Management 114
Automatic License Updates 115
How it Works 115
Enabling Automatic License Updates 116
Using the Licensing Service 117
Forcing License Updates 118
Manual License Installation 119
Installing Licenses Using the Web UI 119
Removing Licenses Using the Web UI 120
Installing Licenses Using the CLI 120
Removing Licenses Using the CLI 122
Viewing License Notifications Using the Web UI 123
CHAPTER 10: Upgrading Your Appliance 124
Upgrading the Appliance Using the Web UI 125
Select an Update Source 126
Check for Available Update Software 127
Download the Software 127
Install the Software Update 127
Reload or Refresh the Appliance 128
Validate the Software Updates 128
Upgrading the Appliance Using the CLI 128
Download and Install the Appliance Software Image 129
Restart the Appliance and Accept the EULA 129

Download Guest Images 130
Install Downloaded Guest Image Profiles 132
Verify the Upgrade 132
Configuring Auto-Mounting on a USB Device 133
Enabling or Disabling Auto-Mounting on a USB Device Using the CLI 133
Configuring HTTP Access to Install Guest Images Using the CLI 134
Mounting or Unmounting a USB Device Using the CLI 136
CHAPTER 11: Configuring SNMP 137
Retrieving SNMP Data 137
Configuring Access to SNMP Data 138
Downloading the MIB 138
Sending Requests for SNMP Information 140
Sending Traps 141
Enabling and Configuring Traps 141
Logging Trap Messages 142
CHAPTER 12: Customizing Login Messages 143
Customizing Login Messages Using the Web UI 144
Customizing Login Messages Using the CLI 146
CHAPTER 13: Configuring System Email Settings 148
Configuring the Mail Server 149
Configuring the Mail Server Using the Web UI 149
Configuring the Mail Server for Health Check Notifications Using the CLI 150
Configuring the Mail Server for Scheduled Reports Using the CLI 152
Adding and Removing Email Recipients 153
Adding and Removing Email Recipients Using the Web UI 154
Adding and Removing Email Recipients Using the CLI 155

Configuring System Events 157
Configuring System Event Notifications Using the Web UI 157
Configuring System Event Notifications Using the CLI 158
Configuring Auto Support for System Event Notifications 160
Configuring Auto Support for System Event Notifications Using the CLI 160
CHAPTER 14: Managing Logs 162
Managing Logs Using the Web UI 162
Managing Logs Using the CLI 163
CHAPTER 15: System Health and Performance 166
Checking System Health and Status 167
Checking System Health Using the Web UI 167
Checking System Health Using the CLI 170
Deployment Verification 174
Checking DTI Services Using the Web UI 174
Checking Alert Detection 175
Checking Network Deployment 179
Utilization and Performance Checks 187
Viewing Utilization Statistics Using the Web UI 188
Viewing Utilization Statistics Using the CLI 189
CHAPTER 16: AAA 190
Authentication 191
User Accounts 192
Managing Your Own Account 195
Local Access Control 199
Configuring Password Validation Policies 200
Configuring Password Change Policies 207

Defining the Authentication Order 212
Local Overrides of Remote User Mappings 213
Mapping Remote Users to Default Local Users 214
Configuring a RADIUS Server 215
Configuring a TACACS+ Server 216
LDAP Server Configuration 217
Example: Configuring Authentication 220
Authorization 221
Roles 221
Capabilities 222
Assigning Roles Using the Web UI 228
Assigning Roles Using the CLI 228
Accounting 229
Managing Audit Logs 230
CHAPTER 17: Certificate Management 232
System Self-Signed Server Certificate 232
HTTPS Server Certificates 232
Certificate Authority (CA) Client Certificates 232
Viewing Certificates 232
Viewing Certificates Using the Web UI 233
Viewing Certificates Using the CLI 235
Regenerating the System Self-Signed Certificate 239
Regenerating the System Self-Signed Certificate Using the Web UI 239
Regenerating the System Self-Signed Certificate Using the CLI 240
Managing HTTPS Certificates 241
Managing HTTPS Certificates Using the Web UI 242
Managing Named Certificates Using the CLI 243

Downloading Certificates 247
Downloading a Certificate Using the CLI 248
Activating Named Certificates 248
Activating Named Certificates Using the Web UI 249
Activating Named Certificates Using the CLI 249
Defining Default Certificate Attributes 250
Certificate Attributes 251
Defining Default Certificate Attributes Using the CLI 252
Adding Supplemental CA Certificates 254
Adding Supplemental CA Certificates Using the Web UI 254
Adding Supplemental CA Certificates Using the CLI 255
Renaming a Certificate 256
Renaming a Certificate Using the CLI 257
Improving Certificate Security 257
Improving Certificate Security Using the CLI 258
CHAPTER 18: Backing Up and Restoring the Appliance Database 259
Database Backup and Restore Introduction 259
Viewing the Last Backup and Restore Results 260
Viewing the Last Backup and Restore Results Using the Web UI 261
Viewing the Last Backup and Restore Results Using the CLI 261
Estimating the Space Needed for the Backup File 262
Estimating the Space Needed for the Backup File Using the Web UI 262
Estimating the Space Needed for the Backup File Using the CLI 263
Backing Up the Database 263
Backing Up the Appliance Database Using the Web UI 264
Backing Up the Database Using the CLI 265

Scheduling Automatic Backups 267
Scheduling Automatic Backups Using the CLI 267
Downloading Backup Files 271
Downloading Backup Files Using the Web UI 271
Uploading Backup Files 271
Uploading Backup Files Using the Web UI 272
Restoring the Database from a Backup File 272
Usage Guidelines for Restoring the Database 273
Restoring the Database from a Backup File Using the Web UI 273
Restoring the Database from a Backup File Using the CLI 274
Deleting Previous Backup Files 276
Deleting Previous Backup Files Using the Web UI 276
Deleting Previous Backup Files Using the CLI 277
CHAPTER 19: Configuring Network Address Translation (NAT) 278
Address Mapping 278
CM Series Platform Initiates Connection 279
Appliance Initiates Connection 281
Configuring and Activating an Accessible DTI Server Address 284
Configuring and Activating an Accessible DTI Server Address Using the CLI 285
Switching to Single-Port or Dual-Port Communication in a NAT Deployment 287
Sending a Management Request in a NAT Deployment 289
Preparing an Appliance to Send a Management Request in a NAT Deployment 290
Sending a Management Request in a NAT Deployment Using the Appliance Web UI 291
Sending a Management Request in a NAT Deployment Using the Appliance CLI 292
Configuring Global Host-Key Authentication in a NAT Deployment 295
GLOSSARY 297
INDEX 304

Preface

This guide provides an overview of the FireEye NX Series appliance and describes how to use both the Web user interface (Web UI) and the command-line interface (CLI) to configure and manage the appliance's network administration features. It is intended for system administrators responsible for deploying, operating, and maintaining the appliance.

The NX Series Threat Management Guide is intended for security and forensics analysts. It describes how to configure analysis policies, view analysis results, and generate reports.

These guides are also intended for security and information technology (IT) managers and personnel interested in learning more about FireEye technologies.

Before You Begin

Before you configure the appliance:

• Read the Release Notes for the current release.
• Collect the following information from your network administrator:
  • Static IP address, subnet mask, and default gateway address for the appliance management interface. (You do not need this information if Dynamic Host Configuration Protocol (DHCP) will be used on the management interface.)
  • IP address for each Domain Name System (DNS) server (if DNS name resolution will be used).
  • IP address for each Network Time Protocol (NTP) server (if NTP synchronization will be used).
• Telnet or SSH client on the remote system (if the appliance will be managed remotely).

CHAPTER 1: Getting Started

Advanced targeted attacks use the Internet as a primary threat vector to compromise key systems, perform reconnaissance on existing defenses, establish long-term control and access to networked systems, and extract data. The FireEye NX Series appliance stops Web-based attacks that traditional and next-generation firewalls (NGFW), IPS, AV, and Web gateways miss. The NX Series appliance protects against zero-day Web exploits and multi-protocol callbacks to keep sensitive data and systems safe.

Deployment Modes

You can deploy the NX Series appliance on your network in either inline mode or out-of-band mode. Each mode provides various options and offers specific costs and benefits. FireEye strongly recommends using one of the inline deployment modes. An appliance deployed inline can automatically block attacks and callbacks to Command and Control (CnC) servers. With inline deployment, recovering from a malware attack is faster and less resource-intensive. For information about deploying the NX Series appliance in your network, see the NX Series Hardware Administration Guide for your appliance model and Operational Mode Configuration on page 36.

Management Path

FireEye appliances can download security content and software updates from the FireEye Dynamic Threat Intelligence (DTI) network. With a two-way content license, the appliance can also upload threat intelligence information to the DTI network.

CM Series Platforms and Standalone Appliances That Receive DTI Updates

The CM Series platform and standalone appliances use the ether1 port to communicate with the DTI network. In the default configuration, where you receive updates from the DTI network (cloud.fireeye.com), allow outbound access to all IP addresses on the following ports:

• DNS (UDP/53)
• HTTPS (TCP/443)

Management interface ether1 requires a static IP address or reserved DHCP address and subnet mask.

Appliances That Restrict Outbound Access to Certain IP Addresses

If your security policy requires that you restrict outbound access to certain IP addresses, you cannot use the DTI network. Instead, point to staticcloud.fireeye.com for DTI updates, and allow access to the *.incapdns.net domain.

To configure and access staticcloud.fireeye.com:

1. Enter the following command from the appliance CLI:

   hostname (config) # fenet dti source default DTI

2. Add the following block of IP addresses to the firewall:

   • 199.16.196.0/22

To allow access to *.incapdns.net:

1. Allow access to the *.incapdns.net domain at the proxy device.
2. Add the following blocks of IP addresses to the firewall:

   • 199.83.128.0/21
   • 198.143.32.0/19
   • 149.126.72.0/21
   • 103.28.248.0/22
   • 45.64.64.0/22
   • 185.11.124.0/22
   • 192.230.64.0/18
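Both outbound policies above (the management-interface ports DNS UDP/53 and HTTPS TCP/443, and the restricted variant limited to the staticcloud.fireeye.com and *.incapdns.net blocks) can be verified against observed flows before the firewall change goes live. The following Python is an added example, not FireEye code: it encodes the restricted policy with the blocks listed above and checks constructed flow records against it; the resolver address and the `dst=... proto=... dport=...` record format are assumptions.

```python
import ipaddress
import re

# Destination blocks listed in the guide for a restricted-outbound deployment:
# staticcloud.fireeye.com first, then the *.incapdns.net blocks.
STATICCLOUD_BLOCKS = ["199.16.196.0/22"]
INCAPDNS_BLOCKS = [
    "199.83.128.0/21", "198.143.32.0/19", "149.126.72.0/21", "103.28.248.0/22",
    "45.64.64.0/22", "185.11.124.0/22", "192.230.64.0/18",
]
# Assumed resolver address (constructed; the guide says to collect the real
# DNS server addresses from your network administrator before you begin).
DNS_SERVERS = ["10.0.0.53"]

HTTPS_ALLOWLIST = [ipaddress.ip_network(b) for b in STATICCLOUD_BLOCKS + INCAPDNS_BLOCKS]
DNS_ALLOWLIST = [ipaddress.ip_network(a) for a in DNS_SERVERS]


def egress_allowed(dst_ip, proto, dport):
    """Decide whether a flow from ether1 fits the restricted policy: HTTPS (TCP/443)
    only to the listed blocks and DNS (UDP/53) only to the configured resolvers.
    Every other outbound service is denied."""
    addr = ipaddress.ip_address(dst_ip)
    proto = proto.lower()
    if proto == "tcp" and dport == 443:
        return any(addr in net for net in HTTPS_ALLOWLIST)
    if proto == "udp" and dport == 53:
        return any(addr in net for net in DNS_ALLOWLIST)
    return False


FLOW_RE = re.compile(r"dst=(\S+)\s+proto=(\w+)\s+dport=(\d+)")


def audit_flows(lines):
    """Return the (dst, proto, dport) flows in `lines` that the policy would block.
    Input lines are constructed firewall-log style records; lines that do not
    carry a dst/proto/dport triple are ignored."""
    violations = []
    for line in lines:
        match = FLOW_RE.search(line)
        if not match:
            continue
        dst, proto, dport = match.group(1), match.group(2), int(match.group(3))
        if not egress_allowed(dst, proto, dport):
            violations.append((dst, proto, dport))
    return violations


# Constructed sample of outbound flows observed on the management interface.
SAMPLE_FLOWS = [
    "dst=199.16.197.10 proto=tcp dport=443",  # inside 199.16.196.0/22: allowed
    "dst=192.230.100.5 proto=tcp dport=443",  # inside 192.230.64.0/18: allowed
    "dst=10.0.0.53 proto=udp dport=53",       # configured resolver: allowed
    "dst=192.0.2.53 proto=udp dport=53",      # resolver not on the list: flagged
    "dst=199.16.200.1 proto=tcp dport=443",   # just past 199.16.199.255: flagged
    "dst=199.16.197.10 proto=tcp dport=80",   # plain HTTP is not in the policy: flagged
    "kernel: link up on ether1",              # not a flow record: ignored
]

if __name__ == "__main__":
    for flow in audit_flows(SAMPLE_FLOWS):
        print("not permitted by the documented policy:", flow)
```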

Appliances with Domain-based Proxy ACL Rules

If your configuration includes domain-based proxy ACL rules, allow access to *.fireeye.com.

Appliances Connected to the CM Series Platform

For appliances connected to the CM Series platform, use only a static IP address and subnet mask. The appliance should use the ether1 port to communicate with the CM Series platform. Do not use ZeroConf on the primary interface.

To enable IPv6 routing for the management network, use the Configuration Wizard or see the FireEye CLI Reference for information about the ipv6 enable command, interface ipv6 command, or the configuration jump-start command.

Integrated CM Communications Protocol and Port Configurations

Establish SSH connectivity from the CM Series platform to each managed appliance. See the Hardware Administration Guide for details about the port and protocol configuration.

FIPS 140-2 and Common Criteria Compliance

Use the Settings: Compliance page to configure compliance features. For details and for information about how to display the page, see the FIPS 140-2 and Common Criteria Addendum.

CHAPTER 2: Initial Configuration

The management interface is the port through which the appliance is managed and administered. It is also the port through which integration of the CM Series platform and a managed appliance is managed. With the single-port address type (described in Changing the Address Type for DTI Network Service Requests on page 102), the management interface is also the port through which a managed appliance requests and downloads software updates from the DTI network.

Initial settings need to be configured to set up the management interface, and to allow access to the network, change the default administrator password, and so on. The following initial configuration methods are available:

• Serial console port—You can connect a Windows or Mac laptop, a Linux system, or a terminal server to the serial port on the back of the appliance to log in to the CLI and configure the initial settings. See Configuring Initial Settings Using the Serial Console Port below.
• LCD panel—A liquid-crystal display (LCD) panel on the front of most appliance models has navigation buttons and menus you use to select initial settings. See Configuring Initial Settings Using the LCD Panel on page 19.
• KVM and VGA monitor—You can use a keyboard, mouse, and VGA monitor connected directly to the appliance to log in to the CLI and configure the initial settings. See Configuring Initial Settings Using a Keyboard and Monitor on page 20.

Configuring Initial Settings Using the Serial Console Port

It is recommended that you use the serial console port for the initial configuration. If you are not using a terminal server, you need to be physically near the appliance to use the serial port. The serial port is on the back of the appliance. See your Hardware Administration Guide to view the port location.

The serial port uses the following settings:

• Baud rate: 115200
• Data bits: 8
• Stop bits: 1
• Parity: None
• Flow control: XON/XOFF

You can access the serial port and configure initial settings as described in the following topics:

• Using a Windows or Mac Laptop below
• Using a Linux System below
• Using a Terminal Server on the facing page

Using a Windows or Mac Laptop

Because laptops do not usually have a serial port, you need a USB-to-serial cable to connect the laptop to the serial port (DB-9) of the appliance. FireEye uses Prolific Technology Inc. adapters.

To configure initial settings from a Windows or Mac laptop:

1. Connect the cable to the serial port of the appliance and the USB port on the laptop.
2. Use a serial application (such as PuTTY) to establish a connection. Specify the COM port assigned to the USB-to-serial cable.
3. When prompted, enter the default username (admin) and password (admin) for the administrator.
4. You are asked to accept the End User License Agreement (EULA). Enter y to accept the terms of the agreement.
5. Enter y when you are prompted to use the Configuration Wizard for initial configuration. Then respond to the prompts as described in Configuration Wizard Steps on page 21.
6. After you answer the questions, the wizard summarizes your answers. To change an answer, enter the step number. Press Enter to save changes.

Using a Linux System

You can use a serial cable or a USB-to-serial cable to connect the Linux machine to the serial port of the appliance. FireEye uses Prolific Technology Inc. adapters.

To configure initial settings from a Linux system:

1. Connect the cable to the serial port of the appliance and to the Linux machine.
2. From a command prompt, establish a connection. If you are using a USB-to-serial cable, specify the COM port assigned to it.
3. When prompted, enter the default username (admin) and password (admin) for the administrator.
4. You are asked to accept the End User License Agreement (EULA). Enter y to accept the terms of the agreement.
5. Enter y when you are prompted to use the Configuration Wizard for initial configuration. Then respond to the prompts as described in Configuration Wizard Steps on page 21.
6. After you answer the questions, the wizard summarizes your answers. To change an answer, enter the step number. Press Enter to save changes.

Using a Terminal Server

To configure initial settings from a terminal server:

1. Set the terminal server to a baud rate of 115200.
2. Plug one end of a serial cord into the serial port (DB-9) on the appliance and plug the other end into the terminal server.
3. In a Telnet application (such as PuTTY), enter the host name or terminal server IP address, the terminal server port number that the appliance is using, and the appliance port number.
4. When prompted, enter the default username (admin) and password (admin) for the administrator.
5. You are asked to accept the End User License Agreement (EULA). Enter y to accept the terms of the agreement.
6. Enter y when you are prompted to use the Configuration Wizard for initial configuration. Then respond to the prompts as described in Configuration Wizard Steps on page 21.
7. After you answer the questions, the wizard summarizes your answers. To change an answer, enter the step number. Press Enter to save changes.

Configuring Initial Settings Using the LCD Panel

An LCD panel is available on the front of most appliance models.

To configure initial settings from the LCD panel:

1. Press the center button to access the Network menu and respond to the prompts:
   a. Hostname—Specify the hostname for the system.
   b. DHCP enabled—Enter yes to use dynamic host configuration protocol (DHCP). Enter no to manually configure your IP address and network settings. If you entered yes, proceed to the IPv6 enabled step.
   c. Static IP address—Enter the IP address for the Ethernet 1 (management interface) port.
   d. Netmask—Enter the network mask.
   e. Default gateway—Enter the gateway IP address for the management interface.
   f. Primary DNS—Enter the primary DNS server IP address.
   g. Domain name—Enter the domain name for the management interface; for example, it.acme.com.
   h. IPv6 enabled—Enter "yes" to enable IPv6 protocol, which changes network IP routing from IPv4 to IPv6. If you enter "no," proceed to the Admin net login step.
   i. SLAAC enabled—Enter "yes" to enable IPv6 autoconfig on the ether1 (management interface) port.
   j. Admin net login—Enter "yes" to enable the administrator to log in to the system remotely. Enter "no" to disable remote access.
2. Press the left or right arrow button until you reach the LCD menu. At the Password prompt, enter a password used to access the LCD panel. (This is not the password used to access the appliance Web UI or CLI.)
3. Press the left or right arrow button until you reach the Config Options menu. At the Reset admin password prompt:
   a. Press the center button to reset the password used by the permanent admin user to log in to the appliance CLI or Web UI. (This is not the password used to access the LCD panel.)
   b. A randomly generated password is displayed. After you memorize it, press the center or exit button to dismiss the display.

After the initial configuration, you can change to a password of your choice using the appliance Web UI or CLI.

Configuring Initial Settings Using a Keyboard and Monitor

You can connect keyboard, video, and mouse (KVM) cables to the appliance and then log in to the appliance CLI to perform the initial configuration. See your Hardware Administration Guide to view the port locations.

To configure initial settings using a keyboard and monitor:

1. Plug in a VGA monitor and a keyboard.
2. When prompted, enter the default username (admin) and password (admin) for the permanent "admin" user.
3. You are asked to accept the End User License Agreement (EULA). Enter y to accept the terms of the agreement.
4. Enter y when you are prompted to use the Configuration Wizard for initial configuration. Then respond to the prompts as described in Configuration Wizard Steps below.
5. After you answer the questions, the wizard summarizes your answers. To change an answer, enter the step number. Press Enter to save changes.

Configuration Wizard Steps

The configuration wizard is typically used to perform the initial configuration of the system. See Initial Configuration on page 17 for information about running the wizard before the management interface is configured. After the management interface is configured, an administrator can use the configuration jump-start CLI command to run the wizard.

The following table describes the questions the configuration wizard prompts you to answer as it moves through the wizard steps. As noted in the table, the wizard skips some steps based on your answers to previous steps.

Press CTRL+C to exit the configuration wizard.

Step Response

Hostname? Enter the hostname for the appliance.

Admin password? Enter a new administrator password. The new password must be from 8–32characters. If you do not change the password, the administrator will be unable to login to the appliance.

Confirm adminpassword?

Re-enter the new administrator password.

Enable remote accessfor ‘admin’ user?

Enter yes to enable the administrator to log in to the appliance remotely. Enter no todisable remote access.

Use DHCP on ether1interface?

Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure theappliance IP address and other network parameters. Enter no to manually configureyour IP address and network settings. (If you enter yes, the zeroconf and staticIP addressing steps are skipped.)

Use zeroconf onether1 interface?

Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a staticIP address and network mask. (If you specify yes, the next step is skipped.)NOTE: Do not use zeroconf on the primary interface.

Primary IP address Enter the IP address for the management interface in A.B.C.D format and enter the

© 2015 FireEye 21

Page 24: NX_SAG_7.6.0

Step Response

and masklen? network mask, for example: 1.1.1.2/12.

Default gateway? Enter the gateway IP address for the management interface.

Primary DNS server? Enter the IP address of the DNS server.

Domain name? Enter the domain for the management interface; for example: it.acme.com.

Enable IncidentResponse orCompromiseAssessment? *

Enter yes to configure an Incident Response or Compromise Assessmentdeployment. (If you enter yes, the next four steps are performed automatically, andthe "Enable NTP?" and "Enable IPv6?" steps are skipped.)

Enable fenet service? Enter yes to enable access to the DTI network. (If you enter no, the next three stepsare skipped.)

Enable fenet licenseupdate service?

Enter yes to enable the licensing service to automatically download your licensesfrom the DTI network and install them.

Sync appliance timewith fenet?

Enter yes to synchronize the appliance time with the DTI server time. If you enabledthe licensing service, synchronization prevents a feature from being temporarilyunlicensed due to a time gap. The wizard makes three attempts to perform this stepbefore it gives up and moves to the next step.

Update licenses fromfenet?

Enter yes to download and install your licenses. The wizard makes three attempts toperform this step before giving up and moving on to the next step.

Enable NTP? Enter yes to enable automatic time synchronization with one or more Network TimeProtocol (NTP) servers. Enter no to manually set the time and date on the appliance.(This step is skipped if you entered yes in the "Sync appliance time with fenet?" or"Enable Incident Response or Compromise Assessment?" step.)

Enable FaaS VPN? * Enter yes to enable the appliance to connect to FireEye as a Service over theInternet using a secure SSL VPN connection. (This step is skipped if no MD_ACCESS license is installed. This step is performed automatically if you entered yesin the "Enable Incident Response or Compromise Assessment?" step.)

Set time(<hh>:<mm>:<ss>)?

Enter the appliance time. (This step and the next step are skipped if you entered yesin the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Set date(<yyyy>/<mm>/<dd>)?

Enter the appliance date.

Enable IPv6? Enter yes to enable IPv6 protocol, which changes network IP routing from IPv4 toIPv6. (This step and the next two steps are skipped if you entered yes in the "Enable

System Administration Guide CHAPTER 2: Initial Configuration

22 © 2015 FireEye

Page 25: NX_SAG_7.6.0

Release 7.6 ConfigurationWizard Steps

Step Response

Incident Response or Compromise Assessment?" step. This step and the next twosteps will be automatically performed if you entered yes in the “Enable FaaS VPN”step.)

Enable IPv6 autoconfig (SLAAC) on ether1 interface?

Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you entered no in the "Enable IPv6?" step.)

Enable DHCPv6 on ether1 interface?

Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the "Enable DHCP?" or "Enable IPv6?" step.)

Mirror traffic to a PX appliance? *

Enter yes to use port mirroring to forward NX Series traffic to the PX Series appliance in an Incident Response deployment. If you enter no, you must manually configure your PX Series appliance to receive the proper traffic. (This step is skipped if you entered no in the "Enable Incident Response or Compromise Assessment?" step.)

IMPORTANT: FireEye recommends using port mirroring in an Incident Response deployment.

Interface pair to mirror traffic to PX? *

Enter the NX Series interface pair or pairs whose traffic will be forwarded to the PX Series appliance.

If multiple mirror ports are already configured, this step and the next step are skipped. If a single mirror port is already configured for one or more pairs, that pair or pairs are provided as the default for this step.

IMPORTANT: FireEye recommends using the default pair (A) if you are configuring a new appliance. Otherwise, manual configuration steps may be required.

Interface to mirror traffic to PX? *

Enter the NX Series port that will forward the traffic to the PX Series capture port. Do not specify a port that belongs to an interface pair you entered in the previous step.

If a single mirror port is already configured, it is provided as the default for this step.

IMPORTANT: FireEye recommends using the default port (pether6) if you are configuring a new appliance. Otherwise, manual configuration steps may be required.

Enable forensic analysis? *

Enter yes to perform full packet capture and analysis on the mirrored traffic.

IP address of PX *

Enter the IP address of the PX Series appliance. (This step is skipped if you entered no in the "Enable forensic analysis?" step.)

Product license key?

Enter the product license key you obtained from FireEye, or press Enter to install a 15-day evaluation license. (This step and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and if licenses were successfully installed as a result.)

Security-content updates key?

Enter the security-content license key you obtained from FireEye, or press Enter to skip this step and install the license later.

A support license is also required for the appliance software. See License Management on page 114 for details.

* This step is included in NX Series Release 7.6.1 and later.

Configuring the IPMI Interface

Use the commands in this section to configure the IPMI interface. See The IPMI Interface on page 33 for information about using the IPMI interface after it is configured.

To configure the IPMI port:

1. Plug one end of an Ethernet cable into the IPMI port and the other end into an administrative computer or terminal server.

2. If you want to configure a static IP address for the IPMI interface, do the following:

   a. Log in to the appliance CLI.

   b. Enable the CLI configuration mode:

      hostname > enable
      hostname # configure terminal

   c. If DHCP was previously configured for IPMI, change to the static method:

      hostname (config) # ipmi lan ipsrc static

   d. Configure the IP address for the IPMI interface:

      hostname (config) # ipmi lan ipaddr ipAddress

   e. Configure the netmask for the IPMI interface:

      hostname (config) # ipmi lan netmask netmask

   f. Configure the default gateway for the IPMI interface:

      hostname (config) # ipmi lan defgw ipAddress


3. If you want to configure DHCP:

   a. Make sure that DHCP is enabled on your network:

      hostname (config) # show ip dhcp

   b. Enable DHCP:

      hostname (config) # ipmi lan ipsrc dhcp

4. By default, the username used to log in to the IPMI Web UI is ADMIN. Configure the password:

   hostname (config) # ipmi user set password password

5. Save your changes:

   hostname (config) # write memory

To view the IPMI configuration:

1. Enter the CLI enable mode:

   hostname > enable

2. Display the configuration. For example:

   hostname # show ipmi interface
   IPMI LAN Settings
   ----------------------------------------
   Admin Shut Down    : no
   Shut Down          : no
   IP Address Source  : Static Address
   IP Address         : 192.168.42.27
   Subnet Mask        : 0.0.0.0
   Default Gateway IP : 0.0.0.0

To revert to the default configuration:

1. Enter the CLI configuration mode:

   hostname > enable
   hostname # configure terminal

2. Revert to the default configuration:

   hostname (config) # ipmi lan ipsrc static

3. Save your changes:

   hostname (config) # write memory

It is important to use the latest IPMI firmware available for your system. For details, see Updating the IPMI Firmware on page 62.
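The `show ipmi interface` output above is the only place the appliance tells you whether the out-of-band interface is actually reachable, and the guide's own sample shows a static address with a 0.0.0.0 subnet mask and gateway, which is an incomplete configuration. The following script, an added example that is not FireEye code, parses that output and reports such gaps. The sample output is constructed in the format the guide shows; the "DHCP" wording for a DHCP-sourced address is an assumption, because the guide only shows the static case.

```python
"""Audit the IPMI LAN settings printed by the NX CLI `show ipmi interface` command.

Added example, not FireEye code. It parses the "key : value" lines the guide
shows and reports settings that would leave the IPMI interface unreachable.
"""
import ipaddress

# Constructed sample in the layout the guide prints (note the unset mask/gateway).
SAMPLE_OUTPUT = """\
IPMI LAN Settings
----------------------------------------
Admin Shut Down    : no
Shut Down          : no
IP Address Source  : Static Address
IP Address         : 192.168.42.27
Subnet Mask        : 0.0.0.0
Default Gateway IP : 0.0.0.0
"""

ADDRESS_FIELDS = ("IP Address", "Subnet Mask", "Default Gateway IP")
UNSET = ipaddress.IPv4Address("0.0.0.0")  # what the appliance prints for "never set"


def parse_ipmi_settings(text):
    """Return the 'key : value' pairs as a dict; title and ruler lines are skipped."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit_ipmi_settings(settings):
    """Return a list of findings for the parsed settings; an empty list means OK."""
    findings = []
    if settings.get("Admin Shut Down", "no").lower() == "yes":
        findings.append("IPMI LAN interface is administratively shut down")

    source = settings.get("IP Address Source", "")
    is_static = source.startswith("Static")
    is_dhcp = "DHCP" in source  # assumed wording; the guide only shows "Static Address"
    if not (is_static or is_dhcp):
        findings.append(f"unrecognized IP Address Source: {source!r}")

    # Every address field must at least parse as an IPv4 address.
    parsed = {}
    for field in ADDRESS_FIELDS:
        raw = settings.get(field, "")
        try:
            parsed[field] = ipaddress.IPv4Address(raw)
        except ValueError:
            parsed[field] = None
            findings.append(f"{field} is not a valid IPv4 address: {raw!r}")

    if is_static:
        # A static interface needs all three values; 0.0.0.0 means one was skipped.
        for field in ADDRESS_FIELDS:
            if parsed[field] == UNSET:
                findings.append(f"static configuration incomplete: {field} is 0.0.0.0")
        ip, mask, gw = (parsed[f] for f in ADDRESS_FIELDS)
        if None not in (ip, mask, gw) and UNSET not in (ip, mask, gw):
            try:
                network = ipaddress.IPv4Network((ip, str(mask)), strict=False)
            except ValueError:
                findings.append(f"Subnet Mask {mask} is not a valid netmask")
            else:
                if gw not in network:
                    findings.append(f"Default Gateway IP {gw} is not on the subnet {network}")
    return findings


if __name__ == "__main__":
    for finding in audit_ipmi_settings(parse_ipmi_settings(SAMPLE_OUTPUT)):
        print("FINDING:", finding)
```

Run it against the text pasted from the appliance CLI; the guide's sample yields two findings (mask and gateway unset), and a complete static configuration whose gateway lies on the configured subnet yields none.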


CHAPTER 3: User Interfaces

Before you begin to set up the appliance on your network, you should first take the time to familiarize yourself with the basic user interfaces.

There are four user interfaces available on the appliance:

• Web UI—A Web based UI used to configure and manage the appliance. For details, see:

  • The Web UI below

  • The Dashboard on page 29

• CLI—A Command Line Interface used to configure and manage the appliance. For details, see The Command Line Interface on page 29.

• LCD Display—The LCD display and associated controls can be used to initially set up the appliance. It can also be used to check system status and make certain configuration changes. For details, see The LCD Display on page 30.

• IPMI Interface—The IPMI Interface allows you to access the appliance and perform recovery activities in the event that it becomes unresponsive. For details, see The IPMI Interface on page 33.

The Web UI

The appliance Web UI uses HTTPS to provide a secure connection for configuring the appliance. The Web UI functions you have access to depend on the privileges granted by your role.

You access the Web UI by directing a Web browser to the management port's IP address or hostname using HTTPS. The IP address and hostname are set during the initial configuration of the appliance. The hostname must be resolved by a DNS server if you use it to access the Web UI.

Browser Support

Use one of the following browsers on the computer from which you plan to access the Web UI:


• Internet Explorer 9.0 or higher on current versions of Windows

• Firefox 15 or higher on current versions of Windows and Mac

• Google Chrome 13.0 or higher on current versions of Windows and Mac

Screen Resolution Requirements

The Web UI supports the following screen resolutions:

• 1152 x 864 pixels
• 1280 x 800 pixels
• 1280 x 1024 pixels
• 1360 x 768 pixels
• 1366 x 768 pixels
• 1440 x 900 pixels
• 1600 x 900 pixels
• 1680 x 1050 pixels
• 1920 x 1080 pixels
• 1920 x 1200 pixels

Logging in to the Web UI

The user name for the default administrator is admin. The default password (admin) must be changed to a password of 8 to 32 characters before this user can log in to the Web UI and create other users. If this has not been done, see Initial Appliance Configuration for instructions.

To log in to the Web UI:

1. Open a Web browser and enter https://appliance in the address line, where appliance is the IP address or hostname of the appliance. For example, if the configured IP address of the appliance is 10.1.0.1, enter https://10.1.0.1.

2. On the login page, enter the user name and password your administrator provided.


NX Series Web UI Tabs

This section describes the NX Series Web UI tabs.

• Dashboard—Shows a high-level view of the threat intelligence gathered by the NX Series appliance. Within many panels on the Dashboard, you can click blue buttons and text links to drill down to critical threat information affecting your network.

• Alerts—Provides expandable levels of detailed information about the hosts that are infected in the network, callback activity (botnet servers), and malware attacks.

• IPS Events—Displays all IPS events and IPS alerts (MVX-correlated IPS events) detected by the IPS-enabled appliance.

• Summaries—Displays summaries of observed infections, malware, charts, and Web analysis priorities.

• Filters—Allows you to filter events based on source and target IP addresses, date, and occurrence range. These filters allow you to simplify the event listing by showing only the events of interest on the Alerts and Summaries pages.

• Settings—Provides options for configuring the appliance.

• Reports—Allows you to generate or schedule consolidated executive summary reports, callback server reports, infected host trends reports, alert details reports, and malware activity reports.

• About—Network administration information and controls:

  ◦ Health Check—Displays appliance and system health information.

  ◦ Deployment Check—Provides network connectivity, detection verification, and network deployment checks.

  ◦ Log Manager—Allows you to create, download, upload, and delete log archives.

  ◦ Update—Allows you to view and update security content, software image, and guest images versions.

PDF Generation

Some Web UI pages, such as those that display analysis results, have a Print PDF button at the top right side of the page that allows you to save the content of the page to PDF so it can be printed or saved. Only the content that is visible on the page is included in the PDF output. For example, if an item on the page is not expanded, the details about that item are not displayed and will not be included in the PDF output. Depending on your Web browser settings, the generated PDF opens in the Web browser or is downloaded to your computer.


The amount of time needed to generate the PDF depends on the current load on the system. By default, the system will try to generate the PDF using Standard Processing Time, the fastest way possible. If the PDF generation times out, you can try again using other options by clicking the arrow on the button and then selecting Extra Processing Time or Heavy Processing Time, where heavy processing time takes the longest.

The Dashboard

The Dashboard page of the NX Series Web UI provides a high-level view of the threat intelligence gathered by the appliance. Within many panels on the Dashboard, you can click blue buttons and text links to drill down to critical threat information affecting your network.

For details about the Dashboard, see the NX Series Threat Management Guide.

The Command Line Interface

The appliance includes a standard command-line interface (CLI) that can be used to configure, manage, and monitor the appliance.

To log in to the CLI using a terminal window or SSH client:

1. Using the SSH protocol, log in to the appliance using the management interface's IP address or hostname:

   $ ssh username@ipAddress | hostName

2. When prompted, enter your password.

   Password: password

The hostname > prompt is displayed after you are logged in.


The LCD Display

An LCD panel is available on the front of most appliance models. You can perform the initial configuration of the appliance using the LCD panel, as described in Configuring Initial Settings Using the LCD Panel on page 19. You can use the LCD panel to perform other basic configuration tasks as well.

Navigating the LCD Menus

The following illustration of the LCD panel shows how to use the navigation buttons to configure settings. For details about the menus, see LCD Panel Menus on the next page.

On some models, you need to remove the front panel to access the LCD panel navigation buttons.

To remove the front panel:

1. Unscrew the front panel to unlatch it.


2. Remove the front panel.

LCD Panel Menus

The LCD panel has four menus: Network Menu below, Config Options Menu on the facing page, LCD Menu on page 32, and Restart Options Menu on page 33.

See Navigating the LCD Menus on the previous page for information about moving through the menus and selecting options.

Network Menu

The following table provides information about the Network menu.


Hostname
  Hostname for the appliance.

DHCP enabled
  Enter “yes” to use DHCP on the ether1 (management interface) port. Enter “no” to manually configure your IP address and network settings.

Static IP address
  This prompt is available if DHCP is disabled. Enter the IP address for the ether1 (management interface) port.

Netmask
  This prompt is available if DHCP is disabled. Enter the network mask.

Default gateway
  This prompt is available if DHCP is disabled. Enter the gateway IP address for the management interface.

Primary DNS
  This prompt is available if DHCP is disabled. Enter the Primary DNS server IP address.

Domain name
  This prompt is available if DHCP is disabled. Enter the domain name for the management interface; for example, it.acme.com

IPv6 enabled
  Enter “yes” to enable IPv6 protocol, which changes the network IP routing from IPv4 to IPv6.

SLAAC enabled
  This prompt is available if IPv6 is enabled. Enter “yes” to enable IPv6 autoconfig on the ether1 (management interface) port.

Admin net login
  Enter “yes” to enable the administrator to log in to the appliance remotely. Enter “no” to disable remote access.

Config Options Menu

The following table provides information about the Config Options menu.

Save settings
  Saves changes made during a session so they will persist after a reboot.

Revert to factory defaults
  Reverts the appliance to its factory default settings, which include user name and password, and network configuration information.

Reset admin password
  Resets the admin password for accessing the appliance itself. (This does not set the password for accessing the LCD panel.) The new password is randomly generated. The LCD will display the password. When you have memorized it, press a button to move to the next prompt or menu. You can change to a password of your choice using the appliance CLI or Web UI after the basic configuration is complete.

LCD Menu

The following table provides information about the LCD menu.


Password
  Sets a password for LCD panel access. (This does not set the password for accessing the appliance.)

Brightness
  Sets the LCD panel's level of brightness from 0 to 9, with 9 being the brightest.

Contrast
  Sets the LCD panel's level of contrast between the background and text from 0 to 9, with 9 being the highest contrast.

Restart Options Menu

The following table provides information about the Restart Options menu.

Reboot system
  Restarts the system.

Halt system
  Brings the system down to its lowest state while remaining on.

Next boot loc
  Specifies disk partition (1 or 2) to boot from during the next reboot.

The IPMI Interface

The FireEye Intelligent Platform Management Interface (IPMI) allows you to perform the following tasks remotely from a Web browser:

• Cycle the power on your appliance when it is unresponsive.

  The IPMI is active even if the appliance was powered down from the appliance CLI or from the power button on the front panel, as long as the main power is on.

• Reset the server.

• Access the serial console when the management interface is unavailable or unresponsive.

• Check the status of server sensors.

The IPMI interface uses a network connection to the IPMI port of the appliance and is accessed through a secure Web browser session. (The standard IPMI interface allows connections using third-party tools such as Supermicro's IPMIView; however, all such external access to the IPMI interface from the appliance is disabled.)

The IPMI remote control cannot perform a graceful power down of the appliance.


To log in to the IPMI interface:

1. Open a Web browser and navigate to the IP address that was configured for the IPMI interface.

   The IPMI interface requires an HTTPS connection.

2. Log in to the IPMI Web UI using ADMIN as the username and the password that was configured for the IPMI user.

See Configuring the IPMI Interface on page 24 for configuration information.

To cycle power or reset the server:

1. Click Remote Control and then Power Control.

2. Select the option you need and then click Perform Action.

To access the serial console:

Use the IPMI Web UI to access the serial console only during a power or system reset or when the system is not otherwise responding on the management interface.


1. Click Remote Control and then Console Redirection.

2. Click Launch Console.

   You might be prompted to install a Java program to launch the console, which could require changes to your Java security settings. If your security policy does not allow this, and if your appliance uses a recent IPMI firmware version, you can instead open ports on the firewall. To view the installed and available firmware versions, click System and then System Information, or follow the instructions in Updating the IPMI Firmware on page 62.

To check the status of server sensors:

1. Click Server Health and then Sensor Readings.

2. Click options at the bottom of the page as needed.


CHAPTER 4: Operational Mode Configuration

After deploying the NX Series appliance in your network, you need to configure the system to operate accordingly.

You can configure your system for each of the deployment types below from either the Web UI or the CLI.

Inline

• Configuring Inline Mode Using the Web UI below

• Configuring Inline Mode Using the CLI on page 38

Inline Proxy

• Configuring Inline Proxy Mode Using the Web UI on page 40

• Configuring Inline Proxy Mode Using the CLI on page 43

Inline with Multiple Proxies

• Configuring Inline Multi-Proxy Mode Using the Web UI on page 46

• Configuring Inline Multi-Proxy Mode Using the CLI on page 50

Test Access Point (TAP)

• Configuring TAP Mode Using the Web UI on page 54

• Configuring TAP Mode Using the CLI on page 55

Switch Port Analyzer (SPAN)

• Configuring Port Mirroring (SPAN) Mode Using the Web UI on page 56

• Configuring Port Mirroring (SPAN) Mode Using the CLI on page 58

Configuring Inline Mode Using the Web UI

Use the Settings: Interfaces - Operational Modes page to configure inline mode.

In inline mode, you can configure the appliance with one or two network port pairs. The following example shows one network port pair.


The following example shows two network port pairs.

Operational modes for inline deployment are described in the following table.

Block
  Blocks malicious traffic (recommended).

  • FS Open—In case of failure, all traffic passes through (recommended).

  • FS Close—In case of failure, all traffic is blocked. (Use this setting only if the device is actively monitored).

Monitor
  Monitors the traffic and generates alerts on malicious events.

Bypass
  Forced bypass wherein the NX Series appliance neither blocks nor analyzes traffic.

For details about inline deployment, refer to the FireEye Hardware Administration Guide for your appliance model.


Prerequisites

• Operator or Admin access

To configure inline mode:

1. Click the Settings tab.

2. Click Inline Operational Modes on the sidebar.

3. Select a blocking option for each available port pair. (Inline Block FS Open is recommended).

4. Click Update: Operational Modes.

Configuring Inline Mode Using the CLI

Use the CLI commands in this topic to set the following options to configure inline blocking mode.

Operational Mode
  The inline deployment has three operational modes. It is highly recommended that you set your appliance to inline blocking mode. If you set the operational mode to block traffic, input a fail-safe setting (block open or block close).

  • block—Blocks malicious traffic (recommended).

    • open—In case of failure, all traffic passes through (recommended).

    • close—In case of failure, all traffic is blocked. (Use this setting only if the device is actively monitored).

  • monitor—Monitors the traffic and generates alerts on malicious events.

  • bypass—Forced bypass wherein the NX Series appliance neither blocks nor analyzes traffic.

Policy Type
  The following policy types are supported:

  • mixed—Applies both local and global policies, and the local policy overrides the global policy (recommended).

  • global—Applies FireEye-defined global policy to the specified interface.


  • local—Applies user-defined local policy to the specified interface.

  • none—Does not apply any policy. No policy is used.

For details about inline deployment, refer to the Hardware Administration Guide for your appliance model.

Prerequisites

• Operator or Admin access

To configure inline mode:

1. Enable the CLI configuration mode:

   hostname > enable
   hostname # configure terminal

2. Configure pair A (interfaces A1 and A2) in inline block mode. Enter the policymgr interface command.

   hostname (config) # policymgr interface A op-mode block fail-safe open policy-type mixed
   hostname (config) # policymgr interface A re-configure

3. Save your changes:

   hostname (config) # write memory

4. (Optional) Configure pair B (interfaces B1 and B2) in inline block mode. Enter the policymgr interface command.

   hostname (config) # policymgr interface B op-mode block fail-safe open policy-type mixed
   hostname (config) # policymgr interface B re-configure

5. Save your changes:

   hostname (config) # write memory

6. Check your configuration. Enter the show policymgr interfaces command.

   hostname (config) # show policymgr interfaces
   Policy enabled: yes
   Interface A
     Active : yes
     op mode : block (blocking)
     fail-safe: open
     policy : mixed
     tolerance: 1
     Ports : pether3 pether4
   Interface B
     Active : yes
     op mode : block (blocking)
     fail-safe: open
     policy : mixed
     tolerance: 1
     Ports : pether5 pether6

Configuring Inline Proxy Mode Using the Web UI

Inline proxy deployment requires two network port pairs. This can be accomplished using an NX Series appliance with two port pairs, or one port pair from each of two NX Series appliances.

For details about inline proxy deployment, refer to the Hardware Administration Guide for your appliance model.

Prerequisites

• Operator or Admin access

Configuring Inline Proxy Mode With One NX Series Appliance

Use the Settings: Interfaces - Operational Modes page for inline proxy mode to configure a deployment with one NX Series appliance with two network port pairs. Interface A connects the LAN-facing switch or router (A1) to the proxy server (A2). Interface B connects the LAN-facing switch or router (B1) to the Internet-facing switch or router (B2).

Operational modes for inline deployment are described in the following table.


Block
  Blocks malicious traffic (recommended).

  • FS Open—In case of failure, all traffic passes through (recommended).

  • FS Close—In case of failure, all traffic is blocked. (Use this setting only if the device is actively monitored).

Monitor
  Monitors the traffic and generates alerts on malicious events.

Bypass
  Forced bypass wherein the NX Series appliance neither blocks nor analyzes traffic.

Use the Settings: Interfaces - Whitelists page for inline whitelists to configure interface A2 to allow incoming traffic from the proxy server to pass through unblocked.

To configure interface A and interface B:

1. Click the Settings tab.

2. Click Inline Operational Modes on the sidebar.

3. Select a blocking option for pair A and pair B. (Inline Block FS Open is recommended).

4. Click Update: Operational Modes.

5. Select Inline Whitelists on the sidebar. Enter the information for the proxy server and then click Add Whitelist.

Configuring Inline Proxy Mode With Two NX Series Appliances

Use the Settings: Interfaces - Operational Modes page for inline proxy mode to configure a deployment with two NX Series appliances with one network port pair each. NX Appliance1 connects to the proxy offline, and NX Appliance2 is between a LAN-facing switch or router and an Internet-facing switch or router.


Operational modes for inline deployment are described in the following table.

Block
  Blocks malicious traffic (recommended).

  • FS Open—In case of failure, all traffic passes through (recommended).

  • FS Close—In case of failure, all traffic is blocked. (Use this setting only if the device is actively monitored).

Monitor
  Monitors the traffic and generates alerts on malicious events.

Bypass
  Forced bypass wherein the NX Series appliance neither blocks nor analyzes traffic.

Use the Settings: Interfaces - Whitelists page for inline whitelists to configure interface A2 to allow incoming traffic from the proxy server to pass through unblocked.

To configure NX Appliance1:

1. Click the Settings tab.

2. Click Inline Operational Modes on the sidebar.

3. Select a blocking option for pair A. (Inline Block FS Open is recommended).

4. Click Update: Operational Modes.


5. Select Inline Whitelists on the sidebar. Enter the information for the proxy server and then click Add Whitelist.

To configure NX Appliance2:

1. Click the Settings tab.

2. Click Inline Operational Modes on the sidebar.

3. Select a blocking option for pair A. (Inline Block FS Open is recommended).

4. Click Update: Operational Modes.

Configuring Inline Proxy Mode Using the CLI

Inline proxy deployment requires two network port pairs. This can be accomplished using an NX Series appliance with two port pairs, or one port pair from each of two NX Series appliances.

Use the CLI commands in this topic to set the following options to configure inline blocking mode for a proxy deployment.

Operational Mode
  The inline deployment has three operational modes. It is highly recommended that you set your appliance to inline blocking mode. If you set the operational mode to block traffic, input a fail-safe setting (block open or block close).

  • block—Blocks malicious traffic (recommended).

    • open—In case of failure, all traffic passes through (recommended).

    • close—In case of failure, all traffic is blocked. (Use this setting only if the device is actively monitored).

  • monitor—Monitors the traffic and generates alerts on malicious events.

  • bypass—Forced bypass wherein the NX Series appliance neither blocks nor analyzes traffic.

Policy Type
  The following policy types are supported:

  • mixed—Applies both local and global policies, and the local policy overrides the global policy (recommended).

  • global—Applies FireEye-defined global policy to the specified interface.


  • local—Applies user-defined local policy to the specified interface.

  • none—Does not apply any policy. No policy is used.

For details about inline proxy deployment, refer to the Hardware Administration Guide for your appliance model.

Prerequisites

• Operator or Admin access

Configuring Inline Proxy Mode With One NX Series Appliance

Use the CLI commands in this topic to configure a deployment with one NX Series appliance with two network port pairs. Interface A connects the LAN-facing switch or router (A1) to the proxy server (A2). Interface B connects the LAN-facing switch or router (B1) to the Internet-facing switch or router (B2).

To configure interface A and interface B:

1. Enable the CLI configuration mode:

   hostname > enable
   hostname # configure terminal

2. Configure pair A (interfaces A1 and A2) and pair B (B1 and B2) in inline block mode. Enter the policymgr interface command.

   hostname (config) # policymgr interface A op-mode block fail-safe open policy-type mixed
   hostname (config) # policymgr interface A re-configure
   hostname (config) # policymgr interface B op-mode block fail-safe open policy-type mixed
   hostname (config) # policymgr interface B re-configure

3. Save your changes:

   hostname (config) # write memory

4. Configure interface A2 to allow incoming traffic from the proxy server to pass through unblocked. Enter the policymgr network host command.

   hostname (config) # policymgr network host Proxy_IP_address interface A2 allow

   where Proxy_IP_address is the IP address of the proxy server and A2 is the interface that connects to it.


5. Save your changes:

   hostname (config) # write memory

6. Check your configuration. Enter the show policymgr interfaces command.

   hostname (config) # show policymgr interfaces
   Policy enabled: yes
   Interface A
     Active : yes
     op mode : block (blocking)
     fail-safe: open
     policy : mixed
     tolerance: 1
     Ports : pether3 pether4
   Interface B
     Active : yes
     op mode : block (blocking)
     fail-safe: open
     policy : mixed
     tolerance: 1
     Ports : pether5 pether6

Configuring Inline Proxy Mode With Two NX Series Appliances

Use the CLI commands in this topic to configure a deployment with two NX Series appliances, each with one network port pair. NX Appliance1 connects to the proxy offline, and NX Appliance2 is between a LAN-facing switch or router and an Internet-facing switch or router.

To configure NX Appliance1:

1. Enable the CLI configuration mode:

   hostname1 > enable
   hostname1 # configure terminal

2. Configure your NX Appliance1. Enter the policymgr interface command to configure pair A (interfaces A1 and A2) in inline block mode.

   hostname1 (config) # policymgr interface A op-mode block fail-safe open policy-type mixed
   hostname1 (config) # policymgr interface A re-configure

3. Save your changes:

   hostname1 (config) # write memory

4. Configure interface A2 to allow incoming traffic from the proxy server to pass through unblocked. Enter the policymgr network host command.

   hostname1 (config) # policymgr network host Proxy_IP_address interface A2 allow

   where Proxy_IP_address is the IP address of the proxy server and A2 is the interface that connects to it.


5. Save your changes:

hostname1 (config) # write memory

6. Check your configuration. Enter the show policymgr interfaces command.

hostname1 (config) # show policymgr interfaces

Policy enabled: yes

Interface A  Active : yes  op mode : block (blocking)  fail-safe: open  policy : mixed  tolerance: 1  Ports : pether3 pether4

To configure NX Appliance2:

1. Enable the CLI configuration mode:

hostname2 > enable

hostname2 # configure terminal

2. Configure pair A (interfaces A1 and A2) in inline block mode. Enter the policymgr interface command.

hostname2 (config) # policymgr interface A op-mode block fail-safe open policy-type mixed

hostname2 (config) # policymgr interface A re-configure

3. Save your changes:

hostname2 (config) # write memory

4. Check your configuration. Enter the show policymgr interfaces command.

hostname2 (config) # show policymgr interfaces

Policy enabled: yes

Interface A  Active : yes  op mode : block (blocking)  fail-safe: open  policy : mixed  tolerance: 1  Ports : pether3 pether4

Configuring Inline Multi-Proxy Mode Using the Web UI

Inline multi-proxy deployment requires two network port pairs. This can be accomplished using an NX Series appliance with two port pairs, or one port pair from each of two NX Series appliances.

For details about inline deployment with multiple proxy servers, refer to the Hardware Administration Guide for your appliance model.


Prerequisites

• Operator or Admin access

Configuring Inline Multi-Proxy Mode With One NX Series Appliance

Use the Settings: Interfaces - Operational Modes page for inline multi-proxy mode to configure a deployment with one NX Series appliance with two network port pairs. Interface A connects the LAN-facing switch or router (A1) to the proxy server (A2). Interface B connects the LAN-facing switch or router (B1) to the Internet-facing switch or router (B2). Additional NX Series appliances connect to one or more additional proxy servers.

Operational modes for inline deployment are described in the following table.

Mode     Description
Block    Blocks malicious traffic (recommended).
         • FS Open—In case of failure, all traffic passes through (recommended).
         • FS Close—In case of failure, all traffic is blocked. (Use this setting only if the device is actively monitored).
Monitor  Monitors the traffic and generates alerts on malicious events.
Bypass   Forced bypass wherein the NX Series appliance neither blocks nor analyzes traffic.

Use the Settings: Interfaces - Whitelists page for inline whitelists to configure interface A2 to allow incoming traffic from the proxy server to pass through unblocked.


To configure interface A and interface B on NX Appliance1:

1. Click the Settings tab.

2. Click Inline Operational Modes on the sidebar.

3. Select a blocking option for pair A and pair B. (Inline Block FS Open is recommended).

4. Click Update: Operational Modes.

5. Select Inline Whitelists on the sidebar. Enter the information for the proxy server and then click Add Whitelist.

To configure NX Appliance2 - NX Appliance n to connect to one or more proxy servers:

1. Click the Settings tab.

2. Click Inline Operational Modes on the sidebar.

3. Select a blocking option for pair A and pair B. (Inline Block FS Open is recommended).

4. Click Update: Operational Modes.

5. Select Inline Whitelists on the sidebar. Enter the information for the proxy server and then click Add Whitelist.

6. Repeat Steps 1–5 on each additional NX Series appliance.

Configuring Inline Multi-Proxy Mode With Two NX Series Appliances

Use the Settings: Interfaces - Operational Modes page for inline multi-proxy mode to configure deployment with two NX Series appliances with one network port pair each. NX Appliance1 is inline between a LAN-facing switch or router and an Internet-facing switch or router. The NX Series appliances NX Appliance2—NX Appliance n connect to multiple proxy servers offline.


Operational modes for inline deployment are described in the following table.

Mode     Description
Block    Blocks malicious traffic (recommended).
         • FS Open—In case of failure, all traffic passes through (recommended).
         • FS Close—In case of failure, all traffic is blocked. (Use this setting only if the device is actively monitored).
Monitor  Monitors the traffic and generates alerts on malicious events.
Bypass   Forced bypass wherein the NX appliance neither blocks nor analyzes traffic.

For each appliance connected to a proxy server, use the Settings: Interfaces - Whitelists page to configure interface A2 to allow incoming traffic from the proxy server to pass through unblocked.

To configure NX Appliance1:

1. Click the Settings tab.

2. Click Inline Operational Modes on the sidebar.

3. Select a blocking option for pair A. (Inline Block FS Open is recommended).


4. Click Update: Operational Modes.

5. Select Inline Whitelists on the sidebar. Enter the information for the proxy server and then click Add Whitelist.

To configure NX Appliance2 - NX Appliance n to connect to one or more proxy servers:

1. Click the Settings tab.

2. Click Inline Operational Modes on the sidebar.

3. Select a blocking option for pair A. (Inline Block FS Open is recommended).

4. Click Update: Operational Modes.

5. Select Inline Whitelists on the sidebar. Enter the information for the proxy server and then click Add Whitelist.

6. Repeat Steps 1–5 on each additional NX Series appliance.

Configuring Inline Multi-Proxy Mode Using the CLI

Inline multi-proxy deployment requires two network port pairs. This can be accomplished using an NX Series appliance with two port pairs, or one port pair from each of two NX Series appliances.

Use the CLI commands in these topics to configure inline blocking mode for an inline deployment with multiple proxies.

Setting           Description
Operational Mode  Inline deployment has three operational modes. It is highly recommended that you set your appliance to inline blocking mode. If you set the operational mode to block traffic, input a fail-safe setting (block open or block close).
                  • block—Blocks malicious traffic (recommended).
                    • open—In case of failure, all traffic passes through (recommended).
                    • close—In case of failure, all traffic is blocked. (Use this setting only if the device is actively monitored).
                  • monitor—Monitors the traffic and generates alerts on malicious events.
                  • bypass—Forced bypass wherein the NX Series appliance neither blocks nor analyzes traffic.
Policy Type       The following policy types are supported:
                  • mixed—Applies both local and global policies, and the local policy overrides the global policy (recommended).
                  • global—Applies FireEye-defined global policy to the specified interface.
                  • local—Applies user-defined local policy to the specified interface.
                  • none—Does not apply any policy. No policy is used.

For details about inline deployment with multiple proxy servers, refer to the Hardware Administration Guide for your appliance model.

Prerequisites

• Operator or Admin access

Configuring Inline Multi-Proxy Mode With One NX Series Appliance

Use the CLI commands in this topic to configure NX Series appliances with multiple network port pairs. Interface A connects the LAN-facing switch or router (A1) to the proxy server (A2). Interface B connects the LAN-facing switch or router (B1) to the Internet-facing switch or router (B2). Additional NX Series appliances connect to one or more additional proxy servers.

To configure interface A and interface B on NX Appliance1:

1. Enable the CLI configuration mode:

hostname1 > enable

hostname1 # configure terminal

2. Configure pair A (interfaces A1 and A2) and pair B (B1 and B2) in inline block mode. Enter the policymgr interface command.

hostname1 (config) # policymgr interface A op-mode block fail-safe open policy-type mixed

hostname1 (config) # policymgr interface A re-configure

hostname1 (config) # policymgr interface B op-mode block fail-safe open policy-type mixed

hostname1 (config) # policymgr interface B re-configure

3. Save your changes:

hostname1 (config) # write memory


4. Configure interface A2 to allow incoming traffic from the proxy server to pass through unblocked. Enter the policymgr network host command.

hostname1 (config) # policymgr network host Proxy_IP_address interface A2 allow

where A2 is the interface connected to the proxy server and Proxy_IP_address is the IP address of that proxy server.

5. Save your changes:

hostname1 (config) # write memory

To configure NX Appliance2 - NX Appliance n to connect to one or more proxy servers:

1. Enable the CLI configuration mode:

hostname > enable

hostname # configure terminal

2. Configure appliances NX Appliance2 - NX Appliance n. Enter the policymgr interface command to configure pair A (interfaces A1 and A2) in inline blocking mode on each appliance:

hostname (config) # policymgr interface A op-mode block fail-safe open policy-type mixed

hostname (config) # policymgr interface A re-configure

3. Save your changes:

hostname (config) # write memory

4. Configure interface A2 to allow incoming traffic from the proxy server to pass through unblocked on each appliance connected to a proxy server. Enter the policymgr network host command.

hostname (config) # policymgr network host Proxy_IP_address interface A2 allow

where A2 is the interface connected to the proxy server and Proxy_IP_address is the IP address of that proxy server.

5. Save your changes:

hostname (config) # write memory

6. Check your configuration. Enter the show policymgr interfaces command.

hostname (config) # show policymgr interfaces

Policy enabled: yes

Interface A  Active : yes  op mode : block (blocking)  fail-safe: open  policy : mixed  tolerance: 1  Ports : pether3 pether4

Interface B  Active : yes  op mode : block (blocking)  fail-safe: open  policy : mixed  tolerance: 1  Ports : pether5 pether6

Configuring Inline Multi-Proxy Mode With Two NX Series Appliances

Use the CLI commands in this topic to configure deployment with two NX Series appliances with one network port pair each. NX Appliance1 is inline between a LAN-facing switch or router and an Internet-facing switch or router. NX Appliance2—NX Appliance n connect to multiple proxy servers offline.

To configure NX Appliance1:

1. Enable the CLI configuration mode:

hostname1 > enable

hostname1 # configure terminal

2. Configure pair A (interfaces A1 and A2) in inline block mode. Enter the policymgr interface command.

hostname1 (config) # policymgr interface A op-mode block fail-safe open policy-type mixed

hostname1 (config) # policymgr interface A re-configure

3. Save your changes:

hostname1 (config) # write memory

4. Check your configuration. Enter the show policymgr interfaces command.

hostname1 (config) # show policymgr interfaces

Policy enabled: yes

Interface A  Active : yes  op mode : block (blocking)  fail-safe: open  policy : mixed  tolerance: 1  Ports : pether3 pether4

To configure NX Appliance2 - NX Appliance n to connect to one or more proxy servers:

1. Enable the CLI configuration mode:

hostname > enable

hostname # configure terminal

2. Configure appliances NX Appliance2—NX Appliance n. Enter the policymgr interface command to configure pair A (interfaces A1 and A2) in inline block mode.

hostname (config) # policymgr interface A op-mode block fail-safe open policy-type mixed


hostname (config) # policymgr interface A re-configure

3. Save your changes:

hostname (config) # write memory

4. Configure interface A2 to allow incoming traffic from the proxy server to pass through unblocked on each appliance connected to a proxy server. Enter the policymgr network host command.

hostname (config) # policymgr network host Proxy_IP_address interface A2 allow

where A2 is the interface connected to the proxy server and Proxy_IP_address is the IP address of that proxy server.

5. Save your changes:

hostname (config) # write memory

6. Check your configuration. Enter the show policymgr interfaces command.

hostname (config) # show policymgr interfaces

Policy enabled: yes

Interface A  Active : yes  op mode : block (blocking)  fail-safe: open  policy : mixed  tolerance: 1  Ports : pether3 pether4

Configuring TAP Mode Using the Web UI

Use the Settings: Interfaces - Operational Modes page to configure Test Access Point (TAP) mode.

In TAP mode, you can configure the appliance with one or two network port pairs. The following example shows one network port pair.

The following example shows two network port pairs.


For details about TAP deployment, refer to the FireEye Hardware Administration Guide for your appliance model.

Prerequisites

• Operator or Admin access

To configure TAP mode:

1. Click the Settings tab.

2. Click Inline Operational Modes on the sidebar.

3. Select the TAP operational mode for all available port pairs.

4. Click Update: Operational Modes.

Configuring TAP Mode Using the CLI

Use the CLI commands in this topic to set the following options to configure the appliance for Test Access Point (TAP) mode.

Setting           Description
Operational Mode  Select TAP mode to configure for TAP or SPAN deployments.
                  • tap—Monitors malicious traffic.
Policy Type       The following policy types are supported:
                  • mixed—Applies both local and global policies, and the local policy overrides the global policy (recommended).
                  • global—Applies FireEye-defined global policy to the specified interface.
                  • local—Applies user-defined local policy to the specified interface.
                  • none—Does not apply any policy. No policy is used.

For details about TAP deployment, refer to the FireEye Hardware Administration Guide for your appliance model.

Prerequisites

• Operator or Admin access

To configure TAP mode:

1. Enable the CLI configuration mode:

hostname > enable

hostname # configure terminal

2. Configure pair A (interfaces A1 and A2) in TAP mode. Enter the policymgr interface command.

hostname (config) # policymgr interface A op-mode tap policy-type mixed

hostname (config) # policymgr interface A re-configure

3. Save your changes:

hostname (config) # write memory

4. Check your configuration. Enter the show policymgr interfaces command.

hostname (config) # show policymgr interfaces

Policy enabled: yes

Interface A  Active : yes  op mode : tap (tapping)  fail-safe: open  policy : mixed  tolerance: 1  Ports : pether3 pether4

Configuring Port Mirroring (SPAN) Mode Using the Web UI

Use the Settings: Interfaces - Operational Modes page to configure port mirroring (SPAN) mode.

In port mirroring (SPAN) mode, you can configure the appliance with one or two network port pairs. The following example shows one network port pair.

The following example shows two network port pairs.

Prerequisites

• Operator or Admin access

To configure port mirroring (SPAN) mode:

1. Click the Settings tab.

2. Click Inline Operational Modes on the sidebar.

3. Select the TAP operational mode for all available port pairs.

4. Click Update: Operational Modes.


Configuring Port Mirroring (SPAN) Mode Using the CLI

Use the CLI commands in this topic to set the following options to configure the appliance for port mirroring (SPAN) mode.

Setting           Description
Operational Mode  Select TAP mode to configure for TAP or SPAN deployments.
                  • tap—Monitors malicious traffic.
Policy Type       The following policy types are supported:
                  • mixed—Applies both local and global policies, and the local policy overrides the global policy (recommended).
                  • global—Applies FireEye-defined global policy to the specified interface.
                  • local—Applies user-defined local policy to the specified interface.
                  • none—Does not apply any policy. No policy is used.

For details about port mirroring (SPAN) deployment, refer to the Hardware Administration Guide for your appliance model.

Prerequisites

• Operator or Admin access

To configure port mirroring (SPAN) mode:

1. Enable the CLI configuration mode:

hostname > enable

hostname # configure terminal

2. Configure pair A (interfaces A1 and A2) in TAP mode. Enter the policymgr interface command.

hostname (config) # policymgr interface A op-mode tap policy-type mixed

hostname (config) # policymgr interface A re-configure

3. Save your changes:

hostname (config) # write memory

4. Check your configuration. Enter the show policymgr interfaces command.

hostname (config) # show policymgr interfaces

Policy enabled: yes

Interface A  Active : yes  op mode : tap (tapping)  fail-safe: open  policy : mixed  tolerance: 1  Ports : pether3 pether4
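Every "Check your configuration" step in this chapter reads the same show policymgr interfaces listing. The following parser, added here as an example and not FireEye code, turns that listing into a structure and flags port pairs that deviate from the recommended settings (active, inline block with fail-safe open, mixed policy), and it also checks the TAP listing above when told to expect tap mode; the listings marked GOOD and TAP are copied from this chapter, while the deviating values in the BAD sample are constructed.

```python
"""Audit of 'show policymgr interfaces' output against the settings this
chapter recommends. Added example, not FireEye code; the output layout is
taken from the listings in this chapter."""
import re
from typing import Dict, List

# Listing from this chapter: two port pairs, both as recommended.
GOOD_OUTPUT = """\
Policy enabled: yes

Interface A  Active : yes  op mode : block (blocking)  fail-safe: open  policy : mixed  tolerance: 1  Ports : pether3 pether4

Interface B  Active : yes  op mode : block (blocking)  fail-safe: open  policy : mixed  tolerance: 1  Ports : pether5 pether6
"""

# Listing from the TAP procedure in this chapter.
TAP_OUTPUT = """\
Policy enabled: yes

Interface A  Active : yes  op mode : tap (tapping)  fail-safe: open  policy : mixed  tolerance: 1  Ports : pether3 pether4
"""

# Constructed sample: pair B was left inactive in monitor mode, fail-safe close.
BAD_OUTPUT = """\
Policy enabled: yes

Interface A  Active : yes  op mode : block (blocking)  fail-safe: open  policy : mixed  tolerance: 1  Ports : pether3 pether4

Interface B  Active : no  op mode : monitor (monitoring)  fail-safe: close  policy : global  tolerance: 1  Ports : pether5 pether6
"""

_IFACE_RE = re.compile(r"^Interface\s+(\S+)\s{2,}(.*)$")


def parse_policymgr(output: str) -> Dict[str, object]:
    """Return {'policy_enabled': bool, 'interfaces': {name: fields}}.
    Fields are keyed by the labels in the listing ('Active', 'op mode',
    'fail-safe', 'policy', 'tolerance', 'Ports'); 'op mode' keeps only the
    configured keyword and 'Ports' becomes a list of port names."""
    result: Dict[str, object] = {"policy_enabled": False, "interfaces": {}}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Policy enabled:"):
            result["policy_enabled"] = line.split(":", 1)[1].strip() == "yes"
            continue
        m = _IFACE_RE.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        fields: Dict[str, object] = {}
        # Columns are separated by runs of two or more spaces.
        for chunk in re.split(r"\s{2,}", rest):
            key, _, value = chunk.partition(":")
            fields[key.strip()] = value.strip()
        fields["op mode"] = str(fields.get("op mode", "")).split(" ")[0]
        fields["Ports"] = str(fields.get("Ports", "")).split()
        result["interfaces"][name] = fields
    return result


def audit_policymgr(output: str, expected_mode: str = "block") -> List[str]:
    """List deviations from the recommendations: policy enabled, every pair
    active and in expected_mode, fail-safe open when the mode is block, and
    the mixed policy type."""
    parsed = parse_policymgr(output)
    findings: List[str] = []
    if not parsed["policy_enabled"]:
        findings.append("policy is not enabled")
    if not parsed["interfaces"]:
        findings.append("no interface pairs reported")
    for name, f in sorted(parsed["interfaces"].items()):
        if f.get("Active") != "yes":
            findings.append(f"Interface {name}: not active")
        if f["op mode"] != expected_mode:
            findings.append(f"Interface {name}: op mode {f['op mode']} (expected {expected_mode})")
        if expected_mode == "block" and f.get("fail-safe") != "open":
            findings.append(f"Interface {name}: fail-safe {f.get('fail-safe')} (expected open)")
        if f.get("policy") != "mixed":
            findings.append(f"Interface {name}: policy {f.get('policy')} (expected mixed)")
    return findings


if __name__ == "__main__":
    for label, out, mode in (("good", GOOD_OUTPUT, "block"),
                             ("tap", TAP_OUTPUT, "tap"),
                             ("bad", BAD_OUTPUT, "block")):
        print(label, audit_policymgr(out, mode) or ["OK"])
```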


CHAPTER 5: Network Administration

This section covers the following topics:

• Basic Network Configuration below
• Updating the IPMI Firmware on page 62
• IP Filtering on page 64

For information about connecting to, configuring, and troubleshooting FireEye as a Service, see the FireEye as a Service Quick Start Guide.

Basic Network Configuration

Basic network settings (IP address, subnet mask, and default gateway) for the appliance management interface, and the Domain Name Service (DNS) server addresses, can be defined manually or obtained automatically from a Dynamic Host Configuration Protocol (DHCP) server installed in your network.

Field                 Description
DHCP                  Specifies whether DHCP is enabled or disabled on the management interface.
Subnet Mask           Specifies the network portion of the IP address. For example, 255.255.255.0 indicates that the first 24 bits of the IP address are used for the network portion of the address.
IP Address            Specifies the IP address of the management interface.
Default Gateway       Specifies the IP address of the default router.
Primary DNS Server    IP address of the primary DNS server used to translate the domain name into an IP address for routing.
Secondary DNS Server  IP address of the secondary DNS server. The secondary DNS server is used when the primary server is unavailable.
Domain Name           The portion of the network address that identifies the domain to which the appliance belongs.
Hostname              The hostname of the appliance.


Prerequisites

• Operator or Admin access

Configuring Basic Network Settings Using the Web UI

Use the Settings: Network page to configure basic network settings.

To view and configure network settings:

1. Click the Settings tab.

2. Select Network on the side bar.

3. To change the DNS configuration, enter the IP addresses of the primary and secondary DNS servers and click Apply. The secondary DNS server is used when the primary server is unavailable.

4. To add a domain name, enter the domain and click Add Domain Name. To delete a domain name from the list, select the appropriate checkbox and click Remove Selected Domain Name.

5. To assign a hostname for the appliance, enter the name in the Configure Hostname field and click Apply.


Configuring Basic Network Settings Using the CLI

Use the commands in this topic to configure the network settings manually.

To configure basic network settings:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. To disable DHCP for the interface:

hostname (config) # no interface ether1 dhcp

If you use DHCP and there is no network connection for the management interface, do the following:

   1. Restore the network connection.
   2. Disable DHCP.
   3. Enable DHCP.

3. Set the interface IP address and network mask. For example:

hostname (config) # interface ether1 ip address 1.1.1.1 255.240.0.0

4. Specify the default gateway. For example:

hostname (config) # ip default-gateway 1.1.1.2 ether1

5. Specify a DNS server. For example:

hostname (config) # ip name-server 10.10.20.5

6. Save your changes:

hostname (config) # write memory

Updating the IPMI Firmware

New Intelligent Platform Management Interface (IPMI) firmware is packaged with the appliance software image, but is not automatically installed when you upgrade to a new appliance release. It is important to update the IPMI firmware to ensure that you are using the latest, most secure version.

By default, if the IPMI interface has been configured with an IP address, you are notified when a newer version is available. The notice is displayed when you log in to the CLI and when you view the Version Information section on the About > FireEye System Information page in the Web UI. If you prefer, you can disable the notification from appearing again. For details, see Disabling IPMI Firmware Notifications on page 64.


Updating the IPMI firmware reverts all settings to factory defaults, including the IPMI username and password, network configuration, and event logs. Before starting the update, gather all information you will need to reconfigure IPMI.

The IPMI Web UI will be unavailable during the IPMI firmware update.

The IPMI firmware type is specific to the appliance model, so it is possible that not all appliances will get an IPMI firmware update in the same FireEye release.

Prerequisites

• Admin access

Updating the IPMI Firmware Using the CLI

Use the commands in this section to update the IPMI firmware, and to disable the new firmware availability notices.

Updating the Firmware

To update the IPMI firmware:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Update the IPMI firmware:

hostname (config) # ipmi firmware update latest

The update progress and final update status are displayed.

3. Verify the update. For example:

hostname (config) # show ipmi version

IPMI Firmware Installed
----------------------------
Firmware Version: 2.67
Device: 1
IPMI Version: 2.0

IPMI Firmware Available For Update
--------------------------------------------------
Update Version: 2.67
Update Filename: FireEye_V267.bin
Update Notice: Firmware is up to date for this release.


If the update fails, enter the ipmi firmware update latest command again.

4. Save your changes:

hostname (config) # write memory

Disabling IPMI Firmware Notifications

To disable notifications about out-of-date firmware:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Disable notifications:

hostname (config) # no ipmi firmware update notice enable

3. Save your changes:

hostname (config) # write memory

To re-enable notifications about out-of-date firmware:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Enable notifications:

hostname (config) # ipmi firmware update notice enable

3. Save your changes:

hostname (config) # write memory

IP Filtering

The IP Filtering feature allows you to manage IP filter rules to filter IP packets entering and leaving an appliance on its management interfaces. IP filtering supports IPv4 and IPv6, by separate but largely identical sets of CLI commands. See the FireEye CLI Reference for more information about the CLI commands for IP filtering.

IP filtering is disabled by default for both IPv4 and IPv6. However, some appliances may have IP filtering enabled by existing components on the system, which will still be visible in the show ip filter command output.

Enabling IPv6 filtering has no effect unless IPv6 is enabled.

When you use IP filtering, interfaces can be grouped into three sets:


1. Management interfaces: ether*. IP filtering rules apply to these interfaces. Some appliances, such as the NX Series appliance, have one management interface, ether1. On the CM Series platform and HX & HXD Series appliance, there are multiple management interfaces, named ether1, ether2, and so on.

   If an interface is not specified for a rule, the default is "ether+," which in IP filtering matches any interface beginning with "ether".

2. Data ports: pether*. These interfaces cannot have IP filtering rules.

3. Other interfaces: lo, tun0 (if a VPN is enabled). These interfaces may have IP filtering rules installed automatically by the system. You cannot configure the rules for these interfaces.

When you view a list of IP filtering rules using the show ip filter or show ipv6 filter command, rules added for management interfaces as described above and rules added automatically by the system are listed together, in the order in which they are applied. If you are on the VPN, you should use the show ipv6 filter command, which displays detailed information about the firewall rules. The show ipv6 filter configured command, described below, does not include this information.

Rules that are manually configured are shown with numbers in the left column, which correspond to the rule numbers visible in show ip filter configured and show ipv6 filter configured command output. Rules that are added automatically by the system do not have numbers.

The default filter configuration for the INPUT and OUTPUT chains is an ACCEPT rule with a DROP policy for all traffic on all interfaces whose names begin with "ether". The default configuration for the FORWARD chain is simply a DROP policy with no rules, since appliances do not forward packets. Enabling IP filtering has no effect on your network's function until you create new IP filter rules.

When IP filtering is enabled, one additional rule is added automatically by the system after all configured rules. This rule is to ACCEPT all inbound and outbound traffic on the loopback 'lo' interface. The system requires the loopback interface to work for internal purposes.

When you enable FireEye as a Service, IP filters are automatically enabled. See the FireEye as a Service Quick Start Guide for details.

This feature will affect integration with third-party services. Exercise caution and common sense when adding IP filtering rules. If rules are set improperly, it may cause problems such as dropping all traffic. For example, adding DROP rules on the OUTPUT chain for ether1 or ether+ could interfere with remote syslog; or adding DROP rules on the INPUT chain could interfere with external access to system services such as SNMP.


Prerequisites

• Operator or Admin access to configure IP filtering
• Monitor, Operator, or Admin access to view IP filtering

Enabling IP Filtering Using the CLI

To enable IP filtering, use one of the following commands:

• ip filter enable
• ipv6 filter enable

The default rules do not place any restrictions on incoming and outgoing packets on ether* interfaces. You may add rules using the CLI. Use caution to not block access to needed network services.

IP filtering is automatically enabled when you connect to FireEye as a Service, described in the FireEye as a Service Quick Start Guide.

To view the active rules:

1. Enter the CLI enable mode:

hostname > enable

2. View the rules:

hostname # show ip filter
hostname # show ipv6 filter
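The chain semantics described in this section (first matching rule wins, a DROP policy behind a default ACCEPT rule on ether+, the unnumbered loopback rule appended when filtering is enabled, and the warning about DROP rules on OUTPUT or INPUT) can be modelled to check a candidate rule set before it is applied. The following model is an added example, not FireEye code: the interface wildcard, chain policies and rule order follow the text, while the protocol and port fields on a rule, the FilterConfig/Rule/Packet names and the sample management flows (syslog, SNMP) are assumptions for illustration.

```python
"""Model of the IP filtering chain semantics described in this section.
Added example, not FireEye code: protocol/port matching on a rule is an
assumption, since the guide does not show the rule syntax here."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def iface_matches(pattern: str, iface: str) -> bool:
    """'ether+' matches any interface whose name begins with 'ether';
    any other pattern must match the interface name exactly."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


@dataclass
class Packet:
    iface: str   # interface the packet enters or leaves on
    proto: str   # "tcp" or "udp" (assumed field)
    port: int    # destination port (assumed field)


@dataclass
class Rule:
    target: str                  # "ACCEPT" or "DROP"
    iface: str = "ether+"        # default when no interface is given
    proto: Optional[str] = None  # None matches any protocol (assumed)
    port: Optional[int] = None   # None matches any port (assumed)
    automatic: bool = False      # installed by the system, listed unnumbered

    def matches(self, pkt: Packet) -> bool:
        return (iface_matches(self.iface, pkt.iface)
                and self.proto in (None, pkt.proto)
                and self.port in (None, pkt.port))


@dataclass
class Chain:
    policy: str                  # verdict when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Packet) -> str:
        # Rules are applied in list order; the first match decides.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


@dataclass
class FilterConfig:
    chains: Dict[str, Chain]
    enabled: bool = False

    def enable(self) -> "FilterConfig":
        """ip filter enable: the system appends an unnumbered ACCEPT rule
        for 'lo' to INPUT and OUTPUT, after every configured rule."""
        if not self.enabled:
            for name in ("INPUT", "OUTPUT"):
                self.chains[name].rules.append(Rule("ACCEPT", "lo", automatic=True))
            self.enabled = True
        return self

    def add_rule(self, chain: str, rule: Rule, position: Optional[int] = None) -> None:
        """Insert a configured rule; by default after the existing configured
        rules and ahead of the automatic ones, as show ip filter lists them."""
        rules = self.chains[chain].rules
        if position is None:
            position = next((i for i, r in enumerate(rules) if r.automatic), len(rules))
        rules.insert(position, rule)

    def verdict(self, chain: str, pkt: Packet) -> str:
        # Until filtering is enabled the chains have no effect on traffic.
        if not self.enabled:
            return "ACCEPT"
        return self.chains[chain].verdict(pkt)


def default_filter_config() -> FilterConfig:
    """Defaults from the text: INPUT and OUTPUT carry a DROP policy plus one
    ACCEPT rule for ether+; FORWARD is a bare DROP policy with no rules."""
    return FilterConfig({
        "INPUT": Chain("DROP", [Rule("ACCEPT", "ether+")]),
        "OUTPUT": Chain("DROP", [Rule("ACCEPT", "ether+")]),
        "FORWARD": Chain("DROP"),
    })


# Management-plane flows the text warns about (constructed sample packets).
REQUIRED_FLOWS = [
    ("remote syslog", "OUTPUT", Packet("ether1", "udp", 514)),
    ("SNMP", "INPUT", Packet("ether1", "udp", 161)),
    ("loopback", "INPUT", Packet("lo", "tcp", 443)),
]


def broken_flows(cfg: FilterConfig) -> List[str]:
    """Names of required flows that the current chains would drop."""
    return [name for name, chain, pkt in REQUIRED_FLOWS
            if cfg.verdict(chain, pkt) != "ACCEPT"]


if __name__ == "__main__":
    cfg = default_filter_config().enable()
    print("defaults:", broken_flows(cfg))                        # []
    cfg.add_rule("OUTPUT", Rule("DROP", "ether+"), position=0)  # the warned-about mistake
    print("blanket OUTPUT drop:", broken_flows(cfg))             # ['remote syslog']
```

Where a configured rule lands relative to the default ACCEPT rule is the operator's choice; the check above places the DROP first to show the failure the text describes.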


CHAPTER 6: The DTI Network

Introduction

The FireEye Dynamic Threat Intelligence (DTI) network (cloud) provides subscriber platforms with the latest intelligence on advanced cyber attacks and malware callback destinations. This enables FireEye products to proactively recognize new threats and block attacks. The DTI cloud is also used to enable automatic software updates. Finally, a connection to the DTI cloud is required to utilize the license update feature.

Threat Intelligence

The FireEye DTI cloud interconnects FireEye platforms deployed within customer networks, technology partner networks, and service provider networks around the world. The FireEye DTI cloud serves as a global distribution hub to efficiently share automatically generated threat intelligence such as new malware profiles, vulnerability exploits, and obfuscation tactics, as well as new threat findings from the FireEye APT Discovery Center and verified third-party security feeds. By leveraging the FireEye DTI cloud, the FireEye Threat Prevention Platform is more efficient at detecting unknown zero-day, highly targeted attacks used in cybercrime, cyber espionage, and cyber reconnaissance as well as known malware.

A subscription to the FireEye DTI cloud service is required before you can use the features described in this section.

When the DTI cloud receives threat intelligence from customers and partners from around the world, this information is analyzed and distributed to all customers with a DTI cloud subscription. The information includes:

• New malware profiles
• Vulnerability exploits
• Obfuscation tactics
• New threat findings from the FireEye Labs and verified third-party security feeds

Each customer controls what information is shared with and received from the DTI cloud.


Automatic License Updates

The license update feature enables appliances to automatically download the appropriate licenses from the DTI cloud and install them. This feature provides the following benefits:

• Minimal initial configuration—The license update feature is enabled with the configuration jump-start wizard during the initial configuration. This means the feature can be fully functional after the jump-start wizard is completed.
• Simplified license management—There is never a need to contact FireEye for license keys when new features are added or when licenses are renewed, because the new licenses are automatically downloaded and installed.
• Scalability—Organizations, such as those with a large number of appliances, can benefit from having all of them being updated automatically, instead of entering license keys manually on each appliance, one at a time.

For more information on automatic license activation, see Automatic License Updates.


System Health Monitoring and Software Updates

When connected to the DTI cloud, the appliance regularly provides system and diagnostic information to the DTI cloud. This information is then analyzed to ensure that the appliance is operating as expected.

The system and diagnostics checks include the following:

• Software Version
• Guest Image Profiles
• System Processes
• Hardware State
• Network State

If problems are found, the customer is alerted. If a new software or guest image is available, administrators can choose to download and update these software packages on the appliance.

No customer-specific proprietary information is included in this system and diagnostic information exchange.

DTI Network Communication

To communicate with the DTI network, the appliance needs the following information:

l DTI server URL

l DTI network username

l DTI network user password

This information is pre-configured on new appliances. For older appliances, the information was

supplied in the box containing your appliance or otherwise provided by FireEye. The

DTI network is enabled during the initial appliance configuration if default values are accepted,

as described in Initial Configuration on page 17.

There are three DTI server settings: 

l Download—The source for software updates (guest images, security content, and

appliance images).

l Upload—The destination for system statistics.

l Malware Intelligence Lab (MIL)—The destination for malware detection and callback

intelligence.


The default DTI download source for a standalone appliance is a content delivery network

(CDN) server; for a managed appliance, it is the CM Series platform server. You can select

another DTI source for a standalone appliance, and you can override the managed appliance

DTI source on individual appliances. The upload and MIL settings are not configurable. See

Changing the Active DTI Source on page 79 for details.

If you have a large number of appliances in your network, you might prefer to use the

same username and password on all of them. For more information, see Configuring

DTI Credentials on page 86.

Validating DTI Access

Before using the features associated with the DTI network, you must establish communication

between the appliance and the DTI network. Use the following procedures to verify this

communication.

Prerequisites

l Operator or Admin access

l Appliance access to the DTI network

Validating DTI Access Using the Web UI

Use the Appliance Update page to validate DTI cloud communication.

To validate the DTI access:

1. Click the About tab.

2. Click the Update button in the upper right side.

3. For Source, select DTI or CMS.

4. On the Security Content row, click the Check Configuration icon.

5. Click the information triangle and review the Security Content Status.


If the Security Content Status Check has failed, confirm that the DTI network user name

and password are correct. If your security content does not need to be updated, you will

see “No new security update available.”

Validating DTI Access Using the CLI

Use the CLI commands in this topic to validate DTI cloud communication.

To validate DTI access:

1. Enable the CLI configuration mode:

hostname > enable

hostname # configure terminal

2. Check the status of the DTI service:

hostname (config) # show fenet status

Dynamic Threat Intelligence Service:
  Update source : online
  Enabled       : yes
  Address       : cloud.fireeye.com
  Username      : DTIUser

HTTP Proxy:
  Address       :
  Username      :
  User-agent    :

Request Session:
  Timeout       : 30
  Retries       : 3
  Speed Time    : 60
  Max Time      : 14400
  Rate Limit    :

Dynamic Threat Intelligence Lockdown:
  Enabled       : no
  Locked        : no
  Lock After    : 5 failed attempts

UPDATES
                    Enabled  Notify  Scheduled  Last Updated At
                    -------  ------  ---------  -------------------
Security contents : yes      yes     daily      2014/07/13 12:30:01
Stats contents    : yes              none       2014/07/15 21:36:00

3. Confirm the following information:

l DTI Service: Enabled

l DTI Service Address: cloud.fireeye.com

l DTI Service Username: User name provided with DTI subscription license

l Update source: online
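A script that runs the step 3 checks against captured output, as an added example that is not part of the FireEye guide. It assumes the command output was captured over SSH into a text file; SAMPLE_STATUS is the listing above re-flowed one field per line, SAMPLE_STATUS_BAD is a constructed failure case, and the address allowlist and the lockdown handling are the example's own assumptions.

```python
"""Check 'show fenet status' output for the conditions listed in the validation step.

Added example, not from the FireEye guide. SAMPLE_STATUS is the guide's own
listing re-flowed one field per line (constructed); the address allowlist and
the lockdown check are assumptions for illustration.
"""
import re

SAMPLE_STATUS = """\
Dynamic Threat Intelligence Service:
  Update source : online
  Enabled       : yes
  Address       : cloud.fireeye.com
  Username      : DTIUser

HTTP Proxy:
  Address       :
  Username      :
  User-agent    :

Request Session:
  Timeout       : 30
  Retries       : 3
  Speed Time    : 60
  Max Time      : 14400
  Rate Limit    :

Dynamic Threat Intelligence Lockdown:
  Enabled       : no
  Locked        : no
  Lock After    : 5 failed attempts
"""

# Constructed failure case: a redirected update server and an account locked after
# repeated authentication failures (the guide's advice is to re-check the credentials).
SAMPLE_STATUS_BAD = re.sub(r"Locked\s*: no", "Locked : yes",
                           re.sub(r"Address\s*: cloud\.fireeye\.com",
                                  "Address : updates.example.net", SAMPLE_STATUS))

# Assumption: the DTI service hostnames the guide lists as defaults.
EXPECTED_ADDRESSES = {"cloud.fireeye.com", "staticcloud.fireeye.com"}


def parse_sections(text):
    """Map 'Section:' headers to {key: value} dicts built from 'key : value' lines."""
    sections, current = {"_top": {}}, "_top"
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, sep, value = raw.strip().partition(":")
        if raw[0].isspace() or (sep and value.strip()):
            sections[current][key.strip()] = value.strip()
        else:
            current = key.strip()
            sections[current] = {}
    return sections


def validate_dti_status(text, expected_addresses=EXPECTED_ADDRESSES):
    """Return the list of problems found; an empty list means DTI access looks healthy."""
    sections = parse_sections(text)
    service = sections.get("Dynamic Threat Intelligence Service", {})
    lockdown = sections.get("Dynamic Threat Intelligence Lockdown", {})
    problems = []
    if service.get("Enabled") != "yes":
        problems.append("DTI service is not enabled")
    if service.get("Update source") != "online":
        problems.append(f"update source is {service.get('Update source')!r}, expected 'online'")
    if service.get("Address") not in expected_addresses:
        problems.append(f"DTI address {service.get('Address')!r} is not an expected FireEye server")
    if not service.get("Username"):
        problems.append("no DTI username configured")
    if lockdown.get("Locked") == "yes":
        problems.append("DTI lockdown is active (" + lockdown.get("Lock After", "?")
                        + "): fix the credentials before retrying")
    return problems


if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_STATUS), ("bad", SAMPLE_STATUS_BAD)]:
        print(name, validate_dti_status(sample) or "OK")
```

The lockdown section matters in practice: once the appliance has been locked after the configured number of failed attempts, re-running the update with the same wrong credentials only keeps it locked, so the script reports the lock before anything else is tried.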

Updating Security Content

When you validate DTI access, the system checks for new security content. If new content is
available, you can download the latest malware threat intelligence from the DTI cloud to your
appliance.

You can also manually update security content with the DTI Update Portal. See the DTI
Offline Update Portal User's Guide for more information.

For more information on validating DTI access, see Validating DTI Access on page 70.

Prerequisites

l Operator or Admin access

Updating Security Content Using the Web UI

Use the Update page to update security content.

To update security content:

1. Click the About tab.

2. Click the Update button in the upper left side.

3. For Source, select DTI.

4. On the Security Content row, click the information triangle.


5. Click Refresh.

6. If new content is available, click Download.

When the download is finished, the appliance automatically updates the security content.

Updating Security Content Using the CLI

Use the CLI commands in this topic to update security content.

To update security content:

1. Enable the CLI configuration mode:

hostname > enable

hostname # configure terminal

2. Download and install the latest security content:

hostname (config) # fenet security-content apply-update
Operation initiated in the background.
Run 'show fenet security-content status [progress]' for status

3. Review the download status:

hostname (config) # show fenet security-content status

DTI Security Content Status Information:

Dynamic Threat Intelligence Service
  Update source       : online
  Update channel      : cloud
  Enabled             : yes
  Address             : cloud.fireeye.com
  Username            : DTIUser
  SC acceptance level : stable
  SC type connected   : yes

Online Analysis Service:
  Service available   : yes
  AV-suite enabled    : yes

Local Security Content Auto-Generate:
  Enabled             : yes
  Infections enable   : yes
  Callbacks enabled   : yes

Security Content Autoupdate
  Enabled             : yes
  Action              : update with upload
  Notify (uploads)    : yes
  Notify (downloads)  : yes
  Scheduled           : daily at 12:30

Security Content Uploads
  Enabled             : yes
  Last Uploaded At    : 2014/06/27 23:52:46
  Status              : apply-info: No new security contents detected on this system

Security Content Updates
  Enabled             : yes
  Last Checked At     : 2014/07/15 23:40:04
  Last Applied At     : 2014/07/13 12:30:01
  Status              : fetch-done: New security-content available

Security Content Version: 341.209

4. Save your changes:

hostname (config) # write memory
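The update status is worth monitoring rather than reading once: if the scheduled run stops applying content, the appliance keeps detecting with stale intelligence and nothing else complains. The following Python is an added example, not FireEye code. It parses `show fenet security-content status` (the listing above, and the post-update listing in Configuring Automatic Security Updates, are reproduced here as constructed samples) and flags content that is older than two scheduled runs or has been fetched but not applied. The threshold, the reference time, and the function names are assumptions.

```python
"""Flag stale or failed security-content updates from 'show fenet security-content status'.

Added example, not from the FireEye guide. The sample output is the guide's own
listing re-flowed one field per line (constructed); the rule that content is
stale after two missed scheduled runs, and the reference time, are assumptions.
"""
import re
from datetime import datetime, timedelta

SAMPLE_SC_STATUS = """\
DTI Security Content Status Information:

Dynamic Threat Intelligence Service
  Update source       : online
  Update channel      : cloud
  Enabled             : yes
  Address             : cloud.fireeye.com
  Username            : DTIUser
  SC acceptance level : stable
  SC type connected   : yes

Security Content Autoupdate
  Enabled             : yes
  Action              : update with upload
  Notify (uploads)    : yes
  Notify (downloads)  : yes
  Scheduled           : daily at 12:30

Security Content Uploads
  Enabled             : yes
  Last Uploaded At    : 2014/06/27 23:52:46
  Status              : apply-info: No new security contents detected on this system

Security Content Updates
  Enabled             : yes
  Last Checked At     : 2014/07/15 23:40:04
  Last Applied At     : 2014/07/13 12:30:01
  Status              : fetch-done: New security-content available

Security Content Version: 341.209
"""

# The same appliance after the scheduled run of 2014/07/16 applied the fetched content.
SAMPLE_SC_STATUS_OK = (SAMPLE_SC_STATUS
    .replace("2014/07/15 23:40:04", "2014/07/16 12:30:00")
    .replace("2014/07/13 12:30:01", "2014/07/16 12:30:00")
    .replace("fetch-done: New security-content available",
             "apply-done: Updates installed successfully")
    .replace("341.209", "341.268"))

TIME_FMT = "%Y/%m/%d %H:%M:%S"  # the CLI's timestamp format


def field(text, section, key):
    """Value of 'key : value' inside the blank-line-delimited section that starts with `section`."""
    start = text.index(section)
    end = text.find("\n\n", start)
    block = text[start:end if end != -1 else None]
    m = re.search(rf"^\s*{re.escape(key)}\s*:\s*(.*)$", block, re.M)
    return m.group(1).strip() if m else None


def schedule_interval(scheduled):
    """Expected gap between runs: 'daily at 12:30' -> 1 day, 'hourly at 15' -> 1 hour, 'every 30' -> 30 min."""
    if scheduled.startswith("daily"):
        return timedelta(days=1)
    if scheduled.startswith("hourly"):
        return timedelta(hours=1)
    m = re.match(r"every (\d+)", scheduled)
    if m:
        return timedelta(minutes=int(m.group(1)))
    raise ValueError(f"unrecognized schedule: {scheduled!r}")


def assess_security_content(text, now, max_missed_runs=2):
    """Return version, timestamps and a list of findings (empty when updates are current).

    `now` is given in the CLI's own timestamp format so the check can be replayed on old captures.
    """
    now = datetime.strptime(now, TIME_FMT)
    applied = datetime.strptime(field(text, "Security Content Updates", "Last Applied At"), TIME_FMT)
    checked = datetime.strptime(field(text, "Security Content Updates", "Last Checked At"), TIME_FMT)
    status = field(text, "Security Content Updates", "Status") or ""
    scheduled = field(text, "Security Content Autoupdate", "Scheduled") or ""
    findings = []
    if field(text, "Security Content Autoupdate", "Enabled") != "yes":
        findings.append("automatic security-content updates are disabled")
    if now - applied > max_missed_runs * schedule_interval(scheduled):
        findings.append(f"content last applied {applied:%Y-%m-%d %H:%M}, "
                        f"more than {max_missed_runs} scheduled runs ago")
    if status.startswith("fetch-done"):
        findings.append("content fetched but not yet applied: " + status)
    elif not (status.startswith("apply-done") or status.startswith("apply-info")):
        findings.append("unexpected update status: " + status)
    version = re.search(r"Security Content Version:\s*(\S+)", text)
    return {"version": version.group(1) if version else None,
            "last_checked": checked, "last_applied": applied, "findings": findings}
```

Run it from a cron job against fresh captures and alert on a non-empty `findings` list; the Security Content Version it returns is the value to compare across a fleet to spot one appliance that has silently fallen behind.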

Configuring Automatic Security Updates

The Security Content Settings specify how often the DTI network server and the appliance share

security content.

Prerequisites

l Admin access

Configuring Automatic Security Content Updates Using the Web UI

Use the Settings: DTI Network page to configure automatic security content updates.


To configure automatic security content updates:

1. Click the Settings tab.

2. Click DTI Network on the sidebar.

3. Click Security Contents.

4. (Optional) To receive email notification of each security content update, select the Notify

checkbox.

If you select the Notify checkbox, make sure that you have configured event
notifications. For more information on event notifications, see the Threat
Management Guide for your appliance.

5. Select the update frequency from the Update Frequency drop-down list.

You can select the following update frequencies:

l daily

l hourly

6. Set the update start time in the Time drop-down list.

l If you selected a daily update, set the time, based on a 24-hour clock, when the

update starts.

l If you selected an hourly update, set the minutes after the hour when the update

starts.

7. Click Apply Settings.

Configuring Automatic Security Content Updates Using the CLI

Use the CLI commands in this topic to configure automatic security content updates.

To configure automatic security content updates:

1. Enable the CLI configuration mode:

hostname > enable

hostname # configure terminal

2. Enable automatic updates of security content:

hostname (config) # fenet security-content autoupdate action update

3. Specify the automatic update time interval:

l To update daily, enter:

fenet security-content autoupdate schedule daily at <hh:mm>

where <hh:mm> specifies the time to start the update based on a 24-hour clock.


l To update hourly, enter:

fenet security-content autoupdate schedule hourly at <mm>

where <mm> is the number of minutes after the hour when the update starts.

l To update after a set number of minutes, enter:

fenet security-content autoupdate schedule every <mm>

where <mm> is the number of minutes between updates.

l To use the default interval, enter:

fenet security-content autoupdate schedule default

4. (Optional) To receive email notification of each security content update, enter the fenet

security-content autoupdate notification enable command. Notifications are disabled

by default. After enabling automatic update notifications, you can specify which kind of

notifications to receive:

l To receive an email notification if the automatic update of security content fails,

enter:

fenet security-content autoupdate notification class fail

This option is the default.

l To receive an email notification when the automatic update of security succeeds or

fails, enter:

fenet security-content autoupdate notification class info

5. Validate the update configuration:

hostname (config) # show fenet security-content status

DTI Security Content Status Information:

Dynamic Threat Intelligence Service
  Update source       : <online>
  Update channel      : devel
  Enabled             : yes
  Address             : cloud.fireeye.com
  Username            : engtest
  SC acceptance level : stable
  SC type connected   : yes

Online Analysis Service:
  Service available   : yes
  AV-suite enabled    : yes

Local Security Content Auto-Generate:
  Enabled             : yes
  Infections enable   : yes
  Callbacks enabled   : yes

Security Content Autoupdate
  Enabled             : yes
  Action              : update with upload
  Notify (uploads)    : yes
  Notify (downloads)  : yes
  Scheduled           : daily at 12:30

Security Content Uploads
  Enabled             : yes
  Last Uploaded At    : 2014/07/16 12:31:13
  Status              : apply-info: Uploaded new security contents successfully

Security Content Updates
  Enabled             : yes
  Last Checked At     : 2014/07/16 12:30:00
  Last Applied At     : 2014/07/16 12:30:00
  Status              : apply-done: Updates installed successfully

Security Content Version: 341.268

6. Save your changes:

hostname (config) # write memory

Configuring Automatic System Information Updates

The Stats Content settings specify how often the DTI network and the appliance share system

statistical information. No customer-specific proprietary information is exchanged.

Prerequisites

l Admin access

Configuring Automatic System Information Updates Using the Web UI

Use the Settings: DTI Network page to configure automatic system information updates.

To configure automatic system information updates:

1. Click the Settings tab.

2. Click DTI Network on the sidebar.

3. Click Stats Contents.

4. Select the update frequency from the Update Frequency drop-down list.

You can select the following update frequencies:

l default

l none

l daily

l hourly

l monthly

l weekly

5. Set the time interval from the time interval drop-down lists.

6. Click Apply Settings.

Configuring Automatic System Information Updates Using the CLI

Use the CLI commands in this topic to configure automatic system information updates.

To configure automatic system information updates:

1. Enable the CLI configuration mode:

hostname > enable

hostname # configure terminal

2. Select the information to be collected:

l To collect database information, enter:

hostname (config) # fenet stats-content aggregator db-aggr enable

l To collect kernel message log (dmesg) information, enter:

hostname (config) # fenet stats-content aggregator dmesg-aggr enable

l To collect malware detection packet capture (pcap) information, enter:

hostname (config) # fenet stats-content aggregator pcaps-aggr enable

l To collect runtime system statistics, enter:

hostname (config) # fenet stats-content aggregator rt-stats-aggr enable

3. Set the automatic update schedule:

l To update hourly, enter:

fenet stats-content upload auto hourly at <mm>

where <mm> is the number of minutes within the hour when the update is triggered.

l To update daily, enter:

fenet stats-content upload auto daily at <hh:mm>

where <hh:mm> specifies the time to start the update based on a 24-hour clock.

l To update weekly, enter:

fenet stats-content upload auto weekly on <day>

where <day> is the day of the week on which the update should occur: sun, mon, tue, wed,
thu, fri, or sat.

l To update monthly, enter:

fenet stats-content upload auto monthly on <dd>

where <dd> is the day of the month on which the update should occur.

l To disable automatic updates, enter:

fenet stats-content upload auto none

4. Validate the update configuration:

hostname (config) # show fenet stats-content status

DTI Stats Content Status Information:

Dynamic Threat Intelligence Service
  Enabled              : yes
  Address              : fenet1.fireeye.com
  Username             : engtest

Stats Content Uploads
  Enabled              : yes
  Auto Upload Schedule : none (only rt-stats upload every 3 hours)
  Last Uploaded At     : 2014/07/16 21:36:00
  Status               : Uploads done successfully: rt-stats

Stats-content aggregators enabled (schedule):
  db-aggr        no  (default)
  dmesg-aggr     no  (default)
  pcaps-aggr     no  (default)
  rt-stats-aggr  yes (default)

Stats Aggregators Version: AGVR_00052

Run 'show fenet stats-content aggregator <aggr-name>' for further details.

5. Save your changes:

hostname (config) # write memory

Changing the Active DTI Source

For CM Series-managed appliances, this information pertains only to those appliances
that use the dual-port address type to communicate with the CM Series platform.
Managed appliances using the single-port address type must use the default
CMS DTI source. Appliances running Release 7.6.0 and later use the single-port
address type by default. For details, see Changing the Address Type for
DTI Network Service Requests on page 102.

Software updates (such as guest images, security content, and appliance images) can be

downloaded from the following DTI sources:

l Dynamic Threat Intelligence Network (DTI), the FireEye Dynamic Threat Intelligence

server

l Content Delivery Network (CDN), a content delivery network server

l The CM Series platform (CMS), available only to managed appliances

l A custom DTI source (CUSTOM, if configured). A custom DTI source is used only for

managed appliances in a Network Address Translation (NAT) deployment when the

CM Series platform is in an internal network behind a NAT gateway and the appliance uses

the dual-port address type to communicate with the CM Series platform.

By default, CDN is the DTI source for standalone appliances, and CMS is the global DTI source

for all appliances under the management of a CM Series platform. You can change the DTI

source for a standalone appliance, and you can override the global managed DTI source on

individual appliances.

Reasons for changing the active DTI source include:

l Network address translation. When the CM Series platform is behind a NAT gateway in

a dual-port configuration, an accessible IP address that managed appliances can reach must

be configured as a custom DTI source. For details, see Configuring and Activating an
Accessible DTI Server Address on page 284.

l Faster download speed. A CDN server is typically geographically closer to standalone

appliances than the FireEye DTI server. The CDN server could be closer to managed

appliances than the CM Series platform.

l Security. Your security policies could require you to download the software updates

directly from the FireEye DTI server.

DTI Source Settings

The settings for DTI source servers are described in the following table.

Setting Description

Source The server from which to download software updates.

For standalone appliances, the available sources are Dynamic Threat Intelligence Network (DTI) and Content Delivery Network (CDN).

For managed appliances, the available sources are Dynamic Threat Intelligence Network (DTI), Content Delivery Network (CDN), and CMS. The CUSTOM source is available in the NAT deployment.

Hostname (Address)

The hostname or IP address of the DTI source server.

Defaults:

DTI—staticcloud.fireeye.com

CDN—cloud.fireeye.com and download.fireeye.com

CMS—Managing CM Series platform IP address

Port The source HTTPS port (443 by default).

Username A user to authenticate access to the DTI source server.

Prerequisites

l Admin access

Changing the Active DTI Source Using the Web UI

Use the Settings: DTI Network page to change the DTI source from which the standalone

appliance downloads software updates.

For information about changing the active DTI source for a managed appliance, see

Overriding the Managed Appliance DTI Source Using the Web UI on page 83.

See DTI Source Settings on the previous page for a description of each source type.


To configure the DTI source:

1. Click the Settings tab.

2. Click DTI Network on the sidebar.

3. In the Content Source list, select the DTI source the appliance will use for software

updates, and then click Apply Settings.

Changing the Active DTI Source Using the CLI

Use the commands in this section to change the DTI source from which a standalone appliance

downloads software updates.

To change the active download source:

1. Enable the CLI configuration mode:

hostname > enable

hostname # configure terminal

2. View the current active and available DTI sources:

hostname (config) # show fenet dti configuration

3. Change the active download source:

hostname (config) # fenet dti source default type

where type is CDN or DTI.

4. Verify your changes:

hostname (config) # show fenet dti configuration

5. Save your changes:

hostname (config) # write memory

Example

In this example, the active download source on a standalone appliance is changed from CDN to

DTI.

hostname (config) # show fenet dti configuration

DTI CLIENT CONFIGURATIONS:
ACTIVE SETTINGS:
  Mode               : online
  Download source    : CDN (DTIUser@cloud.fireeye.com)
  Upload destination : DTI (DTIUser@up-staticcloud.fireeye.com)
  Mil service        : DTI (DTIUser@mil-staticcloud.fireeye.com)

AVAILABLE OPTIONS:
--------------------------------------------------------------
Download   User       Address
--------------------------------------------------------------
CDN        DTIUser    cloud.fireeye.com
DTI        DTIUser    staticcloud.fireeye.com
--------------------------------------------------------------
Upload     User       Address
--------------------------------------------------------------
DTI        DTIUser    up-staticcloud.fireeye.com
--------------------------------------------------------------
MIL        User       Address
--------------------------------------------------------------
DTI        DTIUser    mil-staticcloud.fireeye.com

hostname (config) # fenet dti source default DTI
hostname (config) # show fenet dti configuration

DTI CLIENT CONFIGURATIONS:
ACTIVE SETTINGS:
  Mode               : online
  Download source    : DTI (DTIUser@staticcloud.fireeye.com)
  Upload destination : DTI (DTIUser@up-staticcloud.fireeye.com)
  Mil service        : DTI (DTIUser@mil-staticcloud.fireeye.com)
  .
  .

hostname (config) # write memory

Overriding the Managed Appliance DTI Source

All managed appliances use a global DTI source to download software updates. This is "CMS" by

default; an administrator can override this global DTI source for individual appliances.

Prerequisites

l Admin access

Overriding the Managed Appliance DTI Source Using the Web UI

Use the Settings: DTI Network page to override the DTI source specified by the CM Series

platform for a managed appliance.


To override the managed appliance DTI source:

1. Click the Settings tab.

2. Click DTI Network in the sidebar.

3. To use the CM Series platform (CMS) as the DTI source:

a. Select the Obtain Settings from CMS? checkbox. The CM Series settings are
displayed.

b. Click Apply Settings.

4. To use another DTI source:

a. Clear the Obtain Settings from CMS? checkbox, if it is selected.

b. In the Content Source list, select Content Delivery Network (CDN) or

Dynamic Threat Intelligence Network (DTI). The settings for the selected

server are displayed.

c. Click Apply Settings.

Overriding the Managed Appliance DTI Source Using the CLI

Use the commands in this topic to override the DTI source specified by the CM Series platform

for a managed appliance.

To change the DTI source:

1. Log in to the CLI.

2. Enable the CLI configuration mode:

hostname > enable

hostname # configure terminal

3. View the current active and available DTI sources:

hostname (config) # show fenet dti configuration

4. Prevent the CM Series platform from changing this appliance's DTI source address, port,
username, and password:

hostname (config) # no fenet dti source override enable

5. Specify the DTI download server for this appliance:

hostname (config) # fenet dti source default type

where type is CDN, CMS, or DTI.

6. Validate your changes:

hostname (config) # show fenet dti configuration

7. Save your changes:

hostname (config) # write memory

Example

In this example, CDN overrides the managed appliance DTI source of CMS. 

hostname (config) # show fenet dti configuration

DTI CLIENT CONFIGURATIONS:
ACTIVE SETTINGS:
  Mode               : online
  Download source    : CMS (DTIUser@10.2.0.0) - Managed by CMS
  Upload destination : CMS (DTIUser@10.2.0.0) - Managed by CMS
  Mil service        : CMS (DTIUser@10.2.0.0) - Managed by CMS

AVAILABLE OPTIONS:
--------------------------------------------------------------
Download   User       Address
--------------------------------------------------------------
CDN        DTIUser    cloud.fireeye.com
CMS        DTIUser    10.2.0.0
DTI        DTIUser    staticcloud.fireeye.com
--------------------------------------------------------------
Upload     User       Address
--------------------------------------------------------------
CMS        DTIUser    10.2.0.0
DTI        DTIUser    up-staticcloud.fireeye.com
--------------------------------------------------------------
MIL        User       Address
--------------------------------------------------------------
CMS        DTIUser    10.2.0.0
DTI        DTIUser    mil-staticcloud.fireeye.com

hostname (config) # no fenet dti source override enable
hostname (config) # fenet dti source default CDN
hostname (config) # show fenet dti configuration

DTI CLIENT CONFIGURATIONS:
ACTIVE SETTINGS:
  Mode               : online
  Download source    : CDN (DTIUser@cloud.fireeye.com) - Managed by Appliance
  Upload destination : CMS (DTIUser@10.2.0.0) - Managed by CMS
  Mil service        : CMS (DTIUser@10.2.0.0) - Managed by CMS
  .
  .
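Because appliance images, guest images and security content all come from whichever server is the active download source, the three addresses reported by `show fenet dti configuration` are worth auditing on a standalone appliance (Changing the Active DTI Source) and on a managed appliance with a local override (this section) alike. The following Python is an added example, not FireEye code. It parses the ACTIVE SETTINGS lines from constructed samples modelled on the two examples above (the user@address form inside the parentheses is assumed), compares each role against an allowlist that is itself an assumption, and flags CUSTOM sources, CMS entries that do not point at the expected CM Series platform, and local overrides when policy forbids them.

```python
"""Audit the active DTI sources reported by 'show fenet dti configuration'.

Added example, not from the FireEye guide. The samples are constructed from the
guide's standalone and managed examples (user@address form assumed); the
allowlist is an assumption to be replaced by the servers your policy permits.
"""
import re

# Constructed sample: a standalone appliance after 'fenet dti source default DTI'.
STANDALONE_DTI = """\
DTI CLIENT CONFIGURATIONS:
ACTIVE SETTINGS:
  Mode               : online
  Download source    : DTI (DTIUser@staticcloud.fireeye.com)
  Upload destination : DTI (DTIUser@up-staticcloud.fireeye.com)
  Mil service        : DTI (DTIUser@mil-staticcloud.fireeye.com)
"""

# Constructed sample: a managed appliance whose download source was overridden locally.
MANAGED_OVERRIDE = """\
DTI CLIENT CONFIGURATIONS:
ACTIVE SETTINGS:
  Mode               : online
  Download source    : CDN (DTIUser@cloud.fireeye.com) - Managed by Appliance
  Upload destination : CMS (DTIUser@10.2.0.0) - Managed by CMS
  Mil service        : CMS (DTIUser@10.2.0.0) - Managed by CMS
"""

# Constructed sample: a download source this policy does not allow.
UNEXPECTED_SOURCE = STANDALONE_DTI.replace(
    "DTI (DTIUser@staticcloud.fireeye.com)", "CUSTOM (DTIUser@updates.example.net)")

# Policy (assumption): the servers each role may use, keyed by source type.
ALLOWED = {
    "Download source":    {"CDN": {"cloud.fireeye.com", "download.fireeye.com"},
                           "DTI": {"staticcloud.fireeye.com"}},
    "Upload destination": {"DTI": {"up-staticcloud.fireeye.com"}},
    "Mil service":        {"DTI": {"mil-staticcloud.fireeye.com"}},
}

ROLE_RE = re.compile(
    r"^\s*(?P<role>Download source|Upload destination|Mil service)\s*:\s*"
    r"(?P<type>[A-Z]+)\s*\((?P<user>[^@)]+)@(?P<address>[^)]+)\)"
    r"(?:\s*-\s*Managed by (?P<manager>\w+))?\s*$")


def parse_active_settings(text):
    """Return {role: {"type", "user", "address", "managed_by"}} for the three DTI roles."""
    roles = {}
    for line in text.splitlines():
        m = ROLE_RE.match(line)
        if m:
            roles[m.group("role")] = {
                "type": m.group("type"),
                "user": m.group("user"),
                "address": m.group("address"),
                "managed_by": m.group("manager"),  # None on a standalone appliance
            }
    return roles


def audit_dti_sources(text, cms_address=None, allow_local_override=True):
    """Return a list of findings; empty means every role points where policy expects.

    cms_address: the managing CM Series platform, the only address accepted for type CMS.
    allow_local_override: whether 'Managed by Appliance' is acceptable on a managed appliance.
    """
    roles = parse_active_settings(text)
    findings = []
    for role in ALLOWED:
        if role not in roles:
            findings.append(f"{role}: not present in output")
            continue
        r = roles[role]
        if r["type"] == "CMS":
            if r["address"] != cms_address:
                findings.append(f"{role}: CMS address {r['address']} is not the expected CM Series platform")
        elif r["address"] not in ALLOWED[role].get(r["type"], set()):
            findings.append(f"{role}: {r['type']} server {r['address']} is not on the allowlist")
        if r["managed_by"] == "Appliance" and not allow_local_override:
            findings.append(f"{role}: overridden locally on a managed appliance")
    return findings


if __name__ == "__main__":
    print(audit_dti_sources(STANDALONE_DTI) or "standalone OK")
    print(audit_dti_sources(MANAGED_OVERRIDE, cms_address="10.2.0.0", allow_local_override=False))
    print(audit_dti_sources(UNEXPECTED_SOURCE))
```

A CUSTOM source is legitimate only in the NAT deployment the guide describes, so the policy above treats any CUSTOM entry as a finding unless its address is added to the allowlist deliberately; the `managed_by` field is how you tell a change pushed by the CM Series platform from one made on the appliance itself.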


Configuring DTI Credentials

You should not change DTI configuration settings, except in the following cases:

l When you need to configure a custom DTI source in a Network Address Translation

(NAT) deployment.

l In a deployment with multiple appliances, in which you want to use the same username

and password for all of them so you do not have to remember multiple credentials.

Prerequisites

l Administrator access

Configuring DTI Credentials Using the CLI

Use the commands in this topic to configure the DTI server user or password.

To configure DTI credentials:

1. Enable the CLI configuration mode:

hostname > enable

hostname # configure terminal

2. Specify the user and password:

hostname (config) # fenet dti source type <type> username <user> password <password>

where <type> is CDN, DTI, CMS (for a managed appliance), or CUSTOM (if configured),
and <user> and <password> are the new credentials.

3. Verify your changes:

hostname (config) # show fenet dti configuration

4. Save your changes:

hostname (config) # write memory


CHAPTER 7: CM Series Platform Integration

The connection between an appliance and the CM Series platform can be initiated by either the

appliance or the CM Series platform. By default, a managed appliance uses the CM Series

platform as its source server for software downloads from the DTI network. In this

configuration, both management and DTI network traffic use a single port.

This section includes the following topics:

l Configuring Secure Shell (SSH) Authentication below

l Sending a Management Request to the CM Series Platform on page 98

l Changing the Address Type for DTI Network Service Requests on page 102

If your appliance is managed by the CM Series platform, you should generally avoid

changing shared configuration settings from the appliance Web UI or CLI. If you do so,

the changes could be overwritten by commands and actions issued from the CM Series

platform.

The CM Series platform can send alerts from managed appliances to the HX & HXD

Series appliance only if the HX & HXD Series appliance is running Release 2.6.0 or

later.

See the CM Series Administration Guide for information about accepting a management

request from the appliance. That guide also describes how to initiate the connection

from the CM Series platform.

Configuring Secure Shell (SSH) Authentication

The Secure Shell (SSH) protocol is used for secure communication between the CM Series

platform and the appliances it manages. When the CM Series platform initiates the connection, it

logs in as a remote user on the managed appliance. When the managed appliance initiates the

connection, it logs in as a remote user on the CM Series platform. SSH user authentication verifies

the identity of the remote user attempting the connection.

SSH host authentication verifies the identity of the CM Series platform to the managed appliance

and verifies the identity of the managed appliance to the CM Series platform.


The topics in this section describe how to configure SSH authentication for a client-

initiated connection (where a managed appliance administrator sends a request for

management to the CM Series platform, and a CM Series administrator accepts or rejects

the request). For information about a server-initiated connection (where the CM Series

platform administrator adds an appliance directly from the CM Series Web UI or CLI),

see the CM Series Administration Guide.

User Authentication

The remote user can authenticate using either a password or a public key. After the connection is

established, it is controlled by the configured password or the public key.

Password Authentication

With password authentication, a password is configured for the remote user. This is the initial

authentication type for an appliance that is added to the CM Series platform using the Web UI.

Public Key Authentication

Public key authentication uses a pair of keys—a public key and a private key. With public key
authentication, an SSH-DSA2 or SSH-RSA2 identity is configured for the remote user and is
pushed to the CM Series platform. Prefer SSH-RSA2 where both ends support it: SSH DSA keys
are fixed at 1024 bits, and OpenSSH has disabled ssh-dss keys by default since release 7.0.

Benefits of public key authentication include:

l The private key remains on the appliance and cannot be computed from the public key.

This is an advantage over password authentication, where the password could be cracked.

l If you use password authentication, password change policies can break the connection
between the CM Series platform and the managed appliance. For example, suppose users
on the CM Series platform must change their passwords every 90 days. As an NX Series
administrator, you could be unaware of this policy. After the password for the remote user
changes, the connection to the CM Series platform will be broken until you change the
password on the NX Series appliance. Because password change policies apply only to
password authentication, FireEye recommends using public key authentication for this
connection.

For details, see:

l Creating a Public Key Using the CLI on the facing page

l Configuring User Authentication Using the CLI on page 90


Host-Key Authentication

Host-key authentication can be used to prevent man-in-the-middle attacks, in which another

server poses as the managed appliance or the CM Series platform and intercepts the traffic

between them. When the appliance and the CM Series platform connect the first time using a

client-initiated connection, a key exchange takes place. The CM Series platform sends a copy of

its host key to the appliance, where it is compared to the keys in the appliance's host-keys

database.

If strict host-key checking is enabled, the connection can be established only if the key that is

sent matches an entry in the local host-keys database for the appliance's remote user. If global

host-key checking is enabled, the connection can be established only if the key that is sent

matches an entry in the appliance's global host-keys database.

You can enforce strict host-key checking, global host-key checking, or both.

Host keys are stored in the configuration database, so they are included in the backup

file.

In compliance mode, both strict and global host-key checking are enforced. For details,
see the FIPS 140-2 and Common Criteria Addendum.

For details, see:

l Obtaining a Host Key Using the Web UI on page 92 or Obtaining a Host Key

Using the CLI on page 93

l Importing a Host Key into the Global Host-Keys Database Using the CLI on

page 94

l Enabling Strict and Global Host-Key Checking Using the CLI on page 96
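What you compare out of band when you obtain the CM Series host key is its fingerprint, and the check the appliance performs is a lookup in one or both host-keys databases. The following Python is an added example, not FireEye code, that makes both concrete: it builds a constructed ssh-rsa public key blob (fixed test moduli derived from a hash, not real host keys), computes the OpenSSH-style SHA256 and MD5 fingerprints that `ssh-keygen -l` would print for the same key, and models the acceptance decision for strict checking, global checking, both, and neither. The database layout and the function names are assumptions.

```python
"""SSH host-key fingerprints and the strict/global host-key checks.

Added example, not FireEye code. The keys are constructed test values; the
per-user and global databases are plain sets of fingerprints (an assumption).
"""
import base64
import hashlib
import struct


def ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n):
    """SSH wire 'mpint': big-endian two's complement, with a leading 0x00 if the high bit is set."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_public_blob(e, n):
    """The blob that follows 'ssh-rsa' in a known_hosts or authorized_keys line."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def public_key_line(blob, comment="cms-host-key"):
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def blob_from_line(line):
    """Decode the base64 field of an 'ssh-rsa AAAA... comment' line."""
    return base64.b64decode(line.split()[1])


def fingerprint_sha256(blob):
    """OpenSSH 'SHA256:' fingerprint: unpadded base64 of the blob's SHA-256 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob):
    """Legacy OpenSSH 'MD5:' fingerprint, colon-separated hex."""
    h = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def accept_host_key(presented_blob, remote_user, user_db, global_db,
                    strict=False, global_check=False):
    """Decide whether a presented host key passes the configured checks.

    user_db:      {remote_user: {fingerprint, ...}}, the per-user host-keys database
    global_db:    {fingerprint, ...}, the appliance's global host-keys database
    strict:       the key must appear in the remote user's database
    global_check: the key must appear in the global database
    With neither enabled, the key from the first exchange is accepted as-is.
    Returns (accepted, reason).
    """
    fp = fingerprint_sha256(presented_blob)
    if strict and fp not in user_db.get(remote_user, set()):
        return False, f"{fp} not in host-keys database for user {remote_user!r}"
    if global_check and fp not in global_db:
        return False, f"{fp} not in global host-keys database"
    if not (strict or global_check):
        return True, "no host-key checking enforced; key accepted on first use"
    return True, f"{fp} matched"


def _test_modulus(label):
    """Deterministic 256-bit odd number used only as a constructed test modulus."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big") | 1


# Constructed keys: not real host keys.
CMS_KEY = rsa_public_blob(65537, _test_modulus(b"constructed CM Series host key"))
IMPOSTOR_KEY = rsa_public_blob(65537, _test_modulus(b"constructed impostor host key"))

USER_DB = {"cmcuser": {fingerprint_sha256(CMS_KEY)}}
GLOBAL_DB = {fingerprint_sha256(CMS_KEY)}

if __name__ == "__main__":
    print(public_key_line(CMS_KEY))
    print(fingerprint_sha256(CMS_KEY), fingerprint_md5(CMS_KEY))
    for strict, glob in [(False, False), (True, False), (True, True)]:
        print(strict, glob, accept_host_key(IMPOSTOR_KEY, "cmcuser", USER_DB, GLOBAL_DB, strict, glob))
```

With neither check enforced an impostor's key is accepted, which is exactly the man-in-the-middle case the section describes; the fingerprint printed by the script is the value you would read back to the CM Series administrator before importing the key into either database.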

Prerequisites

l Admin access to configure authentication and create keys

l Monitor, Operator, or Admin access to obtain CM Series host keys


Creating a Public Key Using the CLI

Use the commands in this section to create a new public key for SSH user authentication. You

can use this key instead of the password to authenticate the remote user.


To create a public key:

1. Enable the CLI configuration mode:

hostname > enable

hostname # configure terminal

2. Create the public key:

hostname (config) # cmc auth keyType identity identityName generate

where keyType can be ssh-dsa2 or ssh-rsa2 and identityName is a user-friendly name.

3. Verify your change:

hostname (config) # show cmc auth identities

4. Save your change:

hostname (config) # write memory

To remove a public key:

1. Enable the CLI configuration mode:

hostname > enable

hostname # configure terminal

2. Remove the public key:

hostname (config) # no cmc auth keyType identity identityName

3. Verify your change:

hostname (config) # show cmc auth identities

4. Save your change:

hostname (config) # write memory

Example

The following example creates an SSH-DSA2 identity named "admin4" on the NX-04 appliance.

NX-04 (config) # cmc auth ssh-dsa2 identity admin4 generate
NX-04 (config) # show cmc auth identities
DSA2 identity admin4:
  Public Key: ssh-dss AAA3NzaC1kc3MAAACBAJl3PisWNnz/gYLvL4JC7xFMoq3HE89rai7trnJmpxjylArYhfMzaGndFA4qGRZMFzhiz9Jhi/+W1ufIrXLGzakC0lAAAAFQCuMCsMwMGN9zT5w2JCiDt7D6orNwAA...

Configuring User Authentication Using the CLI

Use the commands in this section to configure authentication parameters for the remote user the

managed appliance uses to log in to the CM Series platform to announce itself. This is an existing

user on the CM Series platform.

System Administration Guide CHAPTER 7: CM Series Platform Integration

Release 7.6 Configuring Secure Shell (SSH) Authentication

See the ssh and cmc commands in the FireEye CLI Reference for advanced authentication

options.

To configure password authentication:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Specify the "password" authentication type:

hostname (config) # cmc client server auth authtype password

3. Specify the remote user (the CM Series user) to log in to the appliance:

hostname (config) # cmc client server auth password username username

4. Specify the password used to authenticate the remote user:

hostname (config) # cmc client server auth password password password

5. Save your changes:

hostname (config) # write memory

To configure SSH-DSA2 authentication:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Specify the SSH-DSA2 authentication type:

hostname (config) # cmc client server auth authtype ssh-dsa2

3. Specify the remote user to log in to the appliance:

hostname (config) # cmc client server auth ssh-dsa2 username username

4. Specify the named identity used to authenticate the remote user:

hostname (config) # cmc client server auth ssh-dsa2 identity identityName

where identityName is the name of an existing identity.

5. Save your changes:

hostname (config) # write memory

To configure SSH-RSA2 authentication:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Specify the SSH-RSA2 authentication type:

hostname (config) # cmc client server auth authtype ssh-rsa2

3. Specify the remote user to log in to the managed appliance:

hostname (config) # cmc client server auth ssh-rsa2 username username

4. Specify the named identity used to authenticate the remote user:

hostname (config) # cmc client server auth ssh-rsa2 identity identityName

where identityName is the name of an existing identity.

5. Save your changes:

hostname (config) # write memory

Example

The following example configures SSH-DSA2 authentication parameters used to log in to the

CM Series platform.

hostname (config) # cmc client server auth authtype ssh-dsa2
hostname (config) # cmc client server auth ssh-dsa2 username cmcadmin3
hostname (config) # cmc client server auth ssh-dsa2 identity admin3

Obtaining a Host Key Using theWebUI

Use the Certificates/Keyspage to obtain the host key of the CM Series platform. This is the

key that you will import into the global host-keys database of the managed appliance.

The host-key string may need to be modified in a Network Address Translation (NAT)

deployment. For details, see Configuring Global Host-Key Authentication in a

NAT Deployment on page 295.

To obtain a host key:

1. Log in to the CM Series Web UI.

2. Click the Settings tab.

3. Click Certificates/Keys on the sidebar.

4. Locate the Appliance Public Key string in the Keys section.

5. Copy the string starting with the IP address.

6. Do one of the following:

l Paste the key into the managed appliance CLI, as described in Importing a Host

Key into the Global Host-Keys Database Using the CLI on page 94.

l Paste the key into a text file and save it for later.

Obtaining a Host Key Using the CLI

Use the command in this section to obtain the host key of the CM Series platform. This is the

key that you will import into the global host-keys database of the managed appliance.

You must obtain the RSA v2 key.

The host-key string may need to be modified in Network Address Translation (NAT)

deployments. For details, see Configuring Global Host-Key Authentication in a

NAT Deployment on page 295.

To obtain the host key:

1. Log in to the CM Series CLI.

2. View the keys:

hostname > show ssh server host-keys interface ether1

3. Locate the RSA v2 host key entry.

4. Copy the key string, including the double quotation marks.

5. Do one of the following:

l Paste the key into the managed appliance CLI, as described in Importing a Host

Key into the Global Host-Keys Database Using the CLI on the next page.

l Paste the key into a text file and save it for later.

Example

This example displays the CM Series host keys. The RSA v2 host key entry is the one to copy.

CM-08 > show ssh server host-keys interface ether1
SSH server configuration:
SSH server enabled: yes
...
Interface listen enabled: yes
Listen Interfaces:
Interface: ether1

Host Key Finger Prints and Key Lengths:
RSA v1 host key: 37:20:5f:af:65:33:e8:62:26:3c:25:d0:1f:2d:8a:54 (2048)
RSA v2 host key: c7:64:12:8a:71:a6:da:14:3c:05:37:aa:7a:2e:2a:8c (2048)
DSA v2 host key: 85:59:a8:a1:d8:3e:df:2e:74:fc:6a:be:be:d2:62:32 (1024)

Host Keys:
RSA v1 host key: "10.11.121.13 2048 65537 27678927235571051433944923436127639420072994239434197952617478790730883193561581892416574428382880076651052317847902037474895252247975570054315595358600142845914848782710493540937857691486699538042052007295602744764036681566020303332538223563825872378195559416466034473245176374751379653304184889304215755398717002961974218227773055287228117309728679472422744200184844597327452806661880313000836518022137675657765205670872217927843062157032172499589577136315879700789083029147987588619557961691104204933846230076323566554605149466931434034062601876531156968025568815192986073498446108395753542572032093143856912019598"

RSA v2 host key: "10.11.121.13 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZZJLE/ftkUddyNW6KdqEQXjS0PjbtzTn3OB51Qg0fdeQHrJgFHM2/4C9WtDkwuX5jd7gdWnSWYwrXDv657thlyRPIt4Wxjf0bpOolPKAe6shgYq35NxalYDt7Pa/oym51SN/x9dGaaTFOHvvdAf0Gu5E7nv3YjLjmSgdpSp7auHnYsyJ5O+xlYocXtoBq6jOueyxm8qm76IWL007JIJ7ZLgMI8FjZ5gp48r+Hnjrdio2rhKKUP/6B0jpHRxsd8yPxMgJpyz2Dwv9ZIJha67f6sgWYdt4yxfBc9yr7yG3iVWVJcLE+83aY24X7DBUXFnG3AeciDpEqAit2dPF586hJ"

DSA v2 host key: "10.11.121.13 ssh-dss ..."

Importing a Host Key into the Global Host-Keys Database Using the CLI

Use the commands in this section to import the host key from a CM Series platform into the

appliance global host-keys database. This procedure is required for global host-key

authentication, in which the connection will be allowed only if the host key the CM Series sends

is already in this database.

If you choose to use global host-key authentication, you must explicitly enable the

feature in addition to importing the host key. For details, see Enabling Strict and

Global Host-Key Checking Using the CLI on page 96.

Before you perform this procedure, you must obtain the host key from the CM Series

platform. For CM Series platforms running Release 7.6.0 or later, you can obtain this

key from the CM Series platform Web UI or CLI. For CM Series platforms running an

earlier release, you must obtain this key from the CLI. For details, see Obtaining a

Host Key Using the Web UI on page 92 orObtaining a Host Key Using the CLI

on the previous page.

The host-key string may need to be modified in a Network Address Translation (NAT)

deployment. For details, see Configuring Global Host-Key Authentication in a

NAT Deployment on page 295.

See the ssh commands in the FireEye CLI Reference for advanced authentication options.

To import a host key:

1. Log in to the appliance CLI.

2. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

3. Import the key into the global host-keys database:

hostname (config) # ssh client global known-host "keyString"

The key must start with the CM Series IP address and it must be enclosed in

double quotation marks. If the key starts with the hostname, replace the

hostname with the IP address.

4. Verify your change:

hostname (config) # show ssh server host-keys

5. Save your change:

hostname (config) # write memory

To remove a host key:

1. Log in to the appliance CLI.

2. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

3. Remove the key:

hostname (config) # no ssh client global known-host "keyString"

4. Verify your change:

hostname (config) # show ssh server host-keys

5. Save your change:

hostname (config) # write memory

If you delete a host key that is in use, the connection between the CM Series platform

and the managed appliance is broken.

Example

This example imports the host key from a CM Series platform into the appliance global host-key

database.

hostname (config) # ssh client global known-host "10.11.121.13 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZZJLE/ftkUddyNW6KdqEQXjS0PjbtzTn3OB51Qg0fdeQHrJgFHM2/4C9WtDkwuX5jd7gdWnSWYwrXDv657thlyRPIt4Wxjf0bpOolPKAe6shgYq35NxalYDt7Pa/oym51SN/x9dGaaTFOHvvdAf0Gu5E7nv3YjLjmSgdpSp7auHnYsyJ5O+xlYocXtoBq6jOueyxm8qm76IWL007JIJ7ZLgMI8FjZ5gp48r+Hnjrdio2rhKKUP/6B0jpHRxsd8yPxMgJpyz2Dwv9ZIJha67f6sgWYdt4yxfBc9yr7yG3iVWVJcLE+83aY24X7DBUXFnG3AeciDpEqAit2dPF586hJ"
hostname (config) # show ssh server host-keys
SSH client Strict Hostkey Checking: ask
Minimum protocol version: 2
Cipher list: compatible
Minimum key length: 1024 bits

SSH Global Known Hosts:
Entry 1:
Host: 10.11.121.13
Finger Print: c7:64:12:8a:71:a6:da:14:3c:05:37:aa:7a:2e:2a:8c
Key Length (bits): 2048
...
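The check that the obtaining and importing procedures above leave to the reader, as an added example (this is not FireEye code and not the appliance CLI): a Python script that takes the CM Series `show ssh server host-keys` output, picks the RSA v2 entry, decodes the OpenSSH blob to confirm it really is an ssh-rsa key of acceptable length, computes the MD5 fingerprint in the colon-separated form the CLI prints as Finger Print, and builds the quoted `ssh client global known-host` command with the leading address normalised. The sample output is the guide's own example trimmed to the relevant lines; MIN_KEY_BITS mirrors the "Minimum key length: 1024 bits" line of the example output; all function names are this example's own. How the NAT case is handled (substituting the address the managed appliance actually connects to, passed as connect_address) is an assumption, since the NAT procedure itself is on page 295 and not reproduced here.

```python
"""Check a CM Series RSA v2 host key before importing it with
'ssh client global known-host'.

Added example, not FireEye code. It parses the 'show ssh server host-keys'
output, decodes the OpenSSH key blob, computes the legacy MD5 fingerprint
(the colon form the CLI prints as 'Finger Print') and builds the quoted
import command with the leading address normalised as the guide requires.
"""
import base64
import hashlib
import hmac
import ipaddress
import re
import struct

# Constructed sample: the RSA v2 lines of the 'show ssh server host-keys
# interface ether1' output reproduced in this guide, other lines trimmed.
SAMPLE_SHOW_OUTPUT = (
    'Host Key Finger Prints and Key Lengths:\n'
    'RSA v2 host key: c7:64:12:8a:71:a6:da:14:3c:05:37:aa:7a:2e:2a:8c (2048)\n'
    'Host Keys:\n'
    'RSA v2 host key: "10.11.121.13 ssh-rsa '
    'AAAAB3NzaC1yc2EAAAADAQABAAABAQDZZJLE/ftkUddyNW6KdqEQXjS0PjbtzTn3OB51Qg0fdeQHrJgF'
    'HM2/4C9WtDkwuX5jd7gdWnSWYwrXDv657thlyRPIt4Wxjf0bpOolPKAe6shgYq35NxalYDt7Pa/oym51'
    'SN/x9dGaaTFOHvvdAf0Gu5E7nv3YjLjmSgdpSp7auHnYsyJ5O+xlYocXtoBq6jOueyxm8qm76IWL007J'
    'IJ7ZLgMI8FjZ5gp48r+Hnjrdio2rhKKUP/6B0jpHRxsd8yPxMgJpyz2Dwv9ZIJha67f6sgWYdt4yxfBc'
    '9yr7yG3iVWVJcLE+83aY24X7DBUXFnG3AeciDpEqAit2dPF586hJ"\n'
)
MIN_KEY_BITS = 1024   # 'Minimum key length: 1024 bits' in the guide's example output


def extract_rsa_v2_key(show_output):
    """Return the quoted RSA v2 host-key string, without the quotes."""
    m = re.search(r'^RSA v2 host key:\s*"([^"]+)"', show_output, re.M)
    if not m:
        raise ValueError('no RSA v2 host key entry found')
    return m.group(1)


def extract_listed_fingerprint(show_output):
    """Return the RSA v2 fingerprint the CLI lists, or None."""
    m = re.search(r'^RSA v2 host key:\s*((?:[0-9a-f]{2}:){15}[0-9a-f]{2})', show_output, re.M)
    return m.group(1) if m else None


def _read_string(blob, pos):
    """One SSH 'string' field: 4-byte big-endian length, then that many bytes."""
    (n,) = struct.unpack('!I', blob[pos:pos + 4])
    if pos + 4 + n > len(blob):
        raise ValueError('truncated key blob')
    return blob[pos + 4:pos + 4 + n], pos + 4 + n


def decode_rsa_blob(b64):
    """Decode an OpenSSH ssh-rsa public-key blob; return (exponent, modulus)."""
    blob = base64.b64decode(b64, validate=True)
    algo, pos = _read_string(blob, 0)
    if algo != b'ssh-rsa':
        raise ValueError('not an ssh-rsa key: %r' % algo)
    e_bytes, pos = _read_string(blob, pos)
    n_bytes, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError('trailing bytes in key blob')
    return int.from_bytes(e_bytes, 'big'), int.from_bytes(n_bytes, 'big')


def md5_fingerprint(b64):
    """Legacy OpenSSH fingerprint: MD5 of the raw blob as 16 colon-separated hex bytes."""
    digest = hashlib.md5(base64.b64decode(b64)).hexdigest()
    return ':'.join(digest[i:i + 2] for i in range(0, 32, 2))


def inspect_host_key(key_line):
    """Split 'address ssh-rsa blob', decode the blob and summarise it."""
    address, algo, b64 = key_line.split()[:3]
    e, n = decode_rsa_blob(b64)
    return {'address': address, 'algo': algo, 'exponent': e,
            'bits': n.bit_length(), 'fingerprint': md5_fingerprint(b64)}


def fingerprint_matches(key_line, expected):
    """Compare the computed fingerprint with one obtained another way."""
    computed = md5_fingerprint(key_line.split()[2])
    return hmac.compare_digest(computed, expected.strip().lower())


def known_host_command(key_line, connect_address=None):
    """Build the import command. The guide requires the string to start with the
    CM Series IP address and to be quoted; a leading hostname must be replaced.
    For NAT the assumption here (not stated in this section) is that the address
    must be the one the managed appliance connects to, passed as connect_address."""
    address, rest = key_line.split(None, 1)
    if connect_address is not None:
        address = connect_address
    try:
        ipaddress.ip_address(address)
    except ValueError:
        raise ValueError('leading token %r is not an IP address; pass connect_address'
                         % address) from None
    info = inspect_host_key(key_line)
    if info['bits'] < MIN_KEY_BITS:
        raise ValueError('%d-bit key is below the %d-bit minimum' % (info['bits'], MIN_KEY_BITS))
    return 'ssh client global known-host "%s %s"' % (address, rest)


if __name__ == '__main__':
    line = extract_rsa_v2_key(SAMPLE_SHOW_OUTPUT)
    info = inspect_host_key(line)
    print('%s %s %d bits, e=%d' % (info['address'], info['algo'], info['bits'], info['exponent']))
    print('computed fingerprint:', info['fingerprint'])
    listed = extract_listed_fingerprint(SAMPLE_SHOW_OUTPUT)
    print('matches the Finger Print line:', listed is not None and fingerprint_matches(line, listed))
    print(known_host_command(line))
```

Compare the computed fingerprint with the Finger Print line as read on the CM Series console (serial or IPMI, not over the same SSH session) before pasting the command; with strict host-key checking shown as "ask" in the example output above, an unverified key is exactly what a first connection would otherwise accept on trust.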

Enabling Strict andGlobal Host-Key Checking Using the CLI

Use the commands in this section to enable strict host-key checking, global host-key checking,

or both.

l With strict host-key checking, the connection will be allowed only if the local host-keys

database for the managed appliance remote user already has an entry that matches the key

the CM Series platform sends.

l With global host-key checking, the connection will be allowed only if the managed

appliance global host-keys database already has an entry that matches the key the

CM Series platform sends.

When you enable global host-key authentication, any established connections will be

broken until you explicitly add the host key to the global host-keys database. See

Importing a Host Key into the Global Host-Keys Database Using the CLI on

page 94 for instructions.

See the ssh and cmc commands in the FireEye CLI Reference for advanced authentication

options.

To enable strict host-key checking:

1. Log in to the appliance CLI.

2. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

3. Enable strict host-key checking:

hostname (config) # cmc auth ssh host-key strict

4. Verify your changes:

hostname (config) # show cmc auth ssh

5. Save your changes:

hostname (config) # write memory

To enable global host-key checking:

1. Log in to the appliance CLI.

2. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

3. Enable global host-key checking:

hostname (config) # cmc auth ssh host-key global-only

4. Verify your changes:

hostname (config) # show cmc auth ssh

5. Save your changes:

hostname (config) # write memory

To disable strict or global host-key authentication:

1. Log in to the appliance CLI.

2. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

3. Perform the following steps as needed.

l To disable strict host-key checking:

hostname (config) # no cmc auth ssh host-key strict

l To disable global host-key checking:

hostname (config) # no cmc auth ssh host-key global-only

4. Verify your changes:

hostname (config) # show cmc auth ssh

5. Save your changes:

hostname (config) # write memory

Example

This example enforces both strict and global host-key checking on a managed appliance.

hostname (config) # cmc auth ssh host-key strict
hostname (config) # cmc auth ssh host-key global-only
hostname (config) # show cmc auth ssh
CMC SSH configuration:
Strict host key checking enabled: yes
Global only known hosts enabled: yes
Minimum protocol version: 2
Cipher list: compatible
Minimum key length: 1024 bits

Sending a Management Request to the CM Series Platform

You can send a request to be added to the CM Series platform to be managed. A rendezvous

process enables appliances to attempt the request and allows the CM Series administrator to see

the list of pending requests.

To send a management request, you must enable the following:

l Rendezvous process on the CM Series platform (enabled by default)

l Automatic rendezvous attempts on the requesting appliance

l Auto connect feature on the requesting appliance so it automatically tries to connect to the

CM Series platform after the rendezvous attempt succeeds (enabled by default)

Instructions for verifying and enabling these settings are included in the Preparing an

Appliance to Send a Management Request below procedure.

The rendezvous process has an identifier (known as service name) that is set to "cmc" by

default. The CM Series platform and the requesting appliance must have the same

service name; if you change the service name on one, you must change it on the other as

well. The cmc rendezvous service-name hostname command changes the service

name; the no cmc rendezvous service-name command restores the default value. For

details, see the FireEye CLI Reference.

See Sending a Management Request in a NAT Deployment on page 289 for

procedures to follow in a Network Address Translation (NAT) deployment.

Prerequisites

l Operator or Admin access

l Unique hostname for each requesting appliance

l Remote user credentials. This is a CM Series user that the appliance uses to log in to the

CM Series platform to announce itself. See User Authentication on page 88 for details

about configuring the remote user.

Preparing an Appliance to Send aManagement Request

Use the commands in this section to prepare an appliance to send a request for management to

the CM Series platform.

To prepare to send a request:

1. Log in to the requesting appliance CLI.

2. Enable the CLI configuration mode:

appl-hostname > enable
appl-hostname # configure terminal

3. Enable automatic rendezvous attempts:

appl-hostname (config) # cmc rendezvous client auto

4. Verify that the auto connect feature is enabled:

a. View appliance (client) information:

appl-hostname (config) # show cmc client

b. If Autoconnect: no is shown, enable auto connect:

appl-hostname (config) # cmc client connection auto

5. Save your changes:

appl-hostname (config) # write memory

Sending aManagement Request Using theWebUI

Use the Settings: CMS Network page in the requesting appliance Web UI to initiate a request

to be added to the CM Series platform.

To initiate a request to be managed:

1. Click the Settings tab.

2. Click CMS Network on the sidebar.

3. In the CMS IP Address and Port boxes, enter the CM Series IP address and the remote

management port, which is 22 by default.

4. In the CMS Username and CMS Password boxes, enter the credentials of the

CM Series user the appliance should use to log in to the CM Series platform to announce

itself.

5. If the appliance is behind a NAT gateway, select the Appliance Behind NAT checkbox.

See Configuring Network Address Translation (NAT) on page 278 for

detailed NAT deployment information.

6. Click Send Request.

A message informs you that the request succeeded or failed, or that the appliance is already

being managed by the CM Series platform. If the request succeeded, a CM Series

administrator can accept or reject the request. Example messages follow.

Sending aManagement Request Using the CLI

Use the commands in this section to configure an appliance to initiate a request to be added to the

CM Series platform.

To initiate a request to be managed:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Specify the IP address of the CM Series platform:

hostname (config) # cmc client server address IPaddress

3. Specify the authentication type and the credentials of the CM Series user the appliance

should use to log in to the CM Series platform to announce itself.

hostname (config) # cmc client server auth authtype authtype
hostname (config) # cmc client server auth authtype username username
hostname (config) # cmc client server auth authtype {password password | identity identityName}

where:

l authtype can be password, ssh-dsa2, or ssh-rsa2.

l password password is used with the password authentication.

l identity identityName is used with SSH-DSA2 and SSH-RSA2 authentication.

4. Enable automatic rendezvous attempts:

hostname (config) # cmc rendezvous client auto

5. Verify that the auto connect feature is enabled:

a. View appliance (client) information:

hostname (config) # show cmc client

b. If Autoconnect: no is shown, enable auto connect:

hostname (config) # cmc client connection auto

6. Save your changes:

hostname (config) # write memory

Changing the Address Type for DTI Network Service Requests

By default, the CM Series platform and a managed appliance use a single port (the SSH port, 22

by default) for the following types of communication:

l Remote management— Initiates the connection and configures the appliance.

l DTI network service—Requests software updates (such as guest images, security content,

and appliance images) from the DTI network.

The single-port configuration uses the single-port address type. It reduces the complexity of

firewall rules, and provides an additional layer of security and privacy between the CM Series

platform and the appliances it manages. In environments in which the CM Series platform is

behind a Network Address Translation (NAT) gateway, using a single port also eliminates the

need to open an additional HTTPS port (443) for the managed appliance to request software

updates from the CM Series platform. (For details about NAT deployment, see Configuring

Network Address Translation (NAT) on page 278.)

You can instead configure the dual-port address type, in which the management traffic uses the

SSH port and the DTI network service traffic uses the HTTPS port (port 443). If you change the

address type on an appliance that was already added to the CM Series platform using a client-

initiated connection, that appliance will be briefly disconnected and then reconnected using the

new configuration.

The single-port or dual-port address type is configured on individual managed

appliances, not on the CM Series platform. This feature is available only on appliances

that use the CM Series platform as their DTI source server. It is not available if the

appliance uses another DTI source server (described in Changing the Active

DTI Source on page 79).

If the CM Series platform is in an internal network behind a NAT gateway, see

Switching to Single-Port or Dual-Port Communication in a NAT Deployment on

page 287 for additional information.

Prerequisites

l Admin access to the appliance

l For single-port communication, CMS must be configured as the DTI source type for the

appliance (see Changing the Active DTI Source on page 79 for details).

Configuring Single-Port CM Series Communication Using the CLI

Single-port communication is the default behavior, and requires no configuration. Use the

commands in this topic to restore single-port communication if dual-port communication was

enabled. This topic also describes how to enable dual-port communication.

Before you restore single-port communication, make sure CMS is the configured

DTI source (see Changing the Active DTI Source on page 79 for details).

To enable single-port communication:

1. Log in to the appliance CLI.

2. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

3. If your appliance has already been added to the CM Series platform, type yes to confirm

that you want to enter configuration mode:

********************* CMS notice *********************
This system is under management of a CMS. Please note that the CMS may
update this system's configuration, which could overwrite changes that
you have made locally.
Enter 'YES' to enter configuration mode anyway: yes

4. Enable single-port communication:

hostname (config) # fenet dti source type CMS address-type cms-singleport

5. Verify the configuration:

hostname (config) # show fenet dti configuration

6. Save your changes:

hostname (config) # write memory

Alternatively, you can use the no fenet dti source type CMS address-type command

to restore single-port communication.

To enable dual-port communication:

1. Log in to the appliance CLI.

2. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

3. Enable dual-port communication:

hostname (config) # fenet dti source type CMS address-type cms-auto

4. Verify the configuration:

hostname (config) # show fenet dti configuration

5. Save your changes:

hostname (config) # write memory

Dual-port communication is the default behavior (and the only option) for appliances

running a release earlier than Release 7.6.0.

Examples

This example enables single-port communication.

hostname (config) # fenet dti source type CMS address-type cms-singleport
hostname (config) # show fenet dti configuration

DTI CLIENT CONFIGURATIONS:

ACTIVE SETTINGS:

Mode               : online
Download source    : CMS (DTIUser@10.2.0.0 : singleport) - Managed by CMS
Upload destination : CMS (DTIUser@10.2.0.0 : singleport) - Managed by CMS
Mil service        : CMS (DTIUser@10.2.0.0 : singleport) - Managed by CMS

AVAILABLE OPTIONS:

----------------------------------------------------
Download   User      Address
----------------------------------------------------
CDN        DTIUser   cloud.fireeye.com
CMS        DTIUser   10.2.0.0
DTI        DTIUser   staticcloud.fireeye.com
...

This example enables dual-port communication.

hostname (config) # fenet dti source type CMS address-type cms-auto
hostname (config) # show fenet dti configuration

DTI CLIENT CONFIGURATIONS:

ACTIVE SETTINGS:

Mode               : online
Download source    : CMS (DTIUser@10.2.0.0) - Managed by CMS
Upload destination : CMS (DTIUser@10.2.0.0) - Managed by CMS
Mil service        : CMS (DTIUser@10.2.0.0) - Managed by CMS

AVAILABLE OPTIONS:

----------------------------------------------------
Download   User      Address
----------------------------------------------------
CDN        DTIUser   cloud.fireeye.com
CMS        DTIUser   10.2.0.0
DTI        DTIUser   staticcloud.fireeye.com
...

CHAPTER 8: Setting Date and Time

You can set the appliance date and time manually, or configure one or more Network Time

Protocol (NTP) servers that synchronize the time automatically. You can also perform a one-time

synchronization of the system clock to the DTI server clock.

The date and time are stored as Coordinated Universal Time (UTC) in the database.

The Z character in syslog output indicates that the time displayed is in the UTC

time zone; for example, Oct 19 2012 16:10:10 Z. By default, the display time zone

is UTC.

l NTP Server Configuration on page 108

l Manual Time Configuration below

l Time Zone Configuration on page 110

l DTI Server Time Synchronization on page 112

Manual Time Configuration

You can manually set the date and time on your appliance.

l Setting the Date and Time Using the Web UI below

l Setting the Date and Time Using the CLI on the next page

Setting the Date and TimeUsing theWebUI

Use the top section of the Settings: Date and Time page to set the date and time for your

appliance.

NTP synchronization is set by default and must be disabled before you can manually

configure the date and time. For instructions about disabling NTP, see NTP Server

Configuration on page 108.

Prerequisites

l Admin access

To set the date and time:

1. Click the Settings tab.

2. If the Settings tabs are not visible, select Appliance Settings from the Admin menu, or

click the Appliance Settings tab at the top of the page.

3. Click Date and Time on the sidebar.

4. Select the date and time from the drop-down lists.

5. Click Update Time.

6. Set the timezone as described in Time Zone Configuration on page 110.

Setting the Date and TimeUsing the CLI

Use the CLI commands in this topic to manually set the date, time, and timezone on your

system.

NTP synchronization is set by default and must be disabled before you can manually

configure the date and time. For instructions about disabling NTP, see NTP Server

Configuration on page 108.

Prerequisites

l Admin access

To set the date and time:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Specify the time and date:

hostname (config) # clock set HH:MM YYYY/MM/DD

The date parameter is optional; if you do not include it, the date remains the

same.

For example, the following command sets the time and date to 2:00 p.m. on July 21, 2014:

hostname (config) # clock set 14:00 2014/07/21

3. Specify the timezone:

hostname (config) # clock timezone timezone

For example, both of the following commands set the time zone to Pacific Standard Time:

hostname (config) # clock timezone UTC-offset UTC+8

hostname (config) # clock timezone America North United_States Pacific

The time zone is for display purposes and should match other security device

settings.

4. Restore the default time zone:

hostname (config) # no clock timezone

5. View the configured time and date settings:

hostname (config) # show clock

6. Save your changes:

hostname (config) # write memory

Examples

l Time and date using the North America Central Daylight time zone:

hostname > show clock
Time: 16:39:35
Date: 2014/06/25
Time zone: America North United_States Central (US/Central)
UTC offset: -0500 (UTC minus 5 hours)

l Time and date settings using the default time zone:

hostname > show clock
Time: 21:40:37
Date: 2014/06/25
Time zone: UTC (Etc/UTC)
UTC offset: same as UTC

NTP Server Configuration

Instead of manually setting the system date and time, you can specify one or more Network Time

Protocol (NTP) servers to synchronize the time automatically. You can also specify a secondary

NTP server to be used if the primary NTP server is unavailable. By default, NTP version 4 is

used, but you can use the CLI to change it to version 3 if that is the version your server supports.

You can also perform a one-time action that synchronizes the system clock to a specific

NTP server.

l Configuring NTP Servers Using the Web UI below

l Configuring NTP Servers Using the CLI on the facing page

Configuring NTPServers Using theWebUI

Use the middle section of the Settings: Date and Time page to configure NTP servers.

Prerequisites

l Admin access

To configure NTP servers:

1. Click the Settings tab.

2. Click Date and Time on the sidebar.

3. Enter the IP address or hostname of the NTP server that you want to use in the Add

NTP Server box.

4. Click Add NTP Server.

5. Repeat the previous two steps to add additional servers.

6. Set the timezone as described in Time Zone Configuration on page 110.

7. To update the time based on a selected NTP server, click Update Time next to the

server entry.

The time is updated, and the needed adjustment is displayed in a message on the page.

8. To delete an NTP server, select the checkbox next to the server and then click Remove

Selected NTP Servers.

Configuring NTPServers Using the CLI

Use the CLI commands in this topic to configure NTP servers.

Prerequisites

l Admin access

To enable and configure NTP servers:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Enable NTP synchronization:

hostname (config) # ntp enable

3. Specify the primary NTP server:

hostname (config) # ntp server ipAddress_or_hostname

4. Specify the secondary NTP server:

hostname (config) # ntp server ipAddress_or_hostname

5. Specify NTP version 3:

hostname (config) # ntp peer address version 3

6. Disable NTP:

hostname (config) # ntp disable

or

hostname (config) # no ntp enable

7. View the current NTP runtime state and configuration:

hostname > show ntp

8. View the configured NTP servers and their settings:

hostname > show ntp configured

9. Update the system time once based on a specific NTP server:

hostname (config) # ntpdate ipAddress_or_hostname

10. Save your changes:

hostname (config) # write memory

Examples

l Enable NTP and specify both a primary and secondary server by their hostnames:

hostname (config) # ntp enable
hostname (config) # ntp server 1.acme.pool.ntp.org
hostname (config) # ntp server 2.acme.pool.ntp.org

l Disable NTP and then display the resulting NTP status:

hostname (config) # ntp disable
hostname (config) # show ntp
NTP is administratively disabled.
Clock is unsynchronized.
No NTP associations present.

l Display the current NTP runtime state and configuration:

hostname > show ntp
NTP is administratively enabled.
Clock is synchronized. Reference: 200.00.00.0 Offset: 1.713 ms.
Active servers and peers:

                 Conf                           Offset   Ref              Poll     Last
Address          Type   Status        Stratum   (msec)   Clock            Interv   Resp
                                                                          (sec)    (sec)
===========================================================================
90.000.000.00    n/a    candidat (+)  2         -0.233   200.00.000.000   1024     284
70.000.000.0     n/a    outlyer  (-)  2         12.069   60.0.00.00       1024     808
90.000.00.00     n/a    candidat (+)  2         -0.958   50.000.000.000   1024     775
200.00.00.0      n/a    sys.peer (*)  2          1.713   100.0.000.00     1024     537

l Display the configured NTP servers and their settings:

hostname > show ntp configured
NTP enabled: yes
No NTP peers configured.
NTP server 0.acme.pool.ntp.org
  Enabled: yes
  NTP version: 4

NTP server 1.acme.pool.ntp.org
  Enabled: yes
  NTP version: 4

NTP server 2.acme.pool.ntp.org
  Enabled: yes
  NTP version: 4

NTP server 3.acme.pool.ntp.org
  Enabled: yes
  NTP version: 4
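What the NTP version setting changes on the wire, and how the Offset column of show ntp is derived, as an added example that is not FireEye code: a minimal SNTP client per RFC 4330. build_request sets the version field (3 or 4) in the first byte of the request, parse_response unpacks a server reply, and evaluate applies the checks a client should make before trusting a reply (server mode, matching version, usable stratum, and an originate timestamp that echoes its own request) and returns the clock offset and round-trip delay. The reply used by default is constructed by make_response so the module runs offline; query_server performs a real UDP exchange only when you pass a host (and optionally a version) on the command line. The reference id, stratum and timestamps in the constructed exchange are made-up values, and all function names are this example's own.

```python
"""Minimal SNTP client (RFC 4330) illustrating the 'ntp ... version 3|4'
setting and the Offset column of 'show ntp'.

Added example, not FireEye code. Run without arguments to evaluate a
constructed server reply offline; pass a host (and optionally 3 or 4) to
query a real server.
"""
import socket
import struct
import sys
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
HEADER = '!BBbbIII'             # LI|VN|Mode, stratum, poll, precision, root delay, root disp, ref id
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp_timestamp(seconds):
    """Unix-epoch float -> (seconds, fraction) as sent on the wire."""
    t = seconds + NTP_EPOCH_OFFSET
    sec = int(t)
    return sec, int((t - sec) * (1 << 32))


def from_ntp_timestamp(sec, frac):
    return sec - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_request(version, t1):
    """48-byte client request: LI=0, VN=version, Mode=3, transmit timestamp=T1."""
    if version not in (3, 4):
        raise ValueError('NTP version must be 3 or 4')
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (version << 3) | MODE_CLIENT   # 0x1b for v3, 0x23 for v4
    pkt[40:48] = struct.pack('!II', *to_ntp_timestamp(t1))
    return bytes(pkt)


def parse_response(data):
    if len(data) < 48:
        raise ValueError('short NTP packet (%d bytes)' % len(data))
    first, stratum, _poll, _precision, _rdelay, _rdisp, _refid = struct.unpack(HEADER, data[:16])
    ts = struct.unpack('!8I', data[16:48])
    return {
        'leap': first >> 6, 'version': (first >> 3) & 7, 'mode': first & 7,
        'stratum': stratum,
        'originate': from_ntp_timestamp(ts[2], ts[3]),   # T1, echoed from our request
        'receive': from_ntp_timestamp(ts[4], ts[5]),     # T2
        'transmit': from_ntp_timestamp(ts[6], ts[7]),    # T3
    }


def offset_and_delay(t1, t2, t3, t4):
    """RFC 4330: offset = ((T2 - T1) + (T3 - T4)) / 2, delay = (T4 - T1) - (T3 - T2)."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def evaluate(reply, t1, t4, version):
    """Validate a reply and return (offset_seconds, delay_seconds, stratum)."""
    r = parse_response(reply)
    if r['mode'] != MODE_SERVER:
        raise ValueError('not a server reply (mode %d)' % r['mode'])
    if r['version'] != version:
        raise ValueError('server answered with NTP version %d' % r['version'])
    if r['stratum'] == 0 or r['stratum'] > 15:
        raise ValueError('unusable stratum %d (kiss-o-death or unsynchronised)' % r['stratum'])
    if abs(r['originate'] - t1) > 1e-6:
        raise ValueError('originate timestamp does not echo our request: stale or spoofed reply')
    offset, delay = offset_and_delay(t1, r['receive'], r['transmit'], t4)
    return offset, delay, r['stratum']


def make_response(version, stratum, t1, t2, t3):
    """Construct a server reply for offline use (all values made up)."""
    first = (0 << 6) | (version << 3) | MODE_SERVER
    head = struct.pack(HEADER, first, stratum, 6, -20, 0, 0, int.from_bytes(b'GPS\x00', 'big'))
    stamps = struct.pack('!8I', *to_ntp_timestamp(t3 - 60), *to_ntp_timestamp(t1),
                         *to_ntp_timestamp(t2), *to_ntp_timestamp(t3))
    return head + stamps


def query_server(host, version=4, port=123, timeout=2.0):
    """Real UDP exchange; not used in the offline path."""
    t1 = time.time()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(version, t1), (host, port))
        reply, _ = s.recvfrom(48)
    return evaluate(reply, t1, time.time(), version)


if __name__ == '__main__':
    if len(sys.argv) > 1:
        ver = int(sys.argv[2]) if len(sys.argv) > 2 else 4
        offset, delay, stratum = query_server(sys.argv[1], ver)
    else:
        # Constructed exchange: client sends at T1, server stamps T2/T3, client receives at T4.
        t1, t4 = 1403728775.0, 1403728776.0
        reply = make_response(4, 2, t1, t1 + 0.25, t1 + 0.5)
        offset, delay, stratum = evaluate(reply, t1, t4, 4)
    print('stratum %d  offset %.3f ms  delay %.3f ms' % (stratum, offset * 1000, delay * 1000))
```

The originate-timestamp check is the one that matters operationally: a reply whose originate field does not match what you sent is either a delayed duplicate or was not produced in answer to your request, and accepting it would let an off-path sender steer the clock that license validity (see DTI Server Time Synchronization below) depends on.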

Time Zone Configuration

You must set the timezone on your appliance whether you configure the date and time manually

or synchronize with an NTP server.

l Setting the Date and Time Using the Web UI on page 105

l Setting the Date and Time Using the CLI on page 106

Setting the Time Zone Using the Web UI

Use the bottom section of the Settings: Date and Time page to set the timezone for your appliance.

Prerequisites

• Admin access

To set the time zone:

1. Click the Settings tab.

2. Click Date and Time on the sidebar.

3. Select the time zone from the drop-down list.

4. Select options from other drop-down lists, if present.

5. Click Set Time Zone.

Setting the Time Zone Using the CLI

Use the CLI commands in this topic to set the time zone on your appliance.

Prerequisites

• Admin access

To set the timezone:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Specify the timezone:

hostname (config) # clock timezone timezone

For example, both of the following commands set the time zone to Pacific Standard Time:


hostname (config) # clock timezone UTC-offset UTC+8

hostname (config) # clock timezone America North United_States Pacific

The time zone is for display purposes and should match other security device settings.

3. Restore the default time zone:

hostname (config) # no clock timezone

4. View the configured time and date settings:

hostname (config) # show clock

5. Save your changes:

hostname (config) # write memory

Examples

Time and Date Using the North America Central Daylight Timezone

hostname > show clock
Time: 16:39:35
Date: 2014/06/25
Time zone: America North United_States Central (US/Central)
UTC offset: -0500 (UTC minus 5 hours)

Time and Date Settings Using the Default Timezone

hostname > show clock
Time: 21:40:37
Date: 2014/06/25
Time zone: UTC (Etc/UTC)
UTC offset: same as UTC

DTI Server Time Synchronization

The system time should match the DTI server time as closely as possible. This is necessary for features such as the license update service, in which licenses are downloaded from the DTI server and installed on the appliance. FireEye recommends that you perform this synchronization before you enable the feature to prevent time gaps that could affect the validity of your licenses.

The fenet time sync CLI command retrieves the time (in UTC) from the DTI server and then synchronizes the system clock to it. This command is especially useful if you do not use NTP servers to synchronize your system clock.

This action synchronizes the system clock to the DTI server a single time. It does not change the system timezone.


Prerequisites

• Admin access

To synchronize the system clock to the DTI server clock:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Synchronize the clocks:

hostname (config) # fenet time sync

3. Save your changes:

hostname (config) # write memory


CHAPTER 9: License Management

License keys are required for system operation. The appliance requires three license keys:

Appliance (FIREEYE_APPLIANCE)—Required to register your system and use the product features.

Support (FIREEYE_SUPPORT)—Allows your system to receive software image updates and the latest guest images.

Content (CONTENT_UPDATES)—Allows your system to access the Dynamic Threat Intelligence (DTI) network, which provides the latest intelligence on advanced cyber attacks and malware callback destinations. This enables FireEye products to proactively recognize new threats and block attacks. There are two versions of the content update license:

• The two-way sharing license provides your appliance with malware intelligence from the DTI network and shares data about malware analyzed by your appliance.

• The one-way sharing license provides your appliance with malware intelligence, but no information is submitted to the DTI cloud.

IPS (IPS)—Allows your appliance to use FireEye integrated Intrusion Prevention System features.

ATI (ATI)—Allows your appliance to use Advanced Threat Intelligence features.

Managed defense (MD_ACCESS)—Allows your appliance to use FireEye as a Service.

Sophos (AV_ENGINE_SOPHOS)—Allows your appliance to use Sophos scanning and detection.

The functionality provided by the optional licenses is disabled if the FIREEYE_APPLIANCE license is invalid.

Warnings are displayed on the Settings: Appliance Licenses page if licenses have expired or will expire within 30 days. For details, see Viewing License Notifications Using the Web UI on page 123.

There are two ways to manage licenses:

• Automatic License Updates on the next page

• Manual License Installation on page 119


Automatic License Updates

The license update feature enables an appliance with basic network connectivity to automatically download licenses from the DTI network and install them. This feature provides the following benefits:

• Minimal initial configuration—The license update feature is enabled with the configuration jump-start wizard during the initial system configuration. This means the feature can be fully functional after the jump-start wizard is completed.

• Simplified license management—There is no need to contact FireEye for license keys when new features are added or when licenses are renewed, because the new licenses are automatically downloaded and installed.

• Scalability—Organizations, such as those with a large number of appliances, can benefit from all appliances being updated automatically, instead of entering license keys manually on each appliance, one at a time.

How it Works

The license update feature, if enabled, downloads and applies licenses to which the customer is contractually entitled. If an active license for a feature is already installed and the licensing service downloads an active license for the feature, the installed license is replaced by the downloaded license only if the downloaded license offers more functionality or a later expiry date. This process is automatic; however, you can also explicitly update licenses.

The licensing service will not:

• Install a downloaded license that would cause a feature to become temporarily unlicensed.

• Install a product (FIREEYE_APPLIANCE) license that changes licensed features. If this is your intention, you must install the new license manually.

You can manually force a downloaded license to be installed. In this case, if a downloaded license and an installed license are both valid, the downloaded license takes precedence; the installed license is removed and the downloaded license is installed in its place. If you use this option, the license is installed even if it is less advantageous than the existing license, and even if it causes the two scenarios listed above to occur.

You can synchronize the system time to the DTI server time to prevent a feature from being temporarily unlicensed due to time differences. This is a one-time synchronization, but it can be repeated.


When an appliance is managed by the CM Series platform, the CM Series platform acts as a proxy between the managed appliance and the licensing service. The license update feature must still be enabled on the managed appliance. In such an integrated environment, the CM Series platform acts as the DTI server for the managed appliances, so the licensing service uses the CM Series DTI network credentials instead of the appliance's credentials.

Managed appliances running release 7.5.0 or later can be configured to use a DTI server other than the CM Series platform, as described in Changing the Active DTI Source on page 79. (An exception to this is the 7.5.0 release of the FX Series appliance, which does not provide this functionality.)

For more information, see Enabling Automatic License Updates.

Enabling Automatic License Updates

You can enable the license update feature using the configuration wizard or the CLI.

Configuration Wizard

The configuration wizard is typically used to initially configure a new system. The wizard steps, which include the following license activation steps, allow a customer to have a functioning system with only minimal configuration.

• Enable fenet service?

• Enable fenet license update service?

• Sync appliance time with fenet?

• Update licenses from fenet?

For details about the wizard steps, see Configuration Wizard Steps on page 21.

Enabling Automatic License Updates Using the CLI

The remaining topics in this section describe how to use CLI commands to enable and use the license update feature.

Prerequisites

• An established connection between the appliance and the Internet.

• Operator or Admin access to enable the license update feature and download and install licenses.

• DTI network access to allow the appliance to get updates directly from the DTI network.

• (Optional) Admin access to synchronize the system clock with the DTI server clock.


Using the Licensing Service

When the license update feature is enabled, license updates are automatic. You can also explicitly update licenses.

Prerequisites

• Operator or Admin access

To verify and enable the feature:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Verify the license update feature status:

hostname > show fenet license
fenet License Update Service
  Licensing service: Administratively enabled
  Last time licensing service was contacted: 2014/08/11 10:50:04
  Last time licensing service was contacted successfully: 2014/08/11 10:50:04
  Last time keys from licensing service were applied: 2014/08/07 17:50:03

3. If the license update feature service is disabled, enable it:

hostname (config) # fenet license update enable

4. Save your changes:

hostname (config) # write memory

(Optional) See DTI Server Time Synchronization on page 112 for information about preventing potential licensing issues if there is a time gap between the two clocks.

To explicitly update licenses:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Update licenses:

hostname (config) # fenet license update

3. Save your changes:

hostname (config) # write memory


To disable the feature:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Disable the feature:

hostname (config) # no fenet license update enable

3. Save your changes:

hostname (config) # write memory

Forcing License Updates

When you force license updates, the licensing service downloads licenses from the DTI server, removes existing licenses if there are conflicts, and installs the downloaded licenses in their place. The licenses are installed even if they are less functional or of a shorter duration than the existing licenses, and even if it would cause the two scenarios listed in How it Works on page 115 to occur.

Carefully consider the implications of forcing license updates before you perform this procedure.

Prerequisites

• Operator or Admin access

To force license updates:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Download the licenses and replace existing licenses with them if there are conflicts:

hostname (config) # fenet license update force

The system clearly indicates which licenses were replaced.

3. Save your changes:

hostname (config) # write memory

Examples

• The licensing service replaced an existing license with one that it downloaded:

hostname (config) # fenet license update force
Added license(s) from fenet
LK2-CONTENT_UPDATES-33XX-00XX-XX00-0X0X-0000-X000-X000-X00X-0XXX-J00
Deleted installed license(s) (superceded by license(s) shown above):
LK2-CONTENT_UPDATES-42XX-44XX-00XX-0000-H888-X00X-000R-XX22-XYZ-0

• The licensing service installed a license that did not exist:

hostname (config) # fenet license update force
Added license(s) from fenet
LK2-FIREEYE-SUPPORT-000X-XX00-XX00-0X0X-0000-X000-X000-X00X-0XXX-X00X
No license(s) deleted

• All licenses were already installed and did not conflict with downloaded licenses:

hostname (config) # fenet license update force
All licenses fetched from fenet have already been installed

Manual License Installation

If the license update feature is not enabled, you need to install license keys manually. Licenses need to be installed when an evaluation license expires or when a license expires or no longer meets your needs. In addition, replacement licenses need to be installed after a Return Material Authorization (RMA).

You can obtain your license keys from the Assets tab in the FireEye Customer Support Portal or by sending an email that includes the MAC address of your appliance to key_[email protected].

There are two ways to manually install licenses, described in the following topics:

• Installing Licenses Using the Web UI below

• Installing Licenses Using the CLI on the facing page

Installing Licenses Using the Web UI

Use the Settings: Appliance Licenses page to install licenses.


This illustration is from a CM Series platform.

Prerequisites

• Admin or Operator access

To install license keys:

1. Click the Settings tab.

2. Click Appliance Licenses on the sidebar.

3. Paste the license key you obtained from FireEye in the License Key box.

4. Click Add License.

The page refreshes to show the license key in the table. If the key is valid, the Valid column shows true and additional information is displayed about the license.

Removing Licenses Using the Web UI

Use the Settings: Appliance Licenses page to remove licenses.

Prerequisites

• Admin or Operator access

To remove license keys:

1. Click the Settings tab.

2. Click Appliance Licenses on the sidebar.

3. Click Remove in the row for the license you want to remove.

4. Click OK in the confirmation message that appears.

Installing Licenses Using the CLI

Use the CLI commands in this topic to install licenses.

Prerequisites

• Admin or Operator access


To install licenses:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Install each license:

hostname (config) # license install Key1 Key2 Key3

You can enter the license keys sequentially separated by spaces as shown above, or enter license install and then press Enter to be prompted to enter the license keys one at a time.

3. Verify the licenses:

hostname (config) # show licenses
License 1: LK2-FIREEYE_APPLIANCE-0000-0000-0000-0000-0000-0000-0000-0000-0000
Feature: FIREEYE_APPLIANCE
Description: FireEye Appliance
Valid: yes
Start date: 2014/01/08 (ok)
End date: 2017/01/17 (ok)
Tied to MAC addr: 00:00:00:00:00:00 (ok)
Product: eMPS (ok)
Type: PROD (ok)
Agreement: EULA (ok)
Active: yes

License 2: LK2-CONTENT_UPDATES-0000-0000-0000-0000-0000-0000-0000-0000-0000
Feature: CONTENT_UPDATES
Description: Content updates
Valid: yes
Start date: 2014/01/08 (ok)
End date: 2017/01/17 (ok)
Tied to MAC addr: 00:00:00:00:00:00 (ok)
Sharing: all (ok)
Active: yes

License 3: LK2-FIREEYE_SUPPORT-0000-0000-0000-0000-0000-0000-0000-0000-0000
Feature: FIREEYE_SUPPORT
Description: FireEye Support
Valid: yes
Start date: 2014/01/08 (ok)
End date: 2017/01/17 (ok)
Tied to MAC addr: 00:00:00:00:00:00 (ok)
Sharing: all (ok)
Active: yes

4. Save your changes:

hostname (config) # write memory

The show licenses command output in this procedure shows the basic licenses installed on an EX Series appliance. The output will vary depending on the appliance type and the feature licenses that are installed.


Removing Licenses Using the CLI

Use the CLI commands in this topic to remove licenses.

Prerequisites

• Admin or Operator access

To remove licenses:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. List the installed licenses:

hostname (config) # show licenses
License 1: LK2-FIREEYE_APPLIANCE-0000-0000-0000-0000-0000-0000-0000-0000-0000
Feature: FIREEYE_APPLIANCE
Description: FireEye Appliance
Valid: yes
Start date: 2014/01/08 (ok)
End date: 2017/01/17 (ok)
Tied to MAC addr: 00:00:00:00:00:00 (ok)
Product: wMPS (ok)
Type: PROD (ok)
Agreement: EULA (ok)
Active: yes

License 2: LK2-CONTENT_UPDATES-0000-0000-0000-0000-0000-0000-0000-0000-0000
Feature: CONTENT_UPDATES
Description: Content updates
Valid: yes
Start date: 2014/01/08 (ok)
End date: 2017/01/17 (ok)
Tied to MAC addr: 00:00:00:00:00:00 (ok)
Sharing: all (ok)
Active: yes

License 3: LK2-FIREEYE_SUPPORT-0000-0000-0000-0000-0000-0000-0000-0000-0000
Feature: FIREEYE_SUPPORT
Description: FireEye Support
Valid: yes
Start date: 2014/01/08 (ok)
End date: 2017/01/17 (ok)
Tied to MAC addr: 00:00:00:00:00:00 (ok)
Sharing: all (ok)
Active: yes

3. Do one of the following:

• Remove the license using the license ID. For example, to remove the Support license listed above:

hostname (config) # license delete 3

• Remove all licenses:

hostname (config) # license delete all

4. Save your changes:

hostname (config) # write memory

The show licenses command output in this procedure shows the basic licenses installed on an NX Series appliance. The output will vary depending on the appliance type and the feature licenses that are installed.

Viewing License Notifications Using the Web UI

Functionality associated with a license stops when a license expires. For example, when the FIREEYE_APPLIANCE license expires, the appliance will block access to all pages except the Settings: Appliance Licenses page, and CLI commands (except those that install licenses) are disabled or their execution fails. For example, the report generate command will not create a report, and on an EX Series appliance, the show email-analysis statistics command will return FIREEYE_APPLIANCE license has expired, cannot show xxx details.

To help prevent a gap in functionality, the Settings: Appliance Licenses page displays notification details about expired licenses and licenses that will expire within 30 days. For example:

See Automatic License Updates on page 115 for information about enabling the appliance to automatically download licenses from the DTI network when it is time to renew them.
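As an added example (not FireEye code), the following script parses show licenses output in the layout shown in this chapter and produces the same kind of notices the Settings: Appliance Licenses page shows: licenses that have expired or expire within 30 days, plus the chapter's rule that every optional license is disabled when no valid FIREEYE_APPLIANCE license is present. The sample output and the reference date are constructed; the keys and MAC addresses are placeholders.

```python
# Added example, not FireEye code: parse NX Series 'show licenses' output and
# report licenses that are expired or expire within the Web UI's 30-day window.
import re
from datetime import date

WARN_DAYS = 30  # Settings: Appliance Licenses warns 30 days before expiry

# Constructed sample in the layout of the 'show licenses' output in this chapter;
# keys and MAC addresses are placeholders.
SAMPLE_SHOW_LICENSES = """\
License 1: LK2-FIREEYE_APPLIANCE-0000-0000-0000-0000-0000-0000-0000-0000-0000
Feature: FIREEYE_APPLIANCE
Valid: yes
Start date: 2014/01/08 (ok)
End date: 2017/01/17 (ok)
Tied to MAC addr: 00:00:00:00:00:00 (ok)
Active: yes

License 2: LK2-CONTENT_UPDATES-0000-0000-0000-0000-0000-0000-0000-0000-0000
Feature: CONTENT_UPDATES
Valid: yes
Start date: 2014/01/08 (ok)
End date: 2016/12/01 (ok)
Tied to MAC addr: 00:00:00:00:00:00 (ok)
Active: yes

License 3: LK2-FIREEYE_SUPPORT-0000-0000-0000-0000-0000-0000-0000-0000-0000
Feature: FIREEYE_SUPPORT
Valid: no
Start date: 2014/01/08 (ok)
End date: 2016/11/01 (expired)
Tied to MAC addr: 00:00:00:00:00:00 (ok)
Active: no
"""

_HEADER = re.compile(r"^License (\d+): (\S+)$")
_DATE = re.compile(r"(\d{4})/(\d{2})/(\d{2})")  # CLI prints dates as YYYY/MM/DD


def _to_date(text):
    """Parse a leading YYYY/MM/DD, ignoring trailers such as '(ok)' or '(expired)'."""
    m = _DATE.match(text)
    return date(int(m[1]), int(m[2]), int(m[3])) if m else None


def parse_show_licenses(text):
    """Return one dict per 'License N: <key>' block; each following
    'Name: value' line is stored on the license that precedes it."""
    licenses = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _HEADER.match(line)
        if m:
            licenses.append({"Number": int(m[1]), "Key": m[2]})
        elif licenses and ":" in line:
            name, _, value = line.partition(":")  # MAC addresses contain colons
            licenses[-1][name.strip()] = value.strip()
    return licenses


def _is_valid(lic):
    return lic.get("Valid", "").lower() == "yes"


def license_notifications(licenses, today, warn_days=WARN_DAYS):
    """One message per license that is expired, expiring soon or invalid, plus
    the chapter's rule that optional licenses are disabled without a valid
    FIREEYE_APPLIANCE license."""
    notes = []
    if not any(l.get("Feature") == "FIREEYE_APPLIANCE" and _is_valid(l) for l in licenses):
        notes.append("FIREEYE_APPLIANCE missing or invalid: optional licenses disabled")
    for lic in licenses:
        feature, end = lic.get("Feature", "?"), _to_date(lic.get("End date", ""))
        if end is None:
            notes.append(f"{feature}: no parseable end date")
        elif end < today:
            notes.append(f"{feature}: expired on {end:%Y/%m/%d}")
        elif (end - today).days <= warn_days:
            notes.append(f"{feature}: expires in {(end - today).days} days")
        elif not _is_valid(lic):
            notes.append(f"{feature}: marked Valid: no")
    return notes


def notifications_for(show_licenses_output, today):
    """Entry point taking today's date in the CLI's YYYY/MM/DD form."""
    return license_notifications(parse_show_licenses(show_licenses_output), _to_date(today))


if __name__ == "__main__":
    for note in notifications_for(SAMPLE_SHOW_LICENSES, "2016/11/15"):
        print(note)
```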


CHAPTER 10: Upgrading Your Appliance

The appliance automatically checks for new software images and guest images versions. Updates are made on an ongoing basis and are easy to download and install. For an appliance that is managed by the CM Series platform, software updates should be performed entirely from the CM Series Web UI. For more information, see the CM Series Administration Guide.

Refer to the FireEye DTI Offline Update Portal Guide for upgrade instructions if your appliance is offline and cannot download updates from the DTI network.

The appliance also checks for new security content versions, and if configured, automatically downloads and installs them. For more information, see Updating Security Content on page 72 and Configuring Automatic Security Updates on page 74.

Prerequisites

Review the items in this section before you begin your upgrade.

• User Role—You must have admin access to upgrade the appliance.

• Licenses—Before performing upgrades, confirm that the following licenses are installed and valid:

  • CONTENT_UPDATES license (needed for security updates)

  • FIREEYE_SUPPORT license (needed for software updates)

  See License Management on page 114 for more information. If you need to obtain the licenses, send an email to [email protected].

• End-User License Agreement (EULA)—The upgrade could require acceptance of the End User License Agreement (EULA). If it is required, the appliance will not function until the EULA is accepted. To review the EULA before the upgrade, download a copy from the FireEye Customer Support Portal at http://csportal.fireeye.com.

• Minimum Version to Upgrade—Refer to the Release Notes to determine whether you can upgrade directly from the current release to the new release.

• Download Time—Downloading the operating system software requires about 45 minutes when upgrading from the CLI. Downloading the guest images typically requires 2 ½ to 9 hours from the CLI, depending on connection speed and whether the full set of guest images is downloaded. A complete set can require 24 hours or more.

• Network Proxy Configuration—If you have an intelligent proxy appliance that is required for access to the Internet, ensure that it does not perform secure sockets layer (SSL) terminations with certificate replacement. An example of such a proxy is the Blue Coat ProxySG appliance. If the proxy does perform SSL terminations, then you must whitelist the CM Series platform, the FireEye Dynamic Threat Intelligence (DTI) network server (staticcloud.fireeye.com), or the Content Distribution Network (CDN) server (cloud.fireeye.com or download.fireeye.com) in the proxy configuration.

  For third-party integration, such as ArcSight, Juniper STRM, Blue Coat ProxySG, or Q1 Lab QRadar, contact FireEye Technical Support. Refer also to the vendor documentation for proxy configuration information.

Upgrading the Appliance Using the Web UI

Use the Update page to upgrade the appliance. To open the Update page, click the About tab and then click Update.

The following is an example of the Update page for a standalone appliance.

The following is an example of the Update page for an appliance that is managed by the CM Series platform.

Task List for Upgrades

Perform the following steps (detailed in the sections that follow) to upgrade the appliance.

If your appliance is offline and cannot download updates from the DTI network, perform Select an Update Source on the facing page and then refer to the FireEye DTI Offline Update Portal Guide for additional instructions.


1. Select an Update Source below.

2. Check for Available Update Software on the next page.

3. Download the Software on the next page.

4. Install the Software Update on the next page.

5. Reload or Refresh the Appliance on page 128.

6. Validate the Software Updates on page 128.

Select an Update Source

The update source is the location from which the software updates will be downloaded.

Online Options

• DTI—The software is downloaded from the Dynamic Threat Intelligence (DTI) server or a Content Delivery Network (CDN) server. The server address is displayed at the top right of the page. See Changing the Active DTI Source on page 79 for details about these options.

• CMS—This option is displayed instead of DTI if the appliance is being managed by the CM Series platform. The default source server is the CM Series platform, but can be overridden by the three DTI options specified above.

Offline Options

The following options can be used if your appliance cannot download updates from a DTI source server.

• Local—Upload a local file (obtained from the FireEye DTI Update Portal for offline appliances).

• URL—Upload a local file (obtained from FireEye via the DTI Update Portal for offline appliances and hosted on a local site identified by a URL). Click URL and specify a URL to the update software.

For offline guest image updates, downloads are more efficient if Source is set to URL, not Local.

If neither offline option is feasible, you can do the following:

1. Use secure copy (SCP) to download the update package from the DTI Update Portal.

2. Save the package on a UNIX-like system accessible to the appliance.

3. Run the following command:

# scp package applianceAddress:/data/updates

For example:

# scp femeta.ensig 192.168.1.100:/data/updates

Check for Available Update Software

Do one of the following:

• Click the Check For Update icon in the Tasks column for a resource row to determine if update software is available.

• Click the orange arrow to expand the software image resource row (for example, security content, software image, or guest images) and then click Check to check for available update software.

The status is displayed in the expanded Status area.

If the Check For Update icon is disabled, then the software is already available for download or an update has recently taken place. The Check For Update icon is also disabled during software downloads.

Download the Software

If a software update is available for a software image, guest image, or security content update, the Download icon in the Tasks column is enabled (green).

Do one of the following:

• Click the Download icon to begin the software download.

• Click the orange arrow to expand the resource row, and then click Download for a DTI download.

The download status is displayed in the expanded Status area.

Install the Software Update

Installation status is displayed in the expanded Status area. After you download a software update, do one of the following to install it:

• Click the Install icon in the Tasks column.

• Click the orange arrow to expand the resource row, and then click Install.


Installation status is displayed in the expanded Status area. If prompted, read the End User License Agreement (EULA), and then accept it if you agree to its terms. If you do not accept it, the appliance will not function.

If an upgrade process is interrupted or fails, the appliance software automatically falls back to the currently installed image.

Reload or Refresh the Appliance

When installation of guest images or security content is complete, click the Refresh button. When installation of the software image is complete, click the Reload button to complete the update process.

Validate the Software Updates

After all appliance software and guest images are installed, verify the installations:

• Click the Settings tab, and then click Guest Images on the sidebar to verify and view the installed guest images version.

• Click the About tab. The current software image, guest images, and security content version information is displayed on the FireEye System Information page.

• Click the Settings tab, and then click Appliance Licenses on the sidebar to verify and view installed licenses. Valid and active licenses display the attribute “True.” Without activation of the latest licenses, the updates are not functional.

Upgrading the Appliance Using the CLI

Use the commands in the following sections to upgrade the appliance.

Task List for Upgrades

Perform the following steps (detailed in the sections that follow) to upgrade the appliance.

1. Download and Install the Appliance Software Image on the next page

2. Restart the Appliance and Accept the EULA on the next page

3. Download Guest Images on page 130.

4. Install Downloaded Guest Image Profiles on page 132.

5. Verify the Upgrade on page 132.


Be sure to download the software image and guest image files from the configured DTI source server before beginning any installations.

Download and Install the Appliance Software Image

To download and install the software image:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Check for downloads:

hostname (config) # fenet image check
hostname (config) # show fenet image status

3. Download the software image:

hostname (config) # fenet image fetch

4. View download progress:

hostname (config) # show fenet image status
Progress of latest action taken:
  action fetch initiated                        Tue Aug 25 13:04:44 2015
  applying fetch for image                      lms
  fetching checksum of the requested image      done
  fetching requested image 7.6.0                initiated
  fetching requested image 7.6.0                done
  action fetch completed                        Tue Aug 25 10 13:06:03 2015
  fetch-done: OS image downloaded successfully: image-lms_7.6.0.img status

5. Install the downloaded software image:

hostname (config) # image install image-lms_7.6.0.img
hostname (config) # image boot next

If an upgrade process is interrupted or fails, the appliance software automatically falls back to the currently installed image.

6. Save your changes:

hostname (config) # write memory

Restart the Appliance and Accept the EULA

To restart the appliance and accept the EULA:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal


2. Restart the appliance:

hostname (config) # reload

3. After restarting the appliance, the system could display the FireEye End User License Agreement (EULA). Read the EULA. Click Yes if you agree to its terms, and then click Submit. If you do not accept the EULA, the appliance will not function.

After accepting the EULA, the login page is displayed. Wait a few minutes before logging in because database records are undergoing an update in preparation for the upgrade.

Download Guest Images

Default guest images are automatically downloaded and installed from the DTI source server. To download and install a guest image bundle or profile, you must first use the guest-images configure command to select the guest image.

This procedure depends on whether default or non-default guest images are to be installed.

To download guest images:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. View the guest images configured for the appliance:

hostname (config) # show guest-images config

3. Download the guest images, but do not install them yet. Downloading guest images will take some time, so allow the download to run in the background.

hostname (config) # guest-images download

Wait for the appliance to fully download the guest images before beginning any installations.

You can perform automatic downloads of available guest images. For details, see the fenet guest-images auto download and fenet guest-images auto update commands in the FireEye CLI Reference.

4. Confirm the guest image downloads are completed:

hostname (config) # show guest-images download

To cancel a download in progress:

hostname (config) # guest-images download cancel

To resume a download that has been interrupted for any reason:

hostname (config) # guest-images download resume


5. To download non-default guest images:

Perform this step if you do not want or need all guest images currently available.

a. Download the server manifest:

hostname (config) # guest-images download manifest

b. Display available guest image bundles:

hostname (config) # show guest-images available bundles

c. Note the bundle ID of the bundle of guest images that you want from the list displayed (only one bundle can be selected).

d. Select the guest image bundle to be installed, where bundle-id is the ID you noted in Step c:

hostname (config) # guest-images configure bundle bundle-id

e. Verify that the bundle is properly selected:

hostname (config) # show guest-images config

f. Download the guest images from the FireEye network:

hostname (config) # guest-images download

g. Monitor the download progress:

hostname (config) # show guest-images download

6. To update guest images with one or more profiles (mutually exclusive with default and bundle sets):

a. Download the server manifest:

hostname (config) # guest-images download manifest

b. Display available guest image profiles:

hostname (config) # show guest-images available profiles

c. Note the profile ID of the needed profile(s) from the list displayed.

d. Select the guest image profile to be installed:

hostname (config) # guest-images configure profile profileID

where profileID is the profile you noted in Step c.

e. Repeat the previous step for each additional profile needed.

f. Verify that all needed profiles are configured:

hostname (config) # show guest-images configuration

System Administration Guide CHAPTER 10: Upgrading Your Appliance

131 © 2015 FireEye

Page 134: NX_SAG_7.6.0

Release 7.6 Upgrading the Appliance Using the CLI

g. Download the guest images:

hostname (config) # guest-images download

h. Monitor the download progress:

hostname (config) # show guest-images download

If you encounter a problem with a download, the output of the show

guest-images download command will describe the issues, including

notification about the specific file that was involved in the failure. Network

connectivity issues cause download failures. Repeat the download using the

guest images download command. The system will restart the download

at the point at which it was interrupted or failed. If the problem persists,

contact FireEye Technical Support.

7. Save your changes:

hostname (config) # write memory

Install Downloaded Guest Image Profiles

To download default guest images:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. After the download is complete, install the guest images:

hostname (config) # guest-images install

3. Verify that guest images are properly installed:

hostname (config) # show guest-images

4. Save your changes:

hostname (config) # write memory

Verify the Upgrade

To verify the upgrade:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Display the version information for the current system image:

hostname (config) # show version

3. Display all guest images:

hostname (config) # show guest-images

Configuring Auto-Mounting on a USB Device

You can configure auto-mounting on a USB device attached to an appliance. Only one USB device can be mounted at a time. You can configure HTTP access to install guest images, security content, or software images from the USB device onto the appliance.

You can configure auto-mounting on a USB device only using the CLI.

Prerequisites

• Admin access

Enabling or Disabling Auto-Mounting on a USB Device Using the CLI

Use the commands in this topic to enable or disable auto-mounting on a USB device attached to the appliance. You must enable auto-mounting before the USB device is attached. By default, auto-mounting is disabled. Auto-mounting will not mount the USB device when it is already attached to the appliance.

Prerequisites

• Administrator access

To enable auto-mounting on a USB device:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Enable auto-mounting on a USB device attached to the appliance:

hostname (config) # media usb auto-mount enable

3. Plug the USB device in to the appliance immediately.

4. Verify the USB device auto-mount configuration. Enter the show media usb command.

hostname (config) # show media usb
USB auto-mount configuration:
  Enabled: yes
  Local web access: yes
  Top-level directory: fireeye

To disable auto-mounting on the USB device:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Disable auto-mounting on the USB device:

hostname (config) # no media usb auto-mount enable

3. Verify the USB device auto-mount configuration. Enter the show media usb command.

USB auto-mount configuration:
  Enabled: no
  Local web access: yes
  Top-level directory: fireeye

Configuring HTTP Access to Install Guest Images Using the CLI

Use the commands in this topic to configure HTTP access to install guest images from a USB device onto the appliance. By default, you can access only the contents locally in the fireeye directory for the first partition from a specified URL.

Prerequisites

• Admin access

• Enable auto-mounting on the USB device to the attached appliance. For details about how to enable auto-mounting, see Enabling or Disabling Auto-Mounting on the USB Device.

• Complete the steps in the following order to set up the files correctly to install guest images from a USB device:

1. Download the guest images tar file from the FireEye network.

2. Extract the contents on the USB device.

3. Remove the version numbers. Copy the following file names:

• server-manifest.VERSION to server-manifest

• server-manifest.VERSION.md5 to server-manifest.md5

• server-manifest.VERSION.v2 to server-manifest.v2

• server-manifest.VERSION.v2.md5 to server-manifest.v2.md5
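The renaming step above is easy to get wrong by hand (a missed .v2.md5, or a manifest copied without the checksum file that belongs to it). The Python below is an added example, not FireEye's code and not a tool shipped with the appliance: it finds the versioned server-manifest files in the mounted USB directory, checks each manifest against its .md5 sidecar before writing anything, and then creates the four unversioned copies the guide lists. It assumes the sidecar holds the hex digest as its first token, the way md5sum writes it; demo() builds a constructed layout in a temporary directory to show a run and a tampered run.

```python
"""Prepare guest-image manifest files on a USB device.

Added example, not FireEye's code: copies the versioned server-manifest
files listed in the guide to their unversioned names, verifying each
manifest against its .md5 sidecar first. Sidecar layout (hex digest as the
first token, as md5sum writes it) is an assumption.
"""
import hashlib
import os
import shutil
import tempfile

# Suffix after the version -> unversioned target name (from the guide).
TARGETS = {
    "": "server-manifest",
    ".md5": "server-manifest.md5",
    ".v2": "server-manifest.v2",
    ".v2.md5": "server-manifest.v2.md5",
}


def split_versioned(name):
    """Return (version, suffix) for server-manifest.VERSION[.v2][.md5], else None."""
    prefix = "server-manifest."
    if not name.startswith(prefix):
        return None
    rest = name[len(prefix):]
    for suffix in sorted(TARGETS, key=len, reverse=True):  # longest match first
        if suffix and rest.endswith(suffix):
            version = rest[:-len(suffix)]
            break
    else:
        version, suffix = rest, ""
    if not version or version in ("md5", "v2", "v2.md5"):
        return None  # already an unversioned name such as server-manifest.md5
    return version, suffix


def md5_matches(data_path, sidecar_path):
    """True when the file's MD5 equals the digest recorded in the sidecar."""
    with open(data_path, "rb") as f:
        actual = hashlib.md5(f.read()).hexdigest()
    with open(sidecar_path) as f:
        expected = f.read().split()[0].lower()
    return actual == expected


def prepare_manifests(usb_dir):
    """Copy the versioned manifests to unversioned names; return (version, names).

    Raises ValueError if no versioned manifest is present, if more than one
    version is present, or if a manifest does not match its .md5 sidecar.
    """
    found = {}
    for name in os.listdir(usb_dir):
        parsed = split_versioned(name)
        if parsed:
            version, suffix = parsed
            found.setdefault(version, {})[suffix] = name
    if not found:
        raise ValueError("no server-manifest.VERSION files in %s" % usb_dir)
    if len(found) > 1:
        raise ValueError("several manifest versions present: %s" % sorted(found))
    (version, files), = found.items()
    # Check integrity before writing anything to the device.
    for data_suffix, md5_suffix in (("", ".md5"), (".v2", ".v2.md5")):
        if data_suffix in files and md5_suffix in files:
            if not md5_matches(os.path.join(usb_dir, files[data_suffix]),
                               os.path.join(usb_dir, files[md5_suffix])):
                raise ValueError("MD5 mismatch for %s" % files[data_suffix])
    created = []
    for suffix, name in sorted(files.items()):
        target = TARGETS[suffix]
        shutil.copyfile(os.path.join(usb_dir, name), os.path.join(usb_dir, target))
        created.append(target)
    return version, created


def demo(version="13.0701", tamper=False):
    """Run prepare_manifests on a constructed layout in a temporary directory."""
    usb = tempfile.mkdtemp(prefix="usb-")
    try:
        for suffix, body in (("", b"manifest v1 (constructed)\n"),
                             (".v2", b"manifest v2 (constructed)\n")):
            data = os.path.join(usb, "server-manifest.%s%s" % (version, suffix))
            with open(data, "wb") as f:
                f.write(body)
            recorded = body + b"x" if tamper else body  # tamper: sidecar is stale
            with open(data + ".md5", "w") as f:
                f.write("%s  %s\n" % (hashlib.md5(recorded).hexdigest(),
                                       os.path.basename(data)))
        return prepare_manifests(usb)
    finally:
        shutil.rmtree(usb)


if __name__ == "__main__":
    print(demo())
```

Point prepare_manifests() at the directory where the tar was extracted (the fireeye top-level directory from the next topic) instead of the temporary folder demo() creates. A checksum mismatch stops the run before any file is written, so a partially prepared directory never reaches the installer.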


To configure HTTP access to install guest images from a USB device:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Enable HTTP access on the loopback interface on the appliance:

hostname (config) # media usb web-access enable local

Local web access is enabled by default.

3. Specify the top-level directory as the location to extract guest images on a USB device:

hostname (config) # media usb web-access top-dir fireeye

This directory will be used as the URL to extract the images on the USB device. For example, if you specified the install directory as fireeye/gi-13.0701, the URL for the installation is http://localhost/media/usb1/fireeye/gi-13.0701

4. Verify that the USB device is mounted. Enter the show media usb command.

hostname (config) # show media usb
USB auto-mount configuration:
  Enabled: yes
  Local web access: yes
  Top-level directory: fireeye
USB auto-mount status:
  Device mounted: yes
  Access URL: N/A

5. Download guest images using the specified URL as the location to install the guest images:

hostname (config) # guest-images download url URL

where URL is the location that you specified as the top-level directory for the installation.

Wait for the appliance to fully download the guest images before beginning any installations.

6. Verify the download progress:

hostname (config) # show guest-images download

7. After the download is complete, install the guest images:

hostname (config) # guest-images install

8. Verify that guest images are properly installed:

hostname (config) # show guest-images


Mounting or Unmounting a USB Device Using the CLI

Use the commands in this topic to manually mount or unmount a USB device to the attached appliance. We recommend that you physically remove the USB device from the port. Use the media usb mount command before you attach the drive, and use the media usb eject command after you unplug it.

The media usb eject command will not have any effect if the USB device is not mounted.

Prerequisites

• Admin access

To mount a USB device:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Mount the USB device to the attached appliance:

hostname (config) # media usb mount

To unmount a USB device:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Unmount the USB device from the attached appliance:

hostname (config) # media usb eject


CHAPTER 11: Configuring SNMP

FireEye appliances send Simple Network Management Protocol (SNMP) data to convey abnormal conditions to administrative computers that monitor and control them. The administrative computers are called SNMP managers.

SNMP data includes the following:

• Information that is retrieved (pulled) by the SNMP manager. This information is sent in response to requests the SNMP manager sends to the appliance.

• Events (known as traps) that are sent (pushed) by the appliance to the SNMP manager. Traps typically report alarm conditions such as a disk failure or excessive temperature. They are unsolicited; that is, they are not sent in response to requests from the SNMP manager.

Retrieving SNMP Data

This section describes how to retrieve SNMP information from the appliance.

A Management Information Base (MIB) is a text file written in a specific format in which all of the manageable features of a device are arranged in a tree. Each branch of the tree contains a number and a name, and the complete path from the top of the tree down to the point of interest forms the Object Identifier, or OID. The OID is a string of values separated by periods, such as .1.3.6.1.2.1.1.3.0.

You can send requests for data on an object using the OID, but it can be simpler to use the symbolic name for the object instead. A MIB allows SNMP tools to translate the symbolic names into OIDs before sending the requests to the managed device. Symbolic names for objects in the FireEye MIB include feSerialNumber.0, feHardwareModel.0, feProductLicenseActive.0, feFanIsHealthy.1, and so on.

The FireEye MIB, named FE-FIREEYE-MIB, needs to be downloaded from the appliance to the SNMP manager so it can be loaded into an SNMP browser or other tool. A typical SNMP browser can retrieve the values the appliance supports, and then display them in a hierarchy so you can navigate to the value you need to include in the request.

This section contains the following topics:

• Configuring Access to SNMP Data

• Downloading the MIB

• Sending Requests for SNMP Information

Configuring Access to SNMP Data

To allow access to SNMP v3 data, configure a username and password.

Prerequisites

• Operator or Admin access

To enable access to SNMP data:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Verify that SNMP is enabled:

hostname (config) # show snmp

If the output shows SNMP enabled: no, enter the snmp-server enable command.

3. SNMP v3: Specify the SNMP user and password:

hostname (config) # snmp-server user username v3 enable
hostname (config) # snmp-server user username v3 auth sha password

4. Save your changes:

hostname (config) # write memory

Downloading the MIB

You can download the MIB from the Web UI or from the command prompt.

Downloading the MIB Using the Web UI

Use the Settings: Notifications page to download the MIB.

This illustration is from an EX Series appliance.

Prerequisites

• Analyst, Operator, or Admin access

To download the MIB:

1. Click the Settings tab.

2. Click Notifications on the sidebar.

3. Click the snmp link.

4. In the SNMP Settings section, click Download our MIB file.

Downloading the MIB Using the Command Prompt

This section describes how to download the FE-FIREEYE-MIB to SNMP managers that run on Microsoft Windows, Linux, and Apple devices. The MIB file is retrieved using a program that connects using port 22, which is normally used for protocols such as SSH, SCP, and PSCP. Because file-level access is denied by policy, the direct path to the MIB file needs to be specified.

To download the FireEye MIB to Windows devices:

1. Download the pscp.exe tool (available from the PuTTY download page).

2. Navigate to a command prompt window.

3. Change to the directory in which you downloaded the pscp.exe tool:

cd Downloads

4. Copy the MIB file from the appliance:

pscp.exe -r -scp admin@applianceIPAddress:/usr/share/snmp/mibs \Temp\mibs\

5. When prompted for the password, enter admin.

The files are copied to the \Temp\mibs directory on the Windows device.

6. Change to the mibs directory:

cd C:\Temp\mibs

7. Load the MIB into an SNMP browser or tool, or open the MIB file:

FE-FIREEYE-MIB.txt

To download the FireEye MIB to Linux devices:

1. Copy the MIB file from the appliance using the OpenSSH client:

scp -r admin@applianceIPAddress:/usr/share/snmp/mibs /usr/userDirectoryName

2. When prompted for the password, type admin.

The files are copied to the mibs directory that resides in the /usr/userDirectoryName directory.

3. Change to the mibs directory:

cd mibs

4. Load the MIB into an SNMP browser or tool, or open the MIB file:

vi FE-FIREEYE-MIB.txt

To download the FireEye MIB to Apple devices:

1. Navigate to the terminal emulator.

2. Copy the MIB files from the appliance:

scp -r admin@applianceIPAddress:/usr/share/snmp/mibs ~/

3. When prompted for the password, type admin.

The files are copied to the mibs directory that resides in the user directory.

4. Load the MIB into an SNMP browser or tool, or open the MIB file:

vi ~/mibs/FE-FIREEYE-MIB.txt

Sending Requests for SNMP Information

This topic describes two ways to retrieve SNMP information.

• The snmpget command retrieves the value of a specific object.

• The snmpwalk command walks through the object hierarchy, automatically retrieving the values of objects for the subtree or node that you specified.

Examples of basic commands that retrieve SNMP data follow. The commands are entered from the SNMP manager application. The IP address in the commands is the appliance IP address.

SNMP v3 commands:

snmpmgr # snmpget -m +FE-FIREEYE-MIB -v 3 -u myname -a MD5 -A mypassword -l authNoPriv 172.0.0.0 feTemperatureValue.0

snmpmgr # snmpwalk -m +FE-FIREEYE-MIB -v 3 -u myname -a MD5 -A mypassword -l authNoPriv 172.0.0.0 enterprises.25597

SNMP v2c commands:

snmpmgr # snmpget -m +FE-FIREEYE-MIB -v 2c -c public 172.0.0.0 feSupportLicenseActive.0

snmpmgr # snmpwalk -m +FE-FIREEYE-MIB -v 2c -c public 172.0.0.0 fireeye

snmpmgr # snmpwalk -v 2c -c public 172.0.0.0 enterprises.25597

To query license expiration dates formatted in a table, use a command similar to the following (different commands are required by different SNMP manager applications):

snmpmgr # snmptable -c public -Of -v 2c localhost feLicenseFeatureTable

Check the number of days in the rightmost column. If the value is less than 30, contact your system administrator.
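The license check just described can be scripted on the SNMP manager so that it runs on a schedule instead of being eyeballed. The block below is an added example, not FireEye's code: it parses snmptable-style output and returns the features with fewer than 30 days remaining. The sample output is constructed; the real column names of feLicenseFeatureTable are defined in FE-FIREEYE-MIB and are not reproduced here, only the guide's statement that the day count is in the rightmost column is relied on. run_snmptable() assumes net-snmp's snmptable is installed on the manager and runs the guide's command unchanged.

```python
"""Flag appliance licenses that expire within 30 days from snmptable output.

Added example, not FireEye's code. SAMPLE_OUTPUT is constructed: the
column headers are placeholders, not the FE-FIREEYE-MIB object names.
"""
import subprocess

WARN_DAYS = 30  # threshold from the guide

# Constructed sample in the shape snmptable prints: a title line, a blank
# line, a header row, then one row per table entry. The last column carries
# the days remaining; a non-numeric value there (N/A) is skipped.
SAMPLE_OUTPUT = """\
SNMP table: FE-FIREEYE-MIB::feLicenseFeatureTable

 feature   expires      days
  CONTENT  2015-12-31   120
  SUPPORT  2015-09-15    12
  MALWARE  2015-10-01    28
  TRIAL    -            N/A
"""


def parse_license_table(text):
    """Return (first column, days remaining) tuples from snmptable-style output."""
    rows = []
    header_seen = False
    for line in text.splitlines():
        if not line.strip() or line.startswith("SNMP table:"):
            continue
        if not header_seen:
            header_seen = True  # first non-empty line after the title is the header
            continue
        fields = line.split()
        try:
            days = int(fields[-1])  # rightmost column, as the guide says
        except ValueError:
            continue  # no numeric day count for this row
        rows.append((fields[0], days))
    return rows


def expiring_licenses(text, threshold=WARN_DAYS):
    """Rows whose day count is below the threshold, soonest expiry first."""
    hits = [row for row in parse_license_table(text) if row[1] < threshold]
    return sorted(hits, key=lambda row: row[1])


def run_snmptable(host, community="public"):
    """Run the guide's snmptable command against an appliance (needs net-snmp)."""
    cmd = ["snmptable", "-c", community, "-Of", "-v", "2c", host, "feLicenseFeatureTable"]
    return subprocess.check_output(cmd, universal_newlines=True)


if __name__ == "__main__":
    for feature, days in expiring_licenses(SAMPLE_OUTPUT):
        print("%s expires in %d days" % (feature, days))
```

Swap SAMPLE_OUTPUT for run_snmptable("localhost") to check a live appliance; the parser only depends on the rightmost column being the day count, so it keeps working if the table gains columns.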

Sending Traps

This section describes how to configure basic SNMP support on the appliance, enable and configure traps, and set up trap logging. For detailed information about SNMP commands and options for more advanced configurations, see the FireEye CLI Reference.

Enabling and Configuring Traps

Various events can trigger the appliance to send traps to the SNMP manager. Most of the events are enabled by default. This topic describes how to enable the appliance to send traps, configure the IP address of the SNMP manager that receives the traps, and disable and enable individual events.

Prerequisites

• Operator or Admin access

To enable traps and events:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. SNMP is enabled by default. Verify that it is enabled:

hostname (config) # show snmp

If the output shows SNMP enabled: no, enter the snmp-server enable command.

3. Enable the appliance to send notifications to the SNMP manager:

hostname (config) # snmp-server enable notify

4. Specify the IP address of the SNMP manager:

hostname (config) # snmp-server host IPAddress traps public

5. Save your changes:

hostname (config) # write memory

To specify the events that you want to view:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. View a list of all events that can be enabled:

hostname (config) # snmp-server notify event ?

3. View the events that are currently enabled:

hostname (config) # show snmp events

4. Save your changes:

hostname (config) # write memory

To disable or enable specific events:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Disable an event:

hostname (config) # no snmp-server notify event event

For example, the following command stops a trap from being sent when the temperature of the appliance is normal:

hostname (config) # no snmp-server notify event normal-temperature

3. Enable an event:

hostname (config) # snmp-server notify event event

For example, the following command enables the appliance to send a trap when there is a change in an interface link:

hostname (config) # snmp-server notify event if-link-change

4. Save your changes:

hostname (config) # write memory

Logging Trap Messages

The snmptrapd service receives and logs trap messages.

To set up trap logging:

1. Log into the SNMP manager application.

2. Enable the snmptrapd service:

snmptrapd

3. Specify the log location:

/var/log/snmptrapd.log

CHAPTER 12: Customizing Login Messages

You can customize or remove the messages that appear when users log in to the appliance. You can configure three messages:

• Remote Banner—Shown on the Web UI and SSH login pages.

• Local Banner—Shown after the username is entered in the CLI session.

• Message of the Day—Shown after the user is authenticated and logged into the appliance CLI.

The default remote banner is shown in the following illustration.

The default local banner and message of the day are shown in the following illustration.

You can use the Web UI or CLI to change the messages.

• Customizing Login Messages Using the Web UI

• Customizing Login Messages Using the CLI

Customizing Login Messages Using the Web UI

Use the Settings: Login Banner page to configure the messages users see when they log in to the appliance.

Prerequisites

• Operator or Admin access

To configure login messages:

1. Click the Settings tab.

2. Click Login Banner on the sidebar.

3. In the Remote Banner Text box, clear any existing text, and then enter the message to be displayed in the Web UI and SSH login pages. You can enter up to 2000 characters.

If you change the banner text later with the banner login CLI command, the new text will also appear in the Web UI and SSH login pages, overwriting the text you specify here.

4. In the Local Banner Text box, clear any existing text, and then enter the message to be displayed in the CLI after the username is entered. You can enter up to 2000 characters.

5. In the Message of the Day Text box, clear any existing text, and then enter the message to be displayed in the CLI after the user is authenticated. You can enter up to 2000 characters.

6. Click Update.

The messages will appear the next time the user logs in.

Customizing Login Messages Using the CLI

Use the CLI commands in this topic to configure the messages users see when they log in to the appliance.

• The login message is shown after the username is entered.

• The message of the day is shown after the password is entered and the user is authenticated.

Messages can be longer than one line. To add a new line, type >. Each message can contain up to 2000 characters.

Prerequisites

• Operator or Admin access

To customize the messages:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Display the current banner text:

hostname (config) # show banner

3. Perform the following tasks as needed.

• To change the login message:

hostname (config) # banner login "text"

This also changes the message that is displayed on the Web UI and SSH login pages. See Customizing Login Messages Using the Web UI on page 144 to specify a unique Web UI and SSH login message.

• To change the message of the day:

hostname (config) # banner motd "text"

• To clear the messages so no text is displayed:

hostname (config) # banner login ""
hostname (config) # banner motd ""

(The pair of double quotation marks indicates an empty string.)

• To restore the default messages:

hostname (config) # no banner login
hostname (config) # no banner motd

4. Save the configuration:

hostname (config) # write memory

Examples

The following example changes the login message and the message of the day.

hostname (config) # banner login "This FireEye appliance is the property of Acme, Inc.
>Unauthorized access is prohibited and is punishable by law."
hostname (config) # banner motd "There are no maintenance activities scheduled for this week."

The following example shows the current messages.

hostname > show banner
Banners:
Message of the Day (MOTD): There are no maintenance activities scheduled for this week.
Login: This FireEye appliance is the property of Acme, Inc.
Unauthorized access is prohibited and is punishable by law.

CHAPTER 13: Configuring System Email Settings

The appliance can send email notifications triggered by system health events, such as low disk space or a power supply failure. It can also send scheduled reports containing appliance traffic and malware analysis data, and email notifications triggered by malware alerts.

Health Check Notifications

The system email server can send notifications about appliance health-check events to configured recipients. You configure the email server and recipients for these events on the Settings: Email page of the Web UI or by using the email notify CLI commands. You can also:

• Specify whether each recipient should receive notifications for "fail" events, "info" events, or both "fail" and "info" events.

• Specify whether each recipient should receive detailed or summarized notifications.

• Enable or disable specific events from triggering notifications.

For details, see:

• Configuring the Mail Server on the next page

• Adding and Removing Email Recipients on page 153

• Configuring System Events on page 157

Scheduled Reports

Scheduled reports use the same email server and recipient list as the system events. If you use the CLI, you configure them using the report email commands instead of the email notify commands, as described in Configuring the Mail Server for Scheduled Reports Using the CLI on page 152. You configure the report data and schedule on the Reports > Schedule page of the Web UI or by using the report schedule CLI commands. See the "Reports" section of the Threat Management Guide for details.

Malware Alert Notifications

You configure email settings for malware alert notifications on the Settings: Notifications page of the Web UI or by using the fenotify email CLI commands. See the "Notifications" section of the Threat Management Guide for details.

Configuring the Mail Server

Health check event notifications and scheduled reports can use the same mail server. If you use the CLI to configure the server, you must use two separate sets of CLI commands. The mail server settings are described in the following table.

System Mail Server Settings

Web UI Field | Health Check CLI Parameter | Report CLI Parameter | Description
Enable email | — | — | Enables the email delivery of health check notifications and scheduled reports.
Mail hub | mailhub | server | The hostname or IP address of the mail server.
Port | mailhub-port | port | The SMTP port used to send the emails. The default is 25.
Domain | domain | domain | The domain name from which emails will appear to come. The default is the active domain for the appliance.
Return Addr | return-addr | return-addr | Health check parameter: The username or fully qualified return address from which emails are sent. If the string contains the @ character, it is considered fully qualified. Otherwise, it is considered a username, and by default takes the form username@hostname.domain. The default username is do-not-reply. Report parameter: The fully qualified return address from which emails are sent.
Incl. hostname | return-host | — | Whether the appliance hostname is included in the return address. If it is excluded, the return address takes the form username@domain. This setting is ignored if the provided return address is fully qualified.

Prerequisites

• Operator or Admin access

Configuring the Mail Server Using the Web UI

Use the Settings: Email page to configure settings for the mail server.

To configure the mail server:

1. Click the Settings tab.

2. Click Email on the sidebar.

3. Specify settings as described in System Mail Server Settings on the previous page.

4. Click Update to save your changes.

Configuring the Mail Server for Health Check Notifications Using the CLI

Use the CLI commands in this topic to configure the mail server that sends health check notifications. See System Mail Server Settings on the previous page for a description of each parameter.

See Adding and Removing Email Recipients Using the CLI on page 155 for information about configuring the notification recipients. See Configuring System Event Notifications Using the CLI on page 158 for information about configuring the events that trigger notifications.

To configure the mail server for system notifications:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Specify the hostname or IP address of the mail server:

hostname (config) # email mailhub {hostname | ipAddress}

3. Specify the SMTP port used by the mail server to send notifications:

hostname (config) # email mailhub-port port

4. Specify the domain name from which emails will appear to come:

hostname (config) # email domain domainName

5. Specify the username or fully qualified return address from which emails are sent:

hostname (config) # email return-addr {username | returnAddress}

6. (Optional) Include the hostname of the mail server in the return address:

hostname (config) # email return-host

7. Verify your changes:

hostname (config) # show email

8. Save your changes:

hostname (config) # write memory

To remove a configuration or restore a default setting, prefix the command with no. For example, to exclude the hostname from the return address, use the no email return-host command, and to restore the default domain name, use the no email domain command.

Examples

In this example, the return address is not fully qualified, so the hostname ("hostname") and domain are appended to it.

hostname (config) # email mailhub 10.1.0.0
hostname (config) # email domain mail.acme.com
hostname (config) # email return-addr admin
hostname (config) # show email
Mail hub: 10.1.0.0
Mail hub port: 25
Domain override: mail.acme.com
Return address: admin
Include hostname in return address: yes
Current reply address: [email protected]

In this example, the return address is fully qualified, so the hostname and domain are not included.

hostname (config) # email mailhub 10.1.0.0
hostname (config) # email domain mail.acme.com
hostname (config) # email return-addr [email protected]
hostname (config) # show email
Mail hub: 10.2.0.0
Mail hub port: 25
Domain override: mail.acme.com
Return address: [email protected]
Include hostname in return address: yes
Current reply address: [email protected]

In this example, all settings are restored to their default values.

hostname (config) # show email
Mail hub: 10.3.0.0
Mail hub port: 26
Domain override: mailhost.acme.com
Return address: admin
Include hostname in return address: no
Current reply address: [email protected]

hostname (config) # no email mailhub
hostname (config) # no email mailhub-port
hostname (config) # no email return-addr
hostname (config) # email return-host
hostname (config) # show email
Mail hub:
Mail hub port: 25
Domain override:
Return address: do-not-reply
Include hostname in return address: yes
Current reply address: [email protected]
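To see how the appliance arrives at the Current reply address line in these transcripts, the block below is an added example, not FireEye's code: it applies the rule from the System Mail Server Settings table (a value containing @ is used as-is and return-host is ignored; otherwise the username becomes username@hostname.domain, or username@domain when the hostname is excluded) and parses show email output into the settings the rule needs. The fallback to the appliance's active domain when no domain override is set is an assumption about the substituted value; the hostname, addresses and transcript used are constructed.

```python
"""Derive the reply address the appliance builds from its email settings.

Added example, not FireEye's code: applies the rule from the System Mail
Server Settings table to constructed values and parses 'show email' output.
The fallback to the appliance's active domain is an assumption.
"""

DEFAULT_USERNAME = "do-not-reply"  # default return-addr username per the guide


def reply_address(return_addr, hostname, domain, include_hostname=True,
                  active_domain=None):
    """Return the From address used for health check notifications.

    A return_addr containing '@' is fully qualified and used unchanged
    (include_hostname is ignored). Otherwise it is a username and becomes
    username@hostname.domain, or username@domain when the hostname is
    excluded. An empty return_addr means the default username; an empty
    domain override falls back to active_domain (assumed behaviour).
    """
    addr = return_addr or DEFAULT_USERNAME
    if "@" in addr:
        return addr
    dom = domain or active_domain
    if not dom:
        raise ValueError("no domain override and no active domain known")
    if include_hostname:
        return "%s@%s.%s" % (addr, hostname, dom)
    return "%s@%s" % (addr, dom)


def parse_show_email(output):
    """Turn the 'Field: value' lines of show email output into a dict."""
    settings = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def reply_address_from_show_email(output, hostname, active_domain=None):
    """Compute the reply address implied by a show email transcript."""
    s = parse_show_email(output)
    return reply_address(
        s.get("Return address", ""),
        hostname,
        s.get("Domain override", ""),
        include_hostname=s.get("Include hostname in return address", "yes") == "yes",
        active_domain=active_domain,
    )


# Constructed transcript in the layout the guide's examples use.
SAMPLE_SHOW_EMAIL = """\
Mail hub: 10.1.0.0
Mail hub port: 25
Domain override: mail.acme.com
Return address: admin
Include hostname in return address: yes
"""


if __name__ == "__main__":
    print(reply_address_from_show_email(SAMPLE_SHOW_EMAIL, "nx01"))
```

Comparing the computed value with the Current reply address line an appliance prints is a quick way to confirm that a return address will resolve to a mailbox someone actually reads, rather than to a hostname-qualified address the mail server rejects.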

Configuring the Mail Server for Scheduled Reports Using the CLI

Use the CLI commands in this topic to configure the mail server that sends scheduled reports. See System Mail Server Settings on page 149 for a description of each parameter.

If you use the CLI to configure the mail server, the changes will not appear on the Settings: Email page in the Web UI.

See Adding and Removing Scheduled Report Recipients on page 156 for information about configuring the report recipients using the CLI.

To configure the mail server for scheduled reports:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Specify the hostname or IP address of the mail server:

hostname (config) # report email smtp server {hostname | ipAddress}

3. Specify the SMTP port used by the mail server to send reports:

hostname (config) # report email smtp port port

4. Specify the domain name from which emails will appear to come:

hostname (config) # report email smtp domain domainName

5. Specify the fully qualified return address from which emails are sent:

hostname (config) # report email smtp return-addr returnAddress

6. Verify your changes:

hostname (config) # show report email

7. Save the configuration:

hostname (config) # write memory

To remove a configuration or restore the default setting, prefix the command with no. For example, to restore the default return address, use the no report email return-addr command, and to remove the configured domain name, use the no report email smtp domain command.

Examples

In this example, the email server is configured to send scheduled reports.

hostname (config) # report email server 10.4.0.0
hostname (config) # report email smtp domain mailer.acme.com
hostname (config) # report email smtp return-addr [email protected]
hostname (config) # show report email
Report email configurations:
SMTP server: 10.4.0.0
SMTP server port: 25
SMTP Domain: mailer.acme.com
SMTP Return addr: [email protected]

In this example, all configuration settings are restored to their default values.

hostname (config) # show report email
Report email configurations:
SMTP server: 10.4.0.0
SMTP server port: 26
SMTP Domain: acme.com
SMTP Return addr: [email protected]

hostname (config) # no email report smtp server
hostname (config) # no email report smtp port
hostname (config) # no email report smtp domain
hostname (config) # no email report smtp return-addr
hostname (config) # show report email
Report email configurations:
SMTP server:
SMTP server port: 25
SMTP Domain:
SMTP Return addr: do-not-reply

Adding and Removing Email RecipientsThe same users can receive both system event notifications and scheduled reports. If you use the

CLI to configure them, you must use two separate sets of CLI commands.

Each new recipient will receive detailed notifications for all enabled system health check events.

You can customize the notifications for individual users, and configure which specific events

trigger notifications. (See Configuring System Events on page 157 for details.)


If you use the CLI to configure a scheduled report recipient, the change will not be reflected in the Web UI. For example:

l You add [email protected] using the report email recipient [email protected] CLI command. That recipient will be listed in the show report email command output, but will not be added to the recipient list on the Settings: Email page in the Web UI.

l The recipient list on the Settings: Email page includes [email protected], but the Report checkbox is not selected. You then add that recipient using the report email recipient [email protected] CLI command. The Report checkbox will still not be selected on the Settings: Email page.

If you use the Web UI to add an email recipient, the recipient will be enabled to receive both system event notifications and scheduled reports. However, if you use the email notify recipient CLI command to add this recipient, the recipient will receive only system event notifications, not scheduled reports (the Report check box will be cleared on the Settings: Email page).

Prerequisites

l Operator or Admin access

Adding and Removing Email Recipients Using the Web UI

Use the Settings: Email page to add or remove the email recipients for system event notifications and for scheduled reports.

To configure a system event notification recipient:

1. Click the Settings tab.

2. Click Email in the sidebar.

3. Enter the email address of the user in the Add Email Recipient box and then click Add Recipient.


4. (Optional) Clear the Info, Fail, and Detail checkboxes as needed to customize the notifications the user will receive. (See Configuring System Event Notifications Using the Web UI on page 157 for details.)

To add a scheduled report recipient:

1. Enter the email address of the user in the Add Email Recipient box and then click Add Recipient.

2. Make sure the Report checkbox remains selected.

3. (Optional) Clear the Info, Fail, and Detail checkboxes to prevent the user from receiving system event notifications as well as scheduled reports.

To remove an email recipient:

1. Click the icon in the Delete column.

2. When prompted, click OK to confirm the action.

Adding and Removing Email Recipients Using the CLI

Use the commands in this section to add or remove email recipients for system event notifications and scheduled reports.

If you use the CLI to add or remove a scheduled report recipient, the changes will not appear on the Settings: Email page in the Web UI.

Adding and Removing System Event Notification Recipients

To add system event notification recipients:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. To add a recipient:

hostname (config) # email notify recipient emailAddress

3. To remove a recipient:

hostname (config) # no email notify recipient emailAddress

4. Verify your changes:

hostname (config) # show email

5. Save your changes:

hostname (config) # write memory


Adding and Removing Scheduled Report Recipients

To configure scheduled report recipients:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. To add a recipient:

hostname (config) # report email recipient emailAddress

3. To remove a recipient:

hostname (config) # no report email recipient emailAddress

4. Verify your changes:

hostname (config) # show report email

5. Save your changes:

hostname (config) # write memory

Examples

This example adds [email protected] as a system event notification recipient and removes [email protected].

hostname (config) # show email
...
Email notification recipients:
[email protected] (all events, in detail)
[email protected] (failure events only, in detail)
[email protected] (all events, summarized)
...
hostname (config) # email notify recipient [email protected]
hostname (config) # no email notify recipient [email protected]
hostname (config) # show email
...
Email notification recipients:
[email protected] (all events, in detail)
[email protected] (all events, in detail)
[email protected] (failure events only, in detail)

This example adds [email protected] as a scheduled report recipient, and removes [email protected].

hostname (config) # show report email

Report email configurations:
...
Email recipients:
[email protected]
[email protected]

hostname (config) # report email recipient [email protected]
hostname (config) # no report email recipient [email protected]
hostname (config) # show report email

Report email configurations:
...
Email recipients:
[email protected]
[email protected]

Configuring System Events

By default, configured users receive detailed notifications about all enabled system events. Informational events are logged when there is a change in the system. Failure events are logged when there is a failure in the system.

You can use the CLI to change which events are enabled. For example, you could disable informational events, such as system log file rotations, from triggering notifications.

For each recipient, you can specify whether failure notifications, informational notifications, or both are sent. For example, a user might want to know that a disk failed, but not that an excessive temperature condition returned to normal.

You can also specify whether a user receives summarized or detailed notifications.

Prerequisites

l Operator or Admin access

Configuring System Event Notifications Using the Web UI

Use the Settings: Email page to configure system email event notifications for each configured recipient.

To configure system events:

1. Click the Settings tab.

2. Click Email in the sidebar.

3. Select or clear the Info and Fail checkboxes to specify the severity of events for which the user receives notifications.


4. Select or clear the Detail checkbox to specify whether the user receives detailed or summarized notifications.

5. Click Update to save your changes.

Configuring System Event Notifications Using the CLI

Use the commands in this topic to customize system event notifications for each user and to configure which events trigger notifications.

Viewing System Events

You can view all system events, or the system events that are currently enabled to trigger notifications, ordered by their severity.

To view all system events:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. View the events:

hostname (config) # email notify event ?

To view enabled system events and their severity:

l View the events by severity:

hostname > show email events

Configuring System Event Notifications for Each User

To configure system event notifications for each user:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. View the current configuration:

hostname (config) # show email

3. Specify the severity of events for which each user should receive notifications.

l To receive "info" events:

hostname (config) # email notify recipient emailAddress class info

l To stop receiving "info" events:

hostname (config) # no email notify recipient emailAddress class info


l To receive "failure" events:

hostname (config) # email notify recipient emailAddress class failure

l To stop receiving "failure" events:

hostname (config) # no email notify recipient emailAddress class failure

4. Specify the notification format.

l To receive detailed notifications:

hostname (config) # email notify recipient emailAddress detail

l To receive summarized notifications:

hostname (config) # no email notify recipient emailAddress detail

Configuring Which Events Trigger Notifications

To configure which events trigger notifications:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. View the current configuration as described in Viewing System Events on the previous page.

3. To enable an event:

hostname (config) # email notify event event

4. To disable an event:

hostname (config) # no email notify event event

5. Verify your changes:

hostname (config) # show email events

6. Save your changes:

hostname (config) # write memory

Examples

This example stops [email protected] from receiving "info" notifications and changes the message format to a summary.

hostname (config) # show email
..
Email notification recipients:
[email protected] (all events, in detail)
[email protected] (failure events only, in detail)
[email protected] (all events, in detail)
.
.
hostname (config) # no email notify recipient [email protected] info


hostname (config) # no email notify recipient [email protected] detail
hostname (config) # show email
..
Email notification recipients:
[email protected] (failure events only, summarized)
[email protected] (failure events only, in detail)
[email protected] (all events, in detail)

This example disables log file rotations from triggering event notifications:

hostname (config) # no email notify event syslog-rotation
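Because recipient changes made from the CLI are not reflected in the Web UI, it helps to be able to compare the show email output against an intended recipient policy. The following added example is not FireEye code: it parses recipient lines in the format shown in the examples above and produces the email notify recipient commands from this chapter that would bring the appliance in line with a desired state. The addresses, the DESIRED policy and the sample output are constructed for the example, and the parser assumes the two scopes this chapter shows, "all events" and "failure events only".

```python
import re

# Constructed sample of "show email" output in the layout this chapter shows.
# The addresses are placeholders, not real recipients.
SAMPLE_SHOW_EMAIL = """\
hostname (config) # show email
...
Email notification recipients:
ops@example.com (all events, in detail)
oncall@example.com (failure events only, in detail)
audit@example.com (all events, summarized)
...
"""

# One recipient line. Assumes the two scopes shown in this chapter:
# "all events" (info + failure) and "failure events only".
RECIPIENT_RE = re.compile(
    r"^(?P<addr>\S+@\S+) \((?P<scope>all events|failure events only), "
    r"(?P<fmt>in detail|summarized)\)$"
)


def parse_show_email(text):
    """Return {address: {"info": bool, "failure": bool, "detail": bool}}."""
    recipients = {}
    for line in text.splitlines():
        m = RECIPIENT_RE.match(line.strip())
        if m:
            recipients[m["addr"]] = {
                "info": m["scope"] == "all events",
                "failure": True,  # both scopes include failure events
                "detail": m["fmt"] == "in detail",
            }
    return recipients


def reconcile_commands(current, desired):
    """CLI commands from this chapter that move `current` to `desired`."""
    cmds = []
    for addr in sorted(set(current) | set(desired)):
        want, have = desired.get(addr), current.get(addr)
        if want is None:
            cmds.append(f"no email notify recipient {addr}")
            continue
        if have is None:
            cmds.append(f"email notify recipient {addr}")
            # A newly added recipient gets all events, in detail (stated in this chapter).
            have = {"info": True, "failure": True, "detail": True}
        for cls in ("info", "failure"):
            if want[cls] and not have[cls]:
                cmds.append(f"email notify recipient {addr} class {cls}")
            elif have[cls] and not want[cls]:
                cmds.append(f"no email notify recipient {addr} class {cls}")
        if want["detail"] and not have["detail"]:
            cmds.append(f"email notify recipient {addr} detail")
        elif have["detail"] and not want["detail"]:
            cmds.append(f"no email notify recipient {addr} detail")
    return cmds


# Constructed policy: ops gets failure-only summaries, audit is removed, newhire is added.
DESIRED = {
    "ops@example.com": {"info": False, "failure": True, "detail": False},
    "oncall@example.com": {"info": False, "failure": True, "detail": True},
    "newhire@example.com": {"info": True, "failure": True, "detail": True},
}

if __name__ == "__main__":
    for cmd in reconcile_commands(parse_show_email(SAMPLE_SHOW_EMAIL), DESIRED):
        print("hostname (config) #", cmd)
```

Run against a pasted show email capture, the output is the list of commands to review and enter in configuration mode, followed by write memory as in the procedures above.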

Configuring Auto Support for System Event Notifications

You can configure the appliance to send emails to [email protected] when specific system events occur.

This includes configuring settings to ensure the emails are sent securely. You can specify one of the following security types:

l none—Do not use TLS to secure the autosupport emails.

l tls—Use TLS over the default server port to secure autosupport emails. Do not send the emails if TLS fails.

l tls-none—Use TLS over the default server port to secure autosupport email. The email is sent in plain text if TLS fails.

Prerequisites

l Operator or Admin access

Configuring Auto Support for System Event Notifications Using the CLI

Use the commands in this section to configure autosupport for system event notifications. (See Viewing System Events on page 158 for information about viewing a full list of events.)

To configure autosupport:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Enable autosupport email notifications (disabled by default):

hostname (config) # email autosupport enable

3. Display the current configuration for generating autosupport emails for system events:

hostname (config) # show email


4. Specify each event for which autosupport email notifications should be sent:

hostname (config) # email autosupport event event

5. Configure the supplemental Certificate Authority (CA) certificates that are used to verify the server certificates.

l To use only the built-in list:

hostname (config) # email autosupport ssl ca-list none

l To use the default supplemental CA certificate list:

hostname (config) # email autosupport ssl ca-list default-ca-list

6. Configure a security type to use for autosupport email.

l No TLS:

hostname (config) # email autosupport ssl mode none

l TLS:

hostname (config) # email autosupport ssl mode tls

l TLS none:

hostname (config) # email autosupport ssl mode tls-none

7. Verify the server certificates:

hostname (config) # email autosupport cert-verify

8. Save your changes:

hostname (config) # write memory


CHAPTER 14: Managing Logs

You can manage logs from the Web UI or CLI.

l Managing Logs Using the Web UI below

l Managing Logs Using the CLI on the next page

Prerequisites

l Admin access

Managing Logs Using the Web UI

The Log Manager allows granular customization of log generation for a variety of time period options. Use the Log Management page to manage appliance logs.

You may need to download logs and provide them to FireEye Technical Support for troubleshooting. You may also need to upload the logs to FireEye as requested.


To manage logs:

1. Click the About tab.

2. Click Log Manager.

3. Select which log categories to include by clicking Log categories shown below or Everything.

4. Select or clear checkboxes to specify the categories you want to include in the logs.

5. If a drop-down list is present, select the time period the log should cover. The default is today. The other options are past week, past 2 weeks, and past month.

6. If you want to view the log files you download, clear the Password-protect generated log archive checkbox.

If this checkbox is selected, you will be unable to open the files.

7. Click Create. The log is added to the Archives area.

8. To download a log, click Download.

The log archive is downloaded to your local file system. The archive name begins with the hostname of the appliance.

9. If FireEye requests that you upload an archive, click Upload. The file is automatically uploaded to FireEye.

10. To delete an archive, click Delete.

Managing Logs Using the CLI

Log management commands allow you to view the appliance log files, send log messages to one or more syslog servers, and manage the log files saved on the local disk. Use the CLI commands in this topic to manage logs. For a full list and for details about command usage and parameters, see the FireEye CLI Reference.

You may need to download logs and provide them to FireEye Technical Support for troubleshooting.


Prerequisites

To manage logs:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Display the current logging configuration:

hostname (config) # show logging
Local logging level: notice
   Override for class mgmt-back: notice
   Override for class mgmt-front: notice
Remote syslog default level: notice
Remote syslog servers:
   10.10.20.62
Receive messages from remote hosts: yes
Log file rotation:
   Log rotation size threshold: 256 megabytes
   Archived log files to keep: 40
Log format:
   Overall format: standard
   Subsecond timestamp field: disabled

3. Specify a syslog server to which logging messages are sent. For example:

hostname (config) # logging 10.10.20.62

4. Specify the minimum severity level of messages sent to syslog servers:

hostname (config) # logging trap severity-level

where severity-level is one of the following:

l none—Disables logging.

l emerg—System failure.

l alert—Immediate action required.

l crit—Critical condition.

l err—Error condition.

l warning—Warning condition.

l notice—Normal but significant condition.

l info—Informational message.

l debug—Debug-level message.

5. Specify the minimum severity level of messages stored on the local disk:

hostname (config) # logging local severity-level


where severity-level is one of the following:

l none—Disables logging.

l emerg—System failure.

l alert—Immediate action required.

l crit—Critical condition.

l err—Error condition.

l warning—Warning condition.

l notice—Normal but significant condition.

l info—Informational message.

l debug—Debug-level message.

l override—Override a log level.
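The two severity lists above define a threshold: a message is forwarded (logging trap) or stored (logging local) only if its severity is at or above the configured level, and none disables logging altogether. The following added example, which is not FireEye code, models that threshold in Python over constructed RFC 3164-style syslog lines, decoding the numeric severity from the <PRI> field, and also models the per-class overrides that the show logging output above displays (Override for class mgmt-back: notice). The sample lines, hostname and class names are constructed for the example; the severity names are the ones listed in steps 4 and 5.

```python
import re

# Severity keywords from the "logging trap" and "logging local" lists, most to
# least severe. Their positions equal the numeric syslog severity codes 0..7
# carried in the <PRI> field (PRI = facility * 8 + severity).
SEVERITY_ORDER = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEVERITY_RANK = {name: code for code, name in enumerate(SEVERITY_ORDER)}

# Constructed RFC 3164-style lines; not real appliance output.
SAMPLE_SYSLOG = [
    "<11>Aug  7 20:17:56 nx1 mgmt-back: disk /dev/sda reported failure",              # user.err
    "<13>Aug  7 20:18:01 nx1 mgmt-front: user admin logged in from 10.0.0.5",         # user.notice
    "<14>Aug  7 20:18:05 nx1 mgmt-back: temperature returned to normal",              # user.info
    "<15>Aug  7 20:18:09 nx1 mgmt-back: health check trace",                           # user.debug
    "<9>Aug  7 20:18:12 nx1 mgmt-back: power supply lost, immediate action required",  # user.alert
]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<cls>[\w-]+): (?P<msg>.*)$"
)


def decode(line):
    """Return (class, severity_name, message) for one line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # 23 facilities * 8 + 7 is the largest valid PRI
        return None
    return m["cls"], SEVERITY_ORDER[pri & 7], m["msg"]


def passes(severity, threshold):
    """True if a message of `severity` is at or above `threshold`; 'none' disables logging."""
    if threshold == "none":
        return False
    return SEVERITY_RANK[severity] <= SEVERITY_RANK[threshold]


def forwarded(lines, default_level, class_overrides=None):
    """Lines kept under a default level plus per-class overrides, as show logging displays them."""
    class_overrides = class_overrides or {}
    kept = []
    for line in lines:
        parsed = decode(line)
        if parsed is None:
            continue
        cls, sev, _ = parsed
        if passes(sev, class_overrides.get(cls, default_level)):
            kept.append(line)
    return kept


if __name__ == "__main__":
    # Equivalent of "logging trap notice" with mgmt-front overridden to err.
    for line in forwarded(SAMPLE_SYSLOG, "notice", {"mgmt-front": "err"}):
        print(line)
```

Lowering the threshold to info or debug makes the login and temperature lines reappear; that is the trade-off behind the level chosen for the syslog server, since anything below the threshold never leaves the appliance.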

6. Upload the active log file to a specified network location using file transfer protocol (FTP), trivial file transfer protocol (TFTP), or secure copy (SCP). For example:

hostname (config) # logging files upload current scp://[email protected]/logs/FireEye_log.gz

Password (if required): ***********

hostname (config) #

7. Save your changes.

hostname (config) # write memory


CHAPTER 15: System Health and Performance

The appliance provides information about its health and performance.

l Checking System Health and Status on the next page

l Deployment Verification on page 174

l Utilization and Performance Checks on page 187


Checking System Health and Status

You can use the Web UI or CLI to view health and status information.

Prerequisites

l Monitor, Operator, Analyst, or Admin access

Checking System Health Using the Web UI

Use the FireEye System Information page to check appliance health and status.

This illustration is from an EX Series appliance.

See Deployment Verification on page 174 for details about the information that is displayed when you click Deployment Check at the top of this page.

To view health and status:

1. Click the About tab.

2. Click Health Check.

The results of the last check are displayed.

3. Review the system information.

4. To update the results, click Initiate Recheck.

The following tables contain descriptions of the information in each section of the page.


Version Information

The Version Information section provides an up-to-date view of the software running on your appliance platform and compares that with the available software on the FireEye DTI network.

Information Description

Software Version Compares the software version running on the system to the available software on the DTI network. If a newer version exists, administrators are prompted to upgrade the software.

Installed Version Displays the current software version running on the system.

Available Version Displays the current software version available on the DTI network.

Content Version Compares the security content version on the appliance to the available version on the DTI network and displays the status and the version that is currently installed. If a newer version exists, or if an error condition exists, administrators are prompted to take appropriate action.

Last Updated At Shows the last time the security content was updated.

IPMI Version Compares the IPMI firmware version running on the system to the available version on the DTI network. If a newer version exists, administrators are prompted to upgrade the firmware.

Installed Version Displays the current IPMI firmware version.

Available Version Displays the latest available IPMI firmware version.

Guest Images Information

The Guest Images Information section provides an up-to-date view of the guest images installed on your appliance.

Information Description

Profiles Compares the profile versions within your installed guest image to the latest profiles available on the DTI network. If newer profiles are available, administrators are prompted to update their guest images.

Profile Versions For each profile found in the current guest image, the profile version number is displayed.

System Information

The System Information status section provides an up-to-date status of the hardware running on your appliance and alerts administrators when problems are found.


Information Description

Product Info Compares system hardware performance and if a problem is found, alerts the administrator.

Model The hardware model.

Name The product name.

Type The product type.

License Displays whether the software license has been successfully installed.

Processing Load Provides analysis of the overall load the system is carrying. If it is nearing capacity, the administrator is alerted.

Average Load The average processing load handled by the system.

Elapsed The current uptime of the system in days, hours, minutes, and seconds.

Detection Engine Displays the status of the detection engine. If the Detection Engine is not running, the administrator is alerted.

VM Analyzing The number of virtual machines currently analyzing suspect content.

VM Allowed The maximum number of VMs that can run concurrently to analyze suspect content.

Hardware

The Hardware Information section provides status on the appliance’s hardware components.

Information Description

Disk Provides a quick status check on the hard disks. If a problem is found, the administrator is alerted.

Device State Displays the current state of the hard disk.

Device Support Displays the type of backup available on the system.

Self Assessment Provides the health status reported by the disk itself.

User Capacity Shows the disk capacity on the appliance.

Chassis Provides a quick status of the hardware chassis data. If a problem is found, the administrator is alerted.

Lock Provides the state of the chassis lock.

Boot Up State Provides the boot up status.

Power Supply State Provides the state of the power supply.


Dynamic Threat Intelligence Cloud

The Dynamic Threat Intelligence Cloud section displays the status of the connection between the appliance and the DTI network.

Information Description

DTI Client Shows whether the DTI client is running on the system.

Username Displays the current user of the system.

Support Updates Displays the status of the support license.

Security Content Displays whether security content sharing is enabled on the system.

Sharing Displays the type of content update license purchased.

Content Updates Displays the status of the content update license.

Interfaces

The Interfaces section shows information about each available Ethernet port on the appliance.

Information Description

Ethern or Pethern Whether the Ethernet port is up or down.

Auto Negotiation Whether auto negotiation is enabled.

Duplex The type of duplex communication used by the Ethernet port.

Link Detected Whether the Ethernet port is currently linked to another port.

Link Transceiver The location of the link transceiver used to generate Ethernet traffic.

Link Speed The maximum data speed available on the Ethernet port.

MAC Address The MAC address of the Ethernet port.

RX Packet The number of packets received by the Ethernet port during the life of this connection.

TX Packet The number of packets transmitted by the Ethernet port during the life of this connection.

Checking System Health Using the CLI

Use the CLI commands in this topic to view health and status information about appliance components. This topic describes selected commands that return system, hardware status, DTI network, and interface information. For a full list of commands and details about their usage and parameters, see the FireEye CLI Reference.


Prerequisites

l Monitor, Operator, or Admin access

l Admin access for the show ipmi command

The examples in this section are from an NX Series appliance.

To check appliance health:

1. Enable the CLI enable mode:

hostname > enable

2. Display detailed information about the system and the software running on it:

hostname > show version
Product name: Web MPS [licensed]
Product model: FireEyeNX900
Bandwidth: 100 Mb
Product release: wMPS (wMPS) 7.6.0.352454
Build ID: #232454
Build date: 2015-08-06 23:46:20
Build arch: x86_64
Built by: root@vta114
Version summary: wmps wMPS (wMPS) 7.6.0.352454 #352454 2015-05-05 23:46:20 x86_64 build@vta114:FireEye (xxx)
Content Version: 385.314
Appliance ID: 002590AEE884
Product model: FireEyeNX900
Host ID: 17ab40a3729d
System serial num: SM1346AH00Y
System UUID: 49434d53-0200-90ae-2500-ae90250084e8
Uptime: 11d 6h 34m 34.205s
CPU load averages: 0.23 / 0.52 / 1.10
Number of CPUs: 8
System memory: 7503 MB used / 8562 MB free / 16065 MB total
Swap: 0 MB used / 65536 MB free / 65536 MB total

3. Display the IPMI configuration:

hostname # show ipmi
IPMI LAN Settings
----------------------------------------
Admin Shut Down : no
Shut Down : no
IP Address Source : Static Address
IP Address : 192.168.42.27
Subnet Mask : 0
Default Gateway IP : 0

IPMI Firmware Installed
-------------------------------
Firmware Version: 2.67
Device: 1
IPMI Version: 2.0

IPMI Firmware Available For Update
-----------------------------------
New Firmware Version:  2.67
New Firmware Filename: FireEye_V267.bin
Firmware Update Notice:  Firmware is up to date for this release
IPMI Firmware Availability Notice is enabled

4. Display overall system status:

hostname > show system health

Overall system feature status: Good

5. Display information about the Dynamic Threat Intelligence (DTI) network:

hostname # show fenet status

Dynamic Threat Intelligence Service:

Update source : <online>
Enabled : yes
Download : [email protected] : [email protected]
Mil : [email protected]

HTTP Proxy:
Address :
Username :
User-agent :

Request Session:
Timeout : 30
Retries : 3
Speed Time : 60
Max Time : 14400
Rate Limit :
Speed Limit : 1

Dynamic Threat Intelligence Lockdown:
Enabled : no
Locked : no
Lock After : 5 failed attempts

UPDATES
Enabled Notify Scheduled Last Updated At
------- ------ --------- -------------------
Security contents : yes no every 2015/08/07 20:17:56
Stats contents : yes none 2015/08/07 18:32:01

6. Display status and traffic statistics for all interfaces:

hostname # show interfaces

Interface ether1 status:
Comment:
Admin up: yes
Link up: yes
DHCP running: no
IP address: 172.00.00.00
Netmask: 255.000.0.0
IPV6 enabled: no
Speed: 1000Mb/s (auto)
Duplex: full (auto)
Interface type: ethernet
Interface ifindex: 12
Interface source: physical
MTU: 1500
HW address: 00:25:90:D0:A3:76
RX bytes: 3114981133 TX bytes: 227921679
RX packets: 31934013 TX packets: 367951
RX mcast packets: 31564 TX discards: 0
RX discards: 296 TX errors: 0
RX errors: 1 TX overruns: 0
RX overruns: 0 TX carrier: 0
RX frame: 0 TX collisions: 0
TX queue len: 1000

Interface ether2 status:
Comment:
Admin up: yes
Link up: no
DHCP running: no
IP address:
Netmask:
IPV6 enabled: no
Speed: UNKNOWN
Duplex: UNKNOWN
Interface type: ethernet
MTU: 1500
HW address: 00:25:90:D0:A3:77
RX bytes: 0 TX bytes: 0
RX packets: 0 TX packets: 0
RX mcast packets: 0 TX discards: 0
RX discards: 0 TX errors: 0
RX errors: 0 TX overruns: 0
RX overruns: 0 TX carrier: 0
RX frame: 0 TX collisions: 0
TX queue len: 0

Interface pether2 status:
Comment:
Admin up: yes
Link up: no
DHCP running: no
IP address:
Netmask:
IPV6 enabled: no
Speed: UNKNOWN
Duplex: UNKNOWN
Interface type: ethernet
Interface ifindex: 9
Interface source: physical
Bridge group: ether2
MTU: 1500
HW address: 00:25:90:D0:A3:77
RX bytes: 0 TX bytes: 0
RX packets: 0 TX packets: 0
RX mcast packets: 0 TX discards: 0
RX discards: 0 TX errors: 0
RX errors: 0 TX overruns: 0
RX overruns: 0 TX carrier: 0
RX frame: 0 TX collisions: 0
TX queue len: 1000

Interface pether3 status:
Comment:
Admin up: yes
Link up: yes
DHCP running: no
IP address: 127.0.0.10
Netmask: 255.255.255.0
IPV6 enabled: no
Speed: 1000 MB/s (auto)
Duplex: full (auto)
Interface type: ethernet
Interface ifindex: 6
Interface source: physical
MTU: 1500
HW address: 00:25:90:D0:A3:67
RX bytes: 31628620500 TX bytes: 0
RX packets: 46795 TX packets: 0
RX mcast packets: 367056 TX discards: 0
RX discards: 212322 TX errors: 0
RX errors: 0 TX overruns: 0
RX overruns: 0 TX carrier: 0
RX frame: 0 TX collisions: 0
TX queue len: 1000
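The per-interface counters in the show interfaces output above are where deployment problems first become visible: a monitoring port that is administratively up but has no link, or RX discards and errors that keep climbing. The following added example, which is not FireEye code, parses output in that layout and reports the interfaces that deserve a closer look. The interface blocks, MAC addresses and IP addresses in the sample are constructed for the example; the field names and the two-counters-per-line layout follow the output shown above.

```python
import re

# Constructed excerpt in the layout of "show interfaces" shown above; not real
# appliance output (documentation MAC and IP ranges are used).
SAMPLE_SHOW_INTERFACES = """\
Interface ether1 status:
Comment:
Admin up: yes
Link up: yes
DHCP running: no
IP address: 192.0.2.10
Netmask: 255.255.255.0
Speed: 1000Mb/s (auto)
Duplex: full (auto)
Interface type: ethernet
MTU: 1500
HW address: 00:00:5E:00:53:01
RX bytes: 3114981133 TX bytes: 227921679
RX packets: 31934013 TX packets: 367951
RX mcast packets: 31564 TX discards: 0
RX discards: 296 TX errors: 0
RX errors: 1 TX overruns: 0
RX overruns: 0 TX carrier: 0
RX frame: 0 TX collisions: 0
TX queue len: 1000

Interface ether2 status:
Comment:
Admin up: yes
Link up: no
DHCP running: no
IP address:
Netmask:
Speed: UNKNOWN
Duplex: UNKNOWN
Interface type: ethernet
MTU: 1500
HW address: 00:00:5E:00:53:02
RX bytes: 0 TX bytes: 0
RX packets: 0 TX packets: 0
RX mcast packets: 0 TX discards: 0
RX discards: 0 TX errors: 0
RX errors: 0 TX overruns: 0
RX overruns: 0 TX carrier: 0
RX frame: 0 TX collisions: 0
TX queue len: 0

Interface pether3 status:
Comment:
Admin up: yes
Link up: yes
DHCP running: no
Speed: 1000Mb/s (auto)
Duplex: full (auto)
Interface type: ethernet
Interface source: physical
MTU: 1500
HW address: 00:00:5E:00:53:03
RX bytes: 31628620500 TX bytes: 0
RX packets: 46795 TX packets: 0
RX mcast packets: 367056 TX discards: 0
RX discards: 0 TX errors: 0
RX errors: 0 TX overruns: 0
RX overruns: 0 TX carrier: 0
RX frame: 0 TX collisions: 0
TX queue len: 1000
"""

HEADER_RE = re.compile(r"^Interface (\S+) status:$")
# Two "RX x: n TX y: n" counters share one line, so match them with finditer/findall.
COUNTER_RE = re.compile(r"((?:RX|TX) [a-z]+(?: [a-z]+)*?): (\d+)")


def parse_show_interfaces(text):
    """Return {name: {"fields": {key: value}, "counters": {name: int}}}."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = ifaces[m.group(1)] = {"fields": {}, "counters": {}}
            continue
        if current is None:
            continue
        counters = COUNTER_RE.findall(line)
        if counters:
            current["counters"].update({k: int(v) for k, v in counters})
        else:
            key, _, val = line.partition(":")
            current["fields"][key.strip()] = val.strip()
    return ifaces


# Counters that should stay at zero on a healthy port.
ERROR_COUNTERS = ("RX errors", "RX discards", "RX overruns", "RX frame",
                  "TX errors", "TX discards", "TX overruns", "TX carrier", "TX collisions")


def find_problems(ifaces):
    """Return {name: [finding, ...]} for the interfaces that need attention."""
    problems = {}
    for name, data in ifaces.items():
        f, c = data["fields"], data["counters"]
        findings = []
        if f.get("Admin up") == "yes" and f.get("Link up") != "yes":
            findings.append("admin up but no link")
        if f.get("Link up") == "yes" and f.get("Speed", "").startswith("UNKNOWN"):
            findings.append("link up but speed unknown")
        if f.get("Link up") == "yes" and f.get("Duplex", "").startswith("half"):
            findings.append("half duplex")
        for counter in ERROR_COUNTERS:
            if c.get(counter, 0) > 0:
                findings.append(f"{counter}={c[counter]}")
        if findings:
            problems[name] = findings
    return problems


if __name__ == "__main__":
    for name, findings in find_problems(parse_show_interfaces(SAMPLE_SHOW_INTERFACES)).items():
        print(name, ", ".join(findings))
```

Counters are cumulative, so the useful signal is the difference between two captures taken some minutes apart rather than the absolute value; feeding two captures through parse_show_interfaces and subtracting the counters gives that.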

Deployment Verification

The Deployment Check > FireEye System Information page contains three sections:

l Dynamic Threat Intelligence Cloud—Checks whether the appliance can receive security content updates from and upload analysis statistics to the DTI network. See Checking DTI Services Using the Web UI below.

l Detection Verification—Checks whether the appliance can detect the callback, callback block, Web analysis, binary analysis, domain match, and IPS alert types. See Checking Alert Detection on the next page.

l Network Deployment Check—Captures all TCP traffic for a specific duration, and checks for network issues including duplicate packets, asymmetric TCP traffic, packet loss, and out-of-order packets. See Checking Network Deployment on page 179.

Checking DTI Services Using the Web UI

The Dynamic Threat Intelligence Cloud section shows whether the appliance can receive security content updates from and upload analysis statistics to the DTI network. See Validating DTI Access on page 70 if the services in this section are not reachable.

The other two sections on the FireEye System Information page do not depend on DTI cloud services being reachable.


Prerequisites

l Monitor, Analyst, Operator, or Admin access

To refresh the DTI cloud status information:

1. On the Web UI, select the About tab.

2. Click Deployment Check.

3. Click Initiate Recheck.

Checking Alert Detection

Alert detection tests allow you to check whether the appliance can detect callback, callback block, Web analysis, binary analysis, domain match, and IPS alerts. You can perform these tests from the Deployment Check > FireEye System Information page or by sending test URLs from a Web browser.

The laptop or device from which you are testing must be in the network in which the NX Series appliance is deployed inline.

Checking Alert Detection Using the Web UI Procedure

Use the Deployment Check > FireEye System Information page to check NX Series appliance alert detection.


Prerequisites

l Monitor, Analyst, Operator, or Admin access

l NX Series appliance is deployed inline.

l Laptop or device from which you are testing is in the network in which the NX Series appliance is deployed.

l Alerts and notifications are configured.

To check alert detection:

1. Click the About tab.

2. Click Deployment Check.

3. Click the Check icon in the Perform Check column in the Detection Verification table to test whether the appliance can detect the following alert types:

l Callback

l Callback block

l Web analysis

l Binary Analysis

l Domain Match

l IPS check (not shown above)

4. Click Initiate Recheck to display the check results in the Detection Verification table.

If any of the checks fails, check that the hardware is installed correctly for your deployment (see the Hardware Administration Guide for your NX Series appliance for installation and deployment instructions). If the hardware is installed correctly, contact FireEye Technical Support.

Checking Alert Detection Using the Test URL

You can check NX Series appliance alert detection by sending test URLs from a Web browser.

The test URLs and the buttons in the Web UI point to the same test pages.

Prerequisites

l Monitor, Analyst, or Admin access

l NX Series appliance is deployed inline.

l Laptop or device from which you are testing is in the network in which the NX Series appliance is deployed.

l Alerts and notifications are configured.


To check alert detection using test URLs:

1. To test NX Series appliance callback communication detection:

   a. Send the following test URL:

      http://fedeploycheck.fireeye.com/appliance-test/alert.html

      A test page opens.

   b. Select the Alerts tab in the Web UI.

   c. Click Alerts and look for an "FETestEvent" alert.

2. To test NX Series appliance callback blocking:

   a. Send the following test URL:

      http://fedeploycheck.fireeye.com/appliance-test/block.html

      This test actively blocks a simulated malware callback. A test page opens.

   b. Select the Alerts tab in the Web UI.

   c. Click Alerts and look for an alert detecting the blocking event.

3. To test NX Series appliance detection of Web-based malware and IPS events:

   a. Send the following test URL:

      http://fedeploycheck.fireeye.com/appliance-test/test-infection.pdf

      This URL points to a simulated malicious PDF, and is used to check both the Web analysis and IPS check alert types. A PDF file opens.


   b. Select the Alerts tab in the Web UI.

   c. Click Alerts and look for an alert detecting the event.

4. To test NX Series appliance detection of a binary-analysis executable file:

   a. Send the following test URL:

      http://fedeploycheck.fireeye.com/appliance-test/test-infection.exe

      A browser-specific message prompts you to open or save the file.

   b. Click Cancel.

   c. Select the Alerts tab in the Web UI.

   d. Click Alerts and look for an alert detecting the event.

5. To test NX Series appliance detection of domain matched URLs:

   a. Send the following test URL:

      http://fedeploymentcheck.dns.fireeye.com

   b. A browser-specific page opens.


   c. Select the Alerts tab in the Web UI.

   d. Click Alerts and look for an alert detecting the event.

If any of the checks fails, check that the hardware is installed correctly for your deployment (see the Hardware Administration Guide for your NX Series appliance for installation and deployment instructions). If the hardware is installed correctly, contact FireEye Technical Support.

Checking Network Deployment

The NX Series software automatically checks for network status information that might indicate appliance deployment problems. The system automatically runs the deployment check process at midnight. You can explicitly start a deployment check from the appliance Web UI or CLI, provided that a deployment check process is not already running.

A network deployment check captures all TCP traffic that enters and exits the monitoring ports for a certain duration and then analyzes the captured traffic for duplicate packets, out-of-order packets, packet loss, and asymmetric traffic flows. Based on packet counts, the network deployment check produces an overall score of success or failure. If the network deployment check fails, the Web UI and CLI output identify the specific packet counts that indicate network deployment problems. To investigate appliance network deployment problems, you can upload the most recent packet capture file to a remote host and then use a packet browser to analyze the captured traffic.

The following events trigger network deployment check notifications:

• The deployment check results transition from success to failure.
• The system restarts and the last deployment check fails.
• Any managed process restarts and the last deployment check resulted in failure.

If the deployment-check-failure and deployment-check-recover notifications are configured and enabled on your appliance, network deployment check notifications are sent by email and SNMP traps. For instructions, see Sending Traps on page 141.

This section contains the following topics:

• Viewing Network Deployment Check Results on the facing page
• Starting a Network Deployment Check on page 184
• Clearing Network Deployment Check Results on page 186
• Configuring the Maximum Packet Capture Duration on page 185


Viewing Network Deployment Check Results

You can view the network deployment check results. The system automatically runs the network deployment check every day at midnight.

Prerequisites

• Monitor, Analyst, Operator, or Admin access

Viewing Network Deployment Check Results Using the Web UI

The bottom section of the Deployment Check > FireEye System Information page displays the results.

The following table describes the fields for the network deployment check results (each field name is followed by its description).

Status
    Overall results of packet capture analysis:
    success—No network deployment errors were detected.
    failed—Network deployment check errors were found.

Check start time
    Date and time the packet capture started.

Check completion time
    Date and time the analysis finished.

Total captured pkts
    Size (in packets) of analyzed packet capture.
    If this number is below a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.

Re-Transmitted pkts
    Number of packets retransmitted.
    If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.

Dup Ack pkts
    Number of TCP DUP ACK records in the capture.
    If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.

Out-of-Order pkts
    Number of reordered packets in the capture.
    If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.

Acked unseen pkts
    Number of TCP ACKed unseen segments in the capture.
    If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.

Previous seg not captured pkts
    Number of packets that arrived with a sequence number greater than the next expected sequence number on that connection.
    If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.

Malformed pkts
    Number of packets in the capture that are malformed. A sender might transmit a malformed packet, or a packet can become corrupted in transit.
    If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.

Asymmetric stream count
    Number of asymmetric streams in the capture.
    If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.

Messages
    Latest deployment check is still running. Following is status for previous check:
        If you run this command while a previous network deployment check is still in progress, this message is displayed. The results of the previous network deployment check are displayed.
    Captured network output is available in file deployment_check.pcap. It can be uploaded with 'file tcpdump upload deployment_check.pcap'.
        Whether the network deployment check overall result is success or failed, you can upload the captured and analyzed network traffic to a remote host by using the file tcpdump upload deployment_check.pcap command, and then use a packet browser to analyze the captured traffic.

To display network deployment check results:

1. Click the About tab.

2. Click Deployment Check.

   Review the results at the bottom of the page.

Viewing Network Deployment Check Results Using the CLI

Use the CLI commands in this topic to view the results.


The following table describes the fields for the network deployment check results (each field name is followed by its description).

Status
    Overall results of packet capture analysis:
    success—No network deployment errors were detected.
    failed—Network deployment check errors were detected.

Start time
    Date and time the packet capture started.

End time
    Date and time the analysis finished.

Captured data size (bytes)
    Size (in bytes) of the packet capture analyzed.

Captured packet count
    Size (in packets) of analyzed packet capture.
    If this number is below a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.

Re-transmit packet count
    Number of packets retransmitted.
    If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.

Dup ACK packet count
    Number of TCP DUP ACK records in the capture.
    If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.

Out-of-order packet count
    Number of reordered packets in the capture.
    If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.

Acked unseen packet count
    Number of TCP ACKed unseen segments in the capture.
    If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.

Previous seg not captured packet count
    Number of packets that arrived with a sequence number greater than the next expected sequence number on that connection.
    If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.

Malformed packet count
    Number of packets in the capture that are malformed. A sender might transmit a malformed packet, or a packet can become corrupted in transit.
    If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.

Stream count
    Number of active streams in the capture.
    If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.

Asymmetric stream count
    Number of asymmetric streams in the capture.
    If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.

Messages
    Latest deployment check is still running. Following is status for previous check:
        If you run this command while a previous network deployment check is still in progress, this message is displayed. The results of the previous network deployment check are displayed.
    Captured network output is available in file deployment_check.pcap. It can be uploaded with 'file tcpdump upload deployment_check.pcap'.
        Whether the network deployment check overall result is success or failed, you can save the captured and analyzed network traffic by using the file tcpdump upload deployment_check.pcap CLI command.
    Please run 'deployment check network start'
        If you cleared the results of the last network deployment check, this message is displayed instead of the status lines.

To display network deployment check results:

1. Enter the CLI enable mode:

   hostname > enable

2. Show full results. Enter the show deployment check network command.

   hostname # show deployment check network
   Network deployment check configuration:
     Packet Capture Duration: 120
   Network deployment check status:
     Status: success
     Start time: 2014/07/21 00:00:00
     End time:  2014/07/21 00:00:19
     Captured data size (bytes): 10712908
     Message: Captured network output is available in file deployment_check.pcap. It
     can be downloaded with 'file tcpdump upload deployment_check.pcap'.

3. Show configuration information only. Enter the show deployment check network config command.

   hostname # show deployment check network config


   Network deployment check configuration:
     Packet Capture Duration: 120

4. Show status information only. Enter the show deployment check network status command.

   hostname # show deployment check network status
   Network deployment check status:
     Status: success
     Start time: 2014/12/02 01:19:55
     End time: 2014/12/02 01:20:56
     Captured data size (bytes): 10277941
     Message: Captured network output is available in file deployment_check.pcap. It can be uploaded with 'file tcpdump upload deployment_check.pcap'.

5. Show status details only. Enter the show deployment check network status detail command.

   hostname # show deployment check network status detail
   Latest deployment check is still running. Following is status for previous check
   Network deployment check status:
     Status: failed
     Start time: 2014/07/24 08:44:38
     End time:  2014/07/24 08:44:48
     Captured data size (bytes): 10691225
     Captured packet count: 97239
     Re-transmit packet count: 12079
     Dup ACK packet count:  870
     Out-Of-Order packet count: 21303 *
     Acked unseen packet count: 162
     Previous seg not captured packet count: 4180
     Malformed packet count: 0
     Stream count: 1260
     Asymmetric stream count: 94
     Message: Captured network output is available in file deployment_check.pcap. It
     can be downloaded with 'file tcpdump upload deployment_check.pcap'.
   * Indicates error
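As an added example (not part of the guide or the appliance software), the following Python parser reads the status detail output shown above, honours the asterisk error flags instead of guessing the system-defined thresholds, and also handles the still-running and cleared-results messages; the sample text and the verdict function are constructed for this illustration.

```python
"""Parse 'show deployment check network status detail' output into a verdict.

Added illustration, not FireEye code. Thresholds stay on the appliance, so the
parser honours the '*' error flag rather than guessing the threshold values.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample output, constructed from the failed-check example in the guide.
SAMPLE_FAILED = """\
Latest deployment check is still running. Following is status for previous check
Network deployment check status:
  Status: failed
  Start time: 2014/07/24 08:44:38
  End time:  2014/07/24 08:44:48
  Captured data size (bytes): 10691225
  Captured packet count: 97239
  Re-transmit packet count: 12079
  Dup ACK packet count:  870
  Out-Of-Order packet count: 21303 *
  Acked unseen packet count: 162
  Previous seg not captured packet count: 4180
  Malformed packet count: 0
  Stream count: 1260
  Asymmetric stream count: 94
  Message: Captured network output is available in file deployment_check.pcap. It
  can be downloaded with 'file tcpdump upload deployment_check.pcap'.
* Indicates error
"""

# Sample output after 'deployment check network clear' (constructed).
SAMPLE_CLEARED = """\
Network deployment check status:
  Message: Please run 'deployment check network start'
* Indicates error
"""

# "<name>: <integer>[ *]" lines; the optional trailing '*' is the error flag.
COUNTER_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z][A-Za-z ()\-]*?):\s*(?P<value>\d+)\s*(?P<flag>\*)?\s*$")


@dataclass
class DeploymentCheckStatus:
    status: Optional[str] = None          # "success", "failed" or None
    times: Dict[str, str] = field(default_factory=dict)
    counters: Dict[str, int] = field(default_factory=dict)
    flagged: List[str] = field(default_factory=list)   # counters marked '*'
    previous_check: bool = False          # a newer check is still running
    needs_start: bool = False             # results were cleared
    messages: List[str] = field(default_factory=list)


def parse_status_detail(text: str) -> DeploymentCheckStatus:
    result = DeploymentCheckStatus()
    for line in text.splitlines():
        stripped = line.strip()
        if (not stripped or stripped == "* Indicates error"
                or stripped.startswith("Network deployment check status")):
            continue
        if stripped.startswith("Latest deployment check is still running"):
            result.previous_check = True
        elif stripped.startswith("Status:"):
            result.status = stripped.split(":", 1)[1].strip()
        elif stripped.startswith(("Start time:", "End time:")):
            name, value = stripped.split(":", 1)
            result.times[name] = value.strip()
        elif stripped.startswith("Message:"):
            message = stripped.split(":", 1)[1].strip()
            result.messages.append(message)
            if "Please run 'deployment check network start'" in message:
                result.needs_start = True
        elif (m := COUNTER_RE.match(line)):
            result.counters[m["name"]] = int(m["value"])
            if m["flag"]:
                result.flagged.append(m["name"])
        elif result.messages:
            # The CLI wraps long messages; glue the continuation line on.
            result.messages[-1] += " " + stripped
    return result


def verdict(status: DeploymentCheckStatus) -> List[str]:
    """Reasons an operator should look at this appliance; empty means healthy."""
    reasons: List[str] = []
    if status.needs_start:
        reasons.append("no results: run 'deployment check network start'")
    if status.status == "failed":
        reasons.append("overall status failed")
    for name in status.flagged:
        reasons.append(f"{name} outside threshold ({status.counters[name]})")
    if status.previous_check:
        reasons.append("shown results are from the previous check")
    return reasons
```

Feeding the output of a scheduled `show deployment check network status detail` into `verdict` gives a monitoring hook that fires on the same conditions the appliance itself flags.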

Starting a Network Deployment Check

You can explicitly start a network deployment check from the NX Series Web UI or CLI.

Prerequisites

• Monitor, Analyst, Operator, or Admin access
• Monitoring interfaces are "up"

Starting a Network Deployment Check Using the Web UI

You can manually start a network deployment check from the NX Series Web UI if another check is not running.


To start a network deployment check:

1. Click the About tab.

2. Click Deployment Check.

3. Click Re/initiate Network Deployment Check.

For information about viewing the results, see Viewing Network Deployment Check Results on page 180.

Starting a Network Deployment Check Using the CLI

You can manually start a network deployment check from the CLI if another check is not running.

To start a network deployment check:

1. Enter the enable CLI mode:

   hostname > enable

2. Start the check:

   hostname # deployment check network start
   Network deployment check has been started. Please run 'show deployment check network status' for status update

For information about viewing the results, see Viewing Network Deployment Check Results on page 180.

For command details, see the FireEye CLI Reference.

Configuring the Maximum Packet Capture Duration

You can override the default maximum packet capture duration used by the network deployment checking feature. The default value is 120 seconds. The maximum capture number is 100,000 packets, regardless of the packet capture duration.

Prerequisites

• Operator or Admin access

To configure the maximum packet capture duration:

1. Enter the CLI enable mode:

   hostname > enable


2. (Optional) Display the current duration:

   hostname # show deployment check network

3. Specify the new duration:

   hostname # deployment check network duration seconds

   The following example sets the upper limit for packet capture duration to 60 seconds:

   hostname # deployment check network duration 60

For command details, see the FireEye CLI Reference.

Clearing Network Deployment Check Results

You can clear the results of the last network deployment check. This operation leaves the packet capture itself intact. The packet capture data is stored in the deployment_check.pcap file, which you can upload to a remote host and then use a packet browser to analyze the captured traffic. The next network deployment check, whether started automatically at 00:00 (midnight) or started explicitly using the CLI or Web UI, generates a new set of results.

If a network deployment check results in the failed status, network deployment check notifications are triggered to report the failed events. If you do not clear the results, subsequent system restarts and managed process restarts will trigger new notifications for the same events.

Prerequisites

• Monitor, Analyst, Operator, or Admin access

To clear the last network deployment check results:

1. Enter the CLI enable mode:

   hostname > enable

2. Clear the results:

   hostname # deployment check network clear

Example

The following example shows the network deployment check status after the results are cleared.

hostname # show deployment check network status detail
Network deployment check status:
  Message: Please run 'deployment check network start'
* Indicates error

For command details, see the FireEye CLI Reference.


Utilization and Performance Checks

The NX Series appliance continuously gathers and reports relevant data about its utilization. There are recommended levels of utilization, known as rated limits, that are specific to each appliance model. Exceeding these limits can cause reduced malware detection efficacy, packet loss, and queuing errors.

You can use the utilization data as a tool for future capacity planning. When your appliance continuously or critically exceeds the rated limits, prominent messages and event notifications advise you to contact FireEye for guidance.

Utilization data and the associated rated limits are reported in the Appliance Utilization section on the Dashboard in the Web UI and in the show sizing stats CLI command output. On the Dashboard, you can view statistics for the current day, past week, or past month.

The Appliance Utilization section of the NX Series Dashboard includes a verdict that states the utilization zone your appliance is operating in (based on the most recent one-hour average) and recommended actions to take. The warning verdict is shown in the following illustration:

The Dashboard section also includes the following charts:

• Utilization Summary shows the overall appliance utilization level.
• MVX Web Analysis shows the Web pages waiting to be analyzed by the NX Series MVX engine, displayed as a percentage of capacity.
• Total Bandwidth (Mbps) shows the total amount of traffic going through the monitoring ports, measured in Mbps. The thresholds are based on the rated bandwidth for the appliance.

In the following example, the appliance is operating in the good zone. Although it exceeded the rated limit for total bandwidth during the reporting period, it was back in the good range at the time the chart was rendered.


Prerequisites

• Monitor, Operator, or Admin access
• NX Series Release 7.6.1 or later

Viewing Utilization Statistics Using the Web UI

Use the Appliance Utilization section of the NX Series Dashboard to view utilization statistics for the current day, past week, or past month.

To view the utilization statistics:

1. Click the Dashboard button at the top of the NX Series Web UI to open the Dashboard.

2. If your appliance is operating in the warning or critical zone, the Appliance Utilization section is displayed at the top of the Dashboard. If it is operating in the good zone, scroll to the bottom of the Dashboard to view this section.

3. To specify the time period to report, click the Day, Week, or Month button at the bottom of the section.


4. To refresh the data, click the icon.

   To hide all other Dashboard sections, click the icon. Click the icon again to show the other sections.

Viewing Utilization Statistics Using the CLI

Use the show sizing stats command to view utilization statistics.

To view utilization statistics:

1. Enter the CLI enable mode:

   hostname > enable

2. Display the statistics:

   hostname # show sizing stats

Example

As shown in the following example, this command displays the current status and value for each measurement, as well as the benchmarks from which the measurements are made.

hostname # show sizing stats
Stat                               Status    Value   Warning   Critical
                                                     Level     Level
Utilization summary:               Warning   1       1         2
Web analysis MVX utilization(%):   ok        9       75        95
Total bandwidth (Mbps):            Warning   888     750       950


CHAPTER 16: AAA

AAA (authentication, authorization, and accounting) is a security framework that validates user identities, enforces access to resources, and audits user activities and usage.

This chapter includes the following sections:

• Authentication
• User Accounts
• Managing Your Own Account
• Local Access Control
• Configuring Password Validation Policies
• Configuring Password Change Policies
• Authentication Order
• Local Overrides
• Mapping Remote Users to Default Local Users
• RADIUS Server Configuration
• TACACS+ Server Configuration
• LDAP Server Configuration
• Example Authentication Configuration
• Authorization
• Roles
• Capabilities
• Accounting
• Audit Logs


Authentication

Authentication validates users before they are allowed to access the system. Each user has a unique identity and associated credentials. The authentication process compares the login credentials the user provides with the user credentials stored in a database. If the credentials match, the user is granted access to the system; otherwise, the authentication fails and the user is denied access.

FireEye supports four authentication methods:

• Local—The appliance authenticates users against the local username database. For information about adding users to this database, see User Accounts.
• RADIUS—The appliance authenticates users against a remote RADIUS security server.
• TACACS+—The appliance authenticates users against a remote TACACS+ security server.
• LDAP—The appliance authenticates users against a remote LDAP server.

The appliance uses the remote authentication methods as a client and does not become an authentication server itself.

When remote users are authenticated by a remote server, they are logged in to the appliance as a local user and are granted the same access privileges as that user. For any remote authentication method, the mapping of a remote user to a local user is configured in a method-specific attribute string that is returned by the remote server after a user is authenticated. If the string is not returned, the remote user is logged in as the default local user specified by the aaa authorization map default-user CLI command, as described in Mapping Remote Users to Default Local Users.

You can use the aaa authorization rules rule command to configure rules in the local configuration to override this mapping when specified conditions are met. For more information, see Local Overrides of Remote User Mappings.

For security, the provided Monitor user account is locked out by default. This account must be enabled before remote users can be mapped to it. See Local Access Control for more information.

For details about configuring method-specific attribute strings, see:

• Configuring a RADIUS Server
• Configuring a TACACS+ Server
• Configuring an LDAP Server
• Configuring an Active Directory Server


Order of Authentication

An authentication methods list defines the order in which authentication should be attempted, and provides backup methods in the event that a method fails to authenticate a user. The local method must be included in the list, preferably first to reduce the risk of local account access issues.

If a method denies a user or is not reachable, the next method in the list is tried. If there are multiple servers within a method (assuming the method is contacting authentication servers), and a server timeout is encountered, then the next server in the list is tried.

If the current server being contacted issues an authentication reject, no other servers for that method are tried and the next method in the list is attempted. If no method validates a user, the user is denied access to the appliance.

You can configure the system to track authentication attempts, limit authentication based on previous failures, and so on.

See the following topics for more information:

• Defining the Authentication Order
• Example: Configuring Authentication
• Configuring Failed Authentication Attempts
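The fallback rules above, modelled as an added Python simulation rather than FireEye code: the Server and Method types, the responder callables and the sample user names and passwords are constructed assumptions, and the run through the local, RADIUS and LDAP methods shows which servers get contacted for each outcome.

```python
"""Simulation of the NX Series authentication-order rules described above.

Added illustration, not FireEye code. Method names, the Server/Method types
and the responder callables are assumptions made for the model; a real
deployment talks to RADIUS, TACACS+ or LDAP servers instead.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"
Responder = Callable[[str, str], str]   # (user, password) -> outcome


@dataclass
class Server:
    name: str
    respond: Responder


@dataclass
class Method:
    name: str                      # "local", "radius", "tacacs+" or "ldap"
    servers: List[Server] = field(default_factory=list)


def try_method(method: Method, user: str, password: str, trace: List[str]) -> str:
    """Within one method: a timeout moves on to the next server, a reject
    stops the method (no further servers are tried), an accept wins."""
    for server in method.servers:
        outcome = server.respond(user, password)
        trace.append(f"{method.name}/{server.name}: {outcome}")
        if outcome != TIMEOUT:
            return outcome
    return TIMEOUT     # every server was unreachable (or none configured)


def authenticate(order: List[Method], user: str, password: str) -> Tuple[bool, List[str]]:
    """Walk the method list; a reject or an unreachable method falls through
    to the next method, and the user is denied only when no method accepts."""
    if not any(m.name == "local" for m in order):
        raise ValueError("the local method must be in the authentication order")
    trace: List[str] = []
    for method in order:
        if try_method(method, user, password, trace) == ACCEPT:
            return True, trace
    return False, trace


def checker(valid: Dict[str, str]) -> Responder:
    """Responder backed by a constructed {user: password} table."""
    return lambda u, p: ACCEPT if valid.get(u) == p else REJECT


def build_demo_order() -> List[Method]:
    """Constructed sample: local first (as the guide recommends), then two
    RADIUS servers, the first of which is unreachable, then one LDAP server."""
    local = Method("local", [Server("db", checker({"admin": "local-pw"}))])
    radius = Method("radius", [
        Server("radius1", lambda u, p: TIMEOUT),
        Server("radius2", checker({"alice": "radius-pw"})),
    ])
    ldap = Method("ldap", [Server("ldap1", checker({"bob": "ldap-pw"}))])
    return [local, radius, ldap]
```

The returned trace is the audit trail to compare against the appliance's own logs when a remote user unexpectedly lands on a later method.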

User Accounts

Users must be created before they can log in to the appliance. User accounts include the following information:

• User Name—The name with which the user logs in to the appliance.
• Role—The role that determines what the user can do on the appliance. For details, see Roles.
• Password—The password that, along with the user name, authenticates the user and permits access to the appliance. You can configure rules for stricter password security. For details, see Configuring Password Validation Policies on page 200 and Configuring Password Change Policies on page 207.
• Account Status—The status that determines whether and how the user can log in to the appliance locally. For details, see Local Access Control.

There is a permanent user account that corresponds to each role. These are system accounts and cannot be deleted or modified, with the exception of being locked out so they cannot be used to log in. The self user account is the account of the logged-in user.


All users can change their own passwords. For more information, see Managing Your Own Account.

You can create and update user accounts using either the Web UI or the CLI. For instructions, see the following topics:

• Managing Users Using the Web UI
• Managing Users Using the CLI

Managing Users Using the Web UI

Use the Settings: User Accounts page to add and update user accounts using the Web UI.

Prerequisites

• Admin access

To add or modify a user account:

1. Click the Settings tab.

2. Click User Accounts on the sidebar.


3. If you are updating a user account, click the appropriate link in the User column in the table at the bottom of the page.

4. Under Add New User or Update User, enter the User Name, which is the login name for the user. It must be between 1 and 16 characters, is case sensitive, and must be unique. Use only letters, numbers, and underscores.

5. Select a role from the Role list. For detailed information about the functionality each role provides, see Roles.

6. Enter a case-sensitive password for the user in the Create Password and Confirm Password boxes. In the default configuration, the password must be between 8 and 32 characters.

   You can change the password requirements as described in Configuring Password Validation Policies.

7. (Optional) Specify a subnet, subnet mask, and VLAN for the user (Monitor user only).

8. If needed, change the Account Status for the user. For information about each status, see Local Access Control.

   The Password set account status is set automatically for new users because you cannot create a new user from the Web UI without a password.

9. To delete one or more users, select the check box to the left of each user name, and then click Remove Selected Users.

The user configuration is displayed at the bottom of the page, along with the following additional information:

• Last Login—The date and time the user last logged in to the appliance in the UTC time standard.
• Login Count—The number of times the user has logged in to the appliance since the user account was created.
• Last Action—The date and time the user last logged in to or out of the appliance, in the UTC time standard.
• IP Address—The IP address from which the user logged in to the appliance.

Managing Users Using the CLI

Use the CLI commands in this topic to add and update user accounts.

Prerequisites

• Admin access


To add a new user:

1. Enable the CLI configuration mode:

   hostname > enable
   hostname # configure terminal

2. Create a new user:

   hostname (config) # username username

   User names must be between 1 and 16 characters, are case sensitive, and must be unique. Use only letters, numbers, and underscores.

3. Assign a role to a specified user:

   hostname (config) # username username role role

   where role is admin, monitor, operator, analyst, or auditor.

4. Assign a password to a specified user:

   hostname (config) # username username password password

5. (Optional) Configure a subnet for the specified user:

   hostname (config) # username username subnet network_prefix

6. (Optional) Configure a VLAN ID for the specified user:

   hostname (config) # username username vlan vlan_identifier

7. If needed, change the account status for the user. For information about each status, see Local Access Control on page 199.

8. To delete a specified user:

   hostname (config) # no username username

9. Save your changes:

   hostname (config) # write memory

For command usage and parameters, see the FireEye CLI Reference.

Managing Your Own Account

Users in all roles can manage their own accounts in the following ways:

• Change their passwords.
• Install secure shell (SSH) authorized keys that permit them to log in from remote hosts using an SSH identity.
• Create and manage SSH identities that permit them to log in to another host on which the corresponding authorized key was installed.


• Remove SSH known host entries so they can log in to remote hosts whose host keys have changed.
• Restrict the ways they can log in locally.
• View their account information, including when their password will expire and whether they authenticate using a password or an SSH authorized key.

You can use the Web UI to change your password, and use the CLI to change your password and perform the other account management functions available to you.

Prerequisites

• Any role

Managing Your Own Account Using the Web UI

Use the Settings: My Account page to change your own password.

Users with the Admin role do not have access to this page; they must instead use the Settings: User Accounts page to manage their own accounts.

To change your own password:

1. Click the Settings tab.

2. Click My Account on the sidebar.

3. Enter your current password in the Current Password box (if present).

4. Enter your new password in the New Password box.


5. Enter your new password again in the Confirm Password box.

6. Click Update User.

Managing Your Own Account Using the CLI

Use the CLI commands in this topic to perform management functions on your own account.

Prerequisites

• Any role

To manage your own account:

1. Log in to the CLI as yourself.

2. Enable the CLI configuration mode:

   hostname > enable
   hostname # configure terminal

3. To change your password:

   hostname (config) # username username password password

   If your administrator requires you to enter your current password when you change your password, do one of the following:

   • Append curr-password currentPassword to the command. For example:

     hostname (config) # username tsmith password ABCDE12345 curr-password FGHIJ678910

   • Wait for the system to prompt for your current password:

     hostname (config) # username tsmith password ABCDE12345
     Current password:***********
     hostname (config) #

   If you enter an invalid current password, you must wait three seconds before trying again:

     hostname (config) # username tsmith password ABCDE12345
     Current password:*********
     %Current password does not match. Please retry after 3 seconds.

4. To change your local account status:

   • To specify that you cannot log in to the appliance locally using a password, but can do so using an SSH authorized key:

     hostname (config) # username username disable login

     If your role is Monitor, Analyst, or Auditor, the CLI session will end immediately after you run this command.

System Administration Guide CHAPTER 16: AAA


Release 7.6 Authentication

l To specify that you cannot log in to the appliance locally, but can log in remotely:

hostname (config) # username username disable local-login

5. To generate a new identity that allows you to open a Secure Shell (SSH) session on

another device from this appliance:

hostname (config) # ssh client user username ...

(See the FireEye CLI Reference for command usage and parameters.)

6. To show your own SSH client identities:

hostname (config) # show ssh client

7. To display your own account information:

hostname (config) # show usernames user username

or

hostname (config) # show whoami

8. (Operator role only): Save your changes:

hostname (config) # write memory

Although you can change your own password with a Monitor, Analyst, or Auditor

role, you cannot save the changes to memory. Your changes could be lost if an

administrator reboots without saving changes or reverts to the last saved

configuration.

Example

In this example, Marie changes her password and then displays her account information two

ways.

hostname (config) # username marieb password 12345ABCDE
hostname (config) # show usernames user marieb
Local username: marieb
Full name:
Account status: Password set
Role: operator
VLAN: not set
Subnet: not set
Password last set: 2014/11/21 15:51:31
Password age: 20 days 12 hr 17 min 50 sec
Password expires: in 69 days 23 hr 58 min 20 sec
Must change password: no

hostname (config) # show whoami
Username: marieb
Local username: marieb
Full name:
Account status: Password set
Role: operator
VLAN: not set
Subnet: not set
Password last set: 2014/11/21 15:51:30
Password age: 20 days 12 hr 17 min 55 sec
Password expires: in 69 days 23 hr 58 min 15 sec
Must change password: no
Login time: 2014/12/12
Auth method: local (password)
Remote address: 10.10.0.0
Line: pts/1
Session ID: 25614

Local Access Control

Each user has an account status that determines whether and how the user can log in to the

appliance locally. The account statuses are described in the following table.

Account Status: Description

Password set: The user can log in to the appliance locally using a username and password.

Local password login disabled: The user cannot log in to the appliance locally using a password, but can log in using an SSH authorized key.

Local login disabled: The user cannot log in to an appliance locally, using either a password or an SSH authorized key. A user with this account status can still authenticate remotely and be mapped to this user account.

Account locked out: The user cannot log in at all. This could be due to the account status being configured this way explicitly, or due to too many unsuccessful login attempts.

The provided Operator, Analyst, and Auditor system accounts have the "local login disabled"

status set by default, so they cannot log in until an administrator changes their account status by

setting passwords for them. The provided Monitor account defaults to the "account locked out"

status for security.

For information about changing a user's account status, see the following topics:

l Defining Account Status Using the Web UI

l Defining Account Status Using the CLI

Defining Account Status Using the Web UI

Use the Settings: User Accounts page to set the account status for a user. For a description of

each account status, see Local Access Control.

Prerequisites

l Admin access


To set an account status:

1. Click the Settings tab.

2. Click User Accounts on the sidebar.

3. Click the user name in the User column.

4. In the Update User section, select an account status from the Account Status list.

5. Click Update User.

Defining Account Access Using the CLI

Use the CLI commands in this topic to set the account status for a user.

Prerequisites

l Admin access

To set an account status:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Change the password for the specified user:

hostname (config) # username username password

3. Disable the means to log in to this account:

hostname (config) # username username disable

4. Save your changes:

hostname (config) # write memory

For command usage and parameters, see the FireEye CLI Reference.

Configuring Password Validation Policies

You can define rules to validate user passwords and enable stricter password security. Note the

following:

l The validation rules are enforced only when the user sets a plain text string as the

password. They are not applied to passwords that are configured as a hashed value. For full

enforcement, you can prevent administrators from configuring passwords as hashed values,

described in Prohibiting Hashed Passwords Using the CLI on page 206.

l The rules are enforced only when a password is being set. They are not applied to

passwords that already exist.


The password validation features described in this section are disabled by default.

You must use the CLI to configure password policies.

Configuring Password Strength

You can require that passwords be a certain length; have a minimum number of uppercase or

lowercase characters, numerals, or special characters; and limit the number of times characters

can be repeated in a password. You can also configure a minimum length for the password used

to log in to the LCD panel on the front of most appliances. For details, see Configuring

Password Strength Rules Using the CLI on the facing page.

Requiring the Current Password for Password Changes

You can require users to enter their current passwords when they change their passwords. The

following things change when you do so:

l The Settings: My Account page in the Web UI includes a Current Password field.

l Local login commands such as username username password password prompt for the

current password if the user does not supply it as a command parameter.

Custom scripts that use the CLI to configure user accounts may need to be updated if

the current password is required. For example, a script that sets the password for a user

needs to be modified to accommodate the prompt for the current password.

This feature currently applies to those users with a role other than Admin.

For details, see Requiring the Current Password for Password Changes Using the CLI on

page 204.

Prohibiting Matching Username and Password

By default, users can select a password that is the same as their username. For stricter password

security, you can prevent this. For details, see Preventing a Password from Matching the

Username Using the CLI on page 204.


Configuring Password Reuse Criteria

You can configure how many password changes are required before users can reuse a password.

When this feature is enabled, the system maintains a history of the configured number of

passwords. For example, if you specify the number 5, users must change their passwords five

times before they can reuse their first password. If the configured number is changed to a lower

number, the oldest excess passwords are removed from the history.

The password history is cleared in the following cases:

l An administrator disables the feature.

l An administrator clears the history.

A password can be reused immediately after the password history is cleared or the feature is

disabled. In both cases, information about the current password, such as the date and time it was

set, is retained.

For details, see Configuring Password Reuse Policy Using the CLI on page 205.

Prohibiting Hashed Passwords

Password validation rules can be enforced only on plain text passwords; they cannot be enforced

on hashed passwords. You can prevent administrators from using the username username

password 7 hashValue command to set passwords as hashed values. For details, see Prohibiting

Hashed Passwords Using the CLI on page 206.

The show configuration command output contains commands that restore system user

accounts. These commands include hashed passwords. If you prohibit hashed

passwords, the accounts cannot be restored and those commands will be commented

out in the output.

Prerequisites

l Admin access

Configuring Password Strength Rules Using the CLI

Use the commands in this section to configure the criteria that determine the strength of your

password security.

To configure password strength rules:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Configure rules as needed:


l To set the minimum number of lowercase letters:

hostname (config) # aaa authentication password local character-type lower-case minimum number

where number is 0 by default.

l To set the minimum number of uppercase letters:

hostname (config) # aaa authentication password local character-type upper-case minimum number

where number is 0 by default.

l To set the minimum number of special characters:

hostname (config) # aaa authentication password local character-type special minimum number

where number is 0 by default.

l To set the minimum number of numerals:

hostname (config) # aaa authentication password local character-type numeral minimum number

where number is 0 by default.

l To set the maximum times a character can repeat consecutively:

hostname (config) # aaa authentication password local max-char-repeats maximum number

where the default is no limit, and number is a number greater than 1. To specify that

characters cannot repeat, enter 1.

l To set the minimum length of the LCD password:

hostname (config) # aaa authentication password lcd length minimum number

where number is 0 by default.

Before you can change the number, you must change the LCD password to

at least the minimum length, using the lcd password password command.

3. Verify your changes:

hostname (config) # show aaa authentication password

4. Save your changes:

hostname (config) # write memory

To restore the default settings, append no to each command. For example, to remove a

restriction on the number of characters that can be repeated, use the no aaa

authentication password local max-char-repeats command; to remove the

minimum number of upper-case characters, use the no aaa authentication password

local character-type upper-case minimum command, and so on.


Example

See Example: Configuring Password Validation Policies on page 206.

Requiring the Current Password for Password Changes Using the CLI

Use the commands in this section to require users to enter their current password as well as their

new password when they change passwords.

To require current passwords:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Enable the current password feature:

hostname (config) # aaa authentication password local change require-current non-admin

3. Verify that it is enabled:

hostname (config) # show aaa authentication password

4. Save your changes:

hostname (config) # write memory

To disable the feature, use the no aaa authentication password local change

require-current command.

Example

See Example: Configuring Password Validation Policies on page 206.

Preventing a Password from Matching the Username Using the CLI

Use the commands in this section to prevent users from setting a password that matches their

username.

To prevent a matching username and password:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Prevent users from using their username as a password:

hostname (config) # aaa authentication password local no-userid

3. Verify your change:

hostname (config) # show aaa authentication password


4. Save your change:

hostname (config) # write memory

To allow the username and password to match, use the no aaa authentication

password local no-userid command.

Example

See Example: Configuring Password Validation Policies on the facing page.

Configuring Password Reuse Policy Using the CLI

Use the commands in this section to configure the number of times users must change a

password before using it again, and to clear the password history for a specific user or all users.

To configure the number of passwords:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Specify the number of previous passwords to maintain:

hostname (config) # aaa authentication password local history compare number

where number is the number of times a password must be changed before an earlier

password can be reused. Valid values are 1–50.

3. Verify your change:

hostname (config) # show aaa authentication password

4. Save your change:

hostname (config) # write memory

To disable the feature, use the no aaa authentication password local history

compare or aaa authentication password local history compare 0 command.

To clear the password history:

1. Clear the password history:

l To clear the history for a specific user:

hostname (config) # aaa authentication password local history clear user username

l To clear the history for all users:

hostname (config) # aaa authentication password local history clear all

2. Save your change:

hostname (config) # write memory


Example

See Example: Configuring Password Validation Policies below.

Prohibiting Hashed Passwords Using the CLI

Use the commands in this section to prevent administrators from setting a hashed (already

encrypted) value as a password for a user. This will cause all passwords to be in plain text, and

therefore subject to the password validation rules described in Configuring Password

Validation Policies on page 200. (Password validation rules cannot be enforced on hashed

passwords.)

The show configuration command output contains commands to restore system user

accounts. These commands include hashed passwords, which are needed because plain-

text passwords are unavailable. If you prohibit hashed passwords, this restoration cannot

be done, and those commands will be commented out in the output.

To prohibit hashed passwords:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Prohibit hashed passwords:

hostname (config) # no aaa authentication password local change allow-encrypted

3. Verify your change:

hostname (config) # show aaa authentication password

4. Save your change:

hostname (config) # write memory

To allow administrators to set hashed passwords, use the aaa authentication password

local change allow-encrypted command.

Example

See Example: Configuring Password Validation Policies below.

Example: Configuring Password Validation Policies

This example specifies that a password must include at least one uppercase character, two

numerals, and one special character; that a character cannot be repeated consecutively; and that

the password must be changed five times before it can be used again. It also specifies that the

password must be different from the username, that non-admin users must enter their current

passwords to change their passwords, that admin users cannot use hashed passwords when they

create new users, and that the LCD password must be at least eight characters.


hostname (config) # aaa authentication password local character-type upper-case minimum 1
hostname (config) # aaa authentication password local character-type numeral minimum 2
hostname (config) # aaa authentication password local character-type special minimum 1
hostname (config) # aaa authentication password local character max-char-repeats 1
hostname (config) # aaa authentication password local history compare 5
hostname (config) # aaa authentication password local no-userid
hostname (config) # aaa authentication password local change require-current non-admin
hostname (config) # no aaa authentication password local change allow-encrypted
hostname (config) # aaa authentication password lcd length minimum 8
hostname (config) # show aaa authentication password
Local password requirements:
Minimum length: 8
Maximum length: 32
Maximum character repeats: 1
Minimum lower case characters: 0
Minimum upper case characters: 1
Minimum special characters: 1
Minimum numeric characters: 2
Recent passwords to check against: 5
Allowed to match userid: no
Require current password on change: yes (non-admin users only)
Allow set of encrypted password: no (admin users only)
Require password change on local accounts:
Require password change for new account: no
Maximum password age before change required: none
Warn user before password expires: 7 days ahead
LCD password requirements:
Minimum length: 8
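To make the interaction of these rules concrete, here is an added Python model (not FireEye code) of the local password checks as described in this section: the character-type minimums, the consecutive-repeat limit, the no-userid rule, the must-differ-from-current rule, and a history of the last N passwords. The policy values are taken from the show output above; treating ASCII punctuation as the special-character set and storing the history as plain strings are simplifying assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional
import string


@dataclass
class LocalPasswordPolicy:
    """Field names follow the 'show aaa authentication password' output."""
    min_length: int = 8
    max_length: int = 32
    max_char_repeats: Optional[int] = None   # None = no limit
    min_lower: int = 0
    min_upper: int = 0
    min_special: int = 0
    min_numeric: int = 0
    history_compare: int = 0                 # 0 = reuse checking disabled
    allow_match_userid: bool = True


# The policy set in the CLI example above (values taken from its show output).
EXAMPLE_POLICY = LocalPasswordPolicy(max_char_repeats=1, min_upper=1,
                                     min_special=1, min_numeric=2,
                                     history_compare=5,
                                     allow_match_userid=False)


def longest_run(s: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def validate_password(policy: LocalPasswordPolicy, username: str,
                      new_password: str, history: List[str]) -> List[str]:
    """Return the list of violated rules; an empty list means accepted.

    history holds the user's stored passwords oldest first, current password
    last (modelled as plain strings here; the appliance keeps hashes).
    """
    pw = new_password
    errors = []
    if len(pw) < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    if len(pw) > policy.max_length:
        errors.append(f"longer than {policy.max_length} characters")
    # Assumption: 'special' means any ASCII punctuation character.
    counts = {
        "lower case": sum(c.islower() for c in pw),
        "upper case": sum(c.isupper() for c in pw),
        "special": sum(c in string.punctuation for c in pw),
        "numeric": sum(c.isdigit() for c in pw),
    }
    minimums = (("lower case", policy.min_lower), ("upper case", policy.min_upper),
                ("special", policy.min_special), ("numeric", policy.min_numeric))
    for kind, need in minimums:
        if counts[kind] < need:
            errors.append(f"needs at least {need} {kind} character(s)")
    if policy.max_char_repeats is not None and longest_run(pw) > policy.max_char_repeats:
        errors.append(f"a character repeats more than {policy.max_char_repeats} time(s) in a row")
    if not policy.allow_match_userid and pw == username:
        errors.append("matches the username")
    # A new password must always differ from the current one; the history
    # window only applies when history compare is enabled.
    if history and pw == history[-1]:
        errors.append("same as the current password")
    elif policy.history_compare and pw in history[-policy.history_compare:]:
        errors.append(f"reused within the last {policy.history_compare} passwords")
    return errors


def record_password(policy: LocalPasswordPolicy, history: List[str],
                    new_password: str) -> List[str]:
    """Store an accepted password. With the feature disabled only the current
    password is retained; otherwise the oldest excess entries are dropped."""
    if not policy.history_compare:
        return [new_password]
    return (history + [new_password])[-policy.history_compare:]
```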

Configuring Password Change Policies

You can require users who authenticate locally to change their passwords in the following

circumstances:

l After new users log in the first time

l After a specific period of time elapses

l At the next login attempt, for a specific user or all users

The new password must be different from the current password, even if no password reuse

restrictions are configured. After users change their passwords, they must log out and then log in

again to access the functionality their role allows.

You can also configure when the system should start warning users that their passwords will

expire. The warnings are displayed on the Dashboard in the Web UI and in the CLI after the user

logs in.


If the password is not changed before it expires, the account will not be locked. However, in the

Web UI, users will be taken directly to the Settings: My Account page where a message is

displayed. Until the password is changed and users log out and then log in again, they can do

nothing in the Web UI except change their passwords.

In the CLI, a similar message is displayed. Users will be unable to do anything except change

their passwords and run a small number of basic commands that do not impact the system or

show sensitive information (such as show whoami, show cli, and cli session).

These policies apply only to users who authenticate locally. They are not enforced if a

user authenticates remotely and is then mapped to a local user account that requires a

password change, or if a user authenticates using an SSH authorized key.

The connection between the CM Series platform and its managed appliances requires

remote user credentials for the appliance (if the CM Series platform initiated the

connection) or the CM Series platform (if the appliance initiated the connection). If the

password expires, the connection between the CM Series platform and the managed

appliance will be lost until the password is changed and the connection is reset. To

work around this scenario, you can use an SSH authorized key for authentication. For

details, see User Authentication on page 88.

The password change features described in this section are disabled by default.


You must use the CLI to configure password change policies. For details, see Configuring

Password Change Policies Using the CLI below.

Prerequisites

l Admin access

Configuring Password Change Policies Using the CLI

Use the commands in this section to configure when users must change their passwords, and

how far in advance a warning message should be presented.

To configure the password change frequency:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Specify the number of days before a password must be changed:

hostname (config) # aaa authentication password local require-change max-password-age days

where days is the number of days. Valid values are 1–999.

3. Verify your change:

hostname (config) # show aaa authentication password

4. Save your change:

hostname (config) # write memory

To require new users to change their passwords after their first login:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Enable the requirement:

hostname (config) # aaa authentication password local require-change new-account

3. Verify your change:

hostname (config) # show aaa authentication password

4. Save your change:

hostname (config) # write memory

This setting affects only users who are created after this change was made. It does not

affect users who were created earlier, even if those users have not logged in yet.


To force a password change on the next login:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Configure the policy:

l To set the policy on all users:

hostname (config) # aaa authentication password local require-change force all

l To set the policy on a single user:

hostname (config) # aaa authentication password local require-change force user username

3. Verify your change:

l For all users:

hostname (config) # show usernames password-status

l For a single user:

hostname (config) # show usernames username username

4. Save your change:

hostname (config) # write memory

To configure the advance notice about a pending password change:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Specify the number of days:

hostname (config) # aaa authentication password local require-change advance-warning days

where days is the number of days. Valid values are 1–999.

When you specify 1, the unit of measurement is minutes, not days. This allows

you to test your configuration without having to wait a full day to see the results.

3. Verify your change:

hostname (config) # show aaa authentication password

4. Save your change:

hostname (config) # write memory

To remove a configuration, append no to the command. For example, to remove the

requirement for all users to change their passwords the next time they log in, use the no

aaa authentication password local require-change force all command.


Example

This example requires new users to change their passwords after the first login, requires all other

passwords to be changed every 90 days, and specifies that users should be warned 15 days before

their passwords expire. It also requires Harry to change his password the next time he logs in.

hostname (config) # aaa authentication password local require-change new-account
hostname (config) # aaa authentication password local require-change max-password-age 90
hostname (config) # aaa authentication password local require-change advance-warning 15
hostname (config) # aaa authentication password local require-change force user harry
hostname (config) # show aaa authentication password
Local password requirements:
Minimum length: 8
Maximum length: 32
Maximum character repeats: no limit
Minimum lower case characters: 0
Minimum upper case characters: 0
Minimum special characters: 0
Minimum numeric characters: 0
Recent passwords to check against: 0
Allowed to match userid: yes
Require current password on change: no (non-admin users only)
Allow set of encrypted password: yes (admin users only)
Require password change on local accounts:
Require password change for new account: yes
Maximum password age before change required: 90
Warn user before password expires: 15 days ahead
LCD password requirements:
Minimum length: 0

hostname (config) # show usernames username harry
Local username: harry
Full name:
Account status: Password set
Current role: admin
Configured role: operator
VLAN: Not set
Subnet: Not set
Password last set: 2014/12/12 20:13:41
Password age: 7 hr 20 min 27 sec
Must change password: yes (set by administrator)

hostname (config) # show usernames password-status
USERNAME  FULL NAME             LOCAL PASSWORD AGE  CHANGE REQUIRED?
baker                           11h 35m 44s         yes (*)
harry                           7h 20m 29s          yes (*)
admin     System Administrator  21d 11h 32m 41s     no
...
* Password change required by administrator regardless of age

Defining the Authentication Order

Use the CLI commands in this topic to specify the order in which methods will be tried when

authenticating users.

Prerequisites

l Admin access

To define the authentication order:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Specify the authentication methods in the sequence that you want used. For example:

hostname (config) # aaa authentication login default local radius ldap tacacs+

For more information, see Example: Configuring Authentication.

Configuring Failed Authentication Attempts

Use the CLI commands in this topic to clear authentication history or to unlock accounts.

Prerequisites

l Admin access

To configure failed authentication attempts:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Display the configuration and history of authentication failures:

hostname (config) # show aaa authentication attempts

3. Reset a specified user account:

hostname (config) # aaa authentication attempts reset user

4. Reset all user accounts:

hostname (config) # aaa authentication attempts reset all

5. Save your changes:

hostname (config) # write memory


Local Overrides of Remote User Mappings

When a remote user logs into an appliance, a remote authentication server typically determines

which local user account on the appliance the remote user should use. It uses one of the

following methods to do this:

l Mapping to a local user account according to rules set by the aaa authorization map

order CLI command. The mapping can come from the local configuration or from an

attribute in the remote authentication server's response.

l Directly from an attribute in the remote authentication server's response.

An administrator can use the aaa authorization rules rule CLI command to configure rules in

the local configuration that override this mapping when the specified conditions are met. Rule

criteria include the following:

l Authentication type

l Remote user name

l Local user name (before the override)

l LDAP group

l LDAP search filter

The first rule that evaluates as "true" will override the initial mapping, and the remaining rules

will not be considered. If a rule includes multiple criteria, every criterion must be met before the

rule itself can evaluate as true. For example, if a rule specifies that the remote username must be

"alice" and that the LDAP group cannot be "group_a" , the rule will evaluate as true if the user is

Alice, but only if she is in a group other than Group A.

For more information, see Locally Overriding Remote User Mappings.

Locally Overriding Remote User Mappings

Use the CLI commands in this topic to override remote user mappings.

Prerequisites

l Admin access

To configure local override rules:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Display all authorization rules, including whether they are enabled:

hostname (config) # show aaa authorization rules


3. Enable all authorization rules:

hostname (config) # aaa authorization rules enable

4. Disable all authorization rules:

hostname (config) # no aaa authorization rules enable

5. Delete the specified rule:

hostname (config) # no aaa authorization rules rule rule_number

6. Create a new rule or modify an existing rule:

hostname (config) # aaa authorization rules rule word-pair

where word-pair is one of the following:

l append tail creates a new rule after the highest-numbered existing rule or at

position 1 if there are no rules.

l insert rule_number creates a new rule at the specified number. If another rule is

already at that position, it is shifted up by one, along with the other existing rules

above it.

l set rule_number creates a new rule at the specified number. If another rule is at that

position, it is replaced.

l modify rule_number creates or modifies the rule at the specified number. If another

rule is at that position, its values are preserved, except when they are overwritten by

new values specified in this command.

7. Save your changes:

hostname (config) # write memory

For command usage and parameters, see the FireEye CLI Reference.
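The evaluation order described under Local Overrides of Remote User Mappings and the append/insert/set/modify semantics listed above, as an added Python model rather than the appliance's own code: rules are kept by number, the first enabled rule whose criteria are all met overrides the initial mapping, and a negated criterion models the "cannot be group_a" case. The session dictionary, the target user names and the omission of the LDAP search-filter criterion are assumptions.

```python
from dataclasses import dataclass, field, replace
from typing import Dict


@dataclass(frozen=True)
class Criterion:
    """One rule criterion; negate=True models 'cannot be <value>'."""
    value: str
    negate: bool = False

    def met(self, actual) -> bool:
        # For ldap_group the session carries the set of groups the user is in.
        if isinstance(actual, (set, frozenset)):
            hit = self.value in actual
        else:
            hit = actual == self.value
        return not hit if self.negate else hit


@dataclass
class Rule:
    """Override rule: when every criterion is met, map to local_user.
    Criterion keys (assumed names): auth_type, remote_user, local_user,
    ldap_group. The LDAP search-filter criterion is not modelled here."""
    local_user: str
    criteria: Dict[str, Criterion] = field(default_factory=dict)
    enabled: bool = True

    def applies(self, session: dict) -> bool:
        return all(c.met(session.get(k)) for k, c in self.criteria.items())


class AuthorizationRules:
    """Rules keyed by number, evaluated in ascending order."""

    def __init__(self) -> None:
        self.rules: Dict[int, Rule] = {}
        self.enabled = True   # 'aaa authorization rules enable' / 'no ...'

    def append_tail(self, rule: Rule) -> int:
        n = max(self.rules, default=0) + 1
        self.rules[n] = rule
        return n

    def insert(self, n: int, rule: Rule) -> None:
        # Shift the rule at n and every rule above it up by one.
        for k in sorted((k for k in self.rules if k >= n), reverse=True):
            self.rules[k + 1] = self.rules.pop(k)
        self.rules[n] = rule

    def set(self, n: int, rule: Rule) -> None:
        self.rules[n] = rule            # replaces any rule at that number

    def modify(self, n: int, **changes) -> None:
        # Existing values are kept unless overwritten by the new ones.
        existing = self.rules.get(n)
        if existing is None:
            self.rules[n] = Rule(**changes)
            return
        criteria = dict(existing.criteria)
        criteria.update(changes.pop("criteria", {}))
        self.rules[n] = replace(existing, criteria=criteria, **changes)

    def delete(self, n: int) -> None:
        del self.rules[n]

    def resolve(self, session: dict) -> str:
        """Local account for this login: the first enabled rule that evaluates
        true overrides the initial mapping; remaining rules are not consulted."""
        if self.enabled:
            for n in sorted(self.rules):
                rule = self.rules[n]
                if rule.enabled and rule.applies(session):
                    return rule.local_user
        return session["local_user"]


# Constructed sessions: 'local_user' is the mapping the remote server produced.
ALICE_IN_B = {"auth_type": "ldap", "remote_user": "alice",
              "local_user": "monitor", "ldap_group": {"group_b"}}
ALICE_IN_A = dict(ALICE_IN_B, ldap_group={"group_a"})
```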

Mapping Remote Users to Default Local Users

As described in Authentication Overview, if a remote authentication method does not return a

local user attribute string after a remote user is authenticated, the remote user will be mapped to

a default local user account.

Prerequisites

l Admin access


To specify the default local user account:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Specify the default local user account:

hostname (config) # aaa authorization map default-user username

Any nonmapped users will default to the specified local user account.

3. Save your changes:

hostname (config) # write memory

The no aaa authorization map default-user command not only removes the

specified default local user account, but also sets it to "admin." This allows any partially

or incorrectly configured user to have "admin" privileges.

Configuring a RADIUS Server

Use the CLI commands in this topic to configure a RADIUS server to return Local-User

attributes.

This topic describes how to configure the RADIUS server, not the FireEye appliance.

Your configuration should follow standard RADIUS protocol; the examples in this topic

are provided for illustration only.

To configure a RADIUS server:

1. Configure a code on the authentication server to match the appliance key.

2. Create a dictionary to reference the following mapping data:

VENDOR FireEye 25597
BEGIN-VENDOR FireEye
ATTRIBUTE FireEye-Local-User 1 string
END-VENDOR FireEye

where Local-User is the mapping attribute with an index of 1 that matches the FireEye

code.

3. Store the dictionary, typically in the /usr/share/radius/dictionary directory.

4. Use the authentication types shown in the following example to create user authentications

against the RADIUS server login credentials, and authentication against “on-the-fly”

passwords:

<username> Auth-Type := System
    FireEye-Local-User = "admin"

r-admin Auth-Type := Local, User-Password == "test123"
    FireEye-Local-User = "admin"

r-monitor Auth-Type := Local, User-Password == "test123"
    FireEye-Local-User = "monitor"

Both r-admin and r-monitor are authenticated against “on-the-fly” passwords. Local-User

is the string defined in the dictionary and used by the authentication server to map to the

local user. In the example above, both <username> and r-admin are admin users on the

appliance while r-monitor is mapped to the appliance’s monitor role.

5. Restart the RADIUS server after authentication mappings are modified. For example, enter

service radiusd restart.

Auth-Type := System causes the RADIUS server to use the password file on the server

for user passwords. Passwords for users with the "admin" or "monitor" role must be

specified on an individual basis.
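The following Python script is an added example, not FireEye code, showing what the dictionary above means on the wire. It encodes FireEye-Local-User as an RFC 2865 Vendor-Specific attribute (type 26, vendor ID 25597, vendor attribute 1), wraps it in an Access-Accept whose Response Authenticator is computed with the shared secret from step 1, verifies that authenticator on the receiving side, and then applies the mapping rule described in this chapter: the returned Local-User names the local account, and a login with no such attribute gets the aaa authorization map default-user account. The secret myradius123 is taken from the configuration example later in this chapter; the packet identifiers and the Request Authenticator are made up for the example, and the mapping function models only the rule this chapter states, not any other appliance behaviour.

```python
"""Added example, not FireEye code: encode and decode the FireEye-Local-User
vendor-specific attribute (VSA) defined by the dictionary above, verify an
Access-Accept against the shared secret, and apply the chapter's mapping rule:
the returned Local-User wins, otherwise the configured default-user applies."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2           # RFC 2865 packet code
VENDOR_SPECIFIC = 26        # RFC 2865 attribute type for Vendor-Specific
FIREEYE_VENDOR_ID = 25597   # VENDOR FireEye 25597 (dictionary above)
FIREEYE_LOCAL_USER = 1      # ATTRIBUTE FireEye-Local-User 1 string


def encode_local_user(local_user):
    """Build the VSA: type 26, length, 4-byte vendor id, then vendor type/length/value."""
    value = local_user.encode("utf-8")
    vendor_attr = struct.pack("!BB", FIREEYE_LOCAL_USER, 2 + len(value)) + value
    payload = struct.pack("!I", FIREEYE_VENDOR_ID) + vendor_attr
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(payload)) + payload


def iter_attributes(data):
    """Yield (type, value) for a RADIUS attribute list; reject truncated or zero-length TLVs."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed RADIUS attribute at offset %d" % pos)
        yield data[pos], data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]


def extract_local_user(attrs):
    """Return the FireEye-Local-User string from an attribute list, or None if absent."""
    for atype, value in iter_attributes(attrs):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FIREEYE_VENDOR_ID:
            continue                                   # another vendor's VSA
        for vtype, vvalue in iter_attributes(value[4:]):
            if vtype == FIREEYE_LOCAL_USER:
                return vvalue.decode("utf-8")
    return None


def build_access_accept(identifier, request_authenticator, secret, attrs):
    """Assemble an Access-Accept. Response Authenticator (RFC 2865 section 3) is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    auth = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + auth + attrs


def verify_access_accept(packet, request_authenticator, secret):
    """Recompute the Response Authenticator; return the attribute bytes, or None if it fails."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    head, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return attrs if hmac.compare_digest(auth, expected) else None


def map_remote_login(attrs, default_user):
    """Mapping rule from this chapter: a returned Local-User names the local account;
    with no attribute the login gets the capabilities of `aaa authorization map default-user`."""
    if attrs is None:
        raise ValueError("Access-Accept failed the authenticator check; reject the login")
    returned = extract_local_user(attrs)
    return returned if returned is not None else default_user


if __name__ == "__main__":
    secret = b"myradius123"          # must equal the appliance's `radius-server host ... key`
    req_auth = os.urandom(16)        # Request Authenticator copied from the Access-Request (made up here)
    # Server answers r-monitor with FireEye-Local-User = "monitor".
    pkt = build_access_accept(7, req_auth, secret, encode_local_user("monitor"))
    print("r-monitor ->", map_remote_login(verify_access_accept(pkt, req_auth, secret), "monitor"))
    # Server answers with no Local-User at all: the default-user decides, which is why
    # a default-user of "admin" hands out admin to every such login.
    pkt = build_access_accept(8, req_auth, secret, b"")
    print("unmapped user ->", map_remote_login(verify_access_accept(pkt, req_auth, secret), "admin"))
```

Run it directly to see both cases. The second one is what the caution at the start of this topic is about: with default-user set to admin, an Access-Accept that carries no FireEye-Local-User attribute is enough to obtain admin. Note also that the RADIUS Response Authenticator is an MD5 construction from 2000, not a modern MAC; it only protects the reply against a party that does not know the shared secret.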

Configuring a TACACS+ Server

Use the CLI commands in this topic to configure a TACACS+ server to return Local-User

attributes.

This topic describes how to configure the TACACS+ server, not the FireEye

appliance. Your configuration should follow standard TACACS+ protocol; the examples

in this topic are provided for illustration only.

To configure a TACACS+ server:

1. Define users on the authentication server.

2. In the tac_plus.conf file on the authentication server, configure a key that matches the appliance key.

3. Store the file, typically in the /usr/local/etc/ directory.

4. Create user entries that return the local user name in the fireeye-exec service:

user = t-admin {
    pap = cleartext "test123"
    service = fireeye-exec {
        "local-user-name-fireeye" = "admin"
    }
}
user = t-monitor {
    pap = cleartext "test123"
    service = fireeye-exec {
        "local-user-name-fireeye" = "monitor"
    }
}

where local-user-name-fireeye is the attribute the appliance reads to select the local account, and fireeye-exec is the service name the appliance requests. The t-admin user maps to the appliance admin account, and the t-monitor user maps to the appliance monitor account.


5. On the appliance, define the server host and key, where the appliance key matches the server key:

tacacs-server host <hostname>
tacacs-server key <keyData>

6. After configuring authentication mappings, add the following line to the /etc/rc.local file on the TACACS+ server so that the daemon starts with this configuration on reboot:

/usr/local/bin/tac_plus -g -C /usr/local/etc/tac_plus.conf

LDAP Server Configuration

This section describes how to configure LDAP servers to authenticate users. It contains the

following topics:

l Configuring an LDAP Server

l Defining LDAP Search Filters

l Example: Configuring an LDAP Server

l Configuring Active Directory

Configuring an LDAP Server

For LDAP configuration, localUserNameFireEye is the attribute name for mapping to the Admin

or Monitor role.

This topic describes how to configure the LDAP server, not the FireEye appliance.

Your configuration should follow standard LDAP protocol; the examples in this topic

are provided for illustration only.

To configure an LDAP server:

1. Add the local user attribute:

a. Define a schema at /etc/openldap/schema/fireeye.schema.

b. Include that schema from the slapd.conf file on the LDAP server.

c. In the schema, define the localUserNameFireEye attribute type so that it can be referenced in user entries (see Example: Configuring an LDAP Server).

2. Define users.

3. On the appliance, define the server host, base-dn, and login-attribute.

4. On the LDAP server, restart the directory service after changing the schema or the user entries, for example with service ldap start.


Defining LDAP Search Filters

An administrator can define an LDAP search filter in the local configuration that controls which

users can log in using LDAP. For example, the filter could prevent users who are not part of a

certain LDAP group from logging in. A negative response from the filter takes precedence over a

remote authentication server that permits the user to log in.

Prerequisites

l Admin access

To specify or remove an LDAP search filter:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Configure the LDAP search filter:

hostname (config) # ldap search-filter filterString

3. Remove a search filter:

hostname (config) # no ldap search-filter

4. Save your changes:

hostname (config) # write memory

For command usage and parameters, see the FireEye CLI Reference.

Example: Configuring an LDAP Server

The following example shows how to add the FireEye attribute to the schema file. FEattributeType is an OID prefix that must be defined earlier in the schema with an objectIdentifier directive, and the user entries below use a FireEyeEmployee object class that must also be defined in the schema and must allow the localUserNameFireEye attribute:

attributetype ( FEattributeType:1
    NAME 'localUserNameFireEye'
    DESC 'local username to map this user to the appliance'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32}
    SINGLE-VALUE )

The following example shows how to define users:

# 1-admin
dn: cn=ldap-admin,ou=users,dc=fireeye,dc=com
objectclass: top
objectclass: FireEyeEmployee
cn: ldap-admin
sn: ldap-admin
uid: 1-admin
localUserNameFireEye: admin
userPassword: gaNoLdT7LYczjvD1F3oSUQCMvRy7gwk2

# 1-monitor
dn: cn=ldap-monitor,ou=users,dc=fireeye,dc=com
objectclass: top
objectclass: FireEyeEmployee
cn: ldap-monitor
sn: ldap-monitor
uid: 1-monitor
localUserNameFireEye: monitor
userPassword: gaNoLdT7LYczjvD1F3oSUQCMvRy7gwk2

In this example, gaNoLdT7LYczjvD1F3oSUQCMvRy7gwk2 stands for the stored form of the password "test123". Store userPassword as a salted hash (for example, the {SSHA} form produced by slappasswd), never in cleartext.

The following example shows how to define the attributes on the appliance. The base-dn is the container that holds the user entries, so that both ldap-admin and ldap-monitor can be found by the search:

ldap host hostname
ldap base-dn ou=users,dc=fireeye,dc=com
ldap login-attribute uid

Configuring an Active Directory Server

Because Active Directory (AD) supports the LDAP protocol, FireEye appliances can also authenticate through an AD server.

The binding user (bind-dn in the FireEye configuration) is a read-only account used to search the directory from the base-dn downward. The localUserNameFireEye attribute is not part of the default AD schema; it must be added to the schema in addition to the attributes AD provides.

Extending the AD schema with localUserNameFireEye is not without risks. Refer to the following resource for more information:

http://technet.microsoft.com/en-us/magazine/2008.05.schema.aspx?pr=blog

Looking up the localUserNameFireEye attribute requires a bind user that can search and browse AD records. Use a non-administrator account for this; its password is stored in the appliance configuration.

Prerequisites

l Admin access

To configure Active Directory authentication:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Configure the host to send LDAP authentication requests:

hostname (config) # ldap host AD_server_hostname_IP_address

3. Configure the LDAP user search base:

hostname (config) # ldap base-dn LDAP_base_DN

4. Set the Distinguished Name used to bind to the server:

hostname (config) # ldap bind-dn Search_user_DN


5. Configure the credentials used to bind to the server:

hostname (config) # ldap bind-password Search_user_password

6. Configure which attribute holds the login name. For AD this is sAMAccountName, which takes the place of the uid attribute used in the generic LDAP example:

hostname (config) # ldap login-attribute sAMAccountName

7. Save your changes:

hostname (config) # write memory

Example: Configuring Authentication

This topic provides an example of how to configure authentication for an appliance.

Prerequisites

l Admin access

To configure the authentication:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Authenticate first from the local user/password settings, then from RADIUS if that does

not work, then from LDAP if RADIUS does not work, and finally from TACACS+ if

LDAP does not work:

hostname (config) # aaa authentication login default local radius ldap tacacs+

3. For users who do not exist in the local user/password settings, if there is no Local-User

attribute returned by the RADIUS, LDAP, or TACACS+ server at login time, the login

will have the same capabilities as the Monitor user. Otherwise, it will have the capabilities

of the username given by the attribute.

hostname (config) # aaa authorization map default-user monitor
hostname (config) # aaa authorization map order remote-first

4. Configure the IP address and secret of the RADIUS server:

hostname (config) # radius-server host 10.1.0.58 key myradius123

5. Configure the IP address and secret of the TACACS+ server:

hostname (config) # tacacs-server host 10.1.0.58 key mytac123

6. Configure the fully-qualified hostname of the LDAP server. The hostname (not the IP

address) is needed for the optional TLS certificate validation to work.

hostname (config) # ldap host orange.purple.com


7. Configure the IP address of the LDAP server, as a fallback mechanism:

hostname (config) # ldap host 10.1.0.58

8. Configure the base of the user tree for LDAP:

hostname (config) # ldap base-dn ou=users,dc=orange,dc=com

9. Configure the LDAP user schema name for LDAP:

hostname (config) # ldap login-attribute uid

10. Configure the base of the group tree for LDAP:

hostname (config) # ldap group-dn cn=authgroup1,ou=groups,dc=orange,dc=com

11. Configure the LDAP group schema name for membership:

hostname (config) # ldap group-attribute member

12. Save your changes:

hostname (config) # write memory

Authorization

Authorization provides access control, and is accomplished by assigning users roles, which offer a specific set of capabilities.

This section contains the following topics:

l Roles Overview

l Capabilities Overview

l Assigning Roles Using the Web UI

l Assigning Roles Using the CLI

Roles

Roles give system administrators finer control over what users can do and see on an appliance.

Each user account is associated with a single role, which is a collection of capabilities that allow

the user to perform certain operations. The following roles are provided:

admin—The system administrator is a "super user" who has all capabilities except those that

allow access to the FireEye Web services API. The primary function of this role is to configure

the system.

monitor—The system monitor has read-only access to some things the admin role can change or

configure, and has access to some malware analysis functions.

operator—The system operator has a subset of the capabilities associated with the admin role. Its primary function is configuring and monitoring the system.

analyst—The system analyst focuses on the detection of malware and taking appropriate action, including setting up alerts and reports.

auditor—The system auditor reviews audit logs and performs forensic analysis to trace how

events occurred.

api_analyst, api_monitor—CM Series platform Only. Web services API roles. The api_analyst

and api_monitor roles must be assigned from the CM Series Web UI or CLI. Users with these

roles cannot log into the CLI or the Web UI. Users with any other role (including the admin role)

cannot access the API.

fe_services—The FireEye as a Service role. It has the same capabilities as the monitor role, plus access to the FireEye as a Service feature.

For every role, there is a corresponding system account by the same name that has the role.

System accounts cannot be deleted or modified, with the exception of being locked out so they

cannot be used to log in.

By default, each new user is granted the monitor role. An administrator can change the role or

give a user no role; a user with no role cannot log in to the appliance. If a role is changed while

the affected user is logged in, the user will be forcibly logged out. When the user logs in again,

the capabilities provided by the new role are available to the user.

Users in all roles can change their passwords and perform other account management functions.

For details, see Managing Your Own Account.

For details about the capabilities associated with each role, see Capabilities Overview.

For information about assigning roles to users, see Assigning Roles Using the Web UI and

Assigning Roles Using the CLI.

Capabilities

The following sections provide detailed information about the roles and their associated

capabilities.

l Capability Categories

l Capability Descriptions

l Access Messages

Capability Categories

The capabilities associated with the roles are divided into five categories: System Administration,

Malware Analysis, Auditing, All Users, and Web Services API. The following tables list the

capabilities in each category and show which roles have access to the functionality granted by the

capabilities.

The FireEye services role has the same capabilities as the Monitor role but allows access

to the FireEye as a Service feature.


System Administration

The following table lists the System Administration capabilities and associated roles.

Capability Admin Monitor Operator Analyst Auditor

Authentication (AAA) X

Authentication (AAA) (view) X X X

CM Series X X

CM Series (view) X X X

CM Series Proxy X

CM Series Proxy (view) X X X

CM Series Client (LMS) X X

CM Series Client (LMS) (view) X X X

Crypto X X

Crypto (view) X X X

Detection X X

Detection (view) X X X X

Diagnostics X X

Health (view) X X X X

FireEye Database (fedb) X X

FireEye Database (fedb) (view) X X X

Licenses X X

Licenses (view) X X X

Network X X

Network (view) X X X

Stats X X

Stats (view) X X X

System Admin X

System X X


System (view) X X X

System Logs X X X

Malware Analysis

The following table lists the Malware Analysis capabilities and associated roles.

Capability Admin Monitor Operator Analyst Auditor

Alerts X X X

Alerts (view) X X X

Analysis X X

Analysis (view) X X X

Monitor Legacy X X

Notifications X X

Notifications (view) X X X X

Reports X X X

Reports (view) X X X

Auditing

The following table lists Auditing capabilities and associated roles.

Capability Admin Monitor Operator Analyst Auditor

Audit Logs X X X

All Users

The following table lists the capabilities available to all roles (except API Analyst and

API Monitor).

Capability Admin Monitor Operator Analyst Auditor

Manage Own Account X X X X X

All Users X X X X X

Web Services API

The following table lists the Web Service API capabilities and associated roles.


Capability API Analyst API Monitor Admin

Alerts X X

Alerts Create X

Alerts View X X X

All Users X X X

Analysis X X

Analysis View X X X

Email Analysis X X

Email Analysis View X

File Analysis X

File Analysis View X X

Reports View X X X

Web Services Access X X

Capability Descriptions

The following table describes the functionality provided by each capability.

Alerts: Ability to annotate or acknowledge alerts, which indicate the detection of malware.

Alerts (view): Read-only access to the "Alerts" functionality. If a subnet is configured on the local account, the view can be filtered by subnet.

All Users: Commands and functionality available to users in all roles (except API Analyst and API Monitor).

Analysis: Ability to analyze malware.

Analysis (view): Read-only access to "Analysis" functionality.

Audit Logs: Ability to view audit logs, but not system logs.

Authentication (AAA): Configuration of authentication, authorization, and accounting (AAA).

Authentication (AAA) (view): Read-only access to "Authentication (AAA)" functionality.

CM Series: Ability to configure managed appliances and appliance records remotely. NOTE: The "CM Series" capabilities are available only on the CM Series platform.

CM Series (view): Read-only access to "CM Series" functionality.

CM Series Client (LMS): Management of appliances by the CM Series platform. (A managed appliance is also known as a client or LMS.)

CM Series Client (LMS) (view): Read-only access to "CM Series Client (LMS)" functionality.

CM Series Proxy: Ability to fully control remote managed appliances, both by executing commands remotely from the CM Series platform and by sending proxied actions and queries.

CM Series Proxy (view): Read-only access to "CM Series Proxy" functionality.

Crypto: Management of cryptographic functions such as Internet Protocol Security (IPsec) and certificates.

Crypto (view): Read-only access to "Crypto" functionality. Sensitive information such as private keys may be obfuscated.

Detection: Management of system configuration and data that affect malware detection efficacy, such as downloading and managing guest images and security content.

Detection (view): Read-only access to "Detection" functionality.

Diagnostics: Access to diagnostic tools such as debug dumps (sysdumps), ping, and traceroute.

FireEye Database (fedb): Management of the FireEye database, such as backing it up and restoring it.

FireEye Database (fedb) (view): Read-only access to "FireEye Database (fedb)" functionality.

Health: Ability to view summary information about current system status. (Detailed information is available with the "System (view)" capability.)

Licenses: Management of license keys.

Licenses (view): Read-only access to "Licenses" functionality.

Manage Own Account: Ability to change one's own local account password and to manage local SSH client functionality (authorized keys, identities, and known hosts) for one's own local account. This functionality is available only to locally authenticated users; that is, users who were authenticated using the configuration they are now attempting to change. Remotely authenticated users cannot change local account information, even if they are mapped to the same or a different local user name.

Monitor Legacy: Functionality that the "monitor" capability had prior to the introduction of roles, and that a strict interpretation of the "monitor" role does not permit.

Network: Ability to manage network configuration, such as interfaces and routes.

Network (view): Read-only access to "Network" functionality.

Notifications: Ability to configure user notifications about malware-related events (such as alerts) and system-related events (such as low disk space).

Notifications (view): Read-only access to "Notifications" functionality.

Reports: Ability to generate reports.

Reports (view): Read-only access to "Reports" functionality, such as viewing generated reports.

Stats: Ability to manage statistics.

Stats (view): Read-only access to "Stats" functionality.

System: General system administration functions.

System Admin: Both general system administration functions and sensitive functions that require a higher level of authorization.

System (view): Read-only access to the "System" and "System Admin" functionality.

System Logs: Ability to read system logs, but not audit logs.

Access Messages

The functionality that is available to a user depends on the user's role, which includes a set of

capabilities.


l If a user enters a command that is not available to the user's role, a % Unrecognized command message is displayed.

l If a user does not have access to a page or control in the Web UI, it is either not shown or the action is ignored and a message is displayed.

l If a user has limited access to a CLI command and enters the command with unauthorized parameters, a % Insufficient authorization... message is displayed.

l If an Admin user enters a CLI command that displays data that should not be shown (such

as plain text passwords), asterisks (***) are displayed to mask the data.

Assigning Roles Using the Web UI

Use the Settings: User Accounts page to change an existing user’s role. (If you are creating a

new user, follow the instructions in Managing Users Using the Web UI.)

If you change a role while the user is logged in, the user will be forcibly logged out.

When the user logs in again, the capabilities associated with the new role are available to

the user.

Prerequisites

l Admin access

To assign a role to a user:

1. Click the Settings tab.

2. Click User Accounts on the sidebar.

3. Click the appropriate link in the User column in the table at the bottom of the page.

4. Select the new role in the Role list. For detailed information about the functionality each

role provides, see Roles.

5. Click Update User.

Assigning Roles Using the CLI

Use the CLI commands in this topic to change an existing user’s role. (If you are creating a new

user, follow the instructions in Managing Users Using the CLI.)

If you change a role while the user is logged in, the user will be forcibly logged out.

When the user logs in again, the capabilities associated with the new role are available to

the user.


Prerequisites

l Admin access

To assign a role to a user:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Assign a role to a user:

hostname (config) # username username role role

where role is one of the roles listed in Roles on page 221.

3. Save your changes:

hostname (config) # write memory

For descriptions of the roles and the functionality each one provides, see Roles on page 221.

Accounting

Accounting tracks user activities and resource usage. All user activities that affect the system, such as configuration changes, are written to an audit log. Audit log messages can be viewed by issuing the show log audit command, and indicate the following:

l Which user made the change (login and logout details, including the origin, authentication

method, and role).

l Authentication failures and lockouts.

l The interface used to make the change: Command Line Interface (CLI), Web UI, Serial

Console, or LCD Panel Interface.

l The change that was made.

l The date and time the change was made.

l The session ID used to initiate the change. The session ID persists for the duration of the

session, which starts when the user logs in and ends when the user logs out.

Audit log messages are also logged to the system log. The audit log messages in this log are

prefixed with AUDIT: and tagged as described in the following table so you can quickly locate

them.

Message Type                  Tag
Configuration changes         Config change ID
Other actions                 Action ID
User login                    User login
User logout                   User logout
Authentication failure        Authentication failure
User account lockout          Maximum number of failed logins reached, account locked
Authorization failure         Denying access to
Execution of CLI commands     Executing command: ...
Miscellaneous                 Boot manager password changed
                              Time change detected, clock was moved...

See Managing Audit Logs for information about configuring and viewing audit logs.

You can use the aaa accounting CLI command to send audit messages to TACACS+

servers.
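The following Python script is an added example, not FireEye code. It classifies log lines by the AUDIT: tags in the table above and turns them into the checks an analyst would run over an exported audit log: repeated authentication failures, lockouts, denied actions, AAA configuration changes, and the boot-password and clock-change events. The sample lines, their syslog-style prefix and the wording around each tag are constructed for the example; only the tags themselves come from the table, and the user name is taken from a "user <name>" phrase that the example assumes.

```python
"""Added example, not FireEye code: scan a batch of audit log lines for the
AUDIT: tags listed in the table above and report lockouts, repeated
authentication failures, authorization failures, AAA configuration changes
and the sensitive "miscellaneous" events. The sample lines are constructed
for this example; the wording around each tag on a real appliance may differ."""
import re
from collections import defaultdict

# Tags from the table above -> event name
TAGS = {
    "Config change ID": "config_change",
    "Action ID": "action",
    "User login": "login",
    "User logout": "logout",
    "Authentication failure": "auth_failure",
    "Maximum number of failed logins reached, account locked": "lockout",
    "Denying access to": "authz_failure",
    "Executing command:": "command",
    "Boot manager password changed": "boot_password_changed",
    "Time change detected, clock was moved": "time_change",
}
TAGS_LONGEST_FIRST = sorted(TAGS, key=len, reverse=True)   # a longer tag wins over a shorter one
USER_RE = re.compile(r"\buser (\w[\w.-]*)")                 # assumed "user <name>" phrase
AAA_KEYWORDS = ("aaa ", "username ", "radius-server", "tacacs-server", "ldap ")

# Constructed sample (syslog-style prefix + AUDIT: message); not real appliance output.
SAMPLE_LOG = """\
Apr 22 15:40:47 nx1 mgmtd: AUDIT: User login: user admin from 10.1.0.20 via CLI (local)
Apr 22 15:41:02 nx1 mgmtd: AUDIT: Authentication failure: user r-admin from 10.1.0.58 via Web UI
Apr 22 15:41:09 nx1 mgmtd: AUDIT: Authentication failure: user r-admin from 10.1.0.58 via Web UI
Apr 22 15:41:15 nx1 mgmtd: AUDIT: Authentication failure: user r-admin from 10.1.0.58 via Web UI
Apr 22 15:41:20 nx1 mgmtd: AUDIT: Authentication failure: user r-admin from 10.1.0.58 via Web UI
Apr 22 15:41:21 nx1 mgmtd: AUDIT: Maximum number of failed logins reached, account locked: user r-admin
Apr 22 15:42:00 nx1 mgmtd: AUDIT: Denying access to aaa configuration: user r-monitor role monitor
Apr 22 15:43:10 nx1 mgmtd: AUDIT: Time change detected, clock was moved back 3600 seconds
Apr 22 15:44:00 nx1 mgmtd: AUDIT: Executing command: user admin: show log audit
Apr 22 15:44:30 nx1 mgmtd: AUDIT: Config change ID 1234: user admin: aaa authorization map default-user admin
Apr 22 15:45:00 nx1 mgmtd: AUDIT: User logout: user admin
Apr 22 15:45:01 nx1 sshd: not an audit message
"""


def classify(line):
    """Return (event, user, message) for an AUDIT: line, or None for any other line."""
    if "AUDIT:" not in line:
        return None
    body = line.split("AUDIT:", 1)[1].strip()
    match = USER_RE.search(body)
    user = match.group(1) if match else None
    for tag in TAGS_LONGEST_FIRST:
        if tag in body:
            return TAGS[tag], user, body
    return "other", user, body


def analyse(lines, failure_threshold=3):
    """Summarise security-relevant audit events; a successful login resets a user's failure count."""
    failures = defaultdict(int)
    report = {"brute_force": [], "lockouts": [], "authz_failures": [], "aaa_changes": [], "sensitive": []}
    for line in lines:
        classified = classify(line)
        if classified is None:
            continue
        event, user, body = classified
        if event == "auth_failure":
            failures[user] += 1
            if failures[user] == failure_threshold:      # report once, when the threshold is hit
                report["brute_force"].append(user)
        elif event == "login":
            failures.pop(user, None)
        elif event == "lockout":
            report["lockouts"].append(user)
        elif event == "authz_failure":
            report["authz_failures"].append((user, body))
        elif event == "config_change" and any(k in body for k in AAA_KEYWORDS):
            report["aaa_changes"].append((user, body))   # who touched the AAA configuration
        elif event in ("boot_password_changed", "time_change"):
            report["sensitive"].append(body)              # clock moves undermine every timestamp above
    return report


if __name__ == "__main__":
    for key, items in analyse(SAMPLE_LOG.splitlines()).items():
        print(key, items)
```

Run it directly to print the report for the sample. The same loop works on the file fetched with logging files audit upload, or on a syslog collector that receives the AUDIT:-prefixed copies described above; the point of matching on the tags rather than on full message text is that the tags are the stable part of the message.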

Managing Audit Logs

All user activities that impact the system, such as configuration changes, are automatically written

to a log.

Prerequisites

l Admin access

To manage audit logs:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Display the active audit log file, a list of all audit log files, an archived audit log file, or selected entries in the active audit log:

hostname (config) # show log audit

3. Allow the audit class to override the global minimum severity level for messages saved in log files on the local disk:

hostname (config) # logging local override class audit

4. Set the minimum severity level for audit messages written to the local log files:

hostname (config) # logging local override class audit priority severity_level


You can select the following severity levels:

l none—Disables logging.

l emerg—System failure.

l alert—Immediate action required.

l crit—Critical condition.

l err—Error condition.

l warning—Warning of possible problem.

l notice—Significant, but normal event (the default).

l info—Information only.

l debug—Debugging information.

5. Upload the active audit log file to the specified network location:

hostname (config) # logging files audit upload current path

6. Save your changes:

hostname (config) # write memory


CHAPTER 17: Certificate Management

FireEye appliances use X.509 (TLS/SSL) certificates to allow secure connections between the

appliance and the Web browser running the Web UI, and to verify remote servers for various

client applications.

System Self-Signed Server Certificate

The appliance automatically generates and maintains a self-signed server certificate with the reserved name system-self-signed. This is the default certificate for the appliance, and can be used for Web UI sessions. The appliance hostname is used in the certificate's Common Name (CN) attribute. If the hostname or other pertinent system identity information changes, the certificate is automatically regenerated to reflect the current information. For details, see Regenerating the System Self-Signed Certificate on page 239.

HTTPS Server Certificates

Instead of using the system self-signed certificate, you can install an alternate HTTPS certificate, such as one issued by a trusted public certificate authority (CA) or your own organization. The HTTPS certificate has the reserved name web-cert. This certificate is not tied to the appliance hostname. For details, see Managing HTTPS Certificates on page 241.

Certificate Authority (CA) Client Certificates

The appliance has an internal bundle of well-known trusted CA certificates distributed by Mozilla. These certificates serve as the trust anchors for HTTPS servers that present publicly issued certificates. However, some TLS-enabled client functions on the appliance (such as the connections to the system email server and to the LDAP server) talk to servers that present privately issued certificates. You must add the intermediate or private root certificates for those servers as supplemental CA certificates before the appliance can validate them. For details, see Adding Supplemental CA Certificates on page 254.

Viewing Certificates

The appliance provides a simple way to view the following:


l Common certificate attributes, such as the name, status, and expiration date

l All certificate attributes, which include the signature and public key algorithms in addition

to the common attributes

l Certificate configuration (CLI only)

l Public key PEM string of a certificate (CLI only)

See the table in Defining Default Certificate Attributes on page 250 for certificate

attribute descriptions.

The Web UI also displays the public key of the appliance. This key is used to

authenticate the connection between the CM Series platform and its managed

appliances. For details, see Obtaining a Host Key Using the Web UI on page 92.

Prerequisites

l Monitor, Operator, or Admin access

Viewing Certificates Using the Web UI

Use the Settings: Certificates/Keys page to view certificates.

For information about managing certificates, see:


l Regenerating the System Self-Signed Certificate Using the Web UI on page 239

l Managing HTTPS Certificates Using the Web UI on page 242

l Activating Named Certificates Using the Web UI on page 249

l Adding Supplemental CA Certificates Using the Web UI on page 254

The Keys section at the bottom of the page pertains to Secure Shell (SSH) host key

authentication. For details, see Obtaining a Host Key Using the Web UI on

page 92.

To view certificates:

1. Click the Settings tab.

2. Click Certificates/Keys on the sidebar.

3. View common certificate attributes in any section on the page:

l System Self-Signed Certificate

l HTTPS Configuration

l CA Certificates

4. Click the link in the Certificate column to view all certificate attributes in a separate

browser window.

Example

The following example shows the attributes of a system self-signed certificate.

After you click system-self-signed, the following window opens. Scroll down to view all of the

data.


In this example, the https in the address bar is crossed out because the self-signed certificate is not issued by a CA in the browser's trusted root store, so the browser treats the connection as untrusted.

Viewing Certificates Using the CLI

Use the commands in this section to view certificate attributes, the certificate configuration, and

the public key PEM string.

Viewing Common Attributes

To view common certificate attributes:

1. Enable the CLI enable mode:

hostname > enable

2. Display the attributes.

l To view common information about all certificates:

hostname # show crypto certificate

l To view common attributes for a specific certificate:

hostname # show crypto certificate name certificateName

Viewing All Attributes

To view all certificate attributes:

1. Enable the CLI enable mode:

hostname > enable

2. Show the attributes.

l To view all attributes for all certificates:

hostname # show crypto certificate detail


l To view all attributes for a specific certificate:

hostname # show crypto certificate name certificateName detail

Viewing the Certificate Configuration

To view the certificate configuration:

1. Enable the CLI enable mode:

hostname > enable

2. Show the configuration:

hostname # show configuration

3. Scroll to the X.509 certificates configuration section of the output.

The command output indicates whether a private key is defined for each certificate.

Private key PEM strings are omitted for security.

Viewing the Public Key PEM String

To view the public key PEM string:

1. Enable the CLI enable mode:

hostname > enable

2. Show the public key PEM string.

l To view the source data for all certificates:

hostname # show crypto certificate public-pem

l To view the source data for a specific certificate:

hostname # show crypto certificate name certificateName public-pem

Examples

Common Attributes for All Certificates

The following example shows common attributes for all certificates in the certificate database.

hostname # show crypto certificate
Certificate with name 'server' (default-cert)
  Private Key: present
  Serial Number: 0x71a676d9a1j5d8a316488f9d683kkc0
  SHA-1 Fingerprint: 7g04933d77491wgeg2h78d2a6f34s50cech324c78
  Validity:
    Starts: 2015/02/26 15:40:47
    Expires: 2017/11/21 15:40:47
  Subject:
    Common Name: acme-hostname
    Country: US
    State or Province: NY
    Locality: Albany
    Organization: Acme, Inc
    Organizational Unit: IT
  Issuer:
    Common Name: Symantec Class 3 EV SSL CA - G3
    Country: US
    State or Province: CA
    Locality: Mountain View
    Organization: Symantec Corporation
    Organizational Unit: Symantec Trust Network

Certificate with name 'system-self-signed'
  Private Key: present
  Serial Number: 0x54a623d9a1f5d7a207788f2e683ffc0
  SHA-1 Fingerprint: 7k04833m77951wgjr2h94d2a6f34b60pgph984v43
  Validity:
    Starts: 2015/04/22 15:40:47
    Expires: 2016/04/21 15:40:47
  Subject:
    Common Name: acme-hostname
    Country: US
    State or Province: CA
    Locality: Milpitas
    Organization: FireEye, Inc.
    Organizational Unit: Network Security Management
  Issuer:
    Common Name: acme-hostname
    Country: US
    State or Province: CA
    Locality: Milpitas
    Organization: FireEye, Inc.
    Organizational Unit: Network Security Management

The serial numbers and fingerprints shown in these examples are placeholders (they contain characters outside the hexadecimal range); real output shows hexadecimal values.

All Attributes for a Specific Certificate

The following example shows all attributes for the system self-signed certificate.

hostname # show crypto certificate name system-self-signed detail
Certificate with name 'system-self-signed' (default-cert)
  Comment: system-generated self-signed certificate
  Private Key: present
  Serial Number: 0x54a623d9a1f5d7a207788f2e683ffc0
  SHA-1 Fingerprint: 7k04833m77951wgjr2h94d2a6f34b60pgph984v43
  Version: 3
  Subject Public Key Algorithm: rsaEncryption
  Subject Public Key Length: 2048 bits
  Signature algorithm: sha256WithRSAEncryption
  Validity:
    Starts: 2015/04/22 15:40:47
    Expires: 2016/04/21 15:40:47
  Subject: emailAddress=admin,CN=acme-hostname,OU=Network Security Management,O=FireEye\, Inc.,L=Milpitas,ST=California,C=US
    Common Name: acme-hostname
    Country: US
    State or Province: CA
    Locality: Milpitas
    Organization: FireEye, Inc.
    Organizational Unit: Network Security Management
    E-mail Address: admin
  Issuer: emailAddress=admin,CN=acme-hostname,OU=Network Security Management,O=FireEye\, Inc.,L=Milpitas,ST=California,C=US
    Common Name: acme-hostname
    Country: US
    State or Province: CA
    Locality: Milpitas
    Organization: FireEye, Inc.
    Organizational Unit: Network Security Management
    E-mail Address: admin

Certificate Configuration

The following example shows the certificate configuration for an appliance. Private key material is never printed, and the matching public-cert line is omitted when the private key is hidden.

hostname # show configuration
...
##
## X.509 certificates configuration
##
## Certificate name system-self-signed, ID 9c077abarhb9e10d698c98e03431bbba410965b8
## (public-cert config omitted since private-key config is hidden)
crypto certificate min-key-size 2048
crypto certificate secure-hashes-only
##

Public Key PEM String

The following example shows the public key PEM string for the "server" certificate.

hostname # show crypto certificate name server public-pem
-----BEGIN CERTIFICATE-----
MIIDuzCCAqOgAwIBAgIBADANBgkqhkiG9w0BAQUFADB4MQswCQYDVQQGEwJVUzEL
MAkGA1UECAwCQ0ExETAPBgNVBAcMCE1pbGlwdGFzMRQwEgYDVQQKDAtGaXJlRXll
IEluYzEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMMFHZwczEuZW5nLmZp
cmVleWUuY29tMB4XDTE1MDIyNjIzNDA0N1oXDTE3MTEyMTIzNDA0N1oweDELMAkG
A1UEBhMCVVMxCzAJBgNVBAgMAkNBMREwDwYDVQQHDAhNaWxpcHRhczEUMBIGA1UE
CgwLRmlyZUV5ZSBJbmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMR0wGwYDVQQDDBR2
cHMxLmVuZy5maXJlZXllLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAJt3LsgIYXyWiaRoAsLJnSxbQdwLuRZV74qEpVv1cRAwxymVu4/iXSWTFYmU
OZGFeHKK/2R/twISBHBhCuoGUYirg0KiM7bWmFPdAJXID6cAhPghkHwLHPTF4+Po
rXfc2m0W24G1Hi0o10oY7TPe2R5HctwGaoVtQ3znzESsuXKl+8qF+UVaP6qliDeX
Qyc9h/rGLQE50+9jluq1sWHfhszi4ireTqTu18iZesOeWSW+XzVcPRFy8pxwRMoW
w52Eczz2tZNudw2Bnozx25xlOIUvMLvrWeSenonqnrnQBPAtm7g/kBmSE4eHX7cr
D6KxczmuCvAfIZLZBibM2Vu6slUCAwEAAaNQME4wHQYDVR0OBBYEFMT6ayAuFjvN
7yVCVXMQX8Pgd3YtMB8GA1UdIwQYMBaAFMT6ayAuFjvN7yVCVXMQX8Pgd3YtMAwG
A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAHTmrw4j6s0ut72n8P1pzGuD
6OYnuufKkHDaCC58g7OMMeOMu11XWScCy/44q2WMs1oNhKrcQHivHilKrAXB8Str
a2bSHcWutnu1OamRmglrkFmhS10NrNUIu5OwluTO3QF7FxA1EBwqEJ/8YrKhQb4p
aL4b0xRuNleRmy4GnR/k3a7Jllf9/qnpXYWIdtkyHOqx/854wxsdOiZYU9U1ZYEe
4Es9hEk5pkRvnioS0lJZWTGmt9a0EjpgZXIMcSxukeyZ4UPKaie8gypIPtK+ia9e
vXwAvTn745uZs06piroFhIOkPkG1H4pahgdi4uPntSosmHI63i0bc9VnN7QK0Rg=
-----END CERTIFICATE-----

Regenerating the System Self-Signed Certificate

The appliance automatically generates and maintains a self-signed server certificate with the reserved name system-self-signed. This is the global default certificate for the appliance, and it can be used for Web UI sessions. You cannot delete this certificate, because it ensures secure access to the appliance Web UI and other applications in the factory default configuration. If an alternate HTTPS certificate is designated as the active certificate and is later deleted, the system self-signed certificate is automatically restored as the active certificate.

The appliance hostname is the Common Name (CN) attribute of the system self-signed certificate, so the certificate is automatically regenerated when the hostname changes. You can also regenerate the certificate on demand to extend the expiration date, or to pick up updated default certificate attributes (such as the organization or email address).

The certificate is valid for one year. If you use the Web UI to regenerate the certificate, the expiration date is set 365 days from now (or the number of days defined by the "time remaining" default attribute). You can specify a non-default number of days if you use the CLI to regenerate the certificate.

Self-signed certificates are not issued by a certificate authority that browsers trust, so browsers display a security warning when users navigate to the appliance Web UI. To stop the warning from appearing, a Web UI user can add the certificate to the browser's trust store. Regenerating the certificate produces a new key pair, serial number and fingerprint, so any copy a browser previously trusted (or a script pinned) no longer matches and must be replaced.

Prerequisites

- Operator or Admin access

Regenerating the System Self-Signed Certificate Using the Web UI

Use the Settings: Certificates/Keys page to manually regenerate the system self-signed certificate.

You can also download the certificate to your local file system, for example to add it to a browser's trust store, but there is typically no other reason to do so.

To regenerate the system self-signed certificate:

1. Click Regenerate.
2. When prompted, click OK to confirm that you want to regenerate the certificate.
3. Confirm that the certificate was regenerated:
   - The Time Remaining changes to 365 days, and the Expire Date changes accordingly.
   - A message at the top of the page informs you that the regeneration was successful.

To download the system self-signed certificate:

1. Click Export.
2. Verify that the system-self-signed.crt file was downloaded to your computer.

Regenerating the System Self-Signed Certificate Using the CLI

Use the commands in this section to regenerate the system self-signed certificate.

If the Web server is configured to use the system self-signed certificate, the web server certificate regenerate command also regenerates and replaces the system self-signed certificate.

To regenerate the system self-signed certificate:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Regenerate the certificate:

- To extend the expiration date by 365 days:

hostname (config) # crypto certificate system-self-signed regenerate

- To extend the expiration date by a different number of days:

hostname (config) # crypto certificate system-self-signed regenerate days-valid days

3. Verify your change:

hostname (config) # show crypto certificate name system-self-signed

4. Save your change:

hostname (config) # write memory

Example

The following example regenerates the system self-signed certificate and extends the expiration date by two years. The serial number and fingerprint change with every regeneration, because a new key pair is generated.

hostname (config) # crypto certificate system-self-signed regenerate days-valid 730
hostname (config) # show crypto certificate name system-self-signed
Certificate with name 'system-self-signed'
  Comment: system-generated self-signed certificate
  Private Key: present
  Serial Number: 0x71a676d9a1j5d8a316488f9d683kkc0
  SHA-1 Fingerprint: 7g04933d77491wgeg2h78d2a6f34s50cech324c78
  Validity:
    Starts: 2015/04/25 20:32:50
    Expires: 2017/04/22 20:32:50
...

Managing HTTPS Certificates

HTTPS certificates (also known as Web or server certificates) are named certificates that the appliance uses to identify itself to the Web browsers running the Web UI, and that allow the Web UI to accept HTTPS connections.

The system self-signed certificate is the default active HTTPS certificate. You can configure an alternate certificate, which can be a certificate issued by your own organization (for example from an internal CA, or another self-signed certificate) or a certificate issued by a public certificate authority (CA).

You can use the following methods to obtain and install a certificate:

- Upload both an existing certificate file and the matching private key file from your local file system. (Web UI only)
- Enter the public certificate and private key PEM strings at the command line. (CLI only)
- Create your own self-signed certificate. This process automatically generates an internal matching private key that is paired with the certificate.

Usage Guidelines

- Each appliance needs a unique HTTPS certificate and matching private key.
- The certificate and private key must be supplied as PEM (Privacy Enhanced Mail) strings: Base64-encoded DER between BEGIN and END delimiter lines.
- The active HTTPS certificate uses the reserved name web-cert.
- You cannot add a new web-cert certificate if one already exists. You must delete or rename the existing certificate first.
- After you add the new certificate, you must explicitly activate it for the Web server.
- The HTTPS certificates you import or create can have unique names, but must be renamed to "web-cert" before you can activate them.
- The certificate section of the show configuration CLI command output indicates whether a private key is defined for each certificate. Private key PEM strings are omitted.
- If a private key is protected by a passphrase, the key must be converted to an unlocked (unencrypted) private key PEM string before it can be imported. Treat the unlocked file as a secret and delete it once the import is complete.

Prerequisites

- Operator or Admin access

Managing HTTPS Certificates Using the Web UI

Use the HTTPS Configuration section of the Settings: Certificates/Keys page to do the following:

- Import the public certificate and private key for an HTTPS certificate.
- Activate the certificate.
- Export the public certificate.

Importing an HTTPS Certificate

You must select both the certificate (the public key) and the private key before you click Update to add the certificate to the certificate database.

To import an HTTPS certificate:

1. Click the Settings tab.
2. Click Certificates/Keys in the sidebar.
3. Select the certificate:
   a. Click Choose File in the Certificate field.
   b. In the dialog box that opens, navigate to the certificate .pem file in your local file system.
4. Select the private key:
   a. Click Choose File in the Private Key field.
   b. In the dialog box that opens, navigate to the private key .pem file in your local file system.
5. (Optional) Enter a certificate name in the Cert name field.
   The certificate name must be changed to web-cert before you can activate it.
6. If you want to activate the certificate, select the After import, activate checkbox.
   The certificate can be activated later, if you prefer. For details, see Activating Named Certificates on page 248.
7. Click Update.

Exporting an HTTPS Certificate

Because private keys are sensitive, you can export only the public certificate.

To export the public certificate:

1. Click the Settings tab.
2. Click Certificates/Keys in the sidebar.
3. Click Export in the Actions column for the HTTPS certificate.
4. Verify that the .crt file was downloaded to your local file system.

Managing Named Certificates Using the CLI

Use the commands in this section to do the following:

- Import an HTTPS certificate.
  You can also download the certificate from a URL, as described in Downloading a Certificate Using the CLI on page 248.
- Generate and regenerate an HTTPS self-signed certificate.
- Export the public certificate.

If the certificate you import or generate will be used on the Web server, you must specify "web-cert" as the certificate name (or rename it to web-cert afterwards), and then activate the certificate as described in Activating Named Certificates on page 248.

Importing a Certificate

To import a certificate and private key:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Import the certificate:

hostname (config) # crypto certificate name certificateName public-cert pem "pemString" [comment "comment"]

where:

- certificateName can be a name of your choice, but must be changed to "web-cert" before it can be activated.
- pemString is the public certificate PEM string. It must include the BEGIN and END delimiter strings and must be enclosed in double quotation marks.
- comment is the text for the comment, and must be enclosed in double quotation marks.

Any commentary outside the BEGIN and END delimiter strings is preserved in the configuration database, but is ignored.

3. Import the private key:

- To add the private key directly:

hostname (config) # crypto certificate name certificateName private-key pem "pemString"

where pemString is the private key PEM string. It must include the BEGIN and END delimiter strings and must be enclosed in double quotation marks. Pasting the key in clear text leaves it visible in the terminal scrollback; the prompt form below avoids that.

- To prompt for the private key with secure echo, so asterisks are displayed instead of the PEM string characters:

hostname (config) # crypto certificate name certificateName prompt-private-key

Any commentary outside the BEGIN and END delimiter strings is ignored.

4. Verify your changes:

hostname (config) # show crypto certificate

5. Save your changes:

hostname (config) # write memory
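Two details of the import above are easy to get wrong at the keyboard: the CLI ignores commentary around the delimiters but needs both delimiter lines, and it accepts only an unlocked private key (see the usage guidelines for HTTPS certificates). The following preflight is an added example, not part of the FireEye guide or the appliance; it examines a private-key PEM the way you would before pasting it at the prompt-private-key prompt, and reports the PEM label, whether the key is passphrase-locked, and the standard OpenSSL command that writes an unlocked copy. The three PEM strings are constructed for the example: their Base64 bodies decode to a five-byte placeholder DER SEQUENCE, not to real keys, and the file names in the suggested commands are placeholders.

```python
import base64
import re

# A PEM block: label on the BEGIN line, optional RFC 1421 headers, Base64 body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def classify_private_key(pem):
    """Describe a private-key PEM string the way an import preflight would.

    Returns the label, whether the key is passphrase-locked, the decoded DER length and,
    for a locked key, the openssl command that writes an unlocked copy.
    """
    m = PEM_BLOCK.search(pem)
    if not m:
        raise ValueError("private key must include matching BEGIN and END delimiter lines")
    label, body = m.group(1), m.group(2)
    # Text before BEGIN or after END never reaches the parser, as the CLI ignores pasted commentary.
    # Inside a traditional (PKCS#1) key, OpenSSL marks passphrase encryption with
    # "Proc-Type: 4,ENCRYPTED" plus a DEK-Info header, followed by a blank line.
    headers, _, b64 = body.strip().partition("\n\n") if "Proc-Type:" in body else ("", "", body)
    locked = "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in headers
    der = base64.b64decode("".join(b64.split()))
    if not der or der[0] != 0x30:                       # every key encoding starts with a DER SEQUENCE
        raise ValueError("PEM body does not decode to a DER SEQUENCE")
    unlock = None
    if locked:
        tool = "rsa" if label.startswith("RSA") else "pkey"   # openssl rsa for PKCS#1, openssl pkey for PKCS#8
        unlock = f"openssl {tool} -in locked.key -out unlocked.key"   # placeholder file names
    return {"label": label, "locked": locked, "der_length": len(der), "unlock_command": unlock}


# Constructed samples for this example; the body MAMCAQA= is the placeholder SEQUENCE { INTEGER 0 }.
UNLOCKED_KEY = """Key for web-cert, copied from the change ticket (this note is ignored on import)
-----BEGIN RSA PRIVATE KEY-----
MAMCAQA=
-----END RSA PRIVATE KEY-----
"""
LOCKED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

MAMCAQA=
-----END RSA PRIVATE KEY-----
"""
LOCKED_PKCS8_KEY = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MAMCAQA=
-----END ENCRYPTED PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, sample in [("unlocked", UNLOCKED_KEY), ("locked", LOCKED_KEY), ("pkcs8", LOCKED_PKCS8_KEY)]:
        print(name, classify_private_key(sample))
```

Run the check on the key file you intend to paste; a locked result means the appliance will reject the string, and the printed command produces the unlocked copy that the import expects. Delete that copy as soon as the key has been imported and verified with show crypto certificate.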


Creating a Self-Signed HTTPS Certificate

If you do not supply attribute values when you create the self-signed certificate, the default attribute values are used.

To create a self-signed HTTPS certificate:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Create the certificate:

- To use default attribute values:

hostname (config) # crypto certificate name certificateName generate self-signed

where certificateName can be a name of your choice, but must be changed to "web-cert" before it can be activated on the Web server.

- To use other attribute values:

hostname (config) # crypto certificate name certificateName generate self-signed [attribute_1 value] [attribute_2 value] [attribute_n value]

where:

- certificateName can be a name of your choice, but must be changed to "web-cert" before it can be activated on the Web server.
- attribute_1, attribute_2, and attribute_n are attribute names, and value is the value of the specified attribute. For descriptions of the attributes and values, see Defining Default Certificate Attributes on page 250.

3. Verify your changes:

hostname (config) # show crypto certificate name certificateName

4. Save your changes:

hostname (config) # write memory

Regenerating the Self-Signed HTTPS Certificate

Regenerating the self-signed certificate generates a new key pair as well as a new certificate. It extends the expiration date by 365 days or the number of days you specify, and picks up any updated default attribute values. Because the key changes, browsers or scripts that trust or pin the old certificate must be updated.

To regenerate the HTTPS self-signed certificate:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Regenerate the HTTPS certificate:

hostname (config) # crypto certificate name web-cert regenerate [days-valid days]

where days is the number of days before the certificate expires. If the days-valid parameter is not included, the default attribute value is used.

3. Verify your changes:

hostname (config) # show crypto certificate name web-cert

4. Save your changes:

hostname (config) # write memory

Displaying the Public Key for Export

You can copy the public key PEM string and then paste it into a text file that you can distribute. Because private keys are sensitive, you can export only the public key.

To display the public key PEM string for export:

1. Enter the CLI enable mode:

hostname > enable

2. Display the public key PEM string:

hostname # show crypto certificate name certificateName public-pem

Examples

Importing a Certificate and Key

The following example imports a certificate and its private key. The ">" prompt marks the continuation lines of the quoted PEM string.

hostname (config) # crypto certificate name acme.cert3.pem public-cert pem "
> -----BEGIN CERTIFICATE-----
> MIID2jJUAsKgAwIBAgIBBjANBgkqhkiG8g0BAQUFADCBsDELMAkGA1UEBhMCVVMx
> FjAUBgNVBAgTNT1hc3NhY2h1c2V0dHMxFDASBgNVBAcTC1dlc3Rib3JvdWdoMRsw
> GQYDVQQKExJUYWxsIE1hcGxlIFN5c3RlbXMxEDAOBgNVBAsTB3Rtkq1lbmcxHjAc
> BgNVBAMTFW9jdGFnb24udGFsbG1hcGxlLmNvbTEkMCIGCSqGSIb3DQEJARYVc2xh
> ...
> -----END CERTIFICATE-----
> "
Successfully installed certificate with name 'acme.cert3.pem'

hostname (config) # crypto certificate name acme.cert3.pem private-key pem "
> -----BEGIN RSA PRIVATE KEY-----
> MIICGTCCAYICAQAwgawxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNl
> dHRzMRQwEgYDVQQHEwtXZXN0Ym9mi3VnaDEbMBkGA1UEChMSVGFsbCBNYXBsZSBT
> eXN0ZW1zMRAwDgYDVMGLEwd0bXMtZW5nMRowGAYDVQQDExF0YjcudGFsbG1hcGxl
> LmNvbTEkMCIGCSqGSIb3DQEJARYVc2xhbnNlckB0YWrebWFwbGUuY29tMIGfMA0G
> ...
> -----END RSA PRIVATE KEY-----
> "

Creating a Self-Signed Certificate

The following example generates an HTTPS self-signed certificate:

hostname (config) # crypto certificate name acme.selfcert5.pem generate self-signed
Successfully generated certificate with name 'acme.selfcert5.pem'

Regenerating the Certificate

The following example regenerates the HTTPS self-signed certificate and its private key and extends the expiration date by two years.

hostname (config) # crypto certificate name web-cert regenerate days-valid 730
Successfully regenerated certificate with name 'web-cert'
hostname # show crypto certificate name web-cert
Certificate with name 'web-cert'
  Private Key: present
  Serial Number: 0x71a676d9a1j5d8a316487f9d683kkc0
  SHA-1 Fingerprint: 7g04933d77491wgba2h78d2a6f34s50cech324c78
  Validity:
    Starts: 2015/04/25 20:32:50
    Expires: 2017/04/22 20:32:50
...

Exporting the Public Key PEM String

The following example displays the public key PEM string (the body is abbreviated).

hostname # show crypto certificate name acme-cert12 public-pem
-----BEGIN CERTIFICATE-----
jjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNVBAcMB1Nh
HzAdBgkqhkiG9w0BCQEWEGZlYWRtaW5AYWNtZS5jb20wggEiMA0GCSqGSIb3DQEB
s0KvSMHO/8o0is/2wOuTQ/SF1gnBGZtPWWV0CUOZGHNt9ftAh6RLLvvvVnbguwc7
HhcNMTUwNDI3MDIzODU2WhcNMTYwNDI2MDIzODU2WjCBjjELMAkGA1UEBhMCVVMx
...
-----END CERTIFICATE-----

Downloading Certificates

You can download the public certificate and private key for a certificate from a URL to add the certificate to the certificate database.

Prerequisites

- Operator or Admin access

Downloading a Certificate Using the CLI

Use the commands in this section to download a certificate and its matching private key, and add an optional comment.

The private key is an optional parameter, but it must be downloaded to activate the certificate for an application that requires a private key.

To download a certificate:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Specify the name for the certificate and download it:

hostname (config) # crypto certificate name certificateName fetch public-cert-url URL [private-key-url URL] [comment "comment"]

where:

- URL is the direct path to the certificate or private key file.
- comment is a description of the certificate. It must be enclosed in double quotation marks.

3. Verify that the certificate was added to the certificate database:

hostname (config) # show crypto certificate name certificateName

4. Save your changes:

hostname (config) # write memory

Example

This example downloads a certificate and private key, and adds them to the certificate database with the name "newcert." The private key is fetched over plain HTTP, which exposes it in transit and to anyone who can reach the URL; serve the key file from a protected location and remove it from the server as soon as the download has completed and been verified.

hostname (config) # crypto certificate name newcert fetch public-cert-url http://acme/security/certs/acme.crt private-key-url http://acme/security/certs/acme.key
hostname (config) # show crypto certificate name newcert
Certificate with name 'newcert'
  Private Key: present
  Serial Number: 0x532gdda69e90b436542ea92e9gd5dor9
  SHA-1 Fingerprint: 4563a957349g83264bw2c8b32c0rw5g8d8353246
...

Activating Named Certificates

The system self-signed certificate is active on the Web server by default. You can activate the web-cert certificate instead.

Prerequisites

- Operator or Admin access
- The named certificate is in the certificate database.

Activating Named Certificates Using the Web UI

Use the HTTPS Configuration section of the Settings: Certificates/Keys page to activate the web-cert certificate on the Web server.

Perform this procedure only if the system self-signed certificate is currently active on the Web server.

To activate the certificate on the Web server:

1. Click the Settings tab.
2. Click Certificates/Keys in the sidebar.
3. Click Activate in the Actions column for the web-cert certificate.

To reactivate the system self-signed certificate, select System Self-Signed in the list, or click Activate in the column for the system-self-signed certificate.

Activating Named Certificates Using the CLI

Use the commands in this section to activate the web-cert certificate on the Web server.

If you type web server certificate name ? at the command line, a list of all certificates in the certificate database is displayed. However, only the "web-cert" or "system-self-signed" certificate can be activated.

To activate the web-cert certificate on the Web server:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Activate the certificate:

hostname (config) # web server certificate name web-cert

3. Verify the change:

hostname (config) # show web

4. Save the change:

hostname (config) # write memory

To reactivate the system-self-signed certificate, use the no web server certificate name or web server certificate name system-self-signed command.

After activating a certificate, confirm from a client that the Web UI actually presents it: compare the fingerprint your browser shows for the connection with the SHA-1 Fingerprint line of show crypto certificate name web-cert.

Example

The following example activates web-cert on the Web server, which is currently using the system self-signed certificate.

hostname (config) # show web
Web User Interface server:
  Web interface enabled: yes
  ...
  HTTPS certificate name: system-self-signed
  ...
hostname (config) # web server certificate name web-cert
hostname (config) # show web
Web User Interface server:
  Web interface enabled: yes
  ...
  HTTPS certificate name: web-cert
  ...

Defining Default Certificate Attributes

All X.509 certificates have common attributes. The following table describes the attributes and provides the system default value for each attribute. The default values populate the attributes in self-signed and regenerated certificates. You can change the default values as desired. For example, you could update the contact email address or change the validity period to two years instead of one.

Certificate Attributes

Each entry lists the attribute, the Web UI field that shows it, the CLI keyword (used with crypto certificate generation default and generate self-signed) or the label used in show crypto certificate output, and a description.

Certificate Name
  Web UI field: Certificate
  CLI keyword: cert-name
  A unique name that identifies the certificate. The name can contain letters, numbers, and the period (.), comma (,) and underscore (_) characters.

Common Name (CN)
  Web UI field: Common Name
  CLI keyword: common-name
  A fully qualified domain name for the appliance. An exception is the system-self-signed certificate, in which the CN is the appliance hostname.

Organization
  Web UI field: Organization
  CLI keyword: organization
  The legal name of your organization.

Organizational Unit
  Web UI field: Organizational Unit
  CLI keyword: org-unit
  The department or unit in your organization using the certificate.

City or Locality
  Web UI field: City (Locality)
  CLI keyword: locality
  The city or locality where your organization is located.

State or Province
  Web UI field: State (Province)
  CLI keyword: state-or-prov
  The state or province where your organization is located.

Country
  Web UI field: Country
  CLI keyword: country-code
  The two-letter country code of the country where your organization is located.

Issued By
  Web UI field: Issued By
  CLI keyword: none
  The Distinguished Name (DN) of the certificate issuer, built from the identification attributes described above. For brevity, the Web UI shows only the Common Name and Organization in the Issued By field. The CLI has no specific "Issued By" line of output; it lists the issuer attributes under Issuer.

Time Remaining
  Web UI field: Days before expiration
  CLI keyword: days-valid
  The number of days until the certificate expires.

Expire Date
  Web UI field: Expire Date
  CLI keyword: none
  The date and time the certificate expires.

Status
  Web UI field: Status
  CLI keyword: none
  Whether the certificate is valid. After a certificate expires, it is no longer valid.

Key Bits
  Web UI field: none
  CLI keyword: key-size-bits
  The size of the key pair, in bits.

Serial Number
  Web UI field: Serial Number
  CLI keyword: serial-num
  A unique number that the issuer assigned to the certificate.

Email Address
  Web UI field: none
  CLI keyword: email-addr
  The email address used to contact the certificate holder (also known as the certificate subject).

Comment
  Web UI field: none
  CLI keyword: comment
  Descriptive information about the certificate.

Certificate Type
  Web UI field: none
  CLI output label: Certificate Type
  The class of public key algorithm used for the certificate's key pair. Valid values are ECDSA and RSA.

Private Key
  Web UI field: none
  CLI output label: Private Key
  Whether a matching private key for the certificate is present.

SHA-1 Fingerprint
  Web UI field: none
  CLI output label: SHA-1 Fingerprint
  The SHA-1 hash of the DER-encoded certificate. Use it to identify the certificate and to confirm that a copy presented to a browser or exported to a file is the one on the appliance.

Subject Hash
  Web UI field: none
  CLI output label: Subject Hash
  A hash value derived from the subject of the certificate, used to look certificates up by subject.

Version
  Web UI field: Version
  CLI output label: Version
  The X.509 standard version.

Subject Public Key Algorithm
  Web UI field: Public Key Algorithm
  CLI output label: Subject Public Key Algorithm
  The type of public key in the certificate. Valid values are id-ecPublicKey (unrestricted elliptic curve keys, defined in RFC 5480) and rsaEncryption (RSA keys, defined in RFC 2437).

Subject Public Key Length
  Web UI field: Public-Key
  CLI output label: Subject Public Key Length
  The length of the public key, in bits (for example, 2048 bits).

Signature Algorithm
  Web UI field: Signature Algorithm
  CLI output label: Signature algorithm
  The hash and public key scheme with which the issuer signed the certificate, for example sha256WithRSAEncryption.

Prerequisites

- Operator or Admin access

Defining Default Certificate Attributes Using the CLI

Use the commands in this section to define default certificate attributes.

To define attributes:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Define the default value:

hostname (config) # crypto certificate generation default attribute value

3. Repeat the previous step for each attribute you want to change.

4. Save your changes:

hostname (config) # write memory

5. (Optional) Regenerate the certificates to apply the updated attributes. Changed defaults affect only certificates that are generated or regenerated afterwards; existing certificates keep the attributes they were issued with.

hostname (config) # crypto certificate name certificateName regenerate

Example

This example changes the organizational unit to Information Technology. It then regenerates the web-cert certificate to apply the updated attribute value, and displays the certificate to verify the change.

hostname (config) # crypto certificate generation default org-unit "Information Technology"
hostname (config) # crypto certificate name web-cert regenerate
Successfully regenerated certificate with name 'web-cert'
hostname (config) # show crypto certificate name web-cert

Adding Supplemental CA Certificates

CA certificates (also known as peer certificates) are part of a chain of authority used to verify a remote server or endpoint. SSL-enabled applications can consult the following to find a suitable CA certificate:

- Public CA bundle: The appliance has an internal bundle of well-known trusted CA certificates distributed by Mozilla. They serve as root CA certificates for HTTPS servers that have publicly issued certificates.
- Supplemental CA list: Some SSL-enabled applications connect to HTTPS servers that have privately issued certificates. Examples include the email server used to send system event notifications, the LDAP server used to authenticate users, the server used to transfer files, and the server used to post malware alert notifications. You must add the trusted private root certificate and intermediate certificates (if needed) as supplemental CA certificates to validate the certificates on these servers.

Supplemental CA certificates are stored in the default CA list, which is empty until supplemental CA certificates are added. The default CA list supplements the well-known bundle; it does not replace it.

A server with a publicly issued certificate could start using a new certificate whose issuing CA is not yet part of the well-known bundle. In this case, you must add that CA's certificate to the default CA list as a supplemental certificate.

By default, most SSL-enabled applications refer to the well-known bundle first, and then look for a certificate in the default CA list. You can configure some applications to use only the well-known bundle. For details, see the email ssl ca-list, ldap ssl ca-list, and web client ssl ca-list commands in the FireEye CLI Reference. An exception is malware event notifications, where the appliance always refers to the default CA list to verify the identity of the server to which it posts the notifications.

Prerequisites

- Operator or Admin access

Adding Supplemental CA Certificates Using the Web UI

Use the CA Certificates section of the Settings: Certificates/Keys page to add a supplemental CA certificate to the default CA list.

To add a supplemental CA certificate:

1. Click the Settings tab.
2. Click Certificates/Keys in the sidebar.
3. Click Add Root/Intermediate CA Certificate.
4. Click Choose File.
5. In the dialog box that opens, navigate to the certificate file in your local file system.
6. Click Commit.

Adding Supplemental CA Certificates Using the CLI

Use the commands in this section to add a certificate to the certificate database, and then add it to the default CA list as a supplemental certificate.

You can also download the certificate, as described in Downloading a Certificate Using the CLI on page 248.

To add a supplemental CA certificate:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Import the certificate:

hostname (config) # crypto certificate name certificateName public-cert pem "pemString" [comment "commentText"]

where:

- certificateName must be unique; it cannot be the name of an existing certificate in the certificate database.
- pemString is the public certificate PEM string. It must include the BEGIN and END delimiter strings and be enclosed in double quotation marks.
- commentText is the text for the comment, and must be enclosed in double quotation marks.

3. (Only if the appliance also needs the key) Import the private key. A CA certificate that serves purely as a trust anchor for verifying other servers is used with its public part only; its private key belongs with the CA and does not need to be on the appliance.

- To add the private key directly:

hostname (config) # crypto certificate name certificateName private-key pem "pemString"

where pemString is the private key PEM string. It must include the BEGIN and END delimiter strings and must be enclosed in double quotation marks.

- To prompt for the private key with secure echo, so asterisks are displayed instead of the PEM string characters:

hostname (config) # crypto certificate name certificateName prompt-private-key

Any commentary outside the BEGIN and END delimiter strings is ignored.

4. Add the certificate to the default CA list:

hostname (config) # crypto certificate ca-list default-ca-list name certificateName

5. Verify your changes:

hostname (config) # show crypto certificate ca-list

6. Save your changes:

hostname (config) # write memory

Renaming a Certificate

You can rename certificates that do not have reserved names. Reasons for doing so include:

- You want to use a named certificate with a private key as the Web server certificate. Because the Web server requires a certificate with the reserved name web-cert, you must rename it before activating it.
- Reusing a certificate name for convenience.
- Saving an older certificate under another name as a backup.

Each certificate name must be unique, so the renaming operation fails if a certificate with the same name already exists.

Prerequisites

- Operator or Admin access

Renaming a Certificate Using the CLI

Use the commands in this section to rename a certificate.

To rename a certificate:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Rename the certificate:

hostname (config) # crypto certificate name currentName rename newName

3. Save your change:

hostname (config) # write memory

Example

The following example renames the "server" certificate to "web-cert" so it can be activated for the Web server, and then activates it. If a web-cert certificate already exists, rename it first (for example to a backup name of your choosing) or delete it; otherwise the rename fails.

hostname (config) # crypto certificate name server rename web-cert
hostname (config) # web server certificate name web-cert

Improving Certificate Security

You can do the following to improve the security of your certificates:

• Increase the minimum key size, which increases the strength of the keys and of the signatures made with them.

• Specify that only secure hash signature algorithms (sha256WithRSAEncryption, sha384WithRSAEncryption, or sha512WithRSAEncryption) be used. Certificates with the sha1WithRSAEncryption signature algorithm will be removed from the default CA list, and from the Web server.

If the Web server certificate is removed, it is replaced by the system self-signed certificate. Check which certificates the new policy will affect before you enable it, so that the Web UI does not unexpectedly fall back to the self-signed certificate.

Prerequisites

• Operator or Admin access


Improving Certificate Security Using the CLI

Use the commands in this section to increase the minimum key size and specify that secure hashes be used.

To specify the minimum key size:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Specify the size:

hostname (config) # crypto certificate min-key-size bits

where bits is the minimum number of bits.

You cannot generate a self-signed certificate with a key that is longer than 8192 bits.

3. Save your changes:

hostname (config) # write memory

To specify that secure hashes be used:

1. Enable the CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Require secure hashes:

hostname (config) # crypto certificate secure-hashes-only

3. Save your change:

hostname (config) # write memory

To remove the requirement for secure hashes, use the no crypto certificate secure-hashes-only command.
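Before you enable min-key-size or secure-hashes-only, it helps to know which certificates will be dropped from the default CA list or the Web server. The following is an added example, not part of this guide or the appliance software: a standard-library Python checker that reads a PEM certificate's signature algorithm OID and RSA modulus length with a minimal DER walker and reports what the two settings would reject. Like the import command, it ignores commentary outside the BEGIN and END delimiters. The certificate it builds for its own demonstration (fake_certificate_pem) is a constructed, certificate-shaped blob rather than a valid X.509 certificate; to check real certificates, pass their PEM text to check_certificate. Non-RSA keys come back with key size None and are flagged.

```python
"""Offline check of PEM certificates against a minimum RSA key size and the secure-hashes-only rule."""
import base64

SEQUENCE, INTEGER, BIT_STRING, NULL, OID = 0x30, 0x02, 0x03, 0x05, 0x06
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # subjectPublicKeyInfo algorithm OID for RSA keys
SIG_NAMES = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
             "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
             "1.2.840.113549.1.1.13": "sha512WithRSAEncryption"}
SECURE_HASHES = {"1.2.840.113549.1.1.11", "1.2.840.113549.1.1.12", "1.2.840.113549.1.1.13"}

def pem_to_der(pem):
    """Decode the base64 between BEGIN/END; commentary outside the delimiters is ignored."""
    body, inside = [], False
    for line in pem.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN"):
            inside = True
        elif line.startswith("-----END"):
            break
        elif inside:
            body.append(line)
    return base64.b64decode("".join(body))

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    out, pos = [], 0                          # split a constructed element into (tag, content) children
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(raw):
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:                      # base-128 arcs; high bit set on all but the last byte
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def rsa_modulus_bits(content):
    """Find AlgorithmIdentifier{rsaEncryption} + the BIT STRING wrapping RSAPublicKey; return modulus bits."""
    kids = children(content)
    for i, (tag, body) in enumerate(kids):
        if tag != SEQUENCE:
            continue
        inner = children(body)
        if (inner and inner[0][0] == OID and decode_oid(inner[0][1]) == RSA_ENCRYPTION
                and i + 1 < len(kids) and kids[i + 1][0] == BIT_STRING):
            rsa_public_key = children(kids[i + 1][1][1:])[0]      # [1:] skips the unused-bits byte
            return int.from_bytes(children(rsa_public_key[1])[0][1], "big").bit_length()
        found = rsa_modulus_bits(body)        # recurse: the SPKI sits inside TBSCertificate
        if found:
            return found

def check_certificate(pem, min_key_size=2048, secure_hashes_only=True):
    """Report signature algorithm, key size and the violations that would drop the certificate."""
    _, cert, _ = read_tlv(pem_to_der(pem), 0)
    (_, tbs), (_, sig_alg) = children(cert)[:2]   # Certificate ::= SEQUENCE {tbs, signatureAlgorithm, signature}
    sig_oid = decode_oid(children(sig_alg)[0][1])
    bits = rsa_modulus_bits(tbs)
    problems = []
    if secure_hashes_only and sig_oid not in SECURE_HASHES:
        problems.append("signature algorithm %s is not a secure hash" % SIG_NAMES.get(sig_oid, sig_oid))
    if bits is None or bits < min_key_size:
        problems.append("key size %s is below the %d-bit minimum" % (bits, min_key_size))
    return {"signature_algorithm": SIG_NAMES.get(sig_oid, sig_oid), "key_bits": bits, "problems": problems}

# Constructed sample input: a certificate-shaped DER blob (serial, signature, SPKI, zero signature), not a valid X.509 certificate.
PKCS1_PREFIX = bytes.fromhex("2a864886f70d0101")     # 1.2.840.113549.1.1 in DER

def pkcs1_oid(dotted):
    return PKCS1_PREFIX + bytes([int(dotted.rsplit(".", 1)[1])])   # last arc of a pkcs-1 OID is < 128

def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def fake_certificate_pem(sig_oid, key_bits):
    modulus = ((1 << (key_bits - 1)) | 1).to_bytes(key_bits // 8, "big")
    rsa_key = tlv(SEQUENCE, tlv(INTEGER, b"\x00" + modulus) + tlv(INTEGER, b"\x01\x00\x01"))
    spki = tlv(SEQUENCE, tlv(SEQUENCE, tlv(OID, pkcs1_oid(RSA_ENCRYPTION)) + tlv(NULL, b""))
               + tlv(BIT_STRING, b"\x00" + rsa_key))
    alg = tlv(SEQUENCE, tlv(OID, pkcs1_oid(sig_oid)) + tlv(NULL, b""))
    tbs = tlv(SEQUENCE, tlv(INTEGER, b"\x01") + alg + spki)
    der = tlv(SEQUENCE, tbs + alg + tlv(BIT_STRING, bytes(key_bits // 8 + 1)))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()
```

Run check_certificate over every certificate you intend to keep in the CA list with the same min_key_size and secure_hashes_only values you plan to configure; anything that returns a non-empty problems list will disappear when the policy takes effect.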


CHAPTER 18: Backing Up and Restoring the Appliance Database

This section describes how to back up and restore the appliance database and how to manage backup files on the appliance. It includes the following topics:

• Introduction

• Viewing the Last Backup and Restore Results

• Estimating the Space Needed for the Backup File

• Backing Up the Database

• Scheduling Automatic Backups

• Downloading Backup Files

• Uploading Backup Files

• Restoring the Database from a Backup File

• Deleting Previous Backup Files

Database Backup and Restore Introduction

You can back up, restore, upload, download, and delete the appliance configuration and data. You can restore a database from a previous backup. Backup files can be deleted to free space for new backups.

You can control what data is backed up using one of the following profiles:

• config—Backs up the configuration database and appliance-specific data.

• config+fedb—Backs up the configuration database, FireEye appliance database, and appliance-specific data.

• fedb—Backs up the FireEye appliance database.

• full—Backs up the configuration database, FireEye appliance database, appliance-specific data, and detected data (malware, alerts, reports, videos, and so on).

Guest images and license keys are not included in the backup. You must reinstall the guest images and license keys separately. Network settings can be restored.


Task List for Backing Up and Restoring the Database

Complete the steps for backing up and restoring the database in the following order:

1. Log in to the Web UI or CLI.

2. Verify the status of the last backup and restore operations. For details about how to view the last backup and restore operations, see Viewing the Last Backup and Restore Results.

3. Estimate the space needed for the backup file for a particular profile. For details about how to estimate the space needed, see Estimating the Space Needed for the Backup File.

4. Specify a backup profile and a location for the backup file. Decide whether to include public and private key encryption. Start the backup. For details about how to specify a backup profile, include encryption, and start or cancel the backup, see Backing Up the Appliance Database.

To schedule how often you want the backup job to automatically run, see Scheduling Automatic Backups.

To restore the database, select the backup file. For details about how to restore the database, see Restoring the Appliance Database from a Backup File.

5. Monitor the status of the backup or restore operation.

Viewing the Last Backup and Restore Results

You can view the details for the last backup and restore operations.

Details of the last backup include the following:

• Status of the backup (such as "running")

• Type of backup profile

• Destination of the backup file

• Start time of the backup

• End time of the backup

• Result of the backup (such as "success")

Details of the last restore include the following:

• Status of the restore (such as "running")

• Type of restore profile

• Source of the restore file

• Start time of the restore


• End time of the restore

• Result of the restore (such as "success")

After a backup or restore operation, the appliance marks the result as success or failure. While a backup or restore operation is in process, the appliance displays the status as "running".

Prerequisites

• Admin access

Viewing the Last Backup and Restore Results Using the Web UI

The Settings: Appliance Backup & Restore page displays the status details about the last backup and restore operation. Example status details are shown in the following illustration.

Viewing the Last Backup and Restore Results Using the CLI

Use the commands in this section to view the status for the last backup and restore operations.

To view the details of the last backup:

1. Enable the CLI enable mode.

hostname > enable

2. Enter the show backup status command.

hostname # show backup status
Backup status: not-running
Last backup profile: full
Last backup destination: local
Last backup start time: 2015/08/08 18:32:58.112
Last backup end time: 2015/08/08 18:34:26.301
Last Backup result: success


To view the details of the last restore:

1. Enable the CLI enable mode.

hostname > enable

2. Enter the show restore status command.

hostname # show restore status
Restore status: not-running
Last restore profile: fedb
Last restore source: usb
Last restore start time: 2015/08/08 21:13:53.151
Last restore end time: 2015/08/08 21:13:53.151
Last restore result: success

Estimating the Space Needed for the Backup File

The appliance estimates the size of the backup file and calculates the amount of space it needs. The available space must be greater than the estimated space required to perform the backup operation. The size depends on the profile you select (described in Database Backup and Restore Introduction on page 259).

Details of the backup estimates for each profile include the following:

• Size estimate of the database file based on the backup profile

• Available space based on the backup profile

• Whether the backup can be performed

Prerequisites

• Admin access to run the estimate

• Monitor, Operator, or Admin access to view the backup estimate using the CLI. (In the Web UI, these roles can view only existing backup files, not the backup estimate.)

Estimating the Space Needed for the Backup File Using the Web UI

Use the Appliance Backup & Restore page to estimate the space needed for the backup file.

To estimate the space needed for the backup file:

1. Click the Settings tab.

2. Click Appliance Backup & Restore on the sidebar.

3. Select the profile you want to estimate. (See Database Backup and Restore Introduction on page 259 for descriptions.)


4. Click Estimate in the Estimate Backup column.

Details of the backup estimates for the selected profile are displayed.

Estimating the Space Needed for the Backup File Using the CLI

Use the commands in this section to estimate the space needed for the backup file.

To estimate the space needed for the backup file:

1. Enable the CLI enable mode.

hostname > enable
hostname #

2. View the estimate for the type of backup profile.

• To view the estimate for the configuration database, enter:

hostname # show backup estimate profile config

• To view the estimate for the FireEye appliance database, enter:

hostname # show backup estimate profile fedb

• To view the estimate for both the configuration database and the FireEye appliance database, enter:

hostname # show backup estimate profile config+fedb

• To view the estimate for the configuration database, FireEye appliance database, and detected data (malware, alerts, reports, and so on), enter:

hostname # show backup estimate profile full

Example

The following example displays the estimates that are available for a full backup operation:

hostname # show backup estimate profile full
------------------------------------------------
# Estimates for full backup
------------------------------------------------
Local space available                : 950462 MB
Space reserved for other purposes    : 502295 MB
Space available for backups          : 448167 MB
Estimated space required for backup  : 1736 MB
Can perform local or remote backup   : yes
USB space available                  : 1764 MB
Can perform USB backup               : yes
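The show backup status output earlier in this chapter and the show backup estimate output above are what an operator polls to catch a backup that failed, stalled, went stale, or no longer fits on the appliance. As an added example (not from this guide or the appliance software), the Python below parses constructed copies of both outputs, laid out like the examples in this chapter, and returns a list of findings. The one-day staleness and two-hour running thresholds are this example's own choices, and cli_time exists only to build timestamps in the CLI's format; in practice you would feed it the text captured from the two commands.

```python
"""Alert on an unhealthy backup state from `show backup status` and `show backup estimate` output."""
from datetime import datetime, timedelta

TIMESTAMP = "%Y/%m/%d %H:%M:%S.%f"            # e.g. 2015/08/08 18:32:58.112 in the CLI output


def cli_time(text):
    """Parse a timestamp written the way the CLI prints it."""
    return datetime.strptime(text, TIMESTAMP)


def parse_fields(output):
    """Turn 'Name : value' lines into a dict; rule and comment lines are skipped."""
    fields = {}
    for line in output.splitlines():
        if ":" not in line or line.lstrip().startswith(("#", "-")):
            continue
        key, _, value = line.partition(":")      # first colon only; timestamps contain more
        fields[key.strip().lower()] = value.strip()
    return fields


def megabytes(value):
    return int(value.split()[0])                 # "448167 MB" -> 448167


def backup_findings(status_output, estimate_output, now,
                    max_age=timedelta(days=1), max_running=timedelta(hours=2)):
    """Return a list of problems; an empty list means the last backup looks healthy and the next one fits."""
    status, estimate = parse_fields(status_output), parse_fields(estimate_output)
    findings = []
    if status.get("backup status") == "running":
        started = cli_time(status["last backup start time"])
        if now - started > max_running:
            findings.append("backup running since %s, longer than %s" % (started, max_running))
    else:
        result = status.get("last backup result", "unknown")
        if result != "success":
            findings.append("last backup result: %s" % result)
        ended = cli_time(status["last backup end time"])
        if now - ended > max_age:
            findings.append("last backup ended %s, older than %s" % (ended, max_age))
    required = megabytes(estimate["estimated space required for backup"])
    available = megabytes(estimate["space available for backups"])
    # The guide requires available space to be strictly greater than the estimate.
    if estimate.get("can perform local or remote backup") != "yes" or available <= required:
        findings.append("insufficient space: %d MB available, %d MB required" % (available, required))
    return findings


# Constructed sample output, laid out like the examples in this chapter.
STATUS = """\
Backup status: not-running
Last backup profile: full
Last backup destination: local
Last backup start time: 2015/08/08 18:32:58.112
Last backup end time: 2015/08/08 18:34:26.301
Last Backup result: success
"""
ESTIMATE = """\
------------------------------------------------
# Estimates for full backup
------------------------------------------------
Local space available                : 950462 MB
Space reserved for other purposes    : 502295 MB
Space available for backups          : 448167 MB
Estimated space required for backup  : 1736 MB
Can perform local or remote backup   : yes
USB space available                  : 1764 MB
Can perform USB backup               : yes
"""

if __name__ == "__main__":
    for finding in backup_findings(STATUS, ESTIMATE, cli_time("2015/08/09 06:00:00.000")) or ["backup state healthy"]:
        print(finding)
```

Because a backup left in the "running" state blocks nothing on the appliance but also never completes, the running-too-long check is the one most often missed; the space check uses the same strict comparison the appliance applies before it starts a backup.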

Backing Up the Database

You can save the backup file three ways:

• To a local destination on the appliance

• To a remote server

• To a USB device connected to your local machine

Use the media usb mount command to mount the USB device to the attached appliance. If the USB device is mounted, use the media usb eject command to unmount the USB device. For details about how to mount or unmount a USB device, see Mounting or Unmounting a USB Device.

The appliance must have sufficient space to save one backup. You cannot proceed with the backup operation if there is not enough space. For information about estimating the amount of space, see Estimating the Space Needed for the Backup File on page 262.

The appliance is fully functional while the backup operation is in process.

Prerequisites

• Admin access

Backing Up the Appliance Database Using the Web UI

Use the Settings: Appliance Backup & Restore page to back up the database.

This illustration is from an NX Series appliance.

To back up the database:

1. Click the Settings tab.

2. Click Appliance Backup & Restore on the sidebar.


3. Locate the backup profile, then select the backup location from the drop-down list.

• Local—Saves the backup file to a local destination on the appliance.

• USB—Saves the backup file to a USB device connected to your local machine.

• Remote Server—Saves the backup file to a remote server.

See Database Backup and Restore Introduction on page 259 for a description of each backup profile.

4. If you selected Remote Server, enter the remote location to save the backup file in the Remote URL or Server Location column using the following format:

scp://username:password@hostname/remote path

The password is carried in the URL itself, so use a dedicated account on the remote server that can write only to the backup path, and protect the backup files on that server as carefully as the appliance: a full backup contains the configuration, alerts, and captured malware.

5. Enter a custom prefix for the backup file name in the File Name Prefix column.

You can use the prefix to sort the list of the backup files.

6. (Optional) Clear the Encrypt checkbox to disable public and private key encryption for the backup operation. Each backup file is signed by default using the public and private key pairs. By default, encryption is always included in the backup.

Encryption delays the backup operation. Backups are encrypted only using static keys.

7. Click Backup in the Action column.

A progress bar indicates the status of the backup operation.

To cancel a database backup that is in progress, click the red X in the progress bar.

Backing Up the Database Using the CLI

Use the commands in this section to back up the database.

To back up the database:

1. Enable the CLI configuration mode.

hostname > enable
hostname # configure terminal

2. Specify the type of profile.

• To set the profile for the configuration database, enter:

hostname (config) # backup profile config

• To set the profile for the FireEye appliance database, enter:

hostname (config) # backup profile fedb


• To set the profile for both the configuration database and the FireEye appliance database, enter:

hostname (config) # backup profile config+fedb

• To set the profile for the configuration database, FireEye appliance database, and detected data (malware, alerts, reports, and so on), enter:

hostname (config) # backup profile full

3. Specify the location for the backup file.

• To save the backup file to a local destination on the appliance:

hostname (config) # backup profile <profile> to local

• To save the backup file on a remote server:

hostname (config) # backup profile <profile> to <url>

where <url> is the specified remote location using the following format:

scp://username:password@hostname/remote path

The password is part of the URL you type, so use a dedicated account on the remote server that is limited to the backup path.

• To save the backup file to a USB drive on your local machine:

hostname (config) # backup profile <profile> to usb

4. Specify a custom prefix for the backup file name:

hostname (config) # backup profile <profile> to <backupLocation> prefix <prefix>

where valid characters for <prefix> are A–Z, a–z, 0–9, and _.

You can use the prefix to sort the list of the backup files.

5. (Optional) Monitor the progress of the backup operation.

• To disable progress tracking for the backup operation:

hostname (config) # backup profile <profile> to <backupLocation> progress no-track

• To enable progress tracking for the backup operation:

hostname (config) # backup profile <profile> to <backupLocation> progress track

By default, progress tracking is enabled.

You can cancel progress tracking by using Ctrl+C. The backup operation still happens in the background. Use the show backup status command to find the status of the backup operation.

6. (Optional) Disable public and private key encryption for the backup operation.

hostname (config) # backup profile <profile> to <backupLocation> no-encryption

Each backup file is signed by default using the public and private key pairs. By default, encryption is always included in the backup.


Encryption delays the backup operation. Backups are encrypted only using static keys.

To cancel a backup that is in progress, enter the backup cancel command. When you cancel the backup operation that is in progress, the system finishes the current step before canceling the entire operation.

Example

The following example backs up the configuration database, detected data, and artifacts to a local destination on the appliance:

hostname (config) # backup profile full to local
Step 1 of 4: Backing up config db
100.0% [#################################################################]
Step 2 of 4: Backing up fedb
100.0% [#################################################################]
Step 3 of 4: Backing up Artifacts
100.0% [#################################################################]
Step 4 of 4: Generating Backup package
100.0% [#################################################################]

Scheduling Automatic Backups

You can configure and enable automatic backup jobs. You can specify how often you want the backup job to run automatically.

You can schedule automatic backup jobs only using the CLI.

Additional space is required when you schedule automatic backups to run frequently. You must monitor the generated backups and delete the unnecessary backups.

Prerequisites

• Admin access

Scheduling Automatic Backups Using the CLI

Use the commands in this section to schedule automatic backups for the database.


To configure the scheduled backup job:

1. Enable the CLI configuration mode.

hostname > enable
hostname # configure terminal

2. Create the job by specifying the job ID.

hostname (config) # job <job_ID>

3. Specify the sequence number for the scheduled backup job.

hostname (config) # job <job_ID> command <sequence_number>

4. Use the backup profile command to specify the type of profile.

hostname (config) # job <job_ID> command <sequence_number> "backup profile <profile>"

• To schedule the backup job for the configuration database:

hostname (config) # job <job_ID> command <sequence_number> "backup profile config"

• To schedule the backup job for the FireEye appliance database:

hostname (config) # job <job_ID> command <sequence_number> "backup profile fedb"

• To schedule the backup job for both the configuration database and the FireEye appliance database:

hostname (config) # job <job_ID> command <sequence_number> "backup profile config+fedb"

• To schedule the backup job for the configuration database, FireEye appliance database, and detected data (malware, alerts, reports, and so on):

hostname (config) # job <job_ID> command <sequence_number> "backup profile full"

5. Use the backup profile command to specify the location for the backup file.

hostname (config) # job <job_ID> command <sequence_number> "backup profile <profile> to <backup_location>"

• To schedule the backup job to a local destination on the appliance:

hostname (config) # job <job_ID> command <sequence_number> "backup profile <profile> to local"

• To schedule the backup job on a remote server:

hostname (config) # job <job_ID> command <sequence_number> "backup profile <profile> to <url>"

where <url> is the specified remote location using the following format:

scp://username:password@hostname/remote path

The job command, including the password in the URL, is saved as part of the appliance configuration when you write memory, so anyone who can read the configuration can read the credential. Use a dedicated account on the remote server that can write only to the backup path.

• To schedule the backup job to a USB drive on your local machine:


hostname (config) # job <job_ID> command <sequence_number> "backup profile <profile> to usb"

6. Save your changes.

hostname (config) # write memory

To schedule automatic backups for the database:

1. Specify how often you want the backup job to run automatically.

• To schedule daily, enter the end date, start date, or time:

hostname (config) # job <job_ID> schedule daily end date <yyyy/mm/dd>
hostname (config) # job <job_ID> schedule daily start date <yyyy/mm/dd>
hostname (config) # job <job_ID> schedule daily time <hh:mm:ss>

where <yyyy/mm/dd> specifies the end or start date for the backup job, and <hh:mm:ss> specifies the time to start the backup job based on a 24-hour clock.

• To schedule monthly, enter:

hostname (config) # job <job_ID> schedule monthly day-of-month <day>

where <day> is the day of the month the backup should occur.

• To schedule once, enter:

hostname (config) # job <job_ID> schedule once time <hh:mm:ss> date <yyyy/mm/dd>

where <hh:mm:ss> specifies the time to start the backup job based on a 24-hour clock, and <yyyy/mm/dd> specifies the date to start the backup job.

• To schedule periodically, enter the end and start date or time interval:

hostname (config) # job <job_ID> schedule periodic end date <yyyy/mm/dd> time <hh:mm:ss>
hostname (config) # job <job_ID> schedule periodic start date <yyyy/mm/dd> time <hh:mm:ss>
hostname (config) # job <job_ID> schedule periodic interval <time_interval>

where <yyyy/mm/dd> specifies the end or start date for the backup job, <hh:mm:ss> specifies the end or start time for the backup job based on a 24-hour clock, and <time_interval> is specified in the format "2h3m4s".

• To schedule weekly:

hostname (config) # job <job_ID> schedule weekly day-of-week <day>

where <day> is the day of the week the backup job is scheduled to occur:


• sun
• mon
• tue
• wed
• thu
• fri
• sat

• To specify a type of schedule, enter:

hostname (config) # job <job_ID> schedule <type>

where <type> is the type of schedule for the backup job:

• once
• daily
• weekly
• monthly
• periodic

2. Enable the configuration for the scheduled backup job.

hostname (config) # job <job_ID> enable

3. Save your changes.

hostname (config) # write memory

4. Verify the status for the scheduled backup job. Enter the show job command.

hostname (config) # show job

Job 333:
   Status: pending
   Enabled: yes
   Continue on failure: no
   Schedule type: daily
   Time of day: 00:00:00
   Absolute start: 2014/12/07
   Absolute end: (no limit)
   Last exec time: N/A
   Next exec time: Sun 2014/12/07 00:00:00 +0000
Commands:
      Command 1: backup profile config to local


Downloading Backup Files

You can download backup files from the appliance to your local machine.

Backup files can be downloaded only using the Web UI.

Prerequisites

• Admin access

Downloading Backup Files Using the Web UI

Use the Settings: Appliance Backup & Restore page to download a backup file from the appliance to your local machine.

This illustration is from a CM Series platform.

To download a database backup file:

1. Click the Settings tab.

2. Click Appliance Backup & Restore on the sidebar.

3. In the Restore Available Backups section, locate the backup FEBKP file in the Backup Name (Profile) column.

4. Click the green arrow in the Download column to download the backup.

Uploading Backup Files

You can upload backup files from your local machine to the appliance. A single backup file can be uploaded to, and used to restore, more than one appliance. The uploaded backup files are stored in the same location as the backup files saved locally on the appliance.

Backup files can be uploaded only using the Web UI.


Prerequisites

• Admin access

Uploading Backup Files Using the Web UI

Use the Settings: Appliance Backup & Restore page to upload a backup file from your local machine to the appliance.

To upload a backup file from your local machine:

1. Click the Settings tab.

2. Click Appliance Backup & Restore on the sidebar.

3. In the Upload Backup File area, click Choose File, and then navigate to the backup file you want to upload.

4. Click Submit to upload the backup file from your local machine.

An error occurs if an invalid backup file is uploaded.

Restoring the Database from a Backup File

You can restore the backup from three locations:

• From your local appliance.

• From a remote server. Do not restore the current network settings while the appliance is performing a restore operation from a remote server.

• From a USB device connected to your local machine.


Usage Guidelines for Restoring the Database

Follow these usage guidelines when you are restoring the database from a backup file:

• The appliance will not be fully operational during the restore operation. For example, the alert detection process will stop during the restore operation.

• You cannot cancel the restore operation while it is in process.

• If the restore process fails, you can revert the appliance back to the factory-installed defaults. If you are restoring only the configuration database, the appliance will automatically revert back to the original configuration.

• Only backups taken with the config, config+fedb, or fedb profile can be restored across a software upgrade, that is, onto a later release than the one that created them. You cannot restore a backup across a software downgrade.

• You cannot restore a backup from another product family.

• You cannot restore a backup from a release earlier than NX Series 7.5.0.

Prerequisites

• Admin access

• Verify that you have a backup FEBKP file of the current database before you begin the restore operation.

• Locate the previous backup you want to restore.

• Verify the details for the appliance, backup profile, version, hostname, and date stamp. These details are validated while the restore operation is in process.
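Since a restore cannot be cancelled and takes detection offline while it runs, it is worth applying the guidelines above to a candidate backup before issuing the restore command. The Python below is an added example, not from this guide or the appliance software: it reads the product family, profile, release and date stamp from a FEBKP file name and returns the guideline violations that would block the restore onto a given appliance. The name layout (product family, profile, release, an opaque middle part such as IE-NX900, then date and time) is inferred from the two file names shown in this chapter, and the Full profile token used in the demonstration is an assumption; the appliance performs its own validation during the restore, so treat this as a pre-check rather than a substitute for it.

```python
"""Pre-restore check that applies the restore usage guidelines to a backup (FEBKP) file name."""
import re
from datetime import datetime

# Name layout inferred from the examples in this chapter, e.g.
# wMPS-Config-7.6.0-IE-NX900-20150807-220207.febkp: product family, profile, release,
# an opaque middle part (here "IE" and the model), then the date and time the backup was taken.
FEBKP_NAME = re.compile(
    r"^(?P<family>[A-Za-z]+)-(?P<profile>[A-Za-z+]+)-(?P<release>\d+(?:\.\d+)+)-"
    r"(?P<middle>.+)-(?P<date>\d{8})-(?P<time>\d{6})\.febkp$")
OLDEST_RESTORABLE = (7, 5, 0)                       # backups from earlier releases cannot be restored
UPGRADE_SAFE_PROFILES = {"config", "config+fedb", "fedb"}


def parse_release(text):
    return tuple(int(p) for p in text.split("."))   # "7.6.0" -> (7, 6, 0), comparable as a tuple


def parse_backup_name(name):
    m = FEBKP_NAME.match(name)
    if not m:
        raise ValueError("not a FEBKP backup name: %s" % name)
    return {"family": m.group("family"), "profile": m.group("profile").lower(),
            "release": parse_release(m.group("release")), "middle": m.group("middle"),
            "taken": datetime.strptime(m.group("date") + m.group("time"), "%Y%m%d%H%M%S")}


def restore_blockers(backup_name, appliance_family, appliance_release):
    """Return the guideline violations that would stop this backup restoring onto the given appliance."""
    info = parse_backup_name(backup_name)
    blockers = []
    if info["family"] != appliance_family:
        blockers.append("backup is from another product family (%s)" % info["family"])
    if info["release"] < OLDEST_RESTORABLE:
        blockers.append("backup was taken on a release earlier than 7.5.0")
    if info["release"] > appliance_release:
        blockers.append("restoring across a software downgrade is not supported")
    elif info["release"] < appliance_release and info["profile"] not in UPGRADE_SAFE_PROFILES:
        blockers.append("only config, config+fedb and fedb backups can be restored across an upgrade")
    return blockers


if __name__ == "__main__":
    # Constructed candidates; the first is the name used in this chapter's delete example.
    for name in ("wMPS-Config-7.6.0-IE-NX900-20150807-220207.febkp",
                 "eMPS-Config-7.6.0-IE-EX3400-20150802-172500.febkp"):
        print(name, restore_blockers(name, "wMPS", (7, 6, 1)) or ["ok to restore"])
```

Releases are compared as integer tuples rather than strings so that, for instance, 7.10.0 sorts after 7.6.0; the appliance's own release and product family are passed in explicitly because they are not recoverable from the backup name.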

Restoring the Database from a Backup File Using the Web UI

Use the Settings: Appliance Backup & Restore page to restore the database from a backup file.

This illustration is from an EX Series appliance.


To restore the database from a backup file:

1. Click the Settings tab.

2. Click Appliance Backup & Restore on the sidebar.

3. Locate the backup FEBKP file you want to restore in the Backup Name (Profile) column.

You have the option to restore everything using a full profile or restore portions using one of the other profiles.

4. If you selected Remote Server, scroll down to enter the backup location of the remote server in the Remote URL or SCP box using one of the following formats:

https://username:password@hostname/remote path
scp://username:password@hostname/remote path

Then select the profile you want to restore from the drop-down list.

5. (Optional) Clear the Exclude Network Settings checkbox to include the network settings from the backup file. By default, the network settings are not included in the restore operation.

Do not restore the current network settings while the appliance is performing a restore operation from a remote server.

6. Click Restore to restore the backup.

7. In the confirmation dialog box, click OK.

The appliance will not be fully operational during the restore operation. You cannot cancel the restore operation while it is in process.

You must reinstall the guest images and license keys separately.

Restoring the Database from a Backup File Using the CLI

Use the commands in this section to restore the database from a backup file.

To restore the database from a backup file:

1. Enable the CLI configuration mode.

hostname > enable
hostname # configure terminal

2. Locate the backup FEBKP file you want to restore.

• To display a list of the backup files on the USB drive:

hostname (config) # show backup available on-usb


• To display a list of the backup files on the appliance:

hostname (config) # show backup available local

3. Specify a backup profile.

• To set the profile for the configuration database:

hostname (config) # restore profile config

• To set the profile for the appliance database:

hostname (config) # restore profile fedb

• To set the profile for both the configuration database and the appliance database:

hostname (config) # restore profile config+fedb

• To set the profile for the configuration database, appliance database, and detected data (malware, alerts, reports, and so on):

hostname (config) # restore profile full

4. Specify the location of the backup file.

• To restore the backup from the local destination on the appliance:

hostname (config) # restore profile <profile> from local

• To restore the backup from a remote server:

hostname (config) # restore profile <profile> from <url>

where <url> is the specified remote location using one of the following formats:

https://username:password@hostname/remote path
scp://username:password@hostname/remote path

• To restore the backup from a USB drive on your local machine:

hostname (config) # restore profile <profile> from usb

5. Enter the name of the backup file.

hostname (config) # restore profile <profile> from <backup_location> backup <name>

6. (Optional) Restore the network settings from the relevant backup:

hostname (config) # restore profile <profile> from <backup_location> backup <name> include-network-config

By default, the network settings are not included in the restore operation.

Do not restore the current network settings while the appliance is performing a restore operation from a remote server.

7. (Optional) Monitor the progress of the restore operation.

• To disable progress tracking for the restore operation:

hostname (config) # restore profile <profile> from <backup_location> backup <name> progress no-track


• To enable progress tracking for the restore operation:

hostname (config) # restore profile <profile> from <backup_location> backup <name> progress track

By default, progress tracking is enabled.

You can cancel progress tracking by using Ctrl+C. The restore operation still happens in the background. Use the show restore status command to find the status of the restore operation.

Example

The following example shows how to restore a configuration database backup from local on an EX Series appliance.

hostname (config) # restore profile config from local backup eMPS-Config-7.6.0-IE-EX3400-20150802-172500.febkp
Step 1 of 4: Performing Sanity checks
100.0% [#################################################################]
Step 2 of 4: Extracting backup package
100.0% [#################################################################]
Step 3 of 4: Restoring config db
100.0% [#################################################################]
Step 4 of 4: Restart system services
100.0% [#################################################################]

Deleting Previous Backup Files

You can delete previous backup files to free space for new backup files.

Prerequisites

• Admin access

Deleting Previous Backup Files Using the Web UI

Use the Settings: Appliance Backup & Restore page to delete a backup file.

This illustration is from an EX Series appliance.


To delete a backup:

1. Click the Settings tab.

2. Click Appliance Backup & Restore on the sidebar.

3. In the Restore Available Backups area, locate the backup FEBKP file you want to delete in the Backup Name (Profile) column.

4. Click the red X in the Delete column, as shown in the following example.

Deleting Previous Backup Files Using the CLI

Use the commands in this section to delete a backup file.

To delete a backup file:

1. Enable the CLI configuration mode.

hostname > enable
hostname # configure terminal

2. Specify the location of the backup file.

• To delete a file from the appliance, enter:

hostname (config) # backup delete from local

• To delete a file from a USB drive on your local machine, enter:

hostname (config) # backup delete from usb

To delete a remote backup file, you must log in to the remote server and delete the file manually.

3. Specify the name of the backup file to delete from the backup location.

hostname (config) # backup delete from <backup_location> name <backup_name>

where <backup_name> is the backup FEBKP file you want to delete.

Example

The following example shows how to delete a database backup that resides locally on an NX Series appliance.

hostname (config) # backup delete from local name wMPS-Config-7.6.0-IE-NX900-20150807-220207.febkp


CHAPTER 19: Configuring Network Address Translation (NAT)

The following sections describe how to add an appliance to the CM Series platform for management in a deployment in which the CM Series platform, the appliance, or both are behind a NAT gateway.

Network address translation (NAT) is not supported in CM Series high availability (HA) deployments.

• Address Mapping below
• Sending a Management Request in a NAT Deployment on page 289
• Configuring and Activating an Accessible DTI Server Address on page 284
• Configuring Global Host-Key Authentication in a NAT Deployment on page 295

Address Mapping

To implement NAT deployment in a CM Series network, a network administrator needs to map source-to-destination IP address and port pairs so a connection to the device behind the NAT gateway can be established. An appliance can carry its management and DTI network traffic over either one port or two; one port is the default, and appliances running earlier releases use two ports. (For more information, see Changing the Address Type for DTI Network Service Requests on page 102.)

For the single-port configuration, only the SSH port needs to be accessible. This port is used to initiate the connection, configure and monitor the appliance, and request software updates (such as guest images, security content, and appliance images) from the DTI source server. Port 22 is the default.

For the dual-port configuration, the following ports need to be accessible:

• Remote management (SSH) port. The management port used to initiate the connection, and for the CM Series platform to configure and monitor the appliance. Port 22 is the default.
• DTI network service (HTTPS) port. The port used to request software updates (such as guest images, security content, and appliance images) from the DTI source server. Port 443 is the default.


In the dual-port configuration, the network administrator must map an accessible DTI server IP address and HTTPS port (described in Configuring and Activating an Accessible DTI Server Address on page 284) if the CM Series platform is behind a NAT gateway.

The diagrams in the following sections illustrate the mapping that is required for each supported topology.

Some topologies use virtual IP addresses. These addresses are mapped on the NAT gateway to reach a CM Series platform or managed appliance that is in an internal network behind the gateway.

Only those addresses that need mapping are shown. If no mapping is indicated, the default IP addresses and default ports (22, or 22 and 443) will be used.

CM Series Platform Initiates Connection

The following diagrams show the required mapping when the CM Series platform initiates the process of adding an appliance for management.

The EX Series appliance represents the managed appliance in the diagrams for the single-port address type. The NX Series appliance represents the managed appliance in the diagrams for the dual-port address type. (Although it is not depicted in the diagrams, the EX Series appliance can also use the dual-port address type, and the NX Series appliance can use the single-port address type.)

CM Series Behind NAT Gateway

Single-port address type: The EX Series appliance is in an external network, so no mapping is required.

Dual-port address type: The NX Series appliance is in an external network, so no mapping is required for the CM Series platform to initiate the connection and then configure and manage the appliance. The CM Series platform is in an internal network, so the accessible DTI server IP address and HTTPS port must be mapped to the CM Series internal IP address and port 443 for the appliance to request software updates.


Appliance Behind NAT Gateway

Single-port address type: A virtual NAT IP address and port must be mapped to the EX Series internal IP address and port 22 for the CM Series platform to initiate the connection and then configure and monitor the appliance, and for the appliance to request software updates.

Dual-port address type: A virtual NAT IP address and port must be mapped to the NX Series internal IP address and port 22 for the CM Series platform to initiate the connection and then configure and manage the appliance. The CM Series platform is in an external network, so no mapping is required for the appliance to request software updates.

CM Series and Appliance Behind Different NAT Gateways

Single-port address type: A virtual NAT Gateway 2 IP address and port must be mapped to the EX Series internal IP address and port 22 for the CM Series platform to initiate the connection and then configure and monitor the appliance, and for the appliance to request software updates.


Dual-port address type: A virtual NAT Gateway 2 IP address and port must be mapped to the NX Series internal IP address and port 22 for the CM Series platform to initiate the connection and then configure and monitor the appliance.

The accessible DTI server IP address and HTTPS port must be mapped to a virtual NAT Gateway 1 IP address and port. The virtual NAT Gateway 1 IP address and port must be mapped to the CM Series internal IP address and port 443 for the appliance to request software updates.

CM Series and Appliance in External Networks

No mapping is required because the appliance is in an external network and the CM Series platform can access it. For details, see Adding an Appliance from the CM Series Platform.

Appliance Initiates Connection

The following diagrams show the required mapping when the appliance sends a request to be added to a CM Series platform for management.

CM Series Behind NAT Gateway

Single-port address type: A virtual NAT IP address and port must be mapped to the internal CM Series IP address and port 22 for the EX Series appliance to send a request to be added to the CM Series platform and request software updates, and for the CM Series platform to configure and manage the appliance.


Dual-port address type: A virtual NAT IP address and port must be mapped to the CM Series internal IP address and port 22 for the NX Series appliance to send a request to be added to the CM Series network, and for the CM Series platform to configure and monitor the appliance. The accessible DTI server IP address and HTTPS port must be mapped to the CM Series internal IP address and port 443 for the appliance to request software updates.

Appliance Behind NAT Gateway

No mapping is required because the CM Series platform is in an external network and the appliance can access it.

CM Series and Appliance Behind Different NAT Gateways

Single-port address type: The virtual NAT Gateway 1 IP address and port must be mapped to the CM Series internal IP address and port 22 for the appliance to send a request to be added to the CM Series platform and request software updates, and for the CM Series platform to configure and monitor the appliance.

Dual-port address type: The virtual NAT Gateway 1 IP address and port must be mapped to the CM Series internal IP address and port 22 for the appliance to send a request to be added to the CM Series platform, and for the CM Series platform to configure and monitor the appliance. The accessible DTI server IP address and HTTPS port must be mapped to a virtual NAT Gateway 1 IP address and port, and that virtual NAT Gateway 1 IP address and port must be mapped to the CM Series internal IP address and port 443 for the appliance to request software updates. (The DTI request always travels from the appliance to the CM Series platform, so no mapping of the appliance's own HTTPS port is needed.)

CM Series and Appliance in External Networks

No mapping is required because the CM Series platform is in an external network and the appliance can access it. For details, see Sending a Management Request to the CM Series Platform on page 98.
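The topology cases above all follow from one rule: a flow needs a mapping on the destination's NAT gateway exactly when the source is not behind that same gateway. The following script is an added example (not FireEye code) that encodes that rule and regenerates the required mappings for every combination of topology, initiator, and address type, including the "same NAT gateway" case the diagrams omit. Host and gateway labels (cm, nx, gw1, gw2) are assumed names; the ports are the documented defaults (SSH 22, HTTPS 443).

```python
"""Required NAT mappings for a CM Series / managed-appliance pairing.

Added example, not FireEye code. The rule applied here: a flow src -> dst
needs a virtual IP:port on dst's NAT gateway only if src does not sit
behind that same gateway. Labels are assumed; ports are the documented
defaults (SSH 22, HTTPS 443).
"""
from dataclasses import dataclass
from itertools import product
from typing import List, Optional


@dataclass(frozen=True)
class Host:
    name: str
    gateway: Optional[str]  # NAT gateway the host sits behind; None = external network


@dataclass(frozen=True)
class Mapping:
    flow: str         # which traffic the mapping carries
    to_host: str      # host whose internal address:port must be reachable
    on_gateway: str   # gateway where the virtual IP:port is created
    port: int         # internal port behind the mapping


def needs_mapping(src: Host, dst: Host) -> bool:
    """src -> dst needs a mapping only if dst is behind a gateway src does not share."""
    return dst.gateway is not None and src.gateway != dst.gateway


def required_mappings(cm: Host, appliance: Host, initiator: str,
                      address_type: str, ssh_port: int = 22,
                      https_port: int = 443) -> List[Mapping]:
    """initiator: 'cm' or 'appliance'. address_type: 'single' or 'dual'."""
    if initiator == "cm":
        flows = [("management (SSH)", cm, appliance, ssh_port)]
    elif initiator == "appliance":
        flows = [("management request (SSH)", appliance, cm, ssh_port)]
    else:
        raise ValueError(f"unknown initiator {initiator!r}")

    if address_type == "dual":
        # DTI software updates are a separate appliance -> CM HTTPS flow.
        flows.append(("DTI updates (HTTPS)", appliance, cm, https_port))
    elif address_type != "single":
        raise ValueError(f"unknown address type {address_type!r}")
    # Single-port: DTI requests ride the management SSH connection, nothing extra.

    return [Mapping(flow, dst.name, dst.gateway, port)
            for flow, src, dst, port in flows if needs_mapping(src, dst)]


def summarize(cm: Host, appliance: Host, initiator: str, address_type: str) -> str:
    """One-line summary of the mappings, suitable for a runbook."""
    maps = required_mappings(cm, appliance, initiator, address_type)
    if not maps:
        return "no mapping required"
    return "; ".join(f"{m.on_gateway}: virtual IP:port -> {m.to_host}:{m.port} for {m.flow}"
                     for m in maps)


if __name__ == "__main__":
    # Assumed topology labels; the diagrams in the text cover all but "same NAT gateway".
    topologies = {
        "CM behind NAT":          (Host("cm", "gw1"), Host("nx", None)),
        "appliance behind NAT":   (Host("cm", None),  Host("nx", "gw2")),
        "different NAT gateways": (Host("cm", "gw1"), Host("nx", "gw2")),
        "same NAT gateway":       (Host("cm", "gw1"), Host("nx", "gw1")),
        "both external":          (Host("cm", None),  Host("nx", None)),
    }
    for (label, (cm, nx)), init, atype in product(topologies.items(),
                                                   ("cm", "appliance"),
                                                   ("single", "dual")):
        print(f"{label:24} {init:9} {atype:6} -> {summarize(cm, nx, init, atype)}")
```

Run it before touching the NAT gateway: every mapping it lists is one hole you must open, and any mapping not listed (for example, exposing the appliance's own port 443) only widens the attack surface without helping the connection.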


Configuring and Activating an Accessible DTI Server Address

The CM Series platform can act as the DTI source for its managed appliances to download software updates (such as guest images, security content, and appliance images). In a dual-port configuration, management traffic goes through the SSH port, and DTI traffic goes through the HTTPS port. When the CM Series platform is behind a NAT gateway, it has an internal IP address that the managed appliances cannot reach.

In this environment, you must configure and activate an accessible address that the managed appliances will use as the DTI source for software updates. This address is the virtual NAT IP address and port that are mapped to the CM Series internal IP address and port 443. For details, see Configuring and Activating an Accessible DTI Server Address Using the CLI on the next page.

The accessible DTI server address must be configured and activated on each managed appliance. In addition, on managed appliances running a supported release (see note below), a "no override" flag needs to be set to prevent the default CM Series address from overriding the accessible address.

Any appliances behind the same NAT gateway as the CM Series platform will use the default CM Series platform as their DTI source and require no additional configuration.

An accessible DTI server address is required only in a dual-port configuration. If you change from dual-port to single-port communication, you must remove the "no override" flag and instead set an "override" flag to allow the CM Series platform to push the single-port settings to the managed appliance. For details, see Switching to Single-Port or Dual-Port Communication in a NAT Deployment on page 287.

Dual-port is the default configuration for appliances running releases earlier than Release 7.6.0. For details, see Changing the Address Type for DTI Network Service Requests on page 102.

Prerequisites

• Admin access


Configuring and Activating an Accessible DTI Server Address Using the CLI

Use the CLI commands in this section to configure a custom DTI source, and activate it as an accessible DTI server address for managed appliances using the dual-port address type. This is the address that should be used when the CM Series platform is behind a NAT gateway and in another network.

Do not use this procedure for any reason other than the scenario described above.

You must enter the commands in the order shown.

This configuration must be performed on each managed appliance. You can repeat the procedure on each appliance, or use appliance group functionality to configure the accessible address on multiple appliances at the same time.

Only one custom DTI source can be configured.

To configure the accessible address:

1. Log in to the appliance CLI.

2. Enable the CLI configuration mode:

appl-hostname > enable
appl-hostname # configure terminal

3. Configure the accessible address as the DTI source:

a. Prevent the local address from overriding the accessible address:

appl-hostname (config) # no fenet dti source override enable

b. Configure the IP address and port:

appl-hostname (config) # fenet dti source type CUSTOM address ipAddress port port

where ipAddress is the virtual NAT IP address. The port parameter is optional and defaults to 443 if it is not specified.

c. Specify the DTI server user and password:

appl-hostname (config) # fenet dti source type CUSTOM username username password password

d. Set "CUSTOM" as the default DTI source type:

appl-hostname (config) # fenet dti source default CUSTOM


4. Configure the accessible address as the DTI upload destination:

a. Prevent the local address from overriding the accessible address:

appl-hostname (config) # no fenet dti upload destination override enable

b. Configure the address and port:

appl-hostname (config) # fenet dti upload destination type CUSTOM address ipAddress port port

where ipAddress is the virtual NAT IP address and port is the HTTPS port. (The port parameter is optional if the port is 443.)

c. Specify the DTI server user and password:

appl-hostname (config) # fenet dti upload destination type CUSTOM username username password password

d. Set "CUSTOM" as the default DTI upload destination type:

appl-hostname (config) # fenet dti upload destination default CUSTOM

5. Configure the accessible address as the "mil" service address:

a. Prevent the local address from overriding the accessible address:

appl-hostname (config) # no fenet dti mil service override enable

b. Configure the address and port:

appl-hostname (config) # fenet dti mil service type CUSTOM address ipAddress port port

where ipAddress is the virtual NAT IP address and port is the HTTPS port. (The port parameter is optional if the port is 443.)

c. Specify the DTI server user and password:

appl-hostname (config) # fenet dti mil service type CUSTOM username username password password

d. Set "CUSTOM" as the default mil service type:

appl-hostname (config) # fenet dti mil service default CUSTOM

6. Verify the configuration. All three entries (download source, upload destination, update channel) should show CUSTOM with the virtual NAT address:

appl-hostname (config) # show fenet

7. Save your changes:

appl-hostname (config) # write memory

Deleting the Custom DTI Source

You can delete the custom DTI source, which removes it from the list of available options.

You cannot delete the custom DTI source if it is an active DTI source for managed appliances.


To delete the custom DTI source:

1. Enable the CLI configuration mode:

cm-hostname > enable
cm-hostname # configure terminal

2. Delete the custom DTI source:

cm-hostname (config) # no fenet dti source type CUSTOM

3. Verify your changes:

cm-hostname (config) # show fenet dti configuration

4. Save your changes:

cm-hostname (config) # write memory

Example

The following example configures a custom address and prevents the CM Series platform from overriding it with the CM Series local address.

appl-hostname (config) # no fenet dti source override enable
appl-hostname (config) # fenet dti source type CUSTOM address 3.3.3.6 port 2000
appl-hostname (config) # fenet dti source type CUSTOM username user8 password 123ABCXYZ
appl-hostname (config) # fenet dti source default CUSTOM
appl-hostname (config) # no fenet dti upload destination override enable
appl-hostname (config) # fenet dti upload destination type CUSTOM address 3.3.3.5 port 2000
appl-hostname (config) # fenet dti upload destination type CUSTOM username user8 password 123ABCXYZ
appl-hostname (config) # fenet dti upload destination default CUSTOM
appl-hostname (config) # no fenet dti mil service override enable
appl-hostname (config) # fenet dti mil service type CUSTOM address 3.3.3.5 port 2000
appl-hostname (config) # fenet dti mil service type CUSTOM username user8 password 123ABCXYZ
appl-hostname (config) # fenet dti mil service default CUSTOM
appl-hostname (config) # write memory
appl-hostname (config) # show fenet
DTI CLIENT CONFIGURATION:
Download source : CUSTOM ([email protected])
Upload destination : CUSTOM ([email protected])
Update channel : CUSTOM ([email protected])
Http proxy : None
Connect timeout : 30 (max tries: 3)
Speed Time : 60
Max Time : 14400
Rate Limit : None
Lockdown enabled : No

Switching to Single-Port or Dual-Port Communication in a NAT Deployment

Managed appliances communicate with the CM Series platform over a single port by default, but they can be configured to use two ports. (For details, see Changing the Address Type for DTI Network Service Requests on page 102.)


In the dual-port configuration, if the CM Series platform is in an internal network behind a NAT gateway, a custom DTI source address must be configured. The custom address allows the managed appliance to access the HTTPS port on the CM Series platform to request software updates from the DTI network. (For details, see Configuring and Activating an Accessible DTI Server Address on page 284.)

To configure the custom address, you must set a flag to prevent the CM Series platform from overriding the custom address settings. If you switch from dual-port to single-port communication, you must remove this flag so the CM Series platform can push the single-port settings to the managed appliance.

To switch from dual-port to single-port communication:

1. Log in to the appliance CLI.

2. Enable the CLI configuration mode.

appl-hostname > enable
appl-hostname # configure terminal

3. Allow the CM Series platform to push the single-port settings:

appl-hostname (config) # fenet dti source override enable
appl-hostname (config) # fenet dti upload destination override enable
appl-hostname (config) # fenet dti mil service override enable

4. Verify your changes:

appl-hostname (config) # show fenet

5. Save your changes:

appl-hostname (config) # write memory

To switch from single-port to dual-port communication:

• Perform the procedure in Configuring and Activating an Accessible DTI Server Address Using the CLI on page 285.

Example

The following example allows the CM Series platform to push the single-port settings to the appliance, after the address type was changed from dual-port to single-port. All three override flags are enabled; the output then shows every entry as managed by the CM Series platform.

appl-hostname (config) # fenet dti source override enable
appl-hostname (config) # fenet dti upload destination override enable
appl-hostname (config) # fenet dti mil service override enable
appl-hostname (config) # write memory
appl-hostname (config) # show fenet dti configuration

DTI CLIENT CONFIGURATION:
Download source : CMS ([email protected] : singleport) - Managed by CMS
Upload destination : CMS ([email protected] : singleport) - Managed by CMS
Update channel : CMS ([email protected] : singleport) - Managed by CMS
...

Sending a Management Request in a NAT Deployment

An appliance (for example, an NX Series) administrator can send a request to add the appliance to the CM Series platform. A rendezvous process enables the appliance to attempt the request and allows the CM Series administrator to see the list of pending requests.

Requirements for Establishing a Successful Connection

To send a management request and successfully establish and maintain the connection, the following must be in place:

• Automatic rendezvous attempts are enabled on the requesting appliance (disabled by default).
• The auto connect feature is enabled on the requesting appliance so it automatically tries to connect to the CM Series platform after the rendezvous attempt succeeds (enabled by default).

See Preparing an Appliance to Send a Management Request in a NAT Deployment on page 290 to verify and enable these settings.

• The appliance has a unique and permanent hostname. Pending requests from appliances with the same hostname or IP address will be rejected. If the hostname is changed, the connection will be broken and cannot be reset. If this happens, the appliance must be removed from the CM Series platform and then added again using the new hostname.
• The CM Series platform and the appliance have the same rendezvous service name. The rendezvous process has an identifier (known as the service name) that is set to "cmc" by default. The CM Series platform and the requesting appliance must have the same service name; if you change the service name on one, you must change it on the other as well. The cmc rendezvous service-name hostname command changes the service name; the no cmc rendezvous service-name command restores the default value. For details, see the FireEye CLI Reference.

Appliance-initiated connections are not supported in CM Series high availability (HA) deployments.


Prerequisites

• Operator or Admin access
• Network address translation (NAT) mapping, as described in Address Mapping:
  • If the requesting appliance is behind a NAT gateway: the virtual NAT address and port that map to the requesting appliance internal IP address and SSH port
  • If the CM Series platform is behind a NAT gateway:
    • The virtual NAT address and port that map to the CM Series internal IP address and SSH port
    • One of the following:
      • The accessible CM Series IP address and port, described in Configuring and Activating an Accessible DTI Server Address on page 284
      • Single-port communication enabled on the appliance, described in Changing the Address Type for DTI Network Service Requests on page 102

Preparing an Appliance to Send a Management Request in a NAT Deployment

Use the commands in this section to prepare an appliance in a NAT deployment to send a request for management to the CM Series platform.

To prepare to send a request:

1. Log in to the requesting appliance CLI.

2. Enable the CLI configuration mode:

appl-hostname > enable
appl-hostname # configure terminal

3. Enable automatic rendezvous attempts:

appl-hostname (config) # cmc rendezvous client auto

After automatic rendezvous is enabled, when the requesting appliance is behind a NAT gateway, the local IP address of the appliance will be included in the request instead of the mapped address. You must prevent the local IP address of the appliance from being part of the request, and then force the request to be sent again using the mapped address. These commands are included in the relevant procedures.

4. Verify that the auto connect feature is enabled:

a. View appliance (client) information:

appl-hostname (config) # show cmc client


b. If Autoconnect: no is shown, enable auto connect:

appl-hostname (config) # cmc client connection auto

5. Save your changes:

appl-hostname (config) # write memory

Sending a Management Request in a NAT Deployment Using the Appliance Web UI

Use the Settings: CMS Network page in the requesting appliance Web UI to initiate a request to be added to a CM Series platform.

To send a management request:

1. If the appliance has never sent a management request, ensure that it meets the requirements described in Preparing an Appliance to Send a Management Request in a NAT Deployment on the previous page.

2. Log in to the requesting appliance Web UI.

3. Select the Settings tab.

4. Click CMS Network on the sidebar.

5. In the CMS IP Address and Port boxes, do one of the following:

• If the CM Series is not behind a NAT gateway or is behind the same NAT gateway as the appliance: Enter the CM Series IP address and remote management port. The default port is 22.
• If the CM Series is behind a NAT gateway different from the appliance NAT gateway: Enter the accessible CM Series IP address and port.

6. In the CMS Username and CMS Password boxes, enter the admin credentials the appliance should use to log in to the CM Series platform to announce itself.

7. If the appliance is behind a NAT gateway, select the Appliance Behind NAT checkbox.


8. Click Send Request.

A message informs you that the request succeeded or failed, or that the appliance is already being managed by the CM Series platform. If the request succeeded, a CM Series administrator can accept or reject the request. An example success message is shown below:

See Accepting a Management Request in a NAT Deployment Using the Web UI for information about accepting the requests and adding the appliances to the CM Series platform.

Sending a Management Request in a NAT Deployment Using the Appliance CLI

Use the commands in this section to send a management request from an appliance in a NAT deployment to the CM Series platform.

The following topologies are supported:

• CM Series and Appliance Behind the Same NAT Gateway below
• Appliance Behind NAT Gateway and CM Series in External Network on the next page
• CM Series Behind NAT Gateway and Appliance in External Network on page 294
• CM Series and Appliance Behind Different NAT Gateways on page 294

If the appliance has never sent a management request, ensure the requirements described in Preparing an Appliance to Send a Management Request in a NAT Deployment on page 290 are in place before you attempt to send the request.

CM Series and Appliance Behind the Same NAT Gateway

To send a management request:

1. Log in to the requesting appliance CLI.

2. Enable the CLI configuration mode:

appl-hostname > enable
appl-hostname # configure terminal


3. Specify the IP address of the CM Series platform:

appl-hostname (config) # cmc client server address IPaddress

4. Specify the authentication type and admin credentials the appliance should use to log in to the CM Series platform to announce itself.

appl-hostname (config) # cmc client server auth authtype authtype
appl-hostname (config) # cmc client server auth authtype username username
appl-hostname (config) # cmc client server auth authtype password password | identity identity

where authtype can be password, ssh-dsa2, or ssh-rsa2. (See Configuring User Authentication Using the CLI on page 90 for details.)

5. Save your changes:

appl-hostname (config) # write memory

Appliance Behind NAT Gateway and CM Series in External Network

To send a management request:

1. Log in to the requesting appliance CLI.

2. Enable the CLI configuration mode:

appl-hostname > enable
appl-hostname # configure terminal

3. Specify the IP address of the CM Series platform:

appl-hostname (config) # cmc client server address IPaddress

4. Specify the authentication type and admin credentials the appliance should use to log in to the CM Series platform to announce itself.

appl-hostname (config) # cmc client server auth authtype authtype
appl-hostname (config) # cmc client server auth authtype username username
appl-hostname (config) # cmc client server auth authtype password password | identity identity

where authtype can be password, ssh-dsa2, or ssh-rsa2. (See Configuring User Authentication Using the CLI on page 90 for details.)

5. Prevent the local IP address of the appliance behind the NAT gateway from being part of the request:

appl-hostname (config) # no cmc rendezvous client send-client-address

6. Send the request again without including the local IP address of the appliance:

appl-hostname (config) # cmc rendezvous client force

7. Save your changes:

appl-hostname (config) # write memory


CM Series Behind NAT Gateway and Appliance in External Network

To send a management request:

1. Log in to the requesting appliance CLI.

2. Enable the CLI configuration mode:

appl-hostname > enable
appl-hostname # configure terminal

3. Specify the virtual NAT IP address that is mapped to the CM Series internal IP address and SSH port:

appl-hostname (config) # cmc client server address IPaddress

where IPaddress is the mapped IP address.

4. (Optional) Specify the virtual NAT port that is mapped to the CM Series internal SSH port:

appl-hostname (config) # cmc client server port port

The port defaults to 22 if it is not specified.

5. Specify the authentication type and admin credentials the appliance should use to log in to the CM Series platform to announce itself.

appl-hostname (config) # cmc client server auth authtype authtype
appl-hostname (config) # cmc client server auth authtype username username
appl-hostname (config) # cmc client server auth authtype password password | identity identity

where authtype can be password, ssh-dsa2, or ssh-rsa2. (See Configuring User Authentication Using the CLI on page 90 for details.)

6. Save your changes:

appl-hostname (config) # write memory

CM Series and Appliance Behind Different NAT Gateways

To send a management request:

1. Log in to the requesting appliance CLI.

2. Enable the CLI configuration mode:

appl-hostname > enable
appl-hostname # configure terminal

3. Specify the virtual CM Series NAT IP address that is mapped to the CM Series internal IP address:

appl-hostname (config) # cmc client server address IPaddress

where IPaddress is the mapped IP address.


4. (Optional) Specify the virtual CM Series NAT port that is mapped to the CM Series internal SSH port:

appl-hostname (config) # cmc client server port port

The port defaults to 22 if it is not specified.

5. Specify the authentication type and admin credentials the appliance should use to log in to the CM Series platform to announce itself.

appl-hostname (config) # cmc client server auth authtype authtype
appl-hostname (config) # cmc client server auth authtype username username
appl-hostname (config) # cmc client server auth authtype password password | identity identity

where authtype can be password, ssh-dsa2, or ssh-rsa2. (See Configuring User Authentication Using the CLI on page 90 for details.)

6. Prevent the local IP address of the appliance behind the NAT gateway from being part of the request:

appl-hostname (config) # no cmc rendezvous client send-client-address

7. Send the request again without including the local IP address of the appliance:

appl-hostname (config) # cmc rendezvous client force

8. Save your changes:

appl-hostname (config) # write memory

Configuring Global Host-Key Authentication in a NAT Deployment

When global host-key authentication is enforced on the managed appliance, you must obtain the public host-key from the CM Series platform and import it into the managed appliance global host-keys database. This is described in Host-Key Authentication on page 89.

The CM Series host-key string includes its IP address. If the CM Series platform is in an internal network behind a NAT gateway, the IP address in the key string you obtain from the CM Series Web UI or CLI must be replaced with the virtual IP address that is mapped to the CM Series on the NAT gateway. Only the address field changes; the key type and key material must be copied exactly, because the appliance uses the key material, not the address, to authenticate the CM Series platform.

Example

In this example, the CM Series platform is behind the NAT gateway. Its IP address is 1.1.1.5, and its virtual IP address is 3.3.3.5.


The host-key string you obtain from the CM Series Web UI or CLI starts with "1.1.1.5". For example:

1.1.1.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzd5JwKBjHLe/jxkF0JzWcXOTw9l0bz2SctkQrihkqg/zXqrmxAfgbzYulDSIxOKZTh2VBnKsy0qRWrCps64Itlh6iRlr7Jxa+jAtTAGsy..

Before you import the host-key into the EX Series global host-keys database, you must replace "1.1.1.5" with "3.3.3.5". For example:

3.3.3.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzd5JwKBjHLe/jxkF0JzWcXOTw9l0bz2SctkQrihkqg/zXqrmxAfgbzYulDSIxOKZTh2VBnKsy0qRWrCps64Itlh6iRlr7Jxa+jAtTAGsy..
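Editing a host-key line by hand is where a silent copy error (a dropped or altered base64 character) turns a host-key check into a permanent connection failure, or worse, lets a wrong key be trusted. The following script is an added example, not FireEye code: it performs the address rewrite described above, validates that the base64 blob decodes and that the key type inside the blob matches the type written on the line, and confirms by SHA256 fingerprint that the key material is unchanged after the edit. The sample key is constructed from toy RSA values so the script runs offline; it is not a real CM Series key, and the resulting fingerprint is only meaningful for comparison within the script.

```python
"""Rewrite the host field of a CM Series SSH host-key line for a NAT deployment.

Added example, not FireEye code. A host-key string is a known_hosts-style
line "<host> <keytype> <base64 blob>". Behind a NAT gateway only the host
field changes (internal IP -> virtual NAT IP); the blob must stay
byte-for-byte identical, enforced here by comparing SHA256 fingerprints.
The sample key below is constructed (hypothetical toy RSA values).
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH mpint for a positive integer (extra leading zero byte if the MSB is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def parse_hostkey_line(line: str):
    """Return (host, keytype, blob) after checking the blob is well formed.

    Raises ValueError on bad base64, a truncated blob, or when the key type
    encoded inside the blob does not match the key type written on the line.
    """
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected '<host> <keytype> <base64>'")
    host, keytype, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    inner = blob[4:4 + n]
    if len(inner) != n or inner.decode("ascii", "replace") != keytype:
        raise ValueError(f"key type mismatch: line says {keytype!r}, blob says {inner!r}")
    return host, keytype, blob


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest with padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def rewrite_host(line: str, old_host: str, new_host: str) -> str:
    """Return the line with old_host replaced by new_host; key material untouched."""
    host, keytype, blob = parse_hostkey_line(line)
    if host != old_host:
        raise ValueError(f"host field is {host!r}, expected {old_host!r}")
    new_line = f"{new_host} {keytype} {base64.b64encode(blob).decode()}"
    # Re-parse the result and compare fingerprints: the key must be identical.
    if fingerprint(parse_hostkey_line(new_line)[2]) != fingerprint(blob):
        raise RuntimeError("key material changed during rewrite")
    return new_line


# Constructed sample (hypothetical values): a syntactically valid ssh-rsa blob
# built from the wire format "ssh-rsa" || mpint(e) || mpint(n).
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE1234567890ABCDEF)
SAMPLE_LINE = "1.1.1.5 ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    print("fingerprint before:", fingerprint(SAMPLE_BLOB))
    rewritten = rewrite_host(SAMPLE_LINE, "1.1.1.5", "3.3.3.5")
    print("fingerprint after: ", fingerprint(parse_hostkey_line(rewritten)[2]))
    print(rewritten)
```

In practice, compare the fingerprint the script prints against the one the CM Series platform reports for its own host key before importing the rewritten line; a match proves the only thing you changed was the address.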


GLOSSARY

A

Access Control List (ACL)

A mechanism for enforcing user privileges. For example, an ACL determines who has access to a certain service and whether the user has read/write privileges. See also Capability and Role.

Advanced Persistent Threat (APT)

A sophisticated cyber attack that employs advanced stealth techniques to remain undetected for extended periods of time.

Advanced Targeted Attack (ATA)

Another name for an advanced persistent threat.

AX Series (formerly known as Malware Analysis System or MAS)

Appliance equipped with a virtual execution engine that enables users to manually inspect objects suspected of containing malware.

B

Baiting

A social-engineering attack in which physical media (such as a USB Flash drive) containing malware is deliberately left in proximity to a targeted organization.

Blacklist

A list or register of entities to be denied a specified access or privilege. During FireEye VXE analysis, when content matches any pattern on the blacklist, the content is deemed malicious and an alert or block action is enacted immediately.

Blended threat

A cyber attack incorporating a combination of attacks against different vulnerabilities.

Bot

An infected computer (or endpoint) centrally controlled by a command and control (CnC) server.

Botnet

Set of software “robots” or “zombies” that are controlled remotely by a command and control server.

Botnet server

Command and control server that directs the operation of a botnet.

Bring Your Own Device (BYOD)

An organizational policy of employees bringing personally owned devices to their place of work in order to access the organization’s data.

Buffer overflow attack

An attack accomplished by placing more data into the buffer than it is configured to hold, which ends up enabling the attacker to run custom code (oftentimes with the escalated privileges granted to the vulnerable application or network service).

C

Capability

A group of related CLI commands and Web UI functions. Each capability belongs to one of the following categories: System Administration, Malware Analysis, Auditing, All Users, and Web Services API. Each user is assigned to a role, which is a collection of capabilities.

Central Management (CM) Series

A FireEye rack-mount appliance with a Web-based graphical user interface responsible for monitoring and managing appliances within an NGTP environment.

Command and Control (CnC)

A server operated by a cybercriminal to provide instructions to bots.

Command-line Interface (CLI)

An interface in which you type commands in lieu of choosing them from a menu or selecting an icon. The FireEye appliance has a CLI for administering the appliance.

Cybercriminal

A hacker illegally stealing data from another computer for personal financial gain.

Cyberwar

Politically motivated hacking to conduct sabotage and/or espionage against a nation-state.

D

Darkspace

Currently unused address space.

Data Leakage Prevention (DLP)

A system designed to detect potential data loss based on patterns (such as Social Security numbers) in a timely manner.

DB-9

Serial port connector used to connect a computer to the FireEye appliance.

Defense-in-depth strategy

Installing a series of cybersecurity defenses so that a threat missed by one layer of security may be caught by another.

Demilitarized Zone (DMZ)

An area of the network where systems have direct access to the Internet or an external network.

Denial-of-Service (DoS) attack

A cyber attack intended to disrupt or disable a targeted host by flooding it with benign communication requests from a single host.

Domain Name Service

An Internet service that translates domain names into IP addresses.

Dynamic Host Configuration Protocol (DHCP)

A network protocol used to configure devices that are connected to a network so that they can communicate on an IP network.

Dynamic Threat Intelligence (DTI) network

The DTI network exchanges anonymized threat intelligence through the DTI cloud. FireEye customers receive contextual visibility of global attacks. The DTI network accurately captures shared volume of working security content while supporting Guest Images, and detecting multivector algorithms.

E

Egress traffic

Computer network traffic flowing from inside the network to hosts outside the network.

Event

Indicates a type of security intrusion or attack.

Execution anomaly

Type of event triggered by a memory anomaly (such as a buffer overflow).

F

Fail open

The ability of copper interfaces on a network appliance to maintain connectivity in order to prevent network disruption upon appliance power loss or interference.

False negative

Misclassifying a file containing malware as benign.

False positive

Misclassifying a benign file as containing malware.

G

Graphical User Interface (GUI)

An interface utilizing windows and icons rather than text as a way for users to interact with the computer.

Greylist

Greylists provide control over the priority of workorders for known IP addresses and URLs. Greylists have files that contain either URLs or IP addresses and are used by the FireEye VXE analysis engine to check if the specified URLs or IP addresses contain a malicious rule match.

Guest Image

Software image for an operating system and applications that is run in a virtual machine to analyze suspicious or captured traffic.

H

Hacktivism

The use of computers and computer networks as a means to protest and/or promote political ends.

I

Inline (active)

Signature-based security device that monitors network traffic and blocks known cyber attacks upon detection.

Inline mode

Placement of a network appliance directly in the line of network traffic, enabling it to block cyber attacks.

Intrusion Detection System (IDS)

An out-of-band, signature-based security device that monitors network traffic and creates alerts upon detecting known cyber attacks.

Intrusion Protection System (IPS)

A security appliance that monitors network activities for malicious activity. The main functions of intrusion protection systems are to identify malicious activity, log information about said activity, attempt to block/stop said activity, and report the activity.

K

Keylogger

An application that records computer keystrokes, usually unbeknownst to the user.

Known botnet server bot command

Events that are triggered when the appliance sees any of the common IRC bot commands or communication to known botnet servers.

L

Live mode

Analysis mode in which the malware is allowed to detonate inside the VX engine and is even permitted to contact external entities, including the CnC servers.

M

Malware

Malicious software (such as a computer virus, worm, or Trojan) created to disrupt computer operation, gather sensitive information, or gain access to private computer systems. See also spyware, Trojan, and worm.

Malware Protection Cloud (MPC)

See Dynamic Threat Intelligence (DTI) network.

Malware Protection System (MPS)

A rack-mount appliance responsible for detecting suspicious network objects and forwarding them to the virtual execution engine (which it also hosts) for signature-less analysis.

Multi-staged

A cyber attack incorporating multiple types of malware designed to be launched at different phases of an advanced cyber attack.

Multivector

A cyber attack designed to target multiple target hosts within the same organization using multiple attack techniques.

Multivector Virtual Execution (MVX) Engine

A component on an MPS appliance that is responsible for signature-less analysis of suspicious objects in the safety of a virtual machine.

MVX Engine-verified

Type of event triggered by a drive-by or social engineering attack and verified as a malicious behavior in the FireEye Multivector Virtual Execution (MVX) engine.

MVX Engine-verified outbound communications

A post-infection event that signals the presence of malicious software attempting to contact an external CnC server inside the MVX engine.

N

Network Time Protocol (NTP)

A networking protocol for clock synchronization between computer systems.

Next-generation threat

A new breed of cyber attacks not easily detected by signature-based security defenses. Examples include polymorphic malware, zero-day threats, and APTs.

Next-Generation Threat Protection (NGTP)

Software installed on purpose-built, rack-mount appliances that is designed to detect and block today’s new breed of cyber attacks.

O

Open Shortest Path First (OSPF)

A protocol that computes an optimal path for traffic in a TCP/IP network.

Operating System anomaly

Events that indicate modification of the operating system.

Out-of-band mode

The mode of operation of a network appliance that enables it to analyze traffic copied from a network TAP or switch SPAN port.

P

Phishing

The act of sending an email to a user falsely claiming to be a legitimate entity in an attempt to scam the user into surrendering private information, such as credit card and Social Security numbers.

Polymorphic threat

Malware that changes its signature (binary pattern) every time it replicates in order to evade detection by a security device or application.

R

Remote Administration Tool (RAT)

Software that provides the hacker with a backdoor into the infected system to snoop or take control of the host.

Role

A collection of capabilities that allow a user to perform certain operations. Each user is assigned one of the following roles: Admin, Monitor, Operator, Analyst, Auditor, API Analyst, or API Monitor.

S

Sandbox

A software application designed to analyze suspicious binaries in the safety of a virtual machine, while often evading sophisticated cyberattackers.

Sandbox mode

Mode in which malware is permitted to run, but results of the malware action are restricted to the virtual machine and not permitted to escape.

Secure Sockets Layer (SSL)

A protocol that uses multiple layers to manage the security of a message transmission on the Internet.

Simple Network Management Protocol (SNMP)

A set of protocols for exchanging management information between network devices.

Spear phishing

A phishing attempt directed toward a specific organization or person(s) within that organization.

Spyware

A type of malware that collects information about users, with or without their knowledge.

State-sponsored threat actor

A cybercriminal employed by a nation-state to conduct cyber attacks against enemies of the state for politically-motivated purposes.

Structured Query Language injection attack (SQL injection attack)

A form of attack on a database-driven Web application in which the attacker executes unauthorized SQL commands in order to exploit insecure code.

T

Transport Layer Security (TLS)

Encrypted protocols that provide secure communication over the Internet.

Trojan

Malware that masquerades as a legitimate file or helpful application with the ultimate purpose of granting a hacker unauthorized access to a computer.

V

Virtual Execution Engine (VXE)

See Multivector Virtual Execution (MVX) Engine.

Virtual Local Area Network (VLAN)

A network of computers that act as if they are connected to the same wire despite actually being physically located on different segments of a local area network.

Virtual Machine (VM)

FireEye software program that runs an instance of an operating system. The operating system runs on top of a program which emulates a hardware system.

VX Engine-verified

Type of event triggered by a drive-by or social engineering attack and verified as a malicious behavior in the FireEye Virtual Execution Engine.

VX Engine-verified outbound communications

A post-infection event that signals the presence of malicious software attempting to contact an external CnC server inside the VX engine.

W

Whaling

A cyber attack directed specifically at senior executives and other high-profile targets within businesses.

Workorders

Identify traffic that needs to be analyzed by the appliance. Workorders are generated for the suspicious traffic identified by the appliance, and for the manually-defined traffic capture policies (if any).

Worm

A form of malware that exploits network vulnerabilities in order to propagate itself onto other computers.

Z

Zero-day attack

An attack by malware that exploits unknown or newly-discovered vulnerabilities in software before they become known or before security patches are applied to fix them.

INDEX

A

AAA

accounting 229

authentication 191, 212, 220

authorization 221

LDAP 217

local access 199-200

overview 190

password rules 200, 207

password, changing 192, 195

RADIUS 215

remote users 213-214

roles 221, 228

TACACS+ 216

user accounts 192-194

account status 199

accounting 229-230

Active Directory (AD) 219

address type for CM Series

communication 102, 287

admin password 21

Admin role 221

aggregators 78

analyst role 221

api_analyst role 222

api_monitor role 222

appliance license 114

ArcSight 125, 162

audit logging 224, 229-230

auditor role 222

authentication

example 220

failed attempts 212

local-to-remote user mappings 214

local override rules 213

methods 191

order 192, 212

SSH 87

authorization 221-222


B

backup, database

estimating space 262

overview 259

scheduling with CLI 267

task list 260

uploading files 271

using CLI 265

viewing results 260

Blue Coat ProxySG 125

C

CA certificates 232

capabilities

all users 224

auditing 224

descriptions 225

malware analysis 224

overview 222

system administration 223

Web services API 224

Certificate Authority (CA)

certificates 232

certificates

activating 248

Certificate Authority (CA) 232, 254

client 232, 254

default attributes 250

downloading 247

HTTPS 232, 254

key size 257

LDAP server 232, 254

Mozilla bundle 232, 254

renaming 256-257

secure hash 257

supplemental CA 232, 254

system self-signed 232, 239

viewing 232

Web server 232, 241

X.509 (TLS/SSL) 232

checks, health 167

client-initiated connections 87

CM Series authentication 87, 287, 295

CM Series integration

changing address type 102

initiating request for management 87, 98, 103

CONTENT_UPDATE license 114

current password requirement 204

D

database 259-260, 262-263, 267, 271-272, 276

date and time settings 105-106, 108-112

deployment modes 36

deployment testing 174, 179-180

from the Web UI 175

DNS settings, configuring 61

DSA2 public keys 88-90

DTI network

automatic updates 74, 77


changing source server 69, 79, 81-84, 86

configuring credentials 86

overview 67

security updates 72

stats uploads 77

status 167

upgrading from 125-126, 128

validating 70-71

E

Ethernet port status 170

EULA (End User License Agreement) 18-19, 124-125, 129

F

FIREEYE_APPLIANCE license 114

FIREEYE_SUPPORT license 114

front panel, removing 30

G

Guest Images 124, 130

guest images status 168

H

hardware status 169

health checks 167, 170

host-key authentication 92-94, 96

HTTPS certificates 232

I

inline deployment mode 36

IP filtering 64, 66

IPMI port 24

J

Juniper STRM 125

L

LCD 19, 30

LDAP

configuring 217

example configuration 218

overview 217

search filters 218

liquid crystal display 19, 30

Log Manager 162

logs 162-163

M

malware analysis capabilities 224

MIB, downloading

to Apple devices 140

to Linux devices 139

to Windows devices 139

monitor role 221

Mozilla certificates 232

N

Network Address Translation (NAT) 278, 284, 287, 290, 295

network administration 60, 62, 64, 66

network proxy 125

network requirements 13


notifications 148

NTP (Network Time Protocol) 108-109

O

operator role 221

order of authentication 192

P

password authentication 88

passwords

changing admin 21

changing your own 196-197

configuring password change policies 207, 209

configuring validation rules 202, 204-206

public key authentication 88-89

Q

Q1 Lab QRadar 125

R

RADIUS 215

resolution, screen 27

restore, database

guidelines 273

overview 259

task list 260

using CLI 274

viewing results 260

roles

admin 221

analyst 221

api_analyst 222

api_monitor 222

assigning 228

auditor 222

capabilities 222

fe_services 222

monitor 221

operator 221

RSA2 public keys 88, 90

S

screen resolution 27

Secure Shell (SSH) authentication 87

serial port

accessing from a terminal server 19

accessing from a Linux system 18

accessing from a PC laptop 18

accessing from an Apple laptop 18

settings 17

single-port communication 102, 287

SNMP notifications 137

SPAN deployment mode 36

SSH-DSA2, SSH-RSA2 public keys 88-90

SSL certificates 232

status

DTI network 170

Ethernet port information 170

guest images information 168


hardware information 169

system information 168

version information 168

supplemental CA certificates 232

support license 114

system administration capabilities 223

system self-signed certificate 232

system status 168

T

TACACS+ 216

TAP deployment mode 36

testing deployment 174, 179-180

time and date settings 105, 108, 110-111

time zone settings 110-111

TLS certificates 232

two-port communication 102, 287

U

upgrades 124

user accounts

adding 193-194

local access 199-200

managing your own 195-197

overview 192

permanent 199

status 199

updating 193-194

user authentication 87, 90

user interfaces

IPMI 33

LCD 19

Web UI 26, 28-29

V

version status 168

W

Web server certificates 232

Web services API capabilities 224

Web UI 28-29

X

X.509 certificates 232
