NX Series System Administration Guide
Release 7.6
FireEye and the FireEye logo are registered trademarks of FireEye, Inc. in the United
States and other countries. All other trademarks are the property of their respective
owners.
FireEye assumes no responsibility for any inaccuracies in this document. FireEye reserves
the right to change, modify, transfer, or otherwise revise this publication without notice.
Copyright © 2015 FireEye, Inc. All rights reserved.
NX Series System Administration Guide
Release 7.6.1
Revision 1
FireEye Contact Information:
Website: www.fireeye.com
Support Email: [email protected]
Support Website: csportal.fireeye.com
Phone:
United States: 1.877.FIREEYE (1.877.347.3393)
United Kingdom: 44.203.106.4828
Other: 1.408.321.6300
© 2015 FireEye 1
CONTENTS
Preface 12
Before You Begin 13
CHAPTER 1: Getting Started 14
Deployment Modes 14
Management Path 14
FIPS 140-2 and Common Criteria Compliance 16
CHAPTER 2: Initial Configuration 17
Configuring Initial Settings Using the Serial Console Port 17
Using a Windows or Mac Laptop 18
Using a Linux System 18
Using a Terminal Server 19
Configuring Initial Settings Using the LCD Panel 19
Configuring Initial Settings Using a Keyboard and Monitor 20
Configuration Wizard Steps 21
Configuring the IPMI Interface 24
CHAPTER 3: User Interfaces 26
The Web UI 26
Browser Support 26
Screen Resolution Requirements 27
Logging in to the Web UI 27
NX Series Web UI Tabs 28
PDF Generation 28
The Dashboard 29
The Command Line Interface 29
The LCD Display 30
Navigating the LCD Menus 30
LCD Panel Menus 31
The IPMI Interface 33
CHAPTER 4: Operational Mode Configuration 36
Configuring Inline Mode Using the Web UI 36
Configuring Inline Mode Using the CLI 38
Configuring Inline Proxy Mode Using the Web UI 40
Configuring Inline Proxy Mode With One NX Series Appliance 40
Configuring Inline Proxy Mode With Two NX Series Appliances 41
Configuring Inline Proxy Mode Using the CLI 43
Configuring Inline Proxy Mode With One NX Series Appliance 44
Configuring Inline Proxy Mode With Two NX Series Appliances 45
Configuring Inline Multi-Proxy Mode Using the Web UI 46
Configuring Inline Multi-Proxy Mode With One NX Series Appliance 47
Configuring Inline Multi-Proxy Mode With Two NX Series Appliances 48
Configuring Inline Multi-Proxy Mode Using the CLI 50
Configuring Inline Multi-Proxy Mode With One NX Series Appliance 51
Configuring Inline Multi-Proxy Mode With Two NX Series Appliances 53
Configuring TAP Mode Using the Web UI 54
Configuring TAP Mode Using the CLI 55
Configuring Port Mirroring (SPAN) Mode Using the Web UI 56
Configuring Port Mirroring (SPAN) Mode Using the CLI 58
CHAPTER 5: Network Administration 60
Basic Network Configuration 60
Configuring Basic Network Settings Using the Web UI 61
Configuring Basic Network Settings Using the CLI 62
Updating the IPMI Firmware 62
Updating the IPMI Firmware Using the CLI 63
IP Filtering 64
Enabling IP Filtering Using the CLI 66
CHAPTER 6: The DTI Network 67
Introduction 67
Threat Intelligence 67
Automatic License Updates 68
System Health Monitoring and Software Updates 69
DTI Network Communication 69
Validating DTI Access 70
Validating DTI Access Using the Web UI 70
Validating DTI Access Using the CLI 71
Updating Security Content 72
Updating Security Content Using the Web UI 72
Updating Security Content Using the CLI 73
Configuring Automatic Security Updates 74
Configuring Automatic Security Content Updates Using the Web UI 74
Configuring Automatic Security Content Updates Using the CLI 75
Configuring Automatic System Information Updates 77
Configuring Automatic System Information Updates Using the Web UI 77
Configuring Automatic System Information Updates Using the CLI 78
Changing the Active DTI Source 79
Changing the Active DTI Source Using the Web UI 81
Changing the Active DTI Source Using the CLI 82
Overriding the Managed Appliance DTI Source 83
Overriding the Managed Appliance DTI Source Using the Web UI 83
Overriding the Managed Appliance DTI Source Using the CLI 84
Configuring DTI Credentials 86
Configuring DTI Credentials Using the CLI 86
CHAPTER 7: CM Series Platform Integration 87
Configuring Secure Shell (SSH) Authentication 87
Creating a Public Key Using the CLI 89
Configuring User Authentication Using the CLI 90
Obtaining a Host Key Using the Web UI 92
Obtaining a Host Key Using the CLI 93
Importing a Host Key into the Global Host-Keys Database Using the CLI 94
Enabling Strict and Global Host-Key Checking Using the CLI 96
Sending a Management Request to the CM Series Platform 98
Preparing an Appliance to Send a Management Request 98
Sending a Management Request Using the Web UI 99
Sending a Management Request Using the CLI 100
Changing the Address Type for DTI Network Service Requests 102
Configuring Single-Port CM Series Communication Using the CLI 103
CHAPTER 8: Setting Date and Time 105
Manual Time Configuration 105
Setting the Date and Time Using the Web UI 105
Setting the Date and Time Using the CLI 106
NTP Server Configuration 108
Configuring NTP Servers Using the Web UI 108
Configuring NTP Servers Using the CLI 109
Time Zone Configuration 110
Setting the Time Zone Using the Web UI 111
Setting the Time Zone Using the CLI 111
DTI Server Time Synchronization 112
CHAPTER 9: License Management 114
Automatic License Updates 115
How it Works 115
Enabling Automatic License Updates 116
Using the Licensing Service 117
Forcing License Updates 118
Manual License Installation 119
Installing Licenses Using the Web UI 119
Removing Licenses Using the Web UI 120
Installing Licenses Using the CLI 120
Removing Licenses Using the CLI 122
Viewing License Notifications Using the Web UI 123
CHAPTER 10: Upgrading Your Appliance 124
Upgrading the Appliance Using the Web UI 125
Select an Update Source 126
Check for Available Update Software 127
Download the Software 127
Install the Software Update 127
Reload or Refresh the Appliance 128
Validate the Software Updates 128
Upgrading the Appliance Using the CLI 128
Download and Install the Appliance Software Image 129
Restart the Appliance and Accept the EULA 129
Download Guest Images 130
Install Downloaded Guest Image Profiles 132
Verify the Upgrade 132
Configuring Auto-Mounting on a USB Device 133
Enabling or Disabling Auto-Mounting on a USB Device Using the CLI 133
Configuring HTTP Access to Install Guest Images Using the CLI 134
Mounting or Unmounting a USB Device Using the CLI 136
CHAPTER 11: Configuring SNMP 137
Retrieving SNMP Data 137
Configuring Access to SNMP Data 138
Downloading the MIB 138
Sending Requests for SNMP Information 140
Sending Traps 141
Enabling and Configuring Traps 141
Logging Trap Messages 142
CHAPTER 12: Customizing Login Messages 143
Customizing Login Messages Using the Web UI 144
Customizing Login Messages Using the CLI 146
CHAPTER 13: Configuring System Email Settings 148
Configuring the Mail Server 149
Configuring the Mail Server Using the Web UI 149
Configuring the Mail Server for Health Check Notifications Using the CLI 150
Configuring the Mail Server for Scheduled Reports Using the CLI 152
Adding and Removing Email Recipients 153
Adding and Removing Email Recipients Using the Web UI 154
Adding and Removing Email Recipients Using the CLI 155
Configuring System Events 157
Configuring System Event Notifications Using the Web UI 157
Configuring System Event Notifications Using the CLI 158
Configuring Auto Support for System Event Notifications 160
Configuring Auto Support for System Event Notifications Using the CLI 160
CHAPTER 14: Managing Logs 162
Managing Logs Using the Web UI 162
Managing Logs Using the CLI 163
CHAPTER 15: System Health and Performance 166
Checking System Health and Status 167
Checking System Health Using the Web UI 167
Checking System Health Using the CLI 170
Deployment Verification 174
Checking DTI Services Using the Web UI 174
Checking Alert Detection 175
Checking Network Deployment 179
Utilization and Performance Checks 187
Viewing Utilization Statistics Using the Web UI 188
Viewing Utilization Statistics Using the CLI 189
CHAPTER 16: AAA 190
Authentication 191
User Accounts 192
Managing Your Own Account 195
Local Access Control 199
Configuring Password Validation Policies 200
Configuring Password Change Policies 207
Defining the Authentication Order 212
Local Overrides of Remote User Mappings 213
Mapping Remote Users to Default Local Users 214
Configuring a RADIUS Server 215
Configuring a TACACS+ Server 216
LDAP Server Configuration 217
Example: Configuring Authentication 220
Authorization 221
Roles 221
Capabilities 222
Assigning Roles Using the Web UI 228
Assigning Roles Using the CLI 228
Accounting 229
Managing Audit Logs 230
CHAPTER 17: Certificate Management 232
System Self-Signed Server Certificate 232
HTTPS Server Certificates 232
Certificate Authority (CA) Client Certificates 232
Viewing Certificates 232
Viewing Certificates Using the Web UI 233
Viewing Certificates Using the CLI 235
Regenerating the System Self-Signed Certificate 239
Regenerating the System Self-Signed Certificate Using the Web UI 239
Regenerating the System Self-Signed Certificate Using the CLI 240
Managing HTTPS Certificates 241
Managing HTTPS Certificates Using the Web UI 242
Managing Named Certificates Using the CLI 243
Downloading Certificates 247
Downloading a Certificate Using the CLI 248
Activating Named Certificates 248
Activating Named Certificates Using the Web UI 249
Activating Named Certificates Using the CLI 249
Defining Default Certificate Attributes 250
Certificate Attributes 251
Defining Default Certificate Attributes Using the CLI 252
Adding Supplemental CA Certificates 254
Adding Supplemental CA Certificates Using the Web UI 254
Adding Supplemental CA Certificates Using the CLI 255
Renaming a Certificate 256
Renaming a Certificate Using the CLI 257
Improving Certificate Security 257
Improving Certificate Security Using the CLI 258
CHAPTER 18: Backing Up and Restoring the Appliance Database 259
Database Backup and Restore Introduction 259
Viewing the Last Backup and Restore Results 260
Viewing the Last Backup and Restore Results Using the Web UI 261
Viewing the Last Backup and Restore Results Using the CLI 261
Estimating the Space Needed for the Backup File 262
Estimating the Space Needed for the Backup File Using the Web UI 262
Estimating the Space Needed for the Backup File Using the CLI 263
Backing Up the Database 263
Backing Up the Appliance Database Using the Web UI 264
Backing Up the Database Using the CLI 265
Scheduling Automatic Backups 267
Scheduling Automatic Backups Using the CLI 267
Downloading Backup Files 271
Downloading Backup Files Using the Web UI 271
Uploading Backup Files 271
Uploading Backup Files Using the Web UI 272
Restoring the Database from a Backup File 272
Usage Guidelines for Restoring the Database 273
Restoring the Database from a Backup File Using the Web UI 273
Restoring the Database from a Backup File Using the CLI 274
Deleting Previous Backup Files 276
Deleting Previous Backup Files Using the Web UI 276
Deleting Previous Backup Files Using the CLI 277
CHAPTER 19: Configuring Network Address Translation (NAT) 278
Address Mapping 278
CM Series Platform Initiates Connection 279
Appliance Initiates Connection 281
Configuring and Activating an Accessible DTI Server Address 284
Configuring and Activating an Accessible DTI Server Address Using the CLI 285
Switching to Single-Port or Dual-Port Communication in a NAT Deployment 287
Sending a Management Request in a NAT Deployment 289
Preparing an Appliance to Send a Management Request in a NAT Deployment 290
Sending a Management Request in a NAT Deployment Using the Appliance Web UI 291
Sending a Management Request in a NAT Deployment Using the Appliance CLI 292
Configuring Global Host-Key Authentication in a NAT Deployment 295
GLOSSARY 297
INDEX 304
Preface
This guide provides an overview of the FireEye NX Series appliance and describes how to use
both the Web user interface (Web UI) and the command-line interface (CLI) to configure and
manage the appliance's network administration features. It is intended for system administrators
responsible for deploying, operating, and maintaining the appliance.
The NX Series Threat Management Guide is intended for security and forensics analysts. It describes
how to configure analysis policies, view analysis results, and generate reports.
These guides are also intended for security and information technology (IT) managers and
personnel interested in learning more about FireEye technologies.
Before You Begin
Before you configure the appliance:
- Read the Release Notes for the current release.
- Collect the following information from your network administrator:
  - Static IP address, subnet mask, and default gateway address for the appliance
    management interface. (You do not need this information if Dynamic Host
    Configuration Protocol (DHCP) will be used on the management interface.)
  - IP address for each Domain Name System (DNS) server (if DNS name resolution
    will be used).
  - IP address for each Network Time Protocol (NTP) server (if NTP synchronization
    will be used).
  - Telnet or SSH client on the remote system (if the appliance will be managed
    remotely).
CHAPTER 1: Getting Started
Advanced targeted attacks use the Internet as a primary threat vector to compromise key
systems, perform reconnaissance on existing defenses, establish long-term control and access to
networked systems, and extract data. The FireEye NX Series appliance stops Web-based attacks
that traditional and next-generation firewalls (NGFW), IPS, AV, and Web gateways miss. The
NX Series appliance protects against zero-day Web exploits and multi-protocol callbacks to keep
sensitive data and systems safe.
Deployment Modes
You can deploy the NX Series appliance on your network in either inline mode or out-of-band
mode. Each mode provides various options and offers specific costs and benefits. FireEye
strongly recommends using one of the inline deployment modes. An appliance deployed inline
can automatically block attacks and callbacks to Command and Control (CnC) servers. With
inline deployment, recovering from a malware attack is faster and less resource-intensive. For
information about deploying the NX Series appliance in your network, see the NX Series
Hardware Administration Guide for your appliance model and Operational Mode Configuration
on page 36.
Management Path
FireEye appliances can download security content and software updates from the FireEye
Dynamic Threat Intelligence (DTI) network. With a two-way content license, the appliance can
also upload threat intelligence information to the DTI network.
CM Series Platforms and Standalone Appliances That Receive DTI Updates
The CM Series platform and standalone appliances use the ether1 port to communicate with the
DTI network. In the default configuration, where you receive updates from the DTI network
(cloud.fireeye.com), allow outbound access to all IP addresses on the following ports:
- DNS (UDP/53)
- HTTPS (TCP/443)
Management interface ether1 requires a static IP address or reserved DHCP address and subnet
mask.
Appliances That Restrict Outbound Access to Certain IP Addresses
If your security policy requires that you restrict outbound access to certain IP addresses, you
cannot use the DTI network. Instead, point to staticcloud.fireeye.com for DTI updates, and
allow access to the *.incapdns.net domain.
To configure and access staticcloud.fireeye.com:
1. Enter the following command from the appliance CLI:
hostname (config) # fenet dti source default DTI
2. Add the following block of IP addresses to the firewall:
- 199.16.196.0/22
To allow access to *.incapdns.net:
1. Allow access to the *.incapdns.net domain at the proxy device.
2. Add the following blocks of IP addresses to the firewall:
- 199.83.128.0/21
- 198.143.32.0/19
- 149.126.72.0/21
- 103.28.248.0/22
- 45.64.64.0/22
- 185.11.124.0/22
- 192.230.64.0/18
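The documented egress allow-list above (DTI ports for the default deployment, the staticcloud and incapdns blocks for the restricted one), evaluated against constructed outbound connection records. This is an added example, not FireEye's code; the record layout (proto src dst dport), the sample addresses, and the 10.0.0.0/8 internal range are assumptions.

```python
import ipaddress
import re

# Destinations documented for the default deployment (cloud.fireeye.com):
# any IP address on DNS (UDP/53) and HTTPS (TCP/443).
DTI_PORTS = {("udp", 53), ("tcp", 443)}

# Blocks documented for staticcloud.fireeye.com and *.incapdns.net.
STATICCLOUD_BLOCKS = [ipaddress.ip_network("199.16.196.0/22")]
INCAPDNS_BLOCKS = [ipaddress.ip_network(b) for b in (
    "199.83.128.0/21", "198.143.32.0/19", "149.126.72.0/21", "103.28.248.0/22",
    "45.64.64.0/22", "185.11.124.0/22", "192.230.64.0/18")]
RESTRICTED_BLOCKS = STATICCLOUD_BLOCKS + INCAPDNS_BLOCKS

# Assumed site-internal range: traffic to it (e.g. the local DNS resolver)
# is not outbound and is not subject to the restricted-egress check.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample of connection records seen from the ether1 management
# interface, in a hypothetical "proto src dst dport" layout.
SAMPLE_EGRESS_LOG = """\
tcp 10.0.0.5 199.16.197.20 443
udp 10.0.0.5 10.0.0.2 53
tcp 10.0.0.5 198.143.40.8 443
tcp 10.0.0.5 93.184.216.34 443
tcp 10.0.0.5 199.16.197.20 80
"""

LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+)\s+(\S+)\s+(\d+)$")


def in_blocks(ip, blocks):
    """True when ip falls inside any of the given CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocks)


def classify(line, restricted):
    """Classify one record against the documented egress policy.

    restricted=False models the default deployment (all IPs allowed on the
    DTI ports); restricted=True models a policy pinned to the staticcloud
    and incapdns blocks. Returns "allowed", "blocked-port", "blocked-ip"
    or "unparsed".
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return "unparsed"
    proto, _src, dst, dport = m.groups()
    if (proto, int(dport)) not in DTI_PORTS:
        return "blocked-port"
    if restricted and not in_blocks(dst, INTERNAL_NETS + RESTRICTED_BLOCKS):
        return "blocked-ip"
    return "allowed"


def audit(log_text, restricted):
    """Group every non-empty record in the log by its verdict."""
    report = {}
    for line in log_text.splitlines():
        if line.strip():
            report.setdefault(classify(line, restricted), []).append(line.strip())
    return report


if __name__ == "__main__":
    for mode in (False, True):
        print("restricted" if mode else "default", audit(SAMPLE_EGRESS_LOG, mode))
```

Records that come back "blocked-ip" under the restricted policy are destinations the documented firewall rules would not permit, which is the first thing to check when DTI updates stall after the policy is tightened.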
Appliances with Domain-based Proxy ACL Rules
If your configuration includes domain-based proxy ACL rules, allow access to *.fireeye.com.
Appliances Connected to the CM Series Platform
For appliances connected to the CM Series platform, use only a static IP address and subnet
mask. The appliance should use the ether1 port to communicate with the CM Series platform.
Do not use ZeroConf on the primary interface.
To enable IPv6 routing for the management network, use the Configuration Wizard or see the
FireEye CLI Reference for information about the ipv6 enable command, interface ipv6 command,
or the configuration jump-start command.
Integrated CM Communications Protocol and Port Configurations
Establish SSH connectivity from the CM Series platform to each managed appliance. See the
Hardware Administration Guide for details about the port and protocol configuration.
FIPS 140-2 and Common Criteria Compliance
Use the Settings: Compliance page to configure compliance features. For details and for
information about how to display the page, see the FIPS 140-2 and Common Criteria Addendum.
CHAPTER 2: Initial Configuration
The management interface is the port through which the appliance is managed and administered.
It is also the port through which integration of the CM Series platform and a managed appliance
is managed. With the single-port address type (described in Changing the Address Type for
DTI Network Service Requests on page 102), the management interface is also the port
through which a managed appliance requests and downloads software updates from the
DTI network.
Initial settings need to be configured to set up the management interface, and to allow access to
the network, change the default administrator password, and so on. The following initial
configuration methods are available:
- Serial console port—You can connect a Windows or Mac laptop, a Linux system, or a
  terminal server to the serial port on the back of the appliance to log in to the CLI and
  configure the initial settings. See Configuring Initial Settings Using the Serial Console
  Port below.
- LCD panel—A liquid-crystal display (LCD) panel on the front of most appliance models
  has navigation buttons and menus you use to select initial settings. See Configuring
  Initial Settings Using the LCD Panel on page 19.
- KVM and VGA monitor—You can use a keyboard, mouse, and VGA monitor connected
  directly to the appliance to log in to the CLI and configure the initial settings. See
  Configuring Initial Settings Using a Keyboard and Monitor on page 20.
Configuring Initial Settings Using the Serial Console Port
It is recommended that you use the serial console port for the initial configuration. If you are not
using a terminal server, you need to be physically near the appliance to use the serial port. The
serial port is on the back of the appliance. See your Hardware Administration Guide to view the port
location.
The serial port uses the following settings:
- Baud rate: 115200
- Data bits: 8
- Stop bits: 1
- Parity: None
- Flow control: XON/XOFF
You can access the serial port and configure initial settings as described in the following topics:
- Using a Windows or Mac Laptop below
- Using a Linux System below
- Using a Terminal Server on the facing page
Using a Windows or Mac Laptop
Because laptops do not usually have a serial port, you need a USB-to-serial cable to connect the
laptop to the serial port (DB-9) of the appliance. FireEye uses Prolific Technology Inc. adapters.
To configure initial settings from a Windows or Mac laptop:
1. Connect the cable to the serial port of the appliance and the USB port on the laptop.
2. Use a serial application (such as PuTTY) to establish a connection. Specify the COM port
assigned to the USB-to-serial cable.
3. When prompted, enter the default username (admin) and password (admin) for the
administrator.
4. You are asked to accept the End User License Agreement (EULA). Enter y to accept the
terms of the agreement.
5. Enter y when you are prompted to use the Configuration Wizard for initial configuration.
Then respond to the prompts as described in Configuration Wizard Steps on page 21.
6. After you answer the questions, the wizard summarizes your answers. To change an
answer, enter the step number. Press Enter to save changes.
Using a Linux System
You can use a serial cable or a USB-to-serial cable to connect the Linux machine to the serial port
of the appliance. FireEye uses Prolific Technology Inc. adapters.
To configure initial settings from a Linux system:
1. Connect the cable to the serial port of the appliance and to the Linux machine.
2. From a command prompt, establish a connection. If you are using a USB-to-serial cable,
specify the COM port assigned to it.
3. When prompted, enter the default username (admin) and password (admin) for the
administrator.
4. You are asked to accept the End User License Agreement (EULA). Enter y to accept the
terms of the agreement.
5. Enter y when you are prompted to use the Configuration Wizard for initial configuration.
Then respond to the prompts as described in Configuration Wizard Steps on page 21.
6. After you answer the questions, the wizard summarizes your answers. To change an
answer, enter the step number. Press Enter to save changes.
Using a Terminal Server
To configure initial settings from a terminal server:
1. Set the terminal server to a baud rate of 115200.
2. Plug one end of a serial cord into the serial port (DB-9) on the appliance and plug the
other end into the terminal server.
3. In a Telnet application (such as PuTTY), enter the host name or terminal server IP
address, the terminal server port number that the appliance is using, and the appliance port
number.
4. When prompted, enter the default username (admin) and password (admin) for the
administrator.
5. You are asked to accept the End User License Agreement (EULA). Enter y to accept the
terms of the agreement.
6. Enter y when you are prompted to use the Configuration Wizard for initial configuration.
Then respond to the prompts as described in Configuration Wizard Steps on page 21.
7. After you answer the questions, the wizard summarizes your answers. To change an
answer, enter the step number. Press Enter to save changes.
Configuring Initial Settings Using the LCD Panel
An LCD panel is available on the front of most appliance models.
To configure initial settings from the LCD panel:
1. Press the center button to access the Network menu and respond to the prompts:
a. Hostname—Specify the hostname for the system.
b. DHCP enabled—Enter yes to use dynamic host configuration protocol (DHCP).
Enter no to manually configure your IP address and network settings. If you entered
yes, proceed to the IPv6 enabled step.
c. Static IP address—Enter the IP address for the Ethernet 1 (management interface)
port.
d. Netmask—Enter the network mask.
e. Default gateway—Enter the gateway IP address for the management interface.
f. Primary DNS—Enter the primary DNS server IP address.
g. Domain name—Enter the domain name for the management interface; for
example, it.acme.com.
h. IPv6 enabled—Enter "yes" to enable IPv6 protocol, which changes network
IP routing from IPv4 to IPv6. If you enter "no," proceed to the Admin net login
step.
i. SLAAC enabled—Enter "yes" to enable IPv6 autoconfig on the ether1
(management interface) port.
j. Admin net login—Enter "yes" to enable the administrator to log in to the system
remotely. Enter "no" to disable remote access.
2. Press the left or right arrow button until you reach the LCD menu. At the Password
prompt, enter a password used to access the LCD panel. (This is not the password used to
access the appliance Web UI or CLI.)
3. Press the left or right arrow button until you reach the Config Options menu. At the
Reset admin password prompt:
a. Press the center button to reset the password used by the permanent admin user to
log in to the appliance CLI or Web UI. (This is not the password used to access the
LCD panel.)
b. A randomly generated password is displayed. After you memorize it, press the
center or exit button to dismiss the display.
After the initial configuration, you can change to a password of your choice using the
appliance Web UI or CLI.
Configuring Initial Settings Using a Keyboard and Monitor
You can connect keyboard, video, and mouse (KVM) cables to the appliance and then log in to
the appliance CLI to perform the initial configuration. See your Hardware Administration Guide to
view the port locations.
To configure initial settings using a keyboard and monitor:
1. Plug in a VGA monitor and a keyboard.
2. When prompted, enter the default username (admin) and password (admin) for the
permanent "admin" user.
3. You are asked to accept the End User License Agreement (EULA). Enter y to accept the
terms of the agreement.
4. Enter y when you are prompted to use the Configuration Wizard for initial configuration.
Then respond to the prompts as described in Configuration Wizard Steps below.
5. After you answer the questions, the wizard summarizes your answers. To change an
answer, enter the step number. Press Enter to save changes.
Configuration Wizard Steps
The configuration wizard is typically used to perform the initial configuration of the system. See
Initial Configuration on page 17 for information about running the wizard before the
management interface is configured. After the management interface is configured, an
administrator can use the configuration jump-start CLI command to run the wizard.
The following table describes the questions the configuration wizard prompts you to answer as it
moves through the wizard steps. As noted in the table, the wizard skips some steps based on
your answers to previous steps.
Press CTRL+C to exit the configuration wizard.
Hostname?
    Enter the hostname for the appliance.
Admin password?
    Enter a new administrator password. The new password must be from 8–32 characters. If you
    do not change the password, the administrator will be unable to log in to the appliance.
Confirm admin password?
    Re-enter the new administrator password.
Enable remote access for 'admin' user?
    Enter yes to enable the administrator to log in to the appliance remotely. Enter no to
    disable remote access.
Use DHCP on ether1 interface?
    Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the appliance IP
    address and other network parameters. Enter no to manually configure your IP address and
    network settings. (If you enter yes, the zeroconf and static IP addressing steps are skipped.)
Use zeroconf on ether1 interface?
    Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP
    address and network mask. (If you specify yes, the next step is skipped.)
    NOTE: Do not use zeroconf on the primary interface.
Primary IP address and masklen?
    Enter the IP address for the management interface in A.B.C.D format and enter the network
    mask, for example: 1.1.1.2/12.
Default gateway?
    Enter the gateway IP address for the management interface.
Primary DNS server?
    Enter the IP address of the DNS server.
Domain name?
    Enter the domain for the management interface; for example: it.acme.com.
Enable Incident Response or Compromise Assessment? *
    Enter yes to configure an Incident Response or Compromise Assessment deployment. (If you
    enter yes, the next four steps are performed automatically, and the "Enable NTP?" and
    "Enable IPv6?" steps are skipped.)
Enable fenet service?
    Enter yes to enable access to the DTI network. (If you enter no, the next three steps are
    skipped.)
Enable fenet license update service?
    Enter yes to enable the licensing service to automatically download your licenses from the
    DTI network and install them.
Sync appliance time with fenet?
    Enter yes to synchronize the appliance time with the DTI server time. If you enabled the
    licensing service, synchronization prevents a feature from being temporarily unlicensed due
    to a time gap. The wizard makes three attempts to perform this step before it gives up and
    moves to the next step.
Update licenses from fenet?
    Enter yes to download and install your licenses. The wizard makes three attempts to perform
    this step before giving up and moving on to the next step.
Enable NTP?
    Enter yes to enable automatic time synchronization with one or more Network Time Protocol
    (NTP) servers. Enter no to manually set the time and date on the appliance. (This step is
    skipped if you entered yes in the "Sync appliance time with fenet?" or "Enable Incident
    Response or Compromise Assessment?" step.)
Enable FaaS VPN? *
    Enter yes to enable the appliance to connect to FireEye as a Service over the Internet using
    a secure SSL VPN connection. (This step is skipped if no MD_ACCESS license is installed.
    This step is performed automatically if you entered yes in the "Enable Incident Response or
    Compromise Assessment?" step.)
Set time (<hh>:<mm>:<ss>)?
    Enter the appliance time. (This step and the next step are skipped if you entered yes in
    the "Sync appliance time with fenet?" or "Enable NTP?" step.)
Set date (<yyyy>/<mm>/<dd>)?
    Enter the appliance date.
Enable IPv6?
    Enter yes to enable IPv6 protocol, which changes network IP routing from IPv4 to IPv6.
    (This step and the next two steps are skipped if you entered yes in the "Enable Incident
    Response or Compromise Assessment?" step. This step and the next two steps will be
    automatically performed if you entered yes in the "Enable FaaS VPN" step.)
Enable IPv6 autoconfig (SLAAC) on ether1 interface?
    Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step
    is skipped if you entered no in the "Enable IPv6?" step.)
Enable DHCPv6 on ether1 interface?
    Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if
    you entered no in the "Enable DHCP?" or "Enable IPV6?" step.)
Mirror traffic to a PX appliance? *
    Enter yes to use port mirroring to forward NX Series traffic to the PX Series appliance in
    an Incident Response deployment. If you enter no, you must manually configure your PX Series
    appliance to receive the proper traffic. (This step is skipped if you entered no in the
    "Enable Incident Response or Compromise Assessment?" step.)
    IMPORTANT: FireEye recommends using port mirroring in an Incident Response deployment.
Interface pair to mirror traffic to PX? *
    Enter the NX Series interface pair or pairs whose traffic will be forwarded to the PX Series
    appliance.
    If multiple mirror ports are already configured, this step and the next step are skipped.
    If a single mirror port is already configured for one or more pairs, that pair or pairs are
    provided as the default for this step.
    IMPORTANT: FireEye recommends using the default pair (A) if you are configuring a new
    appliance. Otherwise, manual configuration steps may be required.
Interface to mirror traffic to PX? *
    Enter the NX Series port that will forward the traffic to the PX Series capture port. Do
    not specify a port that belongs to an interface pair you entered in the previous step.
    If a single mirror port is already configured, it is provided as the default for this step.
    IMPORTANT: FireEye recommends using the default port (pether6) if you are configuring a new
    appliance. Otherwise, manual configuration steps may be required.
Enable forensic analysis? *
    Enter yes to perform full packet capture and analysis on the mirrored traffic.
IP address of PX *
    Enter the IP address of the PX Series appliance. (This step is skipped if you entered no in
    the "Enable forensic analysis?" step.)
Product license key?
    Enter the product license key you obtained from FireEye, or press Enter to install a 15-day
    evaluation license. (This step and the next step are skipped if you entered yes in the
    "Enable fenet license update service?" step and if licenses were successfully installed as
    a result.)
Security-content updates key?
    Enter the security-content license key you obtained from FireEye, or press Enter to skip
    this step and install the license later.
A support license is also required for the appliance software. See License Management on
page 114 for details.
* This step is included in NX Series Release 7.6.1 and later.
Configuring the IPMI Interface

Use the commands in this section to configure the IPMI interface. See The IPMI Interface on
page 33 for information about using the IPMI interface after it is configured.
To configure the IPMI port:
1. Plug one end of an Ethernet cable into the IPMI port and the other end into an
administrative computer or terminal server.
2. If you want to configure a static IP address for the IPMI interface, do the following:
a. Log in to the appliance CLI.
b. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
c. If DHCP was previously configured for IPMI, change to the static method:
hostname (config) # ipmi lan ipsrc static
d. Configure the IP address for the IPMI interface:
hostname (config) # ipmi lan ipaddr ipAddress
e. Configure the netmask for the IPMI interface:
hostname (config) # ipmi lan netmask netmask
f. Configure the default gateway for the IPMI interface:
hostname (config) # ipmi lan defgw ipAddress
3. If you want to configure DHCP:
a. Make sure that DHCP is enabled on your network:
hostname (config) # show ip dhcp
b. Enable DHCP:
hostname (config) # ipmi lan ipsrc dhcp
4. By default, the username used to log in to the IPMI Web UI is ADMIN. Configure the
password:
hostname (config) # ipmi user set password password
5. Save your changes:
hostname (config) # write memory
To view the IPMI configuration:
1. Enter the CLI enable mode:
hostname > enable
2. Display the configuration. For example:
hostname # show ipmi interface
IPMI LAN Settings
----------------------------------------
Admin Shut Down    : no
Shut Down          : no
IP Address Source  : Static Address
IP Address         : 192.168.42.27
Subnet Mask        : 0.0.0.0
Default Gateway IP : 0.0.0.0
In this example the address source is static but the subnet mask and default gateway are
still 0.0.0.0, so the configuration is incomplete; set them with ipmi lan netmask and
ipmi lan defgw before relying on the IPMI interface.
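The following Python script is an added example, not part of the FireEye guide or product. It parses the output of show ipmi interface (a constructed copy of the sample above, with the same field names) and reports a static configuration that is incomplete or risky: an unset netmask or gateway, a gateway outside the configured subnet, or a BMC address on a non-private range. The private-range rule is the example's own policy check, not something the appliance enforces.

```python
"""Check 'show ipmi interface' output for an incomplete or risky static setup.
Added example; not FireEye code. The sample output is constructed."""
import ipaddress

# Constructed copy of the sample output shown above: a static address whose
# netmask and default gateway were never set.
SAMPLE_OUTPUT = """\
IPMI LAN Settings
----------------------------------------
Admin Shut Down    : no
Shut Down          : no
IP Address Source  : Static Address
IP Address         : 192.168.42.27
Subnet Mask        : 0.0.0.0
Default Gateway IP : 0.0.0.0
"""


def parse_ipmi_settings(text):
    """Turn the 'key : value' lines into a dict, skipping the title and rule lines."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit_ipmi_settings(settings):
    """Return a list of findings; an empty list means the static setup is usable."""
    findings = []
    if "yes" in (settings.get("Admin Shut Down"), settings.get("Shut Down")):
        findings.append("IPMI LAN interface is shut down")
    if not settings.get("IP Address Source", "").lower().startswith("static"):
        return findings  # DHCP: the lease supplies the mask and gateway
    addr = settings.get("IP Address", "0.0.0.0")
    mask = settings.get("Subnet Mask", "0.0.0.0")
    gateway = settings.get("Default Gateway IP", "0.0.0.0")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return findings + [f"IP address {addr!r} is not a valid address"]
    if ip.is_unspecified:
        return findings + ["static source selected but no address set (ipmi lan ipaddr <ip>)"]
    # The BMC should sit on an isolated management network, never on a routable one.
    # This is the example's own policy check, not an appliance rule.
    if not ip.is_private:
        findings.append(f"IPMI address {addr} is not in a private range")
    if mask == "0.0.0.0":
        findings.append("netmask is 0.0.0.0; set it with: ipmi lan netmask <mask>")
    if gateway == "0.0.0.0":
        findings.append("default gateway is 0.0.0.0; set it with: ipmi lan defgw <ip>")
    if mask != "0.0.0.0" and gateway != "0.0.0.0":
        try:
            network = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if ipaddress.ip_address(gateway) not in network:
                findings.append(f"default gateway {gateway} is not inside {network}")
        except ValueError as exc:
            findings.append(f"cannot validate netmask/gateway: {exc}")
    return findings


if __name__ == "__main__":
    for finding in audit_ipmi_settings(parse_ipmi_settings(SAMPLE_OUTPUT)) or ["ok"]:
        print(finding)
```

Run it against the text you paste from the appliance CLI; on the sample above it reports the missing netmask and gateway, and once both are set it checks that the gateway actually lies inside the resulting subnet.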
To revert to the default configuration:
1. Enter the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Revert to the default configuration:
hostname (config) # ipmi lan ipsrc static
3. Save your changes:
hostname (config) # write memory
It is important to use the latest IPMI firmware available for your system. For details, see
Updating the IPMI Firmware on page 62.
CHAPTER 3: User Interfaces
Before you begin to set up the appliance on your network, you should first take the time to
familiarize yourself with the basic user interfaces.
There are four user interfaces available on the appliance:
• Web UI—A Web based UI used to configure and manage the appliance. For details, see:
  • The Web UI below
  • The Dashboard on page 29
• CLI—A Command Line Interface used to configure and manage the appliance. For
  details, see The Command Line Interface on page 29.
• LCD Display—The LCD display and associated controls can be used to initially set up
  the appliance. It can also be used to check system status and make certain configuration
  changes. For details, see The LCD Display on page 30.
• IPMI Interface—The IPMI Interface allows you to access the appliance and perform
  recovery activities in the event that it becomes unresponsive. For details, see The
  IPMI Interface on page 33.
The Web UI

The appliance Web UI uses HTTPS to provide a secure connection for configuring the
appliance. The Web UI functions you have access to depend on the privileges granted by your
role.
You access the Web UI by directing a Web browser to the management port's IP address or
hostname using HTTPS. The IP address and hostname are set during the initial configuration of
the appliance. The hostname must be resolved by a DNS server if you use it to access the Web
UI.
Browser Support
Use one of the following browsers on the computer from which you plan to access the Web UI:
• Internet Explorer 9.0 or higher on current versions of Windows
• Firefox 15 or higher on current versions of Windows and Mac
• Google Chrome 13.0 or higher on current versions of Windows and Mac
Screen Resolution Requirements
The Web UI supports the following screen resolutions:
• 1152 x 864 pixels
• 1280 x 800 pixels
• 1280 x 1024 pixels
• 1360 x 768 pixels
• 1366 x 768 pixels
• 1440 x 900 pixels
• 1600 x 900 pixels
• 1680 x 1050 pixels
• 1920 x 1080 pixels
• 1920 x 1200 pixels
Logging in to the Web UI
The user name for the default administrator is admin. The default password (admin) must
be changed to a password of 8 to 32 characters before this user can log in to the Web UI
and create other users. If this has not been done, see Initial Appliance Configuration
for instructions.
To log in to the Web UI:
1. Open a Web browser and enter https://appliance in the address line, where appliance is
the IP address or hostname of the appliance. For example, if the configured IP address of
the appliance is 10.1.0.1, enter https://10.1.0.1.
2. On the login page, enter the user name and password your administrator provided.
NX Series Web UI Tabs
This section describes the NX Series Web UI tabs.
• Dashboard—Shows a high-level view of the threat intelligence gathered by the NX Series
  appliance. Within many panels on the Dashboard, you can click blue buttons and text links
  to drill down to critical threat information affecting your network.
• Alerts—Provides expandable levels of detailed information about the hosts that are
  infected in the network, callback activity (botnet servers), and malware attacks.
• IPS Events—Displays all IPS events and IPS alerts (MVX-correlated IPS events)
  detected by the IPS-enabled appliance.
• Summaries—Displays summaries of observed infections, malware, charts, and Web
  analysis priorities.
• Filters—Allows you to filter events based on source and target IP addresses, date, and
  occurrence range. These filters allow you to simplify the event listing by showing only the
  events of interest on the Alerts and Summaries pages.
• Settings—Provides options for configuring the appliance.
• Reports—Allows you to generate or schedule consolidated executive summary reports,
  callback server reports, infected host trends reports, alert details reports, and malware
  activity reports.
• About—Network administration information and controls:
  • Health Check—Displays appliance and system health information.
  • Deployment Check—Provides network connectivity, detection verification, and
    network deployment checks.
  • Log Manager—Allows you to create, download, upload, and delete log archives.
  • Update—Allows you to view and update security content, software image, and
    guest images versions.
PDF Generation
Some Web UI pages, such as those that display analysis results, have a Print PDF button at the
top right side of the page that allows you to save the content of the page to PDF so it can be
printed or saved. Only the content that is visible on the page is included in the PDF output. For
example, if an item on the page is not expanded, the details about that item are not displayed and
will not be included in the PDF output. Depending on your Web browser settings, the generated
PDF opens in the Web browser or is downloaded to your computer.
The amount of time needed to generate the PDF depends on the current load on the system. By
default, the system will try to generate the PDF using Standard Processing Time, the fastest
way possible. If the PDF generation times out, you can try again using other options by clicking
the arrow on the button and then selecting Extra Processing Time or Heavy Processing
Time, where Heavy Processing Time takes the longest.
The Dashboard
The Dashboard page of the NX Series Web UI provides a high-level view of the threat
intelligence gathered by appliance. Within many panels on the Dashboard, you can click blue
buttons and text links to drill down to critical threat information affecting your network.
For details about the Dashboard, see the NX Series Threat Management Guide.
The Command Line Interface

The appliance includes a standard command-line interface (CLI) that can be used to configure,
manage, and monitor the appliance.
To log into the CLI using a terminal window or SSH client:
1. Using the SSH protocol, log in to the appliance using the management interface’s
IP address or hostname.
$ ssh username@ipAddress | hostName
2. When prompted, enter your password.
Password: password
The hostname > prompt is displayed after you are logged in.
The LCD Display

An LCD panel is available on the front of most appliance models. You can perform the initial
configuration of the appliance using the LCD panel, as described in Configuring Initial
Settings Using the LCD Panel on page 19. You can use the LCD panel to perform other basic
configuration tasks as well.
Navigating the LCD Menus
The following illustration of the LCD panel shows how to use the navigation buttons to
configure settings. For details about the menus, see LCD Panel Menus on the next page.
On some models, you need to remove the front panel to access the LCD panel navigation
buttons.
To remove the front panel:
1. Unscrew the front panel to unlatch it.
2. Remove the front panel.
LCD Panel Menus
The LCD panel has four menus: Network Menu below, Config Options Menu on the facing
page, LCD Menu on page 32, and Restart Options Menu on page 33.
See Navigating the LCD Menus on the previous page for information about
moving through the menus and selecting options.
Network Menu
The following table provides information about the Network menu.
Prompt            Description

Hostname          Hostname for the appliance.

DHCP enabled      Enter "yes" to use DHCP on the ether1 (management interface) port. Enter "no"
                  to manually configure your IP address and network settings.

Static IP address This prompt is available if DHCP is disabled. Enter the IP address for the
                  ether1 (management interface) port.

Netmask           This prompt is available if DHCP is disabled. Enter the network mask.

Default gateway   This prompt is available if DHCP is disabled. Enter the gateway IP address for
                  the management interface.

Primary DNS       This prompt is available if DHCP is disabled. Enter the primary DNS server
                  IP address.

Domain name       This prompt is available if DHCP is disabled. Enter the domain name for the
                  management interface; for example, it.acme.com

IPv6 enabled      Enter "yes" to enable the IPv6 protocol, which changes the network IP routing
                  from IPv4 to IPv6.

SLAAC enabled     This prompt is available if IPv6 is enabled. Enter "yes" to enable IPv6
                  autoconfig on the ether1 (management interface) port.

Admin net login   Enter "yes" to enable the administrator to log in to the appliance remotely.
                  Enter "no" to disable remote access.
Config Options Menu
The following table provides information about the Config Options menu.
Prompt                     Description

Save settings              Saves changes made during a session so they will persist after a
                           reboot.

Revert to factory defaults Reverts the appliance to its factory default settings, which include
                           the user name and password, and network configuration information.

Reset admin password       Resets the admin password for accessing the appliance itself. (This
                           does not set the password for accessing the LCD panel.) The new
                           password is randomly generated and shown on the LCD. When you have
                           memorized it, press a button to move to the next prompt or menu. You
                           can change to a password of your choice using the appliance CLI or
                           Web UI after the basic configuration is complete.
LCD Menu
The following table provides information about the LCDmenu.
Prompt      Description

Password    Sets a password for LCD panel access. (This does not set the password for
            accessing the appliance.)

Brightness  Sets the LCD panel's level of brightness from 0 to 9, with 9 being the brightest.

Contrast    Sets the LCD panel's level of contrast between the background and text from 0 to
            9, with 9 being the highest contrast.
Restart Options Menu
The following table provides information about the Restart Options menu.
Prompt Description
Reboot system Restarts the system.
Halt system Brings the system down to its lowest state while remaining on.
Next boot loc Specifies disk partition (1 or 2) to boot from during the next reboot.
The IPMI Interface

The FireEye Intelligent Platform Management Interface (IPMI) allows you to perform the
following tasks remotely from a Web browser:
• Cycle the power on your appliance when it is unresponsive.
  The IPMI is active even if the appliance was powered down from the appliance
  CLI or from the power button on the front panel, as long as the main power is on.
• Reset the server.
• Access the serial console when the management interface is unavailable or unresponsive.
• Check the status of server sensors.
The IPMI interface uses a network connection to the IPMI port of the appliance and is accessed
through a secure Web browser session. (The standard IPMI interface allows connections using
third-party tools such as Supermicro's IPMIView; however, such external tool access to the
appliance's IPMI interface is disabled.) Because the IPMI port gives power control and console
access independently of the management interface, connect it only to an isolated management
network.
The IPMI remote control cannot perform a graceful power down of the appliance.
To log in to the IPMI interface:
1. Open a Web browser and navigate to the IP address that was configured for the IPMI
interface.
The IPMI interface requires an HTTPS connection.
2. Log in to the IPMI Web UI using ADMIN as the username and the password that was
configured for the IPMI user.
See Configuring the IPMI Interface on page 24 for configuration information.
To cycle power or reset the server:
1. Click Remote Control and then Power Control.
2. Select the option you need and then click Perform Action.
To access the serial console:
Use the IPMI Web UI to access the serial console only during a power or system reset
or when the system is not otherwise responding on the management interface.
1. Click Remote Control and then Console Redirection.
2. Click Launch Console.
You might be prompted to install a Java program to launch the console, which could
require changes to your Java security settings. If your security policy does not allow this,
and if your appliance uses a recent IPMI firmware version, you can instead open ports on
the firewall. To view the installed and available firmware versions, click System and then
System Information, or follow the instructions in Updating the IPMI Firmware on
page 62.
To check the status of server sensors:
1. Click Server Health and then Sensor Readings.
2. Click options at the bottom of the page as needed.
CHAPTER 4: Operational Mode Configuration
After deploying the NX Series appliance in your network, you need to configure the system to
operate accordingly.
You can configure your system for each of the deployment types below from either the Web UI
or the CLI.
Inline
• Configuring Inline Mode Using the Web UI below
• Configuring Inline Mode Using the CLI on page 38
Inline Proxy
• Configuring Inline Proxy Mode Using the Web UI on page 40
• Configuring Inline Proxy Mode Using the CLI on page 43
Inline with Multiple Proxies
• Configuring Inline Multi-Proxy Mode Using the Web UI on page 46
• Configuring Inline Multi-Proxy Mode Using the CLI on page 50
Test Access Point (TAP)
• Configuring TAP Mode Using the Web UI on page 54
• Configuring TAP Mode Using the CLI on page 55
Switch Port Analyzer (SPAN)
• Configuring Port Mirroring (SPAN) Mode Using the Web UI on page 56
• Configuring Port Mirroring (SPAN) Mode Using the CLI on page 58
Configuring Inline Mode Using the Web UI

Use the Settings: Interfaces - Operational Modes page to configure inline mode.
In inline mode, you can configure the appliance with one or two network port pairs. The
following example shows one network port pair.
The following example shows two network port pairs.
Operational modes for inline deployment are described in the following table.
Mode     Description

Block    Blocks malicious traffic (recommended).
         • FS Open—In case of failure, all traffic passes through (recommended).
         • FS Close—In case of failure, all traffic is blocked. (Use this setting only if
           the device is actively monitored.)

Monitor  Monitors the traffic and generates alerts on malicious events.

Bypass   Forced bypass wherein the NX Series appliance neither blocks nor analyzes traffic.
For details about inline deployment, refer to the FireEye Hardware Administration Guide for your
appliance model.
Prerequisites
l Operator or Admin access
To configure inline mode:
1. Click the Settings tab.
2. Click Inline Operational Modes on the sidebar.
3. Select a blocking option for each available port pair. (Inline Block FS Open is
recommended).
4. Click Update: Operational Modes.
Configuring Inline Mode Using the CLI

Use the CLI commands in this topic to set the following options to configure inline blocking
mode.

Setting           Description

Operational Mode  The inline deployment has three operational modes. It is highly
                  recommended that you set your appliance to inline blocking mode.
                  If you set the operational mode to block traffic, input
                  a fail-safe setting (block open or block close).
                  • block—Blocks malicious traffic (recommended).
                    • open—In case of failure, all traffic passes through (recommended).
                    • close—In case of failure, all traffic is blocked. (Use this setting
                      only if the device is actively monitored.)
                  • monitor—Monitors the traffic and generates alerts on malicious events.
                  • bypass—Forced bypass wherein the NX Series appliance neither blocks nor
                    analyzes traffic.

Policy Type       The following policy types are supported:
                  • mixed—Applies both local and global policies, and the local policy
                    overrides the global policy (recommended).
                  • global—Applies the FireEye-defined global policy to the specified
                    interface.
                  • local—Applies the user-defined local policy to the specified interface.
                  • none—Does not apply any policy.
For details about inline deployment, refer to the Hardware Administration Guide for your appliance
model.
Prerequisites
l Operator or Admin access
To configure inline mode:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Configure pair A (interfaces A1 and A2) in inline block mode. Enter the policymgr
interface command.
hostname (config) # policymgr interface A op-mode block fail-safe open policy-type mixed
hostname (config) # policymgr interface A re-configure
3. Save your changes:
hostname (config) # write memory
4. (Optional) Configure pair B (interfaces B1 and B2) in inline block mode. Enter the
policymgr interface command.
hostname (config) # policymgr interface B op-mode block fail-safe open policy-type mixed
hostname (config) # policymgr interface B re-configure
5. Save your changes:
hostname (config) # write memory
6. Check your configuration. Enter the show policymgr interfaces command.
hostname (config) # show policymgr interfaces
Policy enabled: yes
Interface A
Active : yes
op mode : block (blocking)
fail-safe: open
policy : mixed
tolerance: 1
Ports : pether3 pether4
Interface B
Active : yes
op mode : block (blocking)
fail-safe: open
policy : mixed
tolerance: 1
Ports : pether5 pether6
Configuring Inline Proxy Mode Using the Web UI

Inline proxy deployment requires two network port pairs. This can be accomplished using an
NX Series appliance with two port pairs, or one port pair from each of two NX Series appliances.
For details about inline proxy deployment, refer to the Hardware Administration Guide for your
appliance model.
Prerequisites
l Operator or Admin access
Configuring Inline Proxy Mode With One NX Series Appliance
Use the Settings: Interfaces - Operational Modes page for inline proxy mode to configure a
deployment with one NX Series appliance with two network port pairs. Interface A connects the
LAN-facing switch or router (A1) to the proxy server (A2). Interface B connects the LAN-facing
switch or router (B1) to the Internet-facing switch or router (B2).
Operational modes for inline deployment are described in the following table.
Mode     Description

Block    Blocks malicious traffic (recommended).
         • FS Open—In case of failure, all traffic passes through (recommended).
         • FS Close—In case of failure, all traffic is blocked. (Use this setting only if
           the device is actively monitored.)

Monitor  Monitors the traffic and generates alerts on malicious events.

Bypass   Forced bypass wherein the NX Series appliance neither blocks nor analyzes traffic.
Use the Settings: Interfaces - Whitelists page for inline whitelists to configure interface A2 to
allow incoming traffic from the proxy server to pass through unblocked.
To configure interface A and interface B:
1. Click the Settings tab.
2. Click Inline Operational Modes on the sidebar.
3. Select a blocking option for pair A and pair B. (Inline Block FS Open is recommended).
4. Click Update: Operational Modes.
5. Select Inline Whitelists on the sidebar. Enter the information for the proxy server and
then click Add Whitelist.
Configuring Inline Proxy Mode With Two NX Series Appliances
Use the Settings: Interfaces - Operational Modes page for inline proxy mode to configure a
deployment with two NX Series appliances with one network port pair each. NX Appliance1
connects to the proxy offline, and NX Appliance2 is between a LAN-facing switch or router and
an Internet-facing switch or router.
Operational modes for inline deployment are described in the following table.
Mode     Description

Block    Blocks malicious traffic (recommended).
         • FS Open—In case of failure, all traffic passes through (recommended).
         • FS Close—In case of failure, all traffic is blocked. (Use this setting only if
           the device is actively monitored.)

Monitor  Monitors the traffic and generates alerts on malicious events.

Bypass   Forced bypass wherein the NX Series appliance neither blocks nor analyzes traffic.
Use the Settings: Interfaces - Whitelists page for inline whitelists to configure interface A2 to
allow incoming traffic from the proxy server to pass through unblocked.
To configure NX Appliance1:
1. Click the Settings tab.
2. Click Inline Operational Modes on the sidebar.
3. Select a blocking option for pair A. (Inline Block FS Open is recommended).
4. Click Update: Operational Modes.
5. Select Inline Whitelists on the sidebar. Enter the information for the proxy server and
then click Add Whitelist.
To configure NX Appliance2:
1. Click the Settings tab.
2. Click Inline Operational Modes on the sidebar.
3. Select a blocking option for pair A. (Inline Block FS Open is recommended).
4. Click Update: Operational Modes.
Configuring Inline Proxy Mode Using the CLI

Inline proxy deployment requires two network port pairs. This can be accomplished using an
NX Series appliance with two port pairs, or one port pair from each of two NX Series appliances.
Use the CLI commands in this topic to set the following options to configure inline blocking
mode for a proxy deployment.
Setting           Description

Operational Mode  The inline deployment has three operational modes. It is highly
                  recommended that you set your appliance to inline blocking mode.
                  If you set the operational mode to block traffic, input
                  a fail-safe setting (block open or block close).
                  • block—Blocks malicious traffic (recommended).
                    • open—In case of failure, all traffic passes through (recommended).
                    • close—In case of failure, all traffic is blocked. (Use this setting
                      only if the device is actively monitored.)
                  • monitor—Monitors the traffic and generates alerts on malicious events.
                  • bypass—Forced bypass wherein the NX Series appliance neither blocks nor
                    analyzes traffic.

Policy Type       The following policy types are supported:
                  • mixed—Applies both local and global policies, and the local policy
                    overrides the global policy (recommended).
                  • global—Applies the FireEye-defined global policy to the specified
                    interface.
                  • local—Applies the user-defined local policy to the specified interface.
                  • none—Does not apply any policy.
For details about inline proxy deployment, refer to the Hardware Administration Guide for your
appliance model.
Prerequisites
l Operator or Admin access
Configuring Inline Proxy Mode With One NX Series Appliance
Use the CLI commands in this topic to configure deployment with one NX Series appliance with
two network port pairs. Interface A connects the LAN-facing switch or router (A1) to the proxy
server (A2). Interface B connects the LAN-facing switch or router (B1) to the Internet-facing
switch or router (B2).
To configure interface A and interface B:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Configure pair A (interfaces A1 and A2) and pair B (B1 and B2) in inline block mode.
Enter the policymgr interface command.
hostname (config) # policymgr interface A op-mode block fail-safe open policy-type mixed
hostname (config) # policymgr interface A re-configure
hostname (config) # policymgr interface B op-mode block fail-safe open policy-type mixed
hostname (config) # policymgr interface B re-configure
3. Save your changes:
hostname (config) # write memory
4. Configure interface A2 to allow incoming traffic from the proxy server to pass through
unblocked. Enter the policymgr network host command.
hostname (config) # policymgr network host Proxy_IP_address interface A2 allow
where Proxy_IP_address is the IP address of the proxy server and A2 is the interface that
faces the proxy server.
5. Save your changes:
hostname (config) # write memory
6. Check your configuration. Enter the show policymgr interfaces command.
hostname (config) # show policymgr interfaces
Policy enabled: yes
Interface A
Active : yes
op mode : block (blocking)
fail-safe: open
policy : mixed
tolerance: 1
Ports : pether3 pether4
Interface B
Active : yes
op mode : block (blocking)
fail-safe: open
policy : mixed
tolerance: 1
Ports : pether5 pether6
Configuring Inline Proxy Mode With Two NX Series Appliances
Use the CLI commands in this topic to configure a deployment with two NX Series appliances,
each with one network port pair. NX Appliance1 connects to the proxy offline, and
NX Appliance2 is between a LAN-facing switch or router and an Internet-facing switch or
router.
To configure NX Appliance1:
1. Enable the CLI configuration mode:
hostname1 > enable
hostname1 # configure terminal
2. Configure your NX Appliance1. Enter the policymgr interface command to configure
pair A (interfaces A1 and A2) in inline block mode.
hostname1 (config) # policymgr interface A op-mode block fail-safe open policy-type mixed
hostname1 (config) # policymgr interface A re-configure
3. Save your changes:
hostname1 (config) # write memory
4. Configure interface A2 to allow incoming traffic from the proxy server to pass through
unblocked. Enter the policymgr network host command.
hostname1 (config) # policymgr network host Proxy_IP_address interface A2 allow
where Proxy_IP_address is the IP address of the proxy server and A2 is the interface that
faces the proxy server.
5. Save your changes:
hostname1 (config) # write memory
6. Check your configuration. Enter the show policymgr interfaces command.
hostname1 (config) # show policymgr interfaces
Policy enabled: yes
Interface A
Active : yes
op mode : block (blocking)
fail-safe: open
policy : mixed
tolerance: 1
Ports : pether3 pether4
To configure NX Appliance2:
1. Enable the CLI configuration mode:
hostname2 > enable
hostname2 # configure terminal
2. Configure pair A (interfaces A1 and A2) in inline block mode. Enter the policymgr
interface command.
hostname2 (config) # policymgr interface A op-mode block fail-safe open policy-type mixed
hostname2 (config) # policymgr interface A re-configure
3. Save your changes:
hostname2 (config) # write memory
4. Check your configuration. Enter the show policymgr interfaces command.
hostname2 (config) # show policymgr interfaces
Policy enabled: yes
Interface A
Active : yes
op mode : block (blocking)
fail-safe: open
policy : mixed
tolerance: 1
Ports : pether3 pether4
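The show policymgr interfaces output in this procedure, in the one-appliance proxy procedure above, and in the inline-mode CLI procedure earlier in this chapter is what you read to confirm that every pair is in block mode with fail-safe open and the mixed policy. The following Python script is an added example, not FireEye code: it parses that output into a structure and reports any pair that deviates from the recommended posture (monitor, bypass, fail-safe close, a non-mixed policy, an inactive pair, or the policy engine disabled). The sample output is constructed in the layout shown on this page; the "(monitoring)" suffix on a monitor-mode pair is an assumption, and the parser also accepts the fields run together on one line, as they are printed at the page breaks in this guide.

```python
"""Audit 'show policymgr interfaces' output against the recommended inline
posture (op mode block, fail-safe open, policy mixed).
Added example; not FireEye code. The sample output is constructed."""
import re

# Constructed sample in the layout of the show command output on this page.
# Pair B is left in monitor mode so the check has something to flag; the
# "(monitoring)" suffix is assumed, not copied from an appliance.
SAMPLE_OUTPUT = """\
Policy enabled: yes
Interface A
Active : yes
op mode : block (blocking)
fail-safe: open
policy : mixed
tolerance: 1
Ports : pether3 pether4
Interface B
Active : yes
op mode : monitor (monitoring)
fail-safe: open
policy : mixed
tolerance: 1
Ports : pether5 pether6
"""

FIELDS = ("Active", "op mode", "fail-safe", "policy", "tolerance", "Ports")
_NAMES = "|".join(re.escape(f) for f in FIELDS)
# One 'name : value' pair. The value runs until the next field name or the end of the
# interface block, so fields may sit on separate lines or run together on one line.
FIELD_RE = re.compile(r"(%s)\s*:\s*(.*?)(?=\s+(?:%s)\s*:|\Z)" % (_NAMES, _NAMES), re.S)


def parse_policymgr_interfaces(text):
    """Return (policy_enabled, {interface_name: settings}) from the command output."""
    m = re.search(r"Policy enabled:\s*(\S+)", text)
    enabled = m.group(1).lower() == "yes" if m else None
    interfaces = {}
    # re.split yields [header, name1, body1, name2, body2, ...]
    chunks = re.split(r"^Interface\s+(\S+)\s*", text, flags=re.M)
    for name, body in zip(chunks[1::2], chunks[2::2]):
        fields = {k: " ".join(v.split()) for k, v in FIELD_RE.findall(body)}
        op_mode = fields.get("op mode", "")
        tolerance = fields.get("tolerance", "")
        interfaces[name] = {
            "active": fields.get("Active", "").lower() == "yes",
            "op_mode": op_mode.split()[0].lower() if op_mode else "",
            "fail_safe": fields.get("fail-safe", "").lower(),
            "policy": fields.get("policy", "").lower(),
            "tolerance": int(tolerance) if tolerance.isdigit() else None,
            "ports": fields.get("Ports", "").split(),
        }
    return enabled, interfaces


def check_inline_posture(enabled, interfaces):
    """Return findings for anything that departs from block / fail-safe open / mixed."""
    findings = []
    if enabled is False:
        findings.append("policy engine disabled: no interface pair will block")
    if not interfaces:
        findings.append("no interface pairs found in output")
    for name, cfg in sorted(interfaces.items()):
        if not cfg["active"]:
            findings.append(f"interface {name}: not active")
        if cfg["op_mode"] == "bypass":
            findings.append(f"interface {name}: forced bypass, traffic is neither analyzed nor blocked")
        elif cfg["op_mode"] != "block":
            findings.append(f"interface {name}: op mode is '{cfg['op_mode'] or 'unknown'}', not block")
        elif cfg["fail_safe"] == "close":
            findings.append(f"interface {name}: fail-safe close drops all traffic on failure; "
                            "use only if the device is actively monitored")
        if cfg["policy"] != "mixed":
            findings.append(f"interface {name}: policy is '{cfg['policy'] or 'none'}', recommended is mixed")
        if len(cfg["ports"]) != 2:
            findings.append(f"interface {name}: expected two physical ports, saw {cfg['ports']}")
    return findings


if __name__ == "__main__":
    enabled, interfaces = parse_policymgr_interfaces(SAMPLE_OUTPUT)
    for finding in check_inline_posture(enabled, interfaces) or ["all pairs match the recommended posture"]:
        print(finding)
```

Paste the output of show policymgr interfaces from each appliance into the script (or read it over SSH with the login shown in Chapter 3) and run the check after every re-configure; on the sample it flags only pair B, which is still in monitor mode.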
Configuring Inline Multi-Proxy Mode Using the Web UI

Inline multi-proxy deployment requires two network port pairs. This can be accomplished using
an NX Series appliance with two port pairs, or one port pair from each of two NX Series
appliances.
For details about inline deployment with multiple proxy servers, refer to the Hardware
Administration Guide for your appliance model.
Prerequisites
l Operator or Admin access
Configuring Inline Multi-Proxy Mode With One NX Series Appliance
Use the Settings: Interfaces - Operational Modes page for inline multi-proxy mode to
configure a deployment with one NX Series appliance with two network port pairs. Interface A
connects the LAN-facing switch or router (A1) to the proxy server (A2). Interface B connects
the LAN-facing switch or router (B1) to the Internet-facing switch or router (B2). Additional
NX Series appliances connect to one or more additional proxy servers.
Operational modes for inline deployment are described in the following table.
Mode     Description

Block    Blocks malicious traffic (recommended).
         • FS Open—In case of failure, all traffic passes through (recommended).
         • FS Close—In case of failure, all traffic is blocked. (Use this setting only if
           the device is actively monitored.)

Monitor  Monitors the traffic and generates alerts on malicious events.

Bypass   Forced bypass wherein the NX Series appliance neither blocks nor analyzes traffic.
Use the Settings: Interfaces - Whitelists page for inline whitelists to configure interface A2 to
allow incoming traffic from the proxy server to pass through unblocked.
To configure interface A and interface B on NX Appliance1:
1. Click the Settings tab.
2. Click Inline Operational Modes on the sidebar.
3. Select a blocking option for pair A and pair B. (Inline Block FS Open is recommended).
4. Click Update: Operational Modes.
5. Select Inline Whitelists on the sidebar. Enter the information for the proxy server and
then click Add Whitelist.
To configure NX Appliance2 - NX Appliance n to connect to one or more proxy servers:
1. Click the Settings tab.
2. Click Inline Operational Modes on the sidebar.
3. Select a blocking option for pair A and pair B. (Inline Block FS Open is recommended).
4. Click Update: Operational Modes.
5. Select Inline Whitelists on the sidebar. Enter the information for the proxy server and
then click Add Whitelist.
6. Repeat Steps 1–5 on each additional NX Series appliance.
Configuring Inline Multi-Proxy Mode With Two NX Series Appliances
Use the Settings: Interfaces - Operational Modes page for inline multi-proxy mode to
configure deployment with two NX Series appliances with one network port pair each.
NX Appliance1 is inline between a LAN-facing switch or router and an Internet-facing switch or
router. The NX Series appliances NX Appliance2—NX Appliance n connect to multiple proxy
servers offline.
Operational modes for inline deployment are described in the following table.
Mode     Description
Block    Blocks malicious traffic (recommended).
         - FS Open—In case of failure, all traffic passes through (recommended).
         - FS Close—In case of failure, all traffic is blocked. (Use this setting only if
           the device is actively monitored.)
Monitor  Monitors the traffic and generates alerts on malicious events.
Bypass   Forced bypass wherein the NX appliance neither blocks nor analyzes traffic.
For each appliance connected to a proxy server, use the Settings: Interfaces - Whitelists page
to configure interface A2 to allow incoming traffic from the proxy server to pass through
unblocked.
To configure NX Appliance1:
1. Click the Settings tab.
2. Click Inline Operational Modes on the sidebar.
3. Select a blocking option for pair A. (Inline Block FS Open is recommended).
4. Click Update: Operational Modes.
5. Select Inline Whitelists on the sidebar. Enter the information for the proxy server and
then click Add Whitelist.
To configure NX Appliance2 - NX Appliance n to connect to one or more proxy servers:
1. Click the Settings tab.
2. Click Inline Operational Modes on the sidebar.
3. Select a blocking option for pair A. (Inline Block FS Open is recommended).
4. Click Update: Operational Modes.
5. Select Inline Whitelists on the sidebar. Enter the information for the proxy server and
then click Add Whitelist.
6. Repeat Steps 1—5 on each additional NX Series appliance.
Configuring Inline Multi-Proxy Mode Using the CLI
Inline multi-proxy deployment requires two network port pairs. This can be accomplished using
an NX Series appliance with two port pairs, or one port pair from each of two NX Series
appliances.
Use the CLI commands in these topics to configure inline blocking mode for an inline
deployment with multiple proxies.
Setting           Description
Operational Mode  Inline deployment has three operational modes. It is highly
                  recommended that you set your appliance to inline blocking mode.
                  If you set the operational mode to block traffic, input a fail-safe
                  setting (block open or block close).
                  - block—Blocks malicious traffic (recommended).
                  - open—In case of failure, all traffic passes through (recommended).
                  - close—In case of failure, all traffic is blocked. (Use this setting
                    only if the device is actively monitored.)
                  - monitor—Monitors the traffic and generates alerts on malicious events.
                  - bypass—Forced bypass wherein the NX Series appliance neither blocks
                    nor analyzes traffic.
Policy Type       The following policy types are supported:
                  - mixed—Applies both local and global policies, and the local policy
                    overrides the global policy (recommended).
                  - global—Applies FireEye-defined global policy to the specified interface.
                  - local—Applies user-defined local policy to the specified interface.
                  - none—Does not apply any policy. No policy is used.
For details about inline deployment with multiple proxy servers, refer to the Hardware
Administration Guide for your appliance model.
Prerequisites
- Operator or Admin access
Configuring Inline Multi-Proxy Mode With One NX Series Appliance
Use the CLI commands in this topic to configure NX Series appliances with multiple network
port pairs. Interface A connects the LAN-facing switch or router (A1) to the proxy server (A2).
Interface B connects the LAN-facing switch or router (B1) to the Internet-facing switch or
router (B2). Additional NX Series appliances connect to one or more additional proxy servers.
To configure interface A and interface B on NX Appliance1:
1. Enable the CLI configuration mode:
hostname1 > enable
hostname1 # configure terminal
2. Configure pair A (interfaces A1 and A2) and pair B (B1 and B2) in inline block mode.
Enter the policymgr interface command.
hostname1 (config) # policymgr interface A op-mode block fail-safe open policy-type mixed
hostname1 (config) # policymgr interface A re-configure
hostname1 (config) # policymgr interface B op-mode block fail-safe open policy-type mixed
hostname1 (config) # policymgr interface B re-configure
3. Save your changes:
hostname1 (config) # write memory
4. Configure interface A2 to allow incoming traffic from the proxy server to pass through
unblocked. Enter the policymgr network host command.
hostname1 (config) # policymgr network host Proxy_IP_address interface A2 allow
where A2 is the interface connected to the proxy server and Proxy_IP_address is the IP
address of the proxy server.
5. Save your changes:
hostname1 (config) # write memory
To configure NX Appliance2 - NX Appliance n to connect to one or more proxy servers:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Configure appliances NX Appliance2 -NX Appliance n. Enter the policymgr interface
command to configure pair A (interfaces A1 and A2) in inline blocking mode on each
appliance:
hostname (config) # policymgr interface A op-mode block fail-safe open policy-type mixed
hostname (config) # policymgr interface A re-configure
3. Save your changes:
hostname (config) # write memory
4. Configure interface A2 to allow incoming traffic from the proxy server to pass through
unblocked on each appliance connected to a proxy server. Enter the policymgr network
host command.
hostname (config) # policymgr network host Proxy_IP_address interface A2 allow
where A2 is the interface connected to the proxy server and Proxy_IP_address is the IP
address of the proxy server.
5. Save your changes:
hostname (config) # write memory
6. Check your configuration. Enter the show policymgr interfaces command.
hostname (config) # show policymgr interfaces
Policy enabled: yes
Interface A
Active : yes
op mode : block (blocking)
fail-safe: open
policy : mixed
tolerance: 1
Ports : pether3 pether4
Interface B
Active : yes
op mode : block (blocking)
fail-safe: open
policy : mixed
tolerance: 1
Ports : pether5 pether6
Configuring Inline Multi-Proxy Mode With Two NX Series Appliances
Use the CLI commands in this topic to configure deployment with two NX Series appliances
with one network port pair each. NX Appliance1 is inline between a LAN-facing switch or router
and an Internet-facing switch or router. NX Appliance2—NX Appliance n connect to multiple
proxy servers offline.
To configure NX Appliance1:
1. Enable the CLI configuration mode:
hostname1 > enable
hostname1 # configure terminal
2. Configure pair A (interfaces A1 and A2) in inline block mode. Enter the policymgr
interface command.
hostname1 (config) # policymgr interface A op-mode block fail-safe open policy-type mixed
hostname1 (config) # policymgr interface A re-configure
3. Save your changes:
hostname1 (config) # write memory
4. Check your configuration. Enter the show policymgr interfaces command.
hostname1 (config) # show policymgr interfaces
Policy enabled: yes
Interface A
Active : yes
op mode : block (blocking)
fail-safe: open
policy : mixed
tolerance: 1
Ports : pether3 pether4
To configure NX Appliance2 - NX Appliance n to connect to one or more proxy servers:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Configure appliances NX Appliance2—NX Appliance n. Enter the policymgr interface
command to configure pair A (interfaces A1 and A2) in inline block mode.
hostname (config) # policymgr interface A op-mode block fail-safe open policy-type mixed
hostname (config) # policymgr interface A re-configure
3. Save your changes:
hostname (config) # write memory
4. Configure interface A2 to allow incoming traffic from the proxy server to pass through
unblocked on each appliance connected to a proxy server. Enter the policymgr network
host command.
hostname (config) # policymgr network host Proxy_IP_address interface A2 allow
where A2 is the interface connected to the proxy server and Proxy_IP_address is the IP
address of the proxy server.
5. Save your changes:
hostname (config) # write memory
6. Check your configuration. Enter the show policymgr interfaces command.
hostname (config) # show policymgr interfaces
Policy enabled: yes
Interface A
Active : yes
op mode : block (blocking)
fail-safe: open
policy : mixed
tolerance: 1
Ports : pether3 pether4
Configuring TAP Mode Using the Web UI
Use the Settings: Interfaces - Operational Modes page to configure Test Access Point (TAP)
mode.
In TAP mode, you can configure the appliance with one or two network port pairs. The
following example shows one network port pair.
The following example shows two network port pairs.
For details about TAP deployment, refer to the FireEye Hardware Administration Guide for your
appliance model.
Prerequisites
- Operator or Admin access
To configure TAP mode:
1. Click the Settings tab.
2. Click Inline Operational Modes on the sidebar.
3. Select the TAP operational mode for all available port pairs.
4. Click Update: Operational Modes.
Configuring TAP Mode Using the CLI
Use the CLI commands in this topic to set the following options to configure the appliance for
Test Access Point (TAP) mode.
Setting           Description
Operational Mode  Select TAP mode to configure for TAP or SPAN deployments.
                  - tap—Monitors malicious traffic.
Policy Type       The following policy types are supported:
                  - mixed—Applies both local and global policies, and the local policy
                    overrides the global policy (recommended).
                  - global—Applies FireEye-defined global policy to the specified interface.
                  - local—Applies user-defined local policy to the specified interface.
                  - none—Does not apply any policy. No policy is used.
For details about TAP deployment, refer to the FireEye Hardware Administration Guide for your
appliance model.
Prerequisites
- Operator or Admin access
To configure TAP mode:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Configure pair A (interfaces A1 and A2) in TAP mode. Enter the policymgr interface
command.
hostname (config) # policymgr interface A op-mode tap policy-type mixed
hostname (config) # policymgr interface A re-configure
3. Save your changes:
hostname (config) # write memory
4. Check your configuration. Enter the show policymgr interfaces command.
hostname (config) # show policymgr interfaces
Policy enabled: yes
Interface A
Active : yes
op mode : tap (tapping)
fail-safe: open
policy : mixed
tolerance: 1
Ports : pether3 pether4
Configuring Port Mirroring (SPAN) Mode Using the Web UI
Use the Settings: Interfaces - Operational Modes page to configure port mirroring (SPAN)
mode.
In port mirroring (SPAN) mode, you can configure the appliance with one or two network port
pairs. The following example shows one network port pair.
The following example shows two network port pairs.
Prerequisites
- Operator or Admin access
To configure port mirroring (SPAN) mode:
1. Click the Settings tab.
2. Click Inline Operational Modes on the sidebar.
3. Select the TAP operational mode for all available port pairs.
4. Click Update: Operational Modes.
Configuring Port Mirroring (SPAN) Mode Using the CLI
Use the CLI commands in this topic to set the following options to configure the appliance for
port mirroring (SPAN) mode.
Setting           Description
Operational Mode  Select TAP mode to configure for TAP or SPAN deployments.
                  - tap—Monitors malicious traffic.
Policy Type       The following policy types are supported:
                  - mixed—Applies both local and global policies, and the local policy
                    overrides the global policy (recommended).
                  - global—Applies FireEye-defined global policy to the specified interface.
                  - local—Applies user-defined local policy to the specified interface.
                  - none—Does not apply any policy. No policy is used.
For details about port mirroring (SPAN) deployment, refer to Hardware Administration Guide for
your appliance model.
Prerequisites
- Operator or Admin access
To configure port mirroring (SPAN) mode:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Configure pair A (interfaces A1 and A2) in TAP mode. Enter the policymgr interface
command.
hostname (config) # policymgr interface A op-mode tap policy-type mixed
hostname (config) # policymgr interface A re-configure
3. Save your changes:
hostname (config) # write memory
4. Check your configuration. Enter the show policymgr interfaces command.
hostname (config) # show policymgr interfaces
Policy enabled: yes
Interface A
Active : yes
op mode : tap (tapping)
fail-safe: open
policy : mixed
tolerance: 1
Ports : pether3 pether4
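The "check your configuration" step that closes each of the CLI procedures above can be scripted. The following Python helper is an added example, not FireEye code: it parses the show policymgr interfaces output in the layout shown above (a constructed sample is embedded) and reports every interface that is not in the recommended inline state (block, fail-safe open, mixed policy), or not in tap mode for TAP and SPAN deployments.

```python
import re

# Constructed sample of "show policymgr interfaces" output in the layout the
# procedures above show. Interface A is in the recommended state; Interface B
# is deliberately left in forced bypass so the audit has something to report.
SAMPLE_OUTPUT = """\
Policy enabled: yes
Interface A
Active : yes
op mode : block (blocking)
fail-safe: open
policy : mixed
tolerance: 1
Ports : pether3 pether4
Interface B
Active : yes
op mode : bypass (bypassing)
fail-safe: open
policy : none
tolerance: 1
Ports : pether5 pether6
"""

# Operational modes the guide documents for an interface.
KNOWN_MODES = {"block", "monitor", "bypass", "tap"}


def parse_policymgr(text):
    """Parse the CLI output into {"policy_enabled": bool, "interfaces": {name: {key: value}}}."""
    result = {"policy_enabled": False, "interfaces": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"^Interface\s+(\S+)$", line)
        if header:
            current = result["interfaces"].setdefault(header.group(1), {})
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue                      # not a "key : value" line
        key, value = key.strip().lower(), value.strip()
        if key == "policy enabled":
            result["policy_enabled"] = value.lower() == "yes"
        elif current is not None:
            if key == "op mode":
                value = value.split()[0].lower()   # "block (blocking)" -> "block"
            elif key == "ports":
                value = value.split()              # "pether3 pether4" -> list
            current[key] = value
    return result


def audit_interfaces(parsed, expected_mode="block"):
    """Return a list of (interface, finding) tuples; an empty list means the
    configuration matches the recommended settings for `expected_mode`."""
    findings = []
    if not parsed["policy_enabled"]:
        findings.append(("*", "policy is not enabled; no interface is enforcing anything"))
    for name, iface in parsed["interfaces"].items():
        mode = iface.get("op mode")
        if iface.get("active", "").lower() != "yes":
            findings.append((name, "interface is not active"))
        if mode not in KNOWN_MODES:
            findings.append((name, f"unrecognised op mode {mode!r}"))
        elif mode != expected_mode:
            findings.append((name, f"op mode is {mode}, expected {expected_mode}"))
        if mode == "bypass":
            findings.append((name, "forced bypass: traffic is neither analyzed nor blocked"))
        if mode == "block" and iface.get("fail-safe") == "close":
            findings.append((name, "fail-safe close: a failure blocks all traffic; "
                                   "acceptable only if the device is actively monitored"))
        if iface.get("policy") == "none":
            findings.append((name, "no policy applied to this interface"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_interfaces(parse_policymgr(SAMPLE_OUTPUT)):
        print(f"[{iface}] {finding}")
```

Pass expected_mode="tap" when auditing the TAP and SPAN procedures, whose expected output reads "op mode : tap (tapping)".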
CHAPTER 5: Network Administration
This section covers the following topics:
- Basic Network Configuration below
- Updating the IPMI Firmware on page 62
- IP Filtering on page 64
For information about connecting to, configuring, and troubleshooting FireEye as a
Service, see the FireEye as a Service Quick Start Guide.
Basic Network Configuration
Basic network settings (IP address, subnet mask, and default gateway) for the appliance
management interface, and the Domain Name Service (DNS) server addresses, can be defined
manually or obtained automatically from a Dynamic Host Configuration Protocol (DHCP) server
installed in your network.
Field                 Description
DHCP                  Specifies whether DHCP is enabled or disabled on the management interface.
Subnet Mask           Specifies the network portion of the IP address. For example, 255.255.255.0
                      indicates that the first 24 bits of the IP address are used for the network
                      portion of the address.
IP Address            Specifies the IP address of the management interface.
Default Gateway       Specifies the IP address of the default router.
Primary DNS Server    IP address of the primary DNS server used to translate the domain name into
                      an IP address for routing.
Secondary DNS Server  IP address of the secondary DNS server. The secondary DNS server is used
                      when the primary server is unavailable.
Domain Name           The portion of the network address that identifies the domain to which the
                      appliance belongs.
Hostname              The hostname of the appliance.
Prerequisites
- Operator or Admin access
Configuring Basic Network Settings Using the Web UI
Use the Settings: Network page to configure basic network settings.
To view and configure network settings:
1. Click the Settings tab.
2. Select Network on the side bar.
3. To change the DNS configuration, enter the IP addresses of the primary and secondary
DNS servers and click Apply. The secondary DNS server is used when the primary server
is unavailable.
4. To add a domain name, enter the domain and click Add Domain Name. To delete a
domain name from the list, select the appropriate checkbox and click Remove Selected
Domain Name.
5. To assign a hostname for the appliance, enter the name in the Configure Hostname field
and click Apply.
Configuring Basic Network Settings Using the CLI
Use the commands in this topic to configure the network settings manually.
To configure basic network settings:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. To disable DHCP for the interface:
hostname (config) # no interface ether1 dhcp
If you use DHCP and there is no network connection for the management
interface, do the following:
1. Restore the network connection.
2. Disable DHCP.
3. Enable DHCP.
3. Set the interface IP address and network mask. For example:
hostname (config) # interface ether1 ip address 1.1.1.1 255.240.0.0
4. Specify the default gateway. For example:
hostname (config) # ip default-gateway 1.1.1.2 ether1
5. Specify a DNS server. For example:
hostname (config) # ip name-server 10.10.20.5
6. Save your changes:
hostname (config) # write memory
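A pre-flight check for steps 2 to 5, as an added example that is not part of this guide: it validates the subnet mask, confirms that the default gateway lies inside the management subnet, and emits the CLI lines above from checked values. The addresses 1.1.1.1, 255.240.0.0, 1.1.1.2 and 10.10.20.5 are the guide's own examples; ether1 as the management interface is taken from step 2.

```python
import ipaddress


def mask_to_prefix(mask):
    """Convert a dotted subnet mask to a prefix length, rejecting non-contiguous
    masks. 255.255.255.0 -> 24: the first 24 bits are the network portion."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    # A valid mask is `prefix` one-bits followed only by zero-bits.
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask {mask}")
    return prefix


def plan_mgmt_interface(ip, mask, gateway, dns_servers, iface="ether1"):
    """Validate static management settings and return the CLI lines from the
    procedure above (configuration mode is assumed to be entered already).
    Raises ValueError when the settings cannot work together."""
    prefix = mask_to_prefix(mask)
    network = ipaddress.IPv4Interface(f"{ip}/{prefix}").network
    gw = ipaddress.IPv4Address(gateway)
    if gw not in network:
        raise ValueError(f"gateway {gateway} is outside {network}; it would be unreachable")
    if gw == ipaddress.IPv4Address(ip):
        raise ValueError("gateway must not be the interface's own address")
    if gw in (network.network_address, network.broadcast_address):
        raise ValueError(f"gateway {gateway} is the network or broadcast address")
    cmds = [
        f"no interface {iface} dhcp",                      # step 2: static addressing
        f"interface {iface} ip address {ip} {mask}",       # step 3
        f"ip default-gateway {gateway} {iface}",           # step 4
    ]
    # step 5: one name-server line per DNS server, validated as an IPv4 address
    cmds += [f"ip name-server {ipaddress.IPv4Address(d)}" for d in dns_servers]
    cmds.append("write memory")                            # step 6
    return cmds


if __name__ == "__main__":
    # The guide's example values: 1.1.1.1/255.240.0.0 with gateway 1.1.1.2
    for line in plan_mgmt_interface("1.1.1.1", "255.240.0.0", "1.1.1.2", ["10.10.20.5"]):
        print(f"hostname (config) # {line}")
```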
Updating the IPMI Firmware
New Intelligent Platform Management Interface (IPMI) firmware is packaged with the appliance
software image, but is not automatically installed when you upgrade to a new appliance release. It
is important to update the IPMI firmware to ensure that you are using the latest, most secure
version.
By default, if the IPMI interface has been configured with an IP address, you are notified when a
newer version is available. The notice is displayed when you log in to the CLI and when you
view the Version Information section on the About > FireEye System Information page in
the Web UI. If you prefer, you can disable the notification from appearing again. For details, see
Disabling IPMI Firmware Notifications on page 64.
Updating the IPMI firmware reverts all settings to factory defaults, including the IPMI
username and password, network configuration, and event logs. Before starting the
update, gather all information you will need to reconfigure IPMI.
The IPMI Web UI will be unavailable during the IPMI firmware update.
The IPMI firmware type is specific to the appliance model, so it is possible that not all
appliances will get an IPMI firmware update in the same FireEye release.
Prerequisites
- Admin access
Updating the IPMI Firmware Using the CLI
Use the commands in this section to update the IPMI firmware, and to disable the new firmware
availability notices.
Updating the Firmware
To update the IPMI firmware:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Update the IPMI firmware:
hostname (config) # ipmi firmware update latest
The update progress and final update status is displayed.
3. Verify the update. For example:
hostname (config) # show ipmi version
IPMI Firmware Installed
----------------------------
Firmware Version: 2.67
Device: 1
IPMI Version: 2.0

IPMI Firmware Available For Update
--------------------------------------------------
Update Version: 2.67
Update Filename: FireEye_V267.bin
Update Notice: Firmware is up to date for this release.
If the update fails, enter the ipmi firmware update latest command again.
4. Save your changes:
hostname (config) # write memory
Disabling IPMI Firmware Notifications
To disable notifications about out-of-date firmware:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Disable notifications:
hostname (config) # no ipmi firmware update notice enable
3. Save your changes:
hostname (config) # write memory
To re-enable notifications about out-of-date firmware:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Enable notifications:
hostname (config) # ipmi firmware update notice enable
3. Save your changes:
hostname (config) # write memory
IP Filtering
The IP Filtering feature allows you to manage IP filter rules to filter IP packets entering and
leaving an appliance on its management interfaces. IP filtering supports IPv4 and IPv6, by
separate but largely identical sets of CLI commands. See the FireEye CLI Reference for more
information about the CLI commands for IP filtering.
IP filtering is disabled by default for both IPv4 and IPv6. However, some appliances may have
IP filtering enabled by existing components on the system which will still be visible in the show
ip filter command output.
Enabling IPv6 filtering has no effect unless IPv6 is enabled.
When you use IP filtering, interfaces can be grouped into three sets:
1. Management interfaces: ether*. IP filtering rules apply to these interfaces. Some
appliances, such as the NX Series appliance, have one management interface, ether1. On
the CM Series platform and HX and HXD Series appliances, there are multiple management
interfaces, named ether1, ether2, and so on.
If an interface is not specified for a rule, the default is "ether+," which in IP filtering
matches any interface beginning with "ether".
2. Data ports: pether* . These interfaces cannot have IP filtering rules.
3. Other interfaces: lo, tun0 (if a VPN is enabled). These interfaces may have IP filtering
rules installed automatically by the system. You cannot configure the rules for these
interfaces.
When you view a list of IP filtering rules using the show ip filter or show ipv6 filter command,
rules added for management interfaces as described above and rules added automatically by the
system are listed together, in the order in which they are applied. If you are on the VPN, you
should use the show ipv6 filter command, which displays detailed information about the firewall
rules. The show ipv6 filter configured command, described below, does not include this
information.
Rules that are manually configured are shown with numbers in the left column, which correspond
to the rule numbers visible in show ip filter configured and show ipv6 filter configured
command output. Rules that are added automatically by the system do not have numbers.
The default filter configuration for the INPUT and OUTPUT chains is an ACCEPT rule with a
DROP policy for all traffic on all interfaces whose names begin with "ether". The default
configuration for the FORWARD chain is simply a DROP policy with no rules, since appliances do
not forward packets. Enabling IP filtering has no effect on your network's function until you
create new IP filter rules.
When IP filtering is enabled, one additional rule is added automatically by the system after all
configured rules. This rule is to ACCEPT all inbound and outbound traffic on the loopback 'lo'
interface. The system requires the loopback interface to work for internal purposes.
When you enable FireEye as a Service, IP filters are automatically enabled. See the
FireEye as a Service Quick Start Guide for details.
This feature will affect integration with third-party services. Exercise caution and
common sense when adding IP filtering rules. If rules are set improperly, it may cause
problems such as dropping all traffic. For example, adding DROP rules on the OUTPUT
chain for ether1 or ether+ could interfere with remote syslog; or adding DROP rules on
the INPUT chain could interfere with external access to system services such as SNMP.
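To test a planned rule set against the caution above before applying it, the following Python model (an added example; neither the appliance's ip filter implementation nor its CLI syntax) reproduces the chain semantics just described: rules are evaluated in order and the first match decides, the chain policy applies when nothing matches, "ether+" matches interface names by prefix, and the system-added lo ACCEPT rule sits after all configured rules. It assumes the default ACCEPT rule is the first configured rule; the sample packets are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    target: str                      # "ACCEPT" or "DROP"
    iface: str = "ether+"            # exact name, or prefix when it ends in "+"
    proto: Optional[str] = None      # "tcp", "udp" or None for any protocol
    dport: Optional[int] = None      # destination port, or None for any port
    origin: str = "configured"       # "configured" (numbered) or "system" (unnumbered)

    def matches(self, pkt):
        if self.iface.endswith("+"):
            if not pkt["iface"].startswith(self.iface[:-1]):
                return False
        elif pkt["iface"] != self.iface:
            return False
        if self.proto and pkt.get("proto") != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


@dataclass
class Chain:
    policy: str = "DROP"
    configured: list = field(default_factory=list)   # rules you add, in order
    system: list = field(default_factory=list)       # rules the system appends

    def verdict(self, pkt):
        # Configured rules first, then system rules, then the chain policy.
        for rule in self.configured + self.system:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def default_filter_enabled():
    """Chains as the text describes them once IP filtering is enabled:
    INPUT/OUTPUT accept ether+ and (system rule) lo, FORWARD has no rules."""
    chains = {name: Chain() for name in ("INPUT", "OUTPUT", "FORWARD")}
    for name in ("INPUT", "OUTPUT"):
        chains[name].configured.append(Rule("ACCEPT", "ether+"))
        chains[name].system.append(Rule("ACCEPT", "lo", origin="system"))
    return chains


# Constructed sample traffic covering the services the caution above names.
SAMPLES = {
    "remote_syslog_out": {"chain": "OUTPUT",  "iface": "ether1", "proto": "udp", "dport": 514},
    "snmp_in":           {"chain": "INPUT",   "iface": "ether1", "proto": "udp", "dport": 161},
    "loopback":          {"chain": "INPUT",   "iface": "lo",     "proto": "tcp", "dport": 443},
    "forwarded":         {"chain": "FORWARD", "iface": "ether1", "proto": "tcp", "dport": 80},
}


def evaluate(chains, samples=SAMPLES):
    """Verdict for every sample packet under the given chains."""
    return {name: chains[pkt["chain"]].verdict(pkt) for name, pkt in samples.items()}


def impact_of(rule, position=0, chain="OUTPUT"):
    """Verdicts after inserting `rule` into `chain` at `position` among the
    configured rules (0 = ahead of the default ACCEPT)."""
    chains = default_filter_enabled()
    chains[chain].configured.insert(position, rule)
    return evaluate(chains)


if __name__ == "__main__":
    print("defaults:", evaluate(default_filter_enabled()))
    print("DROP udp/514 on ether+ ahead of ACCEPT:", impact_of(Rule("DROP", "ether+", "udp", 514)))
```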
Prerequisites
- Operator or Admin access to configure IP filtering
- Monitor, Operator, or Admin access to view IP filtering
Enabling IP Filtering Using the CLI
To enable IP filtering, use one of the following commands:
- ip filter enable
- ipv6 filter enable
The default rules do not place any restrictions on incoming and outgoing packets on
ether* interfaces. You may add rules using the CLI. Use caution to not block access to
needed network services.
IP filtering is automatically enabled when you connect to FireEye as a Service, described
in the FireEye as a Service Quick Start Guide.
To view the active rules:
1. Enter the CLI enable mode:
hostname > enable
2. View the rules:
hostname # show ip filter
hostname # show ipv6 filter
CHAPTER 6: The DTI Network
Introduction
The FireEye Dynamic Threat Intelligence (DTI) network (cloud) provides subscriber platforms
with the latest intelligence on advanced cyber attacks and malware callback destinations. This
enables FireEye products to proactively recognize new threats and block attacks. The DTI cloud
is also used to enable automatic software updates. Finally, a connection to the DTI cloud is
required to utilize the license update feature.
Threat Intelligence
The FireEye DTI cloud interconnects FireEye platforms deployed within customer networks,
technology partner networks, and service provider networks around the world. The FireEye DTI
cloud serves as a global distribution hub to efficiently share automatically generated threat
intelligence such as new malware profiles, vulnerability exploits, and obfuscation tactics, as well
as new threat findings from the FireEye APT Discovery Center and verified third-party security
feeds. By leveraging the FireEye DTI cloud, the FireEye Threat Prevention Platform is more
efficient at detecting unknown zero-day, highly targeted attacks used in cybercrime, cyber
espionage, and cyber reconnaissance as well as known malware.
A subscription to the FireEye DTI cloud service is required before you can use the
features described in this section.
When the DTI cloud receives threat intelligence from customers and partners from around the
world, this information is analyzed and distributed to all customers with a DTI cloud
subscription. The information includes:
- New malware profiles
- Vulnerability exploits
- Obfuscation tactics
- New threat findings from the FireEye Labs and verified third-party security feeds
Each customer controls what information is shared with and received from the DTI cloud.
Automatic License Updates
The license update feature enables appliances to automatically download the appropriate licenses
from the DTI cloud and install them. This feature provides the following benefits:
- Minimal initial configuration—The license update feature is enabled with the configuration
jump-start wizard during the initial configuration. This means the feature can be fully
functional after the jump-start wizard is completed.
- Simplified license management—There is never a need to contact FireEye for license keys
when new features are added or when licenses are renewed, because the new licenses are
automatically downloaded and installed.
- Scalability—Organizations, such as those with a large number of appliances, can benefit
from having all of them being updated automatically, instead of entering license keys
manually on each appliance, one at a time.
For more information on automatic license activation, see Automatic License Updates.
System Health Monitoring and Software Updates
When connected to the DTI cloud, the appliance regularly provides system and diagnostic
information to the DTI cloud. This information is then analyzed to ensure that the appliance is
operating as expected.
The system and diagnostics checks include the following:
- Software Version
- Guest Image Profiles
- System Processes
- Hardware State
- Network State
If problems are found, the customer is alerted. If a new software or guest image is available,
administrators can choose to download and update these software packages on the appliance.
No customer-specific proprietary information is included in this system and diagnostic
information exchange.
DTI Network Communication
To communicate with the DTI network, the appliance needs the following information:
- DTI server URL
- DTI network username
- DTI network user password
This information is pre-configured on new appliances. For older appliances, the information was
supplied in the box containing your appliance or otherwise provided by FireEye. The
DTI network is enabled during the initial appliance configuration if default values are accepted,
as described in Initial Configuration on page 17.
There are three DTI server settings:
- Download—The source for software updates (guest images, security content, and
appliance images).
- Upload—The destination for system statistics.
- Malware Intelligence Lab (MIL)—The destination for malware detection and callback
intelligence.
The default DTI download source for a standalone appliance is a content delivery network
(CDN) server; for a managed appliance, it is the CM Series platform server. You can select
another DTI source for a standalone appliance, and you can override the managed appliance
DTI source on individual appliances. The upload and MIL settings are not configurable. See
Changing the Active DTI Source on page 79 for details.
If you have a large number of appliances in your network, you might prefer to use the
same username and password on all of them. For more information, see Configuring
DTI Credentials on page 86.
Validating DTI Access
Before using the features associated with the DTI network, you must establish communication
between the appliance and the DTI network. Use the following procedures to verify this
communication.
Prerequisites
- Operator or Admin access
- Appliance access to the DTI network
Validating DTI Access Using the Web UI
Use the Appliance Update page to validate DTI cloud communication.
To validate the DTI access:
1. Click the About tab.
2. Click the Update button in the upper right side.
3. For Source, select DTI or CMS.
4. On the Security Content row, click the Check Configuration icon.
5. Click the information triangle and review the Security Content Status.
If the Security Content Status Check has failed, confirm that the DTI network user name
and password are correct. If your security content does not need to be updated, you will
see “No new security update available.”
Validating DTI Access Using the CLI
Use the CLI commands in this topic to validate DTI cloud communication.
To validate DTI access:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Check the status of the DTI service:
hostname (config) # show fenet status
Dynamic Threat Intelligence Service:
Update source : online
Enabled : yes
Address : cloud.fireeye.com
Username : DTIUser
HTTP Proxy:
Address :
Username :
User-agent :
Request Session:
Timeout : 30
Retries : 3
Speed Time : 60
Max Time : 14400
Rate Limit :
Dynamic Threat Intelligence Lockdown:
Enabled : no
Locked : no
Lock After : 5 failed attempts
UPDATES
Enabled Notify Scheduled Last Updated At
------- ------ -------------- ---------------
Security contents: yes yes daily 2014/07/13 12:30:01
Stats contents : yes none 2014/07/15 21:36:00
3. Confirm the following information:
- DTI Service: Enabled
- DTI Service Address: cloud.fireeye.com
- DTI Service Username: User name provided with DTI subscription license
- Update source: online
Updating Security Content
You can also manually update security content with DTI Update Portal. See the DTI
Offline Update Portal User’s Guide for more information.
When you validate DTI access, the system checks for new security content. If new content is
available, you can download the latest malware threat intelligence from the DTI cloud to your
appliance.
For more information on validating DTI access, see Validating DTI Access on page 70.
Prerequisites
• Operator or Admin access
Updating Security Content Using the Web UI
Use the Update page to update security content.
To update security content:
1. Click the About tab.
2. Click the Update button in the upper left side.
3. For Source, select DTI.
4. On the Security Content row, click the information triangle.
5. Click Refresh.
6. If new content is available, click Download.
When the download is finished, the appliance automatically updates the security content.
Updating Security Content Using the CLI
Use the CLI commands in this topic to update security content.
To update security content:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Download and install the latest security content:
hostname (config) # fenet security-content apply-update
Operation initiated in the background.
Run 'show fenet security-content status [progress]' for status
3. Review the download status:
hostname (config) # show fenet security-content status
DTI Security Content Status Information:
Dynamic Threat Intelligence Service
  Update source       : online
  Update channel      : cloud
  Enabled             : yes
  Address             : cloud.fireeye.com
  Username            : DTIUser
  SC acceptance level : stable
  SC type connected   : yes
Online Analysis Service:
  Service available   : yes
  AV-suite enabled    : yes
Local Security Content Auto-Generate:
  Enabled             : yes
  Infections enable   : yes
  Callbacks enabled   : yes
Security Content Autoupdate
  Enabled             : yes
  Action              : update with upload
  Notify (uploads)    : yes
  Notify (downloads)  : yes
  Scheduled           : daily at 12:30
Security Content Uploads
  Enabled             : yes
  Last Uploaded At    : 2014/06/27 23:52:46
  Status              : apply-info: No new security contents detected on this system
Security Content Updates
  Enabled             : yes
  Last Checked At     : 2014/07/15 23:40:04
  Last Applied At     : 2014/07/13 12:30:01
  Status              : fetch-done: New security-content available
Security Content Version: 341.209
4. Save your changes:
hostname (config) # write memory
Configuring Automatic Security Updates
The Security Content Settings specify how often the DTI network server and the appliance share
security content.
Prerequisites
• Admin access
Configuring Automatic Security Content Updates Using the Web UI
Use the Settings: DTI Network page to configure automatic security content updates.
To configure automatic security content updates:
1. Click the Settings tab.
2. Click DTI Network on the sidebar.
3. Click Security Contents.
4. (Optional) To receive email notification of each security content update, select the Notify
checkbox.
If you select the Notify checkbox, make sure that you have configured event
notifications. For more information on event notifications, see the Threat
Management Guide for your appliance.
5. Select the update frequency from the Update Frequency drop-down list.
You can select the following update frequencies:
• daily
• hourly
6. Set the update start time in the Time drop-down list.
• If you selected a daily update, set the time, based on a 24-hour clock, when the
update starts.
• If you selected an hourly update, set the minutes after the hour when the update
starts.
7. Click Apply Settings.
Configuring Automatic Security Content Updates Using the CLI
Use the CLI commands in this topic to configure automatic security content updates.
To configure automatic security content updates:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Enable automatic updates of security content:
hostname (config) # fenet security-content autoupdate action update
3. Specify the automatic update time interval:
• To update daily, enter:
fenet security-content autoupdate schedule daily at <hh:mm>
where <hh:mm> specifies the time to start the update based on a 24-hour clock.
• To update hourly, enter:
fenet security-content autoupdate schedule hourly at <mm>
where <mm> is the number of minutes after the hour when the update starts.
• To update after a set number of minutes, enter:
fenet security-content autoupdate schedule every <mm>
where <mm> is the number of minutes between updates.
• To use the default interval, enter:
fenet security-content autoupdate schedule default
4. (Optional) To receive email notification of each security content update, enter the fenet
security-content autoupdate notification enable command. Notifications are disabled
by default. After enabling automatic update notifications, you can specify which kind of
notifications to receive:
• To receive an email notification if the automatic update of security content fails,
enter:
fenet security-content autoupdate notification class fail
This option is the default.
• To receive an email notification when the automatic update of security content succeeds or
fails, enter:
fenet security-content autoupdate notification class info
5. Validate the update configuration:
hostname (config) # show fenet security-content status
DTI Security Content Status Information:
Dynamic Threat Intelligence Service
  Update source       : <online>
  Update channel      : devel
  Enabled             : yes
  Address             : cloud.fireeye.com
  Username            : engtest
  SC acceptance level : stable
  SC type connected   : yes
Online Analysis Service:
  Service available   : yes
  AV-suite enabled    : yes
Local Security Content Auto-Generate:
  Enabled             : yes
  Infections enable   : yes
  Callbacks enabled   : yes
Security Content Autoupdate
  Enabled             : yes
  Action              : update with upload
  Notify (uploads)    : yes
  Notify (downloads)  : yes
  Scheduled           : daily at 12:30
Security Content Uploads
  Enabled             : yes
  Last Uploaded At    : 2014/07/16 12:31:13
  Status              : apply-info: Uploaded new security contents successfully
Security Content Updates
  Enabled             : yes
  Last Checked At     : 2014/07/16 12:30:00
  Last Applied At     : 2014/07/16 12:30:00
  Status              : apply-done: Updates installed successfully
Security Content Version: 341.268
6. Save your changes:
hostname (config) # write memory
Configuring Automatic System Information Updates
The Stats Content settings specify how often the DTI network and the appliance share system
statistical information. No customer-specific proprietary information is exchanged.
Prerequisites
• Admin access
Configuring Automatic System Information Updates Using the Web UI
Use the Settings: DTI Network page to configure automatic system information updates.
To configure automatic system information updates:
1. Click the Settings tab.
2. Click DTI Network on the sidebar.
3. Click Stats Contents.
4. Select the update frequency from the Update Frequency drop-down list.
You can select the following update frequencies:
• default
• none
• daily
• hourly
• monthly
• weekly
5. Set the time interval from the time interval drop-down lists.
6. Click Apply Settings.
Configuring Automatic System Information Updates Using the CLI
Use the CLI commands in this topic to configure automatic system information updates.
To configure automatic system information updates:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Select the information to be collected:
• To collect database information, enter:
hostname (config) # fenet stats-content aggregator db-aggr enable
• To collect log method information, enter:
hostname (config) # fenet stats-content aggregator dmesg-aggr enable
• To collect malware detection information, enter:
hostname (config) # fenet stats-content aggregator pcaps-aggr enable
• To collect runtime system statistics, enter:
hostname (config) # fenet stats-content aggregator rt-stats-aggr enable
3. Set the automatic update schedule:
• To update hourly, enter:
fenet stats-content upload auto hourly at <mm>
where <mm> is the number of minutes within the hour when the update is triggered.
• To update daily, enter:
fenet stats-content upload auto daily at <hh:mm>
where <hh:mm> specifies the time to start the update based on a 24-hour clock.
• To update weekly, enter:
fenet stats-content upload auto weekly on <day>
where <day> is the day of the week the update should occur:
  • sun
  • mon
  • tue
  • wed
  • thu
  • fri
  • sat
• To update monthly, enter:
fenet stats-content upload auto monthly on <dd>
where <dd> is the day of the month the update should occur.
• To disable automatic updates, enter:
fenet stats-content upload auto none
4. Validate the update configuration:
hostname (config) # show fenet stats-content status
DTI Stats Content Status Information:
Dynamic Threat Intelligence Service
  Enabled              : yes
  Address              : fenet1.fireeye.com
  Username             : engtest
Stats Content Uploads
  Enabled              : yes
  Auto Upload Schedule : none (only rt-stats upload every 3 hours)
  Last Uploaded At     : 2014/07/16 21:36:00
  Status               : Uploads done successfully: rt-stats
Stats-content aggregators enabled (schedule):
  db-aggr        no   (default)
  dmesg-aggr     no   (default)
  pcaps-aggr     no   (default)
  rt-stats-aggr  yes  (default)
Stats Aggregators Version: AGVR_00052
Run 'show fenet stats-content aggregator <aggr-name>' for further details.
5. Save your changes:
hostname (config) # write memory
Changing the Active DTI Source
For CM Series-managed appliances, this information pertains only to those appliances
that use the dual-port address type to communicate with the CM Series platform.
Managed appliances using the single-port address type must use the default
CMS DTI source. Appliances running Release 7.6.0 and later use the single-port
address type by default. For details, see Changing the Address Type for
DTI Network Service Requests on page 102.
Software updates (such as guest images, security content, and appliance images) can be
downloaded from the following DTI sources:
• Dynamic Threat Intelligence Network (DTI), the FireEye Dynamic Threat Intelligence
server
• Content Delivery Network (CDN), a content delivery network server
• The CM Series platform (CMS), available only to managed appliances
• A custom DTI source (CUSTOM, if configured). A custom DTI source is used only for
managed appliances in a Network Address Translation (NAT) deployment when the
CM Series platform is in an internal network behind a NAT gateway and the appliance uses
the dual-port address type to communicate with the CM Series platform.
By default, CDN is the DTI source for standalone appliances, and CMS is the global DTI source
for all appliances under the management of a CM Series platform. You can change the DTI
source for a standalone appliance, and you can override the global managed DTI source on
individual appliances.
Reasons for changing the active DTI source include:
• Network address translation. When the CM Series platform is behind a NAT gateway in
a dual-port configuration, an accessible IP address that managed appliances can reach must
be configured as a custom DTI source. For details, see Configuring and Activating an
Accessible DTI Server Address on page 284.
• Faster download speed. A CDN server is typically geographically closer to standalone
appliances than the FireEye DTI server. The CDN server could be closer to managed
appliances than the CM Series platform.
• Security. Your security policies could require you to download the software updates
directly from the FireEye DTI server.
DTI Source Settings
The settings for DTI source servers are described in the following table.
Setting             Description
Source              The server from which to download software updates.
                    For standalone appliances, the available sources are Dynamic Threat
                    Intelligence Network (DTI) and Content Delivery Network (CDN).
                    For managed appliances, the available sources are Dynamic Threat
                    Intelligence Network (DTI), Content Delivery Network (CDN), and CMS.
                    The CUSTOM source is available in the NAT deployment.
Hostname (Address)  The hostname or IP address of the DTI source server.
                    Defaults:
                    DTI: staticcloud.fireeye.com
                    CDN: cloud.fireeye.com and download.fireeye.com
                    CMS: Managing CM Series platform IP address
Port                The source HTTPS port (443 by default).
Username            A user to authenticate access to the DTI source server.
Prerequisites
• Admin access
Changing the Active DTI Source Using the Web UI
Use the Settings: DTI Network page to change the DTI source from which the standalone
appliance downloads software updates.
For information about changing the active DTI source for a managed appliance, see
Overriding the Managed Appliance DTI Source Using the Web UI on page 83.
See DTI Source Settings on the previous page for a description of each source type.
To configure the DTI source:
1. Click the Settings tab.
2. Click DTI Network on the sidebar.
3. In the Content Source list, select the DTI source the appliance will use for software
updates, and then click Apply Settings.
Changing the Active DTI Source Using the CLI
Use the commands in this section to change the DTI source from which a standalone appliance
downloads software updates.
To change the active download source:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. View the current active and available DTI sources:
hostname (config) # show fenet dti configuration
3. Change the active download source:
hostname (config) # fenet dti source default <type>
where <type> is CDN or DTI.
4. Verify your changes:
hostname (config) # show fenet dti configuration
5. Save your changes:
hostname (config) # write memory
Example
In this example, the active download source on a standalone appliance is changed from CDN to
DTI.
hostname (config) # show fenet dti configuration
DTI CLIENT CONFIGURATIONS:
ACTIVE SETTINGS:
  Mode               : online
  Download source    : CDN ([email protected])
  Upload destination : DTI ([email protected])
  Mil service        : DTI ([email protected])
AVAILABLE OPTIONS:
--------------------------------------------------------------
Download   User      Address
--------------------------------------------------------------
CDN        DTIUser   cloud.fireeye.com
DTI        DTIUser   staticcloud.fireeye.com
--------------------------------------------------------------
Upload     User      Address
--------------------------------------------------------------
DTI        DTIUser   up-staticcloud.fireeye.com
--------------------------------------------------------------
MIL        User      Address
--------------------------------------------------------------
DTI        DTIUser   mil-staticcloud.fireeye.com
hostname (config) # fenet dti source default DTI
hostname (config) # show fenet dti configuration
DTI CLIENT CONFIGURATIONS:
ACTIVE SETTINGS:
  Mode               : online
  Download source    : DTI ([email protected])
  Upload destination : DTI ([email protected])
  Mil service        : DTI ([email protected])
.
.
hostname (config) # write memory
Overriding the Managed Appliance DTI Source
All managed appliances use a global DTI source to download software updates. This is "CMS" by
default; an administrator can override this global DTI source for individual appliances.
Prerequisites
• Admin access
Overriding the Managed Appliance DTI Source Using the Web UI
Use the Settings: DTI Network page to override the DTI source specified by the CM Series
platform for a managed appliance.
To override the managed appliance DTI source:
1. Click the Settings tab.
2. Click DTI Network in the sidebar.
3. To use the CM Series platform (CMS) as the DTI source:
a. Select the Obtain Settings from CMS? checkbox. The CM Series settings are
displayed, as shown in the following example.
b. Click Apply Settings.
4. To use another DTI source:
a. Clear the Obtain Settings from CMS? checkbox, if it is selected.
b. In the Content Source list, select Content Delivery Network (CDN) or
Dynamic Threat Intelligence Network (DTI). The settings for the selected
server are displayed.
c. Click Apply Settings.
Overriding the Managed Appliance DTI Source Using the CLI
Use the commands in this topic to override the DTI source specified by the CM Series platform
for a managed appliance.
To change the DTI source:
1. Log in to the CLI.
2. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
3. View the current active and available DTI sources:
hostname > show fenet dti configuration
4. Prevent the CM Series platform from changing this appliance's DTI source address, port,
username, and password:
hostname (config) # no fenet dti source override enable
5. Specify the DTI download server for this appliance:
hostname (config) # fenet dti source default <type>
where <type> is CDN, CMS, or DTI.
6. Validate your changes:
hostname (config) # show fenet dti configuration
7. Save your changes:
hostname (config) # write memory
Example
In this example, CDN overrides the managed appliance DTI source of CMS.
hostname (config) # show fenet dti configuration
DTI CLIENT CONFIGURATIONS:
ACTIVE SETTINGS:
  Mode               : online
  Download source    : CMS ([email protected]) - Managed by CMS
  Upload destination : CMS ([email protected]) - Managed by CMS
  Mil service        : CMS ([email protected]) - Managed by CMS
AVAILABLE OPTIONS:
--------------------------------------------------------------
Download   User      Address
--------------------------------------------------------------
CDN        DTIUser   cloud.fireeye.com
CMS        DTIUser   10.2.0.0
DTI        DTIUser   staticcloud.fireeye.com
--------------------------------------------------------------
Upload     User      Address
--------------------------------------------------------------
CMS        DTIUser   10.2.0.0
DTI        DTIUser   up-staticcloud.fireeye.com
--------------------------------------------------------------
MIL        User      Address
--------------------------------------------------------------
CMS        DTIUser   10.2.0.0
DTI        DTIUser   mil-staticcloud.fireeye.com
hostname (config) # no fenet dti source override enable
hostname (config) # fenet dti source default CDN
hostname (config) # show fenet dti configuration
DTI CLIENT CONFIGURATIONS:
ACTIVE SETTINGS:
  Mode               : online
  Download source    : CDN ([email protected]) - Managed by Appliance
  Upload destination : CMS ([email protected]) - Managed by CMS
  Mil service        : CMS ([email protected]) - Managed by CMS
.
.
Configuring DTI Credentials
You should not change DTI configuration settings, except in the following cases:
• When you need to configure a custom DTI source in a Network Address Translation
(NAT) deployment.
• In a deployment with multiple appliances, in which you want to use the same username
and password for all of them so you do not have to remember multiple credentials.
Prerequisites
• Administrator access
Configuring DTI Credentials Using the CLI
Use the commands in this topic to configure the DTI server user or password.
To configure DTI credentials:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Specify the user and password:
hostname (config) # fenet dti source type <type> username <user> password <password>
where <type> is CDN, DTI, or CMS (for a managed appliance), or CUSTOM (if configured),
and <user> and <password> are the new credentials.
3. Verify your changes:
hostname (config) # show fenet dti configuration
4. Save your changes:
hostname (config) # write memory
CHAPTER 7: CM Series Platform Integration
The connection between an appliance and the CM Series platform can be initiated by either the
appliance or the CM Series platform. By default, a managed appliance uses the CM Series
platform as its source server for software downloads from the DTI network. In this
configuration, both management and DTI network traffic use a single port.
This section includes the following topics:
• Configuring Secure Shell (SSH) Authentication below
• Sending a Management Request to the CM Series Platform on page 98
• Changing the Address Type for DTI Network Service Requests on page 102
If your appliance is managed by the CM Series platform, you should generally avoid
changing shared configuration settings from the appliance Web UI or CLI. If you do so,
the changes could be overwritten by commands and actions issued from the CM Series
platform.
The CM Series platform can send alerts from managed appliances to the HX & HXD
Series appliance only if the HX & HXD Series appliance is running Release 2.6.0 or
later.
See the CM Series Administration Guide for information about accepting a management
request from the appliance. That guide also describes how to initiate the connection
from the CM Series platform.
Configuring Secure Shell (SSH) Authentication
The Secure Shell (SSH) protocol is used for secure communication between the CM Series
platform and the appliances it manages. When the CM Series platform initiates the connection, it
logs in as a remote user on the managed appliance. When the managed appliance initiates the
connection, it logs in as a remote user on the CM Series platform. SSH user authentication verifies
the identity of the remote user attempting the connection.
SSH host authentication verifies the identity of the CM Series platform to the managed appliance
and verifies the identity of the managed appliance to the CM Series platform.
The topics in this section describe how to configure SSH authentication for a client-
initiated connection (where a managed appliance administrator sends a request for
management to the CM Series platform, and a CM Series administrator accepts or rejects
the request). For information about a server-initiated connection (where the CM Series
platform administrator adds an appliance directly from the CM Series Web UI or CLI),
see the CM Series Administration Guide.
User Authentication
The remote user can authenticate using either a password or a public key. After the connection is
established, it is controlled by the configured password or the public key.
Password Authentication
With password authentication, a password is configured for the remote user. This is the initial
authentication type for an appliance that is added to the CM Series platform using the Web UI.
Public Key Authentication
Public key authentication uses a pair of keys—a public key and a private key. With public key
authentication, an SSH-DSA2 or SSH-RSA2 identity is configured for the remote user and is
pushed to the CM Series platform.
Benefits of public key authentication include:
• The private key remains on the appliance and cannot be computed from the public key.
This is an advantage over password authentication, where the password could be cracked.
• If you use password authentication, password change policies can break the connection
between the CM Series platform and the managed appliance. For example, suppose users
on the CM Series platform must change their passwords every 90 days. As an EX Series
administrator, you could be unaware of this policy. After the password for the remote user
changes, the connection to the CM Series platform will be broken until you change the
password on the EX Series appliance. Because password change policies apply only to
password authentication, FireEye recommends using public key authentication for this
connection.
For details, see:
• Creating a Public Key Using the CLI on the facing page
• Configuring User Authentication Using the CLI on page 90
Host-Key Authentication
Host-key authentication can be used to prevent man-in-the-middle attacks, in which another
server poses as the managed appliance or the CM Series platform and intercepts the traffic
between them. When the appliance and the CM Series platform connect the first time using a
client-initiated connection, a key exchange takes place. The CM Series platform sends a copy of
its host key to the appliance, where it is compared to the keys in the appliance's host-keys
database.
If strict host-key checking is enabled, the connection can be established only if the key that is
sent matches an entry in the local host-keys database for the appliance's remote user. If global
host-key checking is enabled, the connection can be established only if the key that is sent
matches an entry in the appliance's global host-keys database.
You can enforce strict host-key checking, global host-key checking, or both.
Host keys are stored in the configuration database, so they are included in the backup
file.
In compliance mode, both strict and global host-key checking is enforced. For details,
see the FIPS 140-2 and Common Criteria Addendum.
For details, see:
• Obtaining a Host Key Using the Web UI on page 92 or Obtaining a Host Key
Using the CLI on page 93
• Importing a Host Key into the Global Host-Keys Database Using the CLI on
page 94
• Enabling Strict and Global Host-Key Checking Using the CLI on page 96
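The strict and global checks described above can be modelled in a few lines. The following Python script is an added example, not FireEye code: it parses host-key strings in the quoted form the CM Series CLI displays ("<ip> ssh-rsa <base64 blob>"), derives the colon-separated MD5 fingerprint of the kind the CLI lists next to each host key, and decides whether a presented key is accepted under strict checking, global checking, both, or neither. The key blobs are constructed from small placeholder numbers (they are not real keys), the address 192.0.2.10 is a documentation-range placeholder, and the function names are the example's own.

```python
"""Model of strict and global host-key checking for a CM Series connection.

Added example (not FireEye code). It parses host-key strings in the quoted
form the CM Series CLI prints ("<ip> ssh-rsa <base64 blob>"), derives the
colon-separated MD5 fingerprint the CLI lists, and applies strict checking
(per-remote-user database), global checking (global database), or both.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH mpint: big-endian magnitude, with a leading 0x00 if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_rsa_host_key(ip: str, e: int, n: int) -> str:
    """Build a constructed '<ip> ssh-rsa <base64>' host-key string.

    Only the wire format is realistic; the numbers passed in below are
    small placeholders, not a real RSA modulus.
    """
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"{ip} ssh-rsa {base64.b64encode(blob).decode('ascii')}"


def fingerprint(host_key: str) -> str:
    """MD5 fingerprint (aa:bb:cc:...) of the decoded key blob."""
    parts = host_key.strip().strip('"').split()
    if len(parts) < 3 or parts[1] != "ssh-rsa":
        raise ValueError("expected '<ip> ssh-rsa <base64 blob>'")
    digest = hashlib.md5(base64.b64decode(parts[2])).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def connection_allowed(presented, user_keys, global_keys, strict, global_check):
    """Decide whether the presented host key passes the enabled checks.

    user_keys   - keys stored for the appliance's remote user (strict check)
    global_keys - the appliance's global host-keys database (global check)
    Every enabled check must match. With neither check enabled any key is
    accepted, so a server presenting its own key in place of the CM Series
    platform's would go unnoticed.
    """
    fp = fingerprint(presented)
    if strict and fp not in {fingerprint(k) for k in user_keys}:
        return False
    if global_check and fp not in {fingerprint(k) for k in global_keys}:
        return False
    return True


# Constructed keys; 192.0.2.10 is a documentation-range placeholder address.
CMS_KEY = make_rsa_host_key("192.0.2.10", 65537, 0xC0FFEE1234567890ABCDEF)
IMPOSTOR_KEY = make_rsa_host_key("192.0.2.10", 65537, 0xBADC0DE987654321)

if __name__ == "__main__":
    print("CM Series fingerprint:", fingerprint(CMS_KEY))
    print("strict, genuine :", connection_allowed(CMS_KEY, [CMS_KEY], [], True, False))
    print("strict, impostor:", connection_allowed(IMPOSTOR_KEY, [CMS_KEY], [], True, False))
```

The comparison is done on the fingerprint of the decoded blob rather than on the raw string, so a key copied with or without the surrounding double quotation marks (both forms appear in the procedures that follow) matches the same stored entry. Compliance mode, as noted above, corresponds to calling the check with both strict and global_check set.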
Prerequisites
• Admin access to configure authentication and create keys
• Monitor, Operator, or Admin access to obtain CM Series host keys
Creating a Public Key Using the CLI
Use the commands in this section to create a new public key for SSH user authentication. You
can use this key instead of the password to authenticate the remote user.
To create a public key:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Create the public key:
hostname (config) # cmc auth <keyType> identity <identityName> generate
where <keyType> can be ssh-dsa2 or ssh-rsa2 and <identityName> is a user-friendly name.
3. Verify your change:
hostname (config) # show cmc auth identities
4. Save your change:
hostname (config) # write memory
To remove a public key:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Remove the public key:
hostname (config) # no cmc auth <keyType> identity <identityName>
3. Verify your change:
hostname (config) # show cmc auth identities
4. Save your change:
hostname (config) # write memory
Example
The following example creates an SSH-DSA2 identity named "admin4" on the NX-04 appliance.
NX-04 (config) # cmc auth ssh-dsa2 identity admin4
NX-04 (config) # show cmc auth identities
DSA2 identity admin4:
  Public Key: ssh-dss AAA3NzaC1kc3MAAACBAJl3PisWNnz/gYLvL4JC7xFMoq3HE89rai7trnJmpxjylArYhfMzaGndFA4qGRZMFzhiz9Jhi/+W1ufIrXLGzakC0lAAAAFQCuMCsMwMGN9zT5w2JCiDt7D6orNwAA...
Configuring User Authentication Using the CLI
Use the commands in this section to configure authentication parameters for the remote user the
managed appliance uses to log in to the CM Series platform to announce itself. This is an existing
user on the CM Series platform.
See the ssh and cmc commands in the FireEye CLI Reference for advanced authentication
options.
To configure password authentication:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Specify the "password" authentication type:
hostname (config) # cmc client server auth authtype password
3. Specify the remote user (the CM Series user) to log in to the appliance:
hostname (config) # cmc client server auth password username <username>
4. Specify the password used to authenticate the remote user:
hostname (config) # cmc client server auth password password <password>
5. Save your changes:
hostname (config) # write memory
To configure SSH-DSA2 authentication:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Specify the SSH-DSA2 authentication type:
hostname (config) # cmc client server auth authtype ssh-dsa2
3. Specify the remote user to log in to the appliance:
hostname (config) # cmc client server auth ssh-dsa2 username <username>
4. Specify the named identity used to authenticate the remote user:
hostname (config) # cmc client server auth ssh-dsa2 identity <identityName>
where <identityName> is the name of an existing identity.
5. Save your changes:
hostname (config) # write memory
To configure SSH-RSA2 authentication:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Specify the SSH-RSA2 authentication type:
hostname (config) # cmc client server auth authtype ssh-rsa2
3. Specify the remote user to log in to the managed appliance:
hostname (config) # cmc client server auth ssh-rsa2 username <username>
4. Specify the named identity used to authenticate the remote user:
hostname (config) # cmc client server auth ssh-rsa2 identity <identityName>
where <identityName> is the name of an existing identity.
5. Save your changes:
hostname (config) # write memory
Example
The following example configures SSH-DSA2 authentication parameters used to log in to the
CM Series platform.
hostname (config) # cmc client server auth authtype ssh-dsa2
hostname (config) # cmc client server auth ssh-dsa2 username cmcadmin3
hostname (config) # cmc client server auth ssh-dsa2 identity admin3
Obtaining a Host Key Using the Web UI
Use the Certificates/Keys page to obtain the host key of the CM Series platform. This is the
key that you will import into the global host-keys database of the managed appliance.
The host-key string may need to be modified in a Network Address Translation (NAT)
deployment. For details, see Configuring Global Host-Key Authentication in a
NAT Deployment on page 295.
To obtain a host key:
1. Log in to the CM Series Web UI.
2. Click the Settings tab.
3. Click Certificates/Keys on the sidebar.
4. Locate the Appliance Public Key string in the Keys section.
5. Copy the string starting with the IP address.
6. Do one of the following:
• Paste the key into the managed appliance CLI, as described in Importing a Host
Key into the Global Host-Keys Database Using the CLI on page 94.
• Paste the key into a text file and save it for later.
Obtaining a Host Key Using the CLI
Use the command in this section to obtain the host key of the CM Series platform. This is the
key that you will import into the global host-keys database of the managed appliance.
You must obtain the RSA v2 key.
The host-key string may need to be modified in Network Address Translation (NAT)
deployments. For details, see Configuring Global Host-Key Authentication in a
NAT Deployment on page 295.
To obtain the host key:
1. Log in to the CM Series CLI.
2. View the keys:
hostname > show ssh server host-keys interface ether1
3. Locate the RSA v2 host key entry.
4. Copy the key string, including the double quotation marks.
5. Do one of the following:
• Paste the key into the managed appliance CLI, as described in Importing a Host
Key into the Global Host-Keys Database Using the CLI on the next page.
• Paste the key into a text file and save it for later.
Example
This example displays the CM Series host keys. The RSA v2 key is highlighted for illustration.
CM-08 > show ssh server host-keys interface ether1
SSH server configuration:
  SSH server enabled: yes
  ...
  Interface listen enabled: yes
  Listen Interfaces:
    Interface: ether1
Host Key Finger Prints and Key Lengths:
  RSA v1 host key: 37:20:5f:af:65:33:e8:62:26:3c:25:d0:1f:2d:8a:54 (2048)
  RSA v2 host key: c7:64:12:8a:71:a6:da:14:3c:05:37:aa:7a:2e:2a:8c (2048)
  DSA v2 host key: 85:59:a8:a1:d8:3e:df:2e:74:fc:6a:be:be:d2:62:32 (1024)
Host Keys:
  RSA v1 host key: "10.11.121.13 2048 65537 27678927235571051433944923436127639420072994239434197952617478790730883193561581892416574428382880076651052317847902037474895252247975570054315595358600142845914848782710493540937857691486699538042052007295602744764036681566020303332538223563825872378195559416466034473245176374751379653304184889304215755398717002961974218227773055287228117309728679472422744200184844597327452806661880313000836518022137675657765205670872217927843062157032172499589577136315879700789083029147987588619557961691104204933846230076323566554605149466931434034062601876531156968025568815192986073498446108395753542572032093143856912019598"
  RSA v2 host key: "10.11.121.13 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZZJLE/ftkUddyNW6KdqEQXjS0PjbtzTn3OB51Qg0fdeQHrJgFHM2/4C9WtDkwuX5jd7gdWnSWYwrXDv657thlyRPIt4Wxjf0bpOolPKAe6shgYq35NxalYDt7Pa/oym51SN/x9dGaaTFOHvvdAf0Gu5E7nv3YjLjmSgdpSp7auHnYsyJ5O+xlYocXtoBq6jOueyxm8qm76IWL007JIJ7ZLgMI8FjZ5gp48r+Hnjrdio2rhKKUP/6B0jpHRxsd8yPxMgJpyz2Dwv9ZIJha67f6sgWYdt4yxfBc9yr7yG3iVWVJcLE+83aY24X7DBUXFnG3AeciDpEqAit2dPF586hJ"
  DSA v2 host key: "10.11.121.13 ssh-dss ..."
Importing a Host Key into the Global Host-Keys Database Using the CLI
Use the commands in this section to import the host key from a CM Series platform into the
appliance global host-keys database. This procedure is required for global host-key
authentication, in which the connection will be allowed only if the host key the CM Series sends
is already in this database.
If you choose to use global host-key authentication, you must explicitly enable the
feature in addition to importing the host key. For details, see Enabling Strict and
Global Host-Key Checking Using the CLI on page 96.
Before you perform this procedure, you must obtain the host key from the CM Series
platform. For CM Series platforms running Release 7.6.0 or later, you can obtain this
key from the CM Series platform Web UI or CLI. For CM Series platforms running an
earlier release, you must obtain this key from the CLI. For details, see Obtaining a
Host Key Using the Web UI on page 92 orObtaining a Host Key Using the CLI
on the previous page.
The host-key string may need to be modified in a Network Address Translation (NAT)
deployment. For details, see Configuring Global Host-Key Authentication in a
NAT Deployment on page 295.
See the ssh commands in the FireEye CLI Reference for advanced authentication options.
To import a host key:
1. Log in to the appliance CLI.
2. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
3. Import the key into the global host-keys database:
hostname (config) # ssh client global known-host "keyString"
The key must start with the CM Series IP address and it must be enclosed in
double quotation marks. If the key starts with the hostname, replace the
hostname with the IP address.
4. Verify your change:
hostname (config) # show ssh server host-keys
5. Save your change:
hostname (config) # write memory
To remove a host key:
1. Log in to the appliance CLI.
2. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
3. Remove the key:
hostname (config) # no ssh client global known-host "keyString"
4. Verify your change:
hostname (config) # show ssh server host-keys
5. Save your change:
hostname (config) # write memory
If you delete a host key that is in use, the connection between the CM Series platform
and the managed appliance is broken.
Example
This example imports the host key from a CM Series platform into the appliance global host-key
database.
hostname (config) # ssh client global known-host "10.11.121.13 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZZJLE/ftkUddyNW6KdqEQXjS0PjbtzTn3OB51Qg0fdeQHrJgFHM2/4C9WtDkwuX5jd7gdWnSWYwrXDv657thlyRPIt4Wxjf0bpOolPKAe6shgYq35NxalYDt7Pa/oym51SN/x9dGaaTFOHvvdAf0Gu5E7nv3YjLjmSgdpSp7auHnYsyJ5O+xlYocXtoBq6jOueyxm8qm76IWL007JIJ7ZLgMI8FjZ5gp48r+Hnjrdio2rhKKUP/6B0jpHRxsd8yPxMgJpyz2Dwv9ZIJha67f6sgWYdt4yxfBc9yr7yG3iVWVJcLE+83aY24X7DBUXFnG3AeciDpEqAit2dPF586hJ"
hostname (config) # show ssh server host-keys
SSH client Strict Hostkey Checking: ask
Minimum protocol version: 2
Cipher list: compatible
Minimum key length: 1024 bits
SSH Global Known Hosts:
  Entry 1:
    Host: 10.11.121.13
    Finger Print: c7:64:12:8a:71:a6:da:14:3c:05:37:aa:7a:2e:2a:8c
    Key Length (bits): 2048
...
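The host-key string you paste into ssh client global known-host is the only thing standing between the managed appliance and a man-in-the-middle CM Series. The following script is an added example (not FireEye code) that checks the string before you import it: it confirms the entry starts with an IPv4 address rather than a hostname, decodes the ssh-rsa wire format (RFC 4253 string and mpint fields) to recover the exponent and key length, and derives the colon-separated MD5 fingerprint in the form the CLI prints, so you can compare it with the RSA v2 fingerprint that show ssh server host-keys reported on the CM Series platform. The key string and printed fingerprint are copied from the example above; the hostname used in the error path is a placeholder, and whether the copied key actually matches the printed fingerprint is computed at run time, not assumed.

```python
"""Validate a CM Series host-key string before importing it as a global known host.

Added example; not FireEye code. Parses the '"<IP> ssh-rsa <base64>"' string that
`show ssh server host-keys` prints, decodes the RFC 4253 ssh-rsa blob, and
computes the MD5 fingerprint in the same colon format the appliance CLI shows.
"""
import base64
import hashlib
import ipaddress
import struct

# RSA v2 host key and fingerprint copied from the CM Series example on this page.
CMS_HOST_KEY = (
    '"10.11.121.13 ssh-rsa '
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDZZJLE/ftkUddyNW6KdqEQXjS0Pjbt"
    "zTn3OB51Qg0fdeQHrJgFHM2/4C9WtDkwuX5jd7gdWnSWYwrXDv657thlyRPI"
    "t4Wxjf0bpOolPKAe6shgYq35NxalYDt7Pa/oym51SN/x9dGaaTFOHvvdAf0G"
    "u5E7nv3YjLjmSgdpSp7auHnYsyJ5O+xlYocXtoBq6jOueyxm8qm76IWL007J"
    "IJ7ZLgMI8FjZ5gp48r+Hnjrdio2rhKKUP/6B0jpHRxsd8yPxMgJpyz2Dwv9Z"
    "IJha67f6sgWYdt4yxfBc9yr7yG3iVWVJcLE+83aY24X7DBUXFnG3AeciDpEq"
    'Ait2dPF586hJ"'
)
CMS_PRINTED_FINGERPRINT = "c7:64:12:8a:71:a6:da:14:3c:05:37:aa:7a:2e:2a:8c"


def _read_string(buf: bytes, pos: int):
    """RFC 4253 'string': 4-byte big-endian length followed by that many bytes."""
    if pos + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack("!I", buf[pos:pos + 4])
    pos += 4
    if pos + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[pos:pos + n], pos + n


def parse_known_host(entry: str, expected_ip: str = None) -> dict:
    """Split '"IP ssh-rsa BASE64"' into its parts and decode the RSA public key."""
    parts = entry.strip().strip('"').split()
    if len(parts) != 3:
        raise ValueError("expected: <IP> <key-type> <base64-key>")
    host, key_type, b64 = parts
    try:
        ip = ipaddress.ip_address(host)      # the CLI requires an IP, not a hostname
    except ValueError:
        raise ValueError(f"entry starts with hostname {host!r}; replace it with the IP")
    if expected_ip and ip != ipaddress.ip_address(expected_ip):
        raise ValueError("IP in key string does not match the CM Series address")
    if key_type != "ssh-rsa":
        raise ValueError("not an RSA v2 host key")
    blob = base64.b64decode(b64, validate=True)
    wire_type, pos = _read_string(blob, 0)   # "ssh-rsa"
    if wire_type != b"ssh-rsa":
        raise ValueError("key blob type does not match the ssh-rsa label")
    e_bytes, pos = _read_string(blob, pos)   # public exponent (mpint)
    n_bytes, pos = _read_string(blob, pos)   # modulus (mpint)
    if pos != len(blob):
        raise ValueError("trailing bytes after modulus")
    return {"ip": str(ip), "type": key_type,
            "e": int.from_bytes(e_bytes, "big"),
            "bits": int.from_bytes(n_bytes, "big").bit_length(),
            "blob": blob}


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the format the appliance CLI prints."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint, handy when cross-checking from a workstation."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def check_host_key(entry: str, printed_fingerprint: str, expected_ip: str = None) -> dict:
    """Parse the key and report whether its MD5 fingerprint matches what the
    CM Series CLI printed. A mismatch means the string was altered in transit
    or the wrong entry was copied; do not import it."""
    key = parse_known_host(entry, expected_ip)
    fp = md5_fingerprint(key["blob"])
    return {**key, "md5": fp, "sha256": sha256_fingerprint(key["blob"]),
            "matches_printed": fp == printed_fingerprint.lower()}


if __name__ == "__main__":
    r = check_host_key(CMS_HOST_KEY, CMS_PRINTED_FINGERPRINT, "10.11.121.13")
    print(f"{r['type']} {r['bits']}-bit, e={r['e']}, md5={r['md5']}")
    print("matches fingerprint printed by CM Series:", r["matches_printed"])
```

Run it on the string you copied from the CM Series before you paste it into the managed appliance; if matches_printed is False, obtain the key again over the console or another trusted path rather than importing it.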
Enabling Strict and Global Host-Key Checking Using the CLI
Use the commands in this section to enable strict host-key checking, global host-key checking,
or both.
l With strict host-key checking, the connection will be allowed only if the local host-keys
database for the managed appliance remote user already has an entry that matches the key
the CM Series platform sends.
l With global host-key checking, the connection will be allowed only if the managed
appliance global host-keys database already has an entry that matches the key the
CM Series platform sends.
When you enable global host-key authentication, any established connections will be
broken until you explicitly add the host key to the global host-keys database. See
Importing a Host Key into the Global Host-Keys Database Using the CLI on
page 94 for instructions.
See the ssh and cmc commands in the FireEye CLI Reference for advanced authentication
options.
To enable strict host-key checking:
1. Log in to the appliance CLI.
2. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
3. Enable strict host-key checking:
hostname (config) # cmc auth ssh host-key strict
4. Verify your changes:
hostname (config) # show cmc auth ssh
5. Save your changes:
hostname (config) # write memory
To enable global host-key checking:
1. Log in to the appliance CLI.
2. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
3. Enable global host-key checking:
hostname (config) # cmc auth ssh host-key global-only
4. Verify your changes:
hostname (config) # show cmc auth ssh
5. Save your changes:
hostname (config) # write memory
To disable strict or global host-key authentication:
1. Log in to the appliance CLI.
2. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
3. Perform the following steps as needed.
l To disable strict host-key checking:
hostname (config) # no cmc auth ssh host-key strict
l To disable global host-key checking:
hostname (config) # no cmc auth ssh host-key global
4. Verify your changes:
hostname (config) # show cmc auth ssh
5. Save your changes:
hostname (config) # write memory
Example
This example enforces both strict and global host-key checking on a managed appliance.
hostname (config) # cmc auth ssh host-key strict
hostname (config) # cmc auth ssh host-key global-only
hostname (config) # show cmc auth ssh
CMC SSH configuration:
  Strict host key checking enabled: yes
  Global only known hosts enabled: yes
  Minimum protocol version: 2
  Cipher list: compatible
  Minimum key length: 1024 bits
Sending a Management Request to the CM Series Platform
You can send a request to be added to the CM Series platform to be managed. A rendezvous
process enables appliances to attempt the request and allows the CM Series administrator to see
the list of pending requests.
To send a management request, you must enable the following:
l Rendezvous process on the CM Series platform (enabled by default)
l Automatic rendezvous attempts on the requesting appliance
l Auto connect feature on the requesting appliance so it automatically tries to connect to the
CM Series platform after the rendezvous attempt succeeds (enabled by default)
Instructions for verifying and enabling these settings are included in Preparing an
Appliance to Send a Management Request below.
The rendezvous process has an identifier (known as service name) that is set to "cmc" by
default. The CM Series platform and the requesting appliance must have the same
service name; if you change the service name on one, you must change it on the other as
well. The cmc rendezvous service-name hostname command changes the service
name; the no cmc rendezvous service-name command restores the default value. For
details, see the FireEye CLI Reference.
See Sending a Management Request in a NAT Deployment on page 289 for
procedures to follow in a Network Address Translation (NAT) deployment.
Prerequisites
l Operator or Admin access
l Unique hostname for each requesting appliance
l Remote user credentials. This is a CM Series user that the appliance uses to log in to the
CM Series platform to announce itself. See User Authentication on page 88 for details
about configuring the remote user.
Preparing an Appliance to Send a Management Request
Use the commands in this section to prepare an appliance to send a request for management to
the CM Series platform.
To prepare to send a request:
1. Log in to the requesting appliance CLI.
2. Enable the CLI configuration mode:
appl-hostname > enable
appl-hostname # configure terminal
3. Enable automatic rendezvous attempts:
appl-hostname (config) # cmc rendezvous client auto
4. Verify that the auto connect feature is enabled:
a. View appliance (client) information:
appl-hostname (config) # show cmc client
b. If Autoconnect: no is shown, enable auto connect:
appl-hostname (config) # cmc client connection auto
5. Save your changes:
appl-hostname (config) # write memory
Sending a Management Request Using the Web UI
Use the Settings: CMS Network page in the requesting appliance Web UI to initiate a request
to be added to the CM Series platform.
To initiate a request to be managed:
1. Click the Settings tab.
2. Click CMS Network on the sidebar.
3. In the CMS IP Address and Port boxes, enter the CM Series IP address and the remote
management port, which is 22 by default.
4. In the CMS Username and CMS Password boxes, enter the credentials of the
CM Series user the appliance should use to log in to the CM Series platform to announce
itself.
5. If the appliance is behind a NAT gateway, select the Appliance Behind NAT checkbox.
See Configuring Network Address Translation (NAT) on page 278 for
detailed NAT deployment information.
6. Click Send Request.
A message informs you that the request succeeded or failed, or that the appliance is already
being managed by the CM Series platform. If the request succeeded, a CM Series
administrator can accept or reject the request.
Sending a Management Request Using the CLI
Use the commands in this section to configure an appliance to initiate a request to be added to
the CM Series platform.
To initiate a request to be managed:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Specify the IP address of the CM Series platform:
hostname (config) # cmc client server address IPaddress
3. Specify the authentication type and the credentials of the CM Series user the appliance
should use to log in to the CM Series platform to announce itself.
hostname (config) # cmc client server auth authtype authtype
hostname (config) # cmc client server auth authtype username username
hostname (config) # cmc client server auth authtype {password password | identity identityName}
where:
l authtype can be password, ssh-dsa2, or ssh-rsa2.
l password password is used with password authentication.
l identity identityName is used with SSH-DSA2 and SSH-RSA2 authentication.
4. Enable automatic rendezvous attempts:
hostname (config) # cmc rendezvous client auto
5. Verify that the auto connect feature is enabled:
a. View appliance (client) information:
hostname (config) # show cmc client
b. If Autoconnect: no is shown, enable auto connect:
hostname (config) # cmc client connection auto
6. Save your changes:
hostname (config) # write memory
Changing the Address Type for DTI Network Service Requests
By default, the CM Series platform and a managed appliance use a single port (the SSH port, 22
by default) for the following types of communication:
l Remote management— Initiates the connection and configures the appliance.
l DTI network service—Requests software updates (such as guest images, security content,
and appliance images) from the DTI network.
The single-port configuration uses the single-port address type. It reduces the complexity of
firewall rules, and provides an additional layer of security and privacy between the CM Series
platform and the appliances it manages. In environments in which the CM Series platform is
behind a Network Address Translation (NAT) gateway, using a single port also eliminates the
need to open an additional HTTPS port (443) for the managed appliance to request software
updates from the CM Series platform. (For details about NAT deployment, see Configuring
Network Address Translation (NAT) on page 278.)
You can instead configure the dual-port address type, in which the management traffic uses the
SSH port and the DTI network service traffic uses the HTTPS port (port 443). If you change the
address type on an appliance that was already added to the CM Series platform using a client-
initiated connection, that appliance will be briefly disconnected and then reconnected using the
new configuration.
The single-port or dual-port address type is configured on individual managed
appliances, not on the CM Series platform. This feature is available only on appliances
that use the CM Series platform as their DTI source server. It is not available if the
appliance uses another DTI source server (described in Changing the Active
DTI Source on page 79).
If the CM Series platform is in an internal network behind a NAT gateway, see
Switching to Single-Port or Dual-Port Communication in a NAT Deployment on
page 287 for additional information.
Prerequisites
l Admin access to the appliance
l For single-port communication, CMS must be configured as the DTI source type for the
appliance (see Changing the Active DTI Source on page 79 for details).
Configuring Single-Port CM Series Communication Using the CLI
Single-port communication is the default behavior, and requires no configuration. Use the
commands in this topic to restore single-port communication if dual-port communication was
enabled. This topic also describes how to enable dual-port communication.
Before you restore single-port communication, make sure CMS is the configured
DTI source (see Changing the Active DTI Source on page 79 for details).
To enable single-port communication:
1. Log in to the appliance CLI.
2. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
3. If your appliance has already been added to the CM Series platform, type yes to confirm
that you want to enter configuration mode:
********************* CMS notice *********************
This system is under management of a CMS. Please note that the CMS may
update this system's configuration, which could overwrite changes that
you have made locally.
Enter 'YES' to enter configuration mode anyway: yes
4. Enable single-port communication:
hostname (config) # fenet dti source type CMS address-type cms-singleport
5. Verify the configuration:
hostname (config) # show fenet dti configuration
6. Save your changes:
hostname (config) # write memory
Alternatively, you can use the no fenet dti source type CMS address-type command
to restore single-port communication.
To enable dual-port communication:
1. Log in to the appliance CLI.
2. Enable the CLI configuration mode (if the appliance is already managed by the CM Series
platform, type yes at the CMS notice to confirm):
hostname > enable
hostname # configure terminal
3. Enable dual-port communication:
hostname (config) # fenet dti source type CMS address-type cms-auto
4. Verify the configuration:
hostname (config) # show fenet dti configuration
5. Save your changes:
hostname (config) # write memory
Dual-port communication is the default behavior (and the only option) for appliances
running a release earlier than Release 7.6.0.
Examples
This example enables single-port communication.
hostname (config) # fenet dti source type CMS address-type cms-singleport
hostname (config) # show fenet dti configuration
DTI CLIENT CONFIGURATIONS:
ACTIVE SETTINGS:
  Mode               : online
  Download source    : CMS ([email protected] : singleport) - Managed by CMS
  Upload destination : CMS ([email protected] : singleport) - Managed by CMS
  Mil service        : CMS ([email protected] : singleport) - Managed by CMS
AVAILABLE OPTIONS:
----------------------------------------------------
Download   User      Address
----------------------------------------------------
CDN        DTIUser   cloud.fireeye.com
CMS        DTIUser   10.2.0.0
DTI        DTIUser   staticcloud.fireeye.com
...
This example enables dual-port communication.
hostname (config) # fenet dti source type CMS address-type cms-auto
hostname (config) # show fenet dti configuration
DTI CLIENT CONFIGURATIONS:
ACTIVE SETTINGS:
  Mode               : online
  Download source    : CMS ([email protected]) - Managed by CMS
  Upload destination : CMS ([email protected]) - Managed by CMS
  Mil service        : CMS ([email protected]) - Managed by CMS
AVAILABLE OPTIONS:
----------------------------------------------------
Download   User      Address
----------------------------------------------------
CDN        DTIUser   cloud.fireeye.com
CMS        DTIUser   10.2.0.0
DTI        DTIUser   staticcloud.fireeye.com
...
CHAPTER 8: Setting Date and Time
You can set the appliance date and time manually, or configure one or more Network Time
Protocol (NTP) servers that synchronize the time automatically. You can also perform a one-time
synchronization of the system clock to the DTI server clock.
The date and time are stored as Coordinated Universal Time (UTC) in the database.
The Z character in syslog output indicates that the time displayed is in the UTC
time zone; for example, Oct 19 2012 16:10:10 Z. By default, the display time zone
is UTC.
l NTP Server Configuration on page 108
l Manual Time Configuration below
l Time Zone Configuration on page 110
l DTI Server Time Synchronization on page 112
Manual Time Configuration
You can manually set the date and time on your appliance.
l Setting the Date and Time Using the Web UI below
l Setting the Date and Time Using the CLI on the next page
Setting the Date and Time Using the Web UI
Use the top section of the Settings: Date and Time page to set the date and time for your
appliance.
NTP synchronization is set by default and must be disabled before you can manually
configure the date and time. For instructions about disabling NTP, see NTP Server
Configuration on page 108.
Prerequisites
l Admin access
To set the date and time:
1. Click the Settings tab.
2. If the Settings tabs are not visible, select Appliance Settings from the Admin menu, or
click the Appliance Settings tab at the top of the page.
3. Click Date and Time on the sidebar.
4. Select the date and time from the drop-down lists.
5. Click Update Time.
6. Set the timezone as described in Time Zone Configuration on page 110.
Setting the Date and Time Using the CLI
Use the CLI commands in this topic to manually set the date, time, and timezone on your
system.
NTP synchronization is set by default and must be disabled before you can manually
configure the date and time. For instructions about disabling NTP, see NTP Server
Configuration on page 108.
Prerequisites
l Admin access
To set the date and time:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Specify the time and date:
hostname (config) # clock set HH:MM YYYY/MM/DD
The date parameter is optional; if you do not include it, the date remains the
same.
For example, the following command sets the time and date to 2:00 p.m. on July 21, 2014:
hostname (config) # clock set 14:00 2014/07/21
3. Specify the timezone:
hostname (config) # clock timezone timezone
For example, both of the following commands set the time zone to Pacific Standard Time (UTC
minus 8 hours):
hostname (config) # clock timezone UTC-offset UTC-8
hostname (config) # clock timezone America North United_States Pacific
A fixed UTC-offset zone does not follow daylight saving time; the named zone does, so use the
named form unless you specifically need a fixed offset.
The time zone is for display purposes and should match other security device
settings.
4. To restore the default time zone (UTC) instead:
hostname (config) # no clock timezone
5. View the configured time and date settings:
hostname (config) # show clock
6. Save your changes:
hostname (config) # write memory
Examples
l Time and date using the North America Central Daylight time zone:
hostname > show clock
Time: 16:39:35
Date: 2014/06/25
Time zone: America North United_States Central (US/Central)
UTC offset: -0500 (UTC minus 5 hours)
l Time and date settings using the default time zone:
hostname > show clock
Time: 21:40:37
Date: 2014/06/25
Time zone: UTC (Etc/UTC)
UTC offset: same as UTC
NTP Server Configuration
Instead of manually setting the system date and time, you can specify one or more Network Time
Protocol (NTP) servers to synchronize the time automatically. You can also specify a secondary
NTP server to be used if the primary NTP server is unavailable. By default, NTP version 4 is
used, but you can use the CLI to change it to version 3 if that is the version your server supports.
You can also perform a one-time action that synchronizes the system clock to a specific
NTP server.
l Configuring NTP Servers Using the Web UI below
l Configuring NTP Servers Using the CLI on the facing page
Configuring NTP Servers Using the Web UI
Use the middle section of the Settings: Date and Time page to configure NTP servers.
Prerequisites
l Admin access
To configure NTP servers:
1. Click the Settings tab.
2. Click Date and Time on the sidebar.
3. Enter the IP address or hostname of the NTP server that you want to use in the Add
NTP Server box.
4. Click Add NTP Server.
5. Repeat the previous two steps to add additional servers.
6. Set the timezone as described in Time Zone Configuration on page 110.
7. To update the time based on a selected NTP server, click Update Time next to the
server entry.
The time is updated, and the needed adjustment is displayed in a message on the page.
8. To delete an NTP server, select the checkbox next to the server and then click Remove
Selected NTP Servers.
Configuring NTP Servers Using the CLI
Use the CLI commands in this topic to configure NTP servers.
Prerequisites
l Admin access
To enable and configure NTP servers:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Enable NTP synchronization:
hostname (config) # ntp enable
3. Specify the primary NTP server:
hostname (config) # ntp server ipAddress_or_hostname
4. Specify the secondary NTP server:
hostname (config) # ntp server ipAddress_or_hostname
5. Specify NTP version 3 for a peer that does not support version 4:
hostname (config) # ntp peer address version 3
6. To disable NTP synchronization:
hostname (config) # ntp disable
or
hostname (config) # no ntp enable
7. View the current NTP runtime state and configuration:
hostname > show ntp
8. View the configured NTP servers and their settings:
hostname > show ntp configured
9. Update the system time once based on a specific NTP server:
hostname (config) # ntpdate ipAddress_or_hostname
10. Save your changes:
hostname (config) # write memory
Examples
l Enable NTP and specify an NTP server and an NTP peer by hostname:
hostname (config) # ntp enable
hostname (config) # ntp server 1.acme.pool.ntp.org
hostname (config) # ntp peer 2.acme.pool.ntp.org
l Disable NTP and then display the resulting NTP status:
hostname (config) # ntp disable
hostname (config) # show ntp
NTP is administratively disabled.
Clock is unsynchronized.
No NTP associations present.
l Display the current NTP runtime state and configuration:
hostname > show ntp
NTP is administratively enabled.
Clock is synchronized. Reference: 200.00.00.0 Offset: 1.713 ms.
Active servers and peers:
Address         Type  Status        Stratum  Conf Offset (msec)  Ref Clock        Poll Interv (sec)  Last Resp (sec)
===========================================================================
90.000.000.00   n/a   candidat (+)  2        -0.233              200.00.000.000   1024               284
70.000.000.0    n/a   outlyer (-)   2        12.069              60.0.00.00       1024               808
90.000.00.00    n/a   candidat (+)  2        -0.958              50.000.000.000   1024               775
200.00.00.0     n/a   sys.peer (*)  2        1.713               100.0.000.00     1024               537
l Display the configured NTP servers and their settings:
hostname > show ntp configured
NTP enabled: yes
No NTP peers configured.
NTP server 0.acme.pool.ntp.org
  Enabled: yes
  NTP version: 4
NTP server 1.acme.pool.ntp.org
  Enabled: yes
  NTP version: 4
NTP server 2.acme.pool.ntp.org
  Enabled: yes
  NTP version: 4
NTP server 3.acme.pool.ntp.org
  Enabled: yes
  NTP version: 4
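The NTP version you choose (3 or 4) and the Offset column in the show ntp output above both come from the NTP packet exchange itself. The following added example (not FireEye appliance code) builds a client request with a selectable version, decodes a reply using the RFC 5905 header layout, and computes the clock offset and round-trip delay the same way an NTP client does from the four timestamps: T1 (client sends), T2 (server receives), T3 (server sends) and T4 (client receives). The server reply is constructed in-process with a clock 0.5 seconds ahead over a 20 ms path, so the script runs offline; the reference ID and stratum in that reply are invented values for the demonstration.

```python
"""Minimal NTP v3/v4 client-side packet handling (RFC 5905 header layout).

Added example; not FireEye appliance code. Shows what "NTP version" and the
"Offset" shown by `show ntp` mean on the wire. The server reply is constructed
locally so the script runs with no network access.
"""
import struct

NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01
PACKET_FORMAT = "!BBBbIIIQQQQ"         # 48-byte NTP header
MODE_CLIENT, MODE_SERVER = 3, 4
SERVER_PROCESSING = 0.001              # constructed: server answers 1 ms after receipt


def to_ntp_ts(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP fixed-point timestamp (32 bits seconds, 32 bits fraction)."""
    whole = int(unix_seconds)
    frac = min(int(round((unix_seconds - whole) * (1 << 32))), (1 << 32) - 1)
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp_ts(ts: int) -> float:
    """64-bit NTP timestamp -> Unix time as float seconds."""
    return ((ts >> 32) - NTP_EPOCH_OFFSET) + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(version: int, t1_unix: float) -> bytes:
    """Client request: LI=0, VN=version, mode=3, transmit timestamp = T1."""
    if version not in (3, 4):
        raise ValueError("appliance supports NTP version 3 or 4 only")
    li_vn_mode = (0 << 6) | (version << 3) | MODE_CLIENT
    return struct.pack(PACKET_FORMAT, li_vn_mode, 0, 0, 0,   # stratum, poll, precision
                       0, 0, 0,                              # root delay/dispersion, ref id
                       0, 0, 0, to_ntp_ts(t1_unix))          # ref, origin, receive, transmit


def parse_packet(pkt: bytes) -> dict:
    """Decode the header fields a client needs from a 48-byte NTP packet."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(PACKET_FORMAT, pkt[:48])
    return {"leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "stratum": f[1],
            "origin": from_ntp_ts(f[8]), "receive": from_ntp_ts(f[9]),
            "transmit": from_ntp_ts(f[10])}


def offset_and_delay(t1: float, t2: float, t3: float, t4: float) -> tuple:
    """Standard NTP clock offset and round-trip delay, in seconds."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def fake_server_reply(request: bytes, server_skew: float, one_way: float) -> bytes:
    """Constructed stratum-2 reply from a server whose clock is `server_skew`
    seconds ahead of the client, reached over a path with `one_way` seconds latency."""
    req = parse_packet(request)
    if req["mode"] != MODE_CLIENT:
        raise ValueError("not a client request")
    t1 = req["transmit"]
    t2 = t1 + one_way + server_skew            # receive time on the server's clock
    t3 = t2 + SERVER_PROCESSING                # transmit time on the server's clock
    li_vn_mode = (0 << 6) | (req["version"] << 3) | MODE_SERVER
    return struct.pack(PACKET_FORMAT, li_vn_mode, 2, 10, -20,
                       0, 0, 0x0A000001,       # reference id: invented for the demo
                       to_ntp_ts(t2), to_ntp_ts(t1), to_ntp_ts(t2), to_ntp_ts(t3))


def demo_exchange(version: int = 4) -> dict:
    """One request/reply against the constructed server; returns what a client would log."""
    t1 = 1403714375.0                          # client clock at send (2014-06-25)
    reply = fake_server_reply(build_request(version, t1), server_skew=0.5, one_way=0.020)
    t4 = t1 + 2 * 0.020 + SERVER_PROCESSING    # arrival time on the client's clock
    r = parse_packet(reply)
    if r["mode"] != MODE_SERVER or abs(r["origin"] - t1) > 1e-6:
        raise ValueError("reply does not echo our T1; discard it")   # anti-spoofing check
    offset, delay = offset_and_delay(t1, r["receive"], r["transmit"], t4)
    return {"version": r["version"], "stratum": r["stratum"],
            "offset_ms": offset * 1000, "delay_ms": delay * 1000}


if __name__ == "__main__":
    print(demo_exchange())
```

The origin-timestamp comparison is the check a real client performs on every reply: a packet whose origin field does not echo the T1 it sent is dropped, which is what limits blind reply spoofing. Version 3 and 4 differ only in the VN field for this exchange, which is why the appliance can simply be told which one a given server speaks.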
Time Zone Configuration
You must set the timezone on your appliance whether you configure the date and time manually
or synchronize with an NTP server.
l Setting the Date and Time Using the Web UI on page 105
l Setting the Date and Time Using the CLI on page 106
Setting the Time Zone Using the Web UI
Use the bottom section of the Settings: Date and Time page to set the timezone for your
appliance.
Prerequisites
l Admin access
To set the time zone:
1. Click the Settings tab.
2. Click Date and Time on the sidebar.
3. Select the time zone from the drop-down list.
4. Select options from other drop-down lists, if present.
5. Click Set Time Zone.
Setting the Time Zone Using the CLI
Use the CLI commands in this topic to set the time zone on your appliance.
Prerequisites
l Admin access
To set the timezone:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Specify the timezone:
hostname (config) # clock timezone timezone
For example, both of the following commands set the time zone to Pacific Standard Time (UTC
minus 8 hours):
hostname (config) # clock timezone UTC-offset UTC-8
hostname (config) # clock timezone America North United_States Pacific
A fixed UTC-offset zone does not follow daylight saving time; the named zone does, so use the
named form unless you specifically need a fixed offset.
The time zone is for display purposes and should match other security device
settings.
3. To restore the default time zone (UTC) instead:
hostname (config) # no clock timezone
4. View the configured time and date settings:
hostname (config) # show clock
5. Save your changes:
hostname (config) # write memory
Examples
Time and Date Using the North America Central Daylight Timezone
hostname > show clock
Time: 16:39:35
Date: 2014/06/25
Time zone: America North United_States Central (US/Central)
UTC offset: -0500 (UTC minus 5 hours)
Time and Date Settings Using the Default Timezone
hostname > show clock
Time: 21:40:37
Date: 2014/06/25
Time zone: UTC (Etc/UTC)
UTC offset: same as UTC
DTI Server Time Synchronization
The system time should match the DTI server time as closely as possible. This is necessary for
features such as the license update service, in which licenses are downloaded from the
DTI server and installed on the appliance. FireEye recommends that you perform this
synchronization before you enable the feature to prevent time gaps that could affect the validity
of your licenses.
The fenet time sync CLI command retrieves the time (in UTC) from the DTI server and then
synchronizes the system clock to it. This command is especially useful if you do not use
NTP servers to synchronize your system clock.
This action synchronizes the system clock to the DTI server a single time. It does not
change the system timezone.
Prerequisites
l Admin access
To synchronize the system clock to the DTI server clock:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Synchronize the clocks:
hostname (config) # fenet time sync
3. Save your changes:
hostname (config) # write memory
CHAPTER 9: License Management
License keys are required for system operation. Three license keys are required on every
appliance (Appliance, Support, and Content); the remaining keys listed below enable optional
features:
Appliance (FIREEYE_APPLIANCE)—Required to register your system and use the product
features.
Support (FIREEYE_SUPPORT)—Allows your system to receive software image updates and
the latest guest images.
Content (CONTENT_UPDATES)—Allows your system to access the Dynamic Threat
Intelligence (DTI) network, which provides the latest intelligence on advanced cyber attacks and
malware callback destinations. This enables FireEye products to proactively recognize new
threats and block attacks. There are two versions of the content update license:
l The two-way sharing license provides your appliance with malware intelligence from the
DTI network and shares data about malware analyzed by your appliance.
l The one-way sharing license provides your appliance with malware intelligence, but no
information is submitted to the DTI cloud.
IPS (IPS)—Allows your appliance to use FireEye integrated Intrusion Prevention System
features.
ATI (ATI) —Allows your appliance to use Advanced Threat Intelligence features.
Managed defense (MD_ACCESS)—Allows your appliance to use FireEye as a Service.
Sophos (AV_ENGINE_SOPHOS)—Allows your appliance to use Sophos scanning and
detection.
The functionality provided by the optional licenses is disabled if the FIREEYE_APPLIANCE
license is invalid.
Warnings are displayed on the Settings: Appliance Licenses page if licenses have expired or
will expire within 30 days. For details, see Viewing License Notifications Using the Web UI
on page 123.
There are two ways to manage licenses:
l Automatic License Updates on the next page
l Manual License Installation on page 119
Automatic License Updates
The license update feature enables an appliance with basic network connectivity to automatically
download licenses from the DTI network and install them. This feature provides the following
benefits:
l Minimal initial configuration—The license update feature is enabled with the configuration
jump-start wizard during the initial system configuration. This means the feature can be
fully functional after the jump-start wizard is completed.
l Simplified license management—There is no need to contact FireEye for license keys
when new features are added or when licenses are renewed, because the new licenses are
automatically downloaded and installed.
l Scalability—Organizations, such as those with a large number of appliances, can benefit
from all appliances being updated automatically, instead of entering license keys manually
on each appliance, one at a time.
How it Works
The license update feature, if enabled, downloads and applies licenses to which the customer is
contractually entitled. If an active license for a feature is already installed and the licensing
service downloads an active license for the feature, the installed license is replaced by the
downloaded license only if the downloaded license offers more functionality or a later expiry
date. This process is automatic; however, you can also explicitly update licenses.
The licensing service will not:
l Install a downloaded license that would cause a feature to become temporarily unlicensed.
l Install a product (FIREEYE_APPLIANCE) license that changes licensed features. If this
is your intention, you must install the new license manually.
You can manually force a downloaded license to be installed. In this case, if a downloaded license
and an installed license are both valid, the downloaded license takes precedence; the installed
license is removed and the downloaded license is installed in its place. If you use this option, the
license is installed even if it is less advantageous than the existing license, and even if it causes
the two scenarios listed above to occur.
You can synchronize the system time to the DTI server time to prevent a feature from being
temporarily unlicensed due to time differences. This is a one-time synchronization, but it can be
repeated.
When an appliance is managed by the CM Series platform, the CM Series platform acts as a proxy
between the managed appliance and the licensing service. The license update feature must still be
enabled on the managed appliance. In such an integrated environment, the CM Series platform
acts as the DTI server for the managed appliances, so the licensing service uses the CM Series
DTI network credentials instead of the appliance's credentials.
Managed appliances running release 7.5.0 or later can be configured to use a DTI server
other than the CM Series platform, as described in Changing the Active DTI Source
on page 79. (An exception to this is the 7.5.0 release of the FX Series appliance, which
does not provide this functionality.)
For more information, see Enabling Automatic License Updates.
Enabling Automatic License Updates
You can enable the license update feature using the configuration wizard or the CLI.
Configuration Wizard
The configuration wizard is typically used to initially configure a new system. The wizard steps,
which include the following license activation steps, allow a customer to have a functioning
system with only minimal configuration.
• Enable fenet service?
• Enable fenet license update service?
• Sync appliance time with fenet?
• Update licenses from fenet?
For details about the wizard steps, see Configuration Wizard Steps on page 21.
Enabling Automatic License Updates Using the CLI
The remaining topics in this section describe how to use CLI commands to enable and use the
license update feature.
Prerequisites
• An established connection between the appliance and the Internet.
• Operator or Admin access to enable the license update feature and download and install
licenses.
• DTI network access to allow the appliance to get updates directly from the DTI network.
• (Optional) Admin access to synchronize the system clock with the DTI server clock.
Using the Licensing Service
When the license update feature is enabled, license updates are automatic. You can also explicitly
update licenses.
Prerequisites
• Operator or Admin access
To verify and enable the feature:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Verify the license update feature status:
hostname > show fenet license
fenet License Update Service
Licensing service: Administratively enabled
Last time licensing service was contacted: 2014/08/11 10:50:04
Last time licensing service was contacted successfully: 2014/08/11 10:50:04
Last time keys from licensing service were applied: 2014/08/07 17:50:03
3. If the license update feature service is disabled, enable it:
hostname (config) # fenet license update enable
4. Save your changes:
hostname (config) # write memory
(Optional) See DTI Server Time Synchronization on page 112 for information about
preventing potential licensing issues if there is a time gap between the two clocks.
To explicitly update licenses:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Update licenses:
hostname (config) # fenet license update
3. Save your changes:
hostname (config) # write memory
To disable the feature:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Disable the feature:
hostname (config) # no fenet license update enable
3. Save your changes:
hostname (config) # write memory
Forcing License Updates
When you force license updates, the licensing service downloads licenses from the DTI server,
removes existing licenses if there are conflicts, and installs the downloaded licenses in their
place. The licenses are installed even if they are less functional or of a shorter duration than the
existing licenses, and even if this would cause the two scenarios listed in How it Works on page 115
to occur.
Carefully consider the implications of forcing license updates before you perform this
procedure.
Prerequisites
• Operator or Admin access
To force license updates:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Download the licenses and replace existing licenses with them if there are conflicts:
hostname (config) # fenet license update force
The system clearly indicates which licenses were replaced.
3. Save your changes:
hostname (config) # write memory
Examples
• The licensing service replaced an existing license with one that it downloaded:
hostname (config) # fenet license update force
Added license(s) from fenet
LK2-CONTENT_UPDATES-33XX-00XX-XX00-0X0X-0000-X000-X000-X00X-0XXX-J00
Deleted installed license(s) (superceded by license(s) shown above):
LK2-CONTENT_UPDATES-42XX-44XX-00XX-0000-H888-X00X-000R-XX22-XYZ-0
• The licensing service installed a license that did not exist:
hostname (config) # fenet license update force
Added license(s) from fenet
LK2-FIREEYE-SUPPORT-000X-XX00-XX00-0X0X-0000-X000-X000-X00X-0XXX-X00X
No license(s) deleted
• All licenses were already installed and did not conflict with downloaded licenses:
hostname (config) # fenet license update force
All licenses fetched from fenet have already been installed
Manual License Installation
If the license update feature is not enabled, you need to install license keys manually. Licenses
need to be installed when an evaluation license expires or when a license expires or no longer
meets your needs. In addition, replacement licenses need to be installed after a Return Material
Authorization (RMA).
You can obtain your license keys from the Assets tab in the FireEye Customer Support Portal or
by sending an email that includes the MAC address of your appliance to key_
There are two ways to manually install licenses, described in the following topics:
• Installing Licenses Using the Web UI below
• Installing Licenses Using the CLI on the facing page
Installing Licenses Using the Web UI
Use the Settings: Appliance Licenses page to install licenses.
This illustration is from a CM Series platform.
Prerequisites
• Admin or Operator access
To install license keys:
1. Click the Settings tab.
2. Click Appliance Licenses on the sidebar.
3. Paste the license key you obtained from FireEye in the License Key box.
4. Click Add License.
The page refreshes to show the license key in the table. If the key is valid, the Valid
column shows true and additional information is displayed about the license.
Removing Licenses Using the Web UI
Use the Settings: Appliance Licenses page to remove licenses.
Prerequisites
• Admin or Operator access
To remove license keys:
1. Click the Settings tab.
2. Click Appliance Licenses on the sidebar.
3. Click Remove in the row for the license you want to remove.
4. Click OK in the confirmation message that appears.
Installing Licenses Using the CLI
Use the CLI commands in this topic to install licenses.
Prerequisites
• Admin or Operator access
To install licenses:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Install each license:
hostname (config) # license install Key1 Key2 Key3
You can enter the license keys sequentially separated by spaces as shown above,
or enter license install and then press Enter to be prompted to enter the
license keys one at a time.
3. Verify the licenses:
hostname (config) # show licenses
License 1: LK2-FIREEYE_APPLIANCE-0000-0000-0000-0000-0000-0000-0000-0000-0000
Feature: FIREEYE_APPLIANCE
Description: FireEye Appliance
Valid: yes
Start date: 2014/01/08 (ok)
End date: 2017/01/17 (ok)
Tied to MAC addr: 00:00:00:00:00:00 (ok)
Product: eMPS (ok)
Type: PROD (ok)
Agreement: EULA (ok)
Active: yes
License 2: LK2-CONTENT_UPDATES-0000-0000-0000-0000-0000-0000-0000-0000-0000
Feature: CONTENT_UPDATES
Description: Content updates
Valid: yes
Start date: 2014/01/08 (ok)
End date: 2017/01/17 (ok)
Tied to MAC addr: 00:00:00:00:00:00 (ok)
Sharing: all (ok)
Active: yes
License 3: LK2-FIREEYE_SUPPORT-0000-0000-0000-0000-0000-0000-0000-0000-0000
Feature: FIREEYE_SUPPORT
Description: FireEye Support
Valid: yes
Start date: 2014/01/08 (ok)
End date: 2017/01/17 (ok)
Tied to MAC addr: 00:00:00:00:00:00 (ok)
Sharing: all (ok)
Active: yes
4. Save your changes:
hostname (config) # write memory
The show licenses command output in this procedure shows the basic licenses
installed on an EX Series appliance. The output will vary depending on the
appliance type and the feature licenses that are installed.
Removing Licenses Using the CLI
Use the CLI commands in this topic to remove licenses.
Prerequisites
• Admin or Operator access
To remove licenses:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. List the installed licenses:
hostname (config) # show licenses
License 1: LK2-FIREEYE_APPLIANCE-0000-0000-0000-0000-0000-0000-0000-0000-0000
Feature: FIREEYE_APPLIANCE
Description: FireEye Appliance
Valid: yes
Start date: 2014/01/08 (ok)
End date: 2017/01/17 (ok)
Tied to MAC addr: 00:00:00:00:00:00 (ok)
Product: wMPS (ok)
Type: PROD (ok)
Agreement: EULA (ok)
Active: yes
License 2: LK2-CONTENT_UPDATES-0000-0000-0000-0000-0000-0000-0000-0000-0000
Feature: CONTENT_UPDATES
Description: Content updates
Valid: yes
Start date: 2014/01/08 (ok)
End date: 2017/01/17 (ok)
Tied to MAC addr: 00:00:00:00:00:00 (ok)
Sharing: all (ok)
Active: yes
License 3: LK2-FIREEYE_SUPPORT-0000-0000-0000-0000-0000-0000-0000-0000-0000
Feature: FIREEYE_SUPPORT
Description: FireEye Support
Valid: yes
Start date: 2014/01/08 (ok)
End date: 2017/01/17 (ok)
Tied to MAC addr: 00:00:00:00:00:00 (ok)
Sharing: all (ok)
Active: yes
3. Do one of the following:
  • Remove the license using the license ID. For example, to remove the Support
  license listed above:
  hostname (config) # license delete 3
  • Remove all licenses:
  hostname (config) # license delete all
4. Save your changes:
hostname (config) # write memory
The show licenses command output in this procedure shows the basic licenses
installed on an NX Series appliance. The output will vary depending on the appliance
type and the feature licenses that are installed.
Viewing License Notifications Using the Web UI
Functionality associated with a license stops when a license expires. For example, when the
FIREEYE_APPLIANCE license expires, the appliance will block access to all pages except the
Settings: Appliance Licenses page, and CLI commands (except those that install licenses) are
disabled or their execution fails. For example, the report generate command will not create a
report, and on an EX Series appliance, the show email-analysis statistics command will return
FIREEYE_APPLIANCE license has expired, cannot show xxx details.
To help prevent a gap in functionality, the Settings: Appliance Licenses page displays
notification details about expired licenses and licenses that will expire within 30 days. For
example:
See Automatic License Updates on page 115 for information about enabling the
appliance to automatically download licenses from the DTI network when it is time to
renew them.
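As an added example (not FireEye code), the following Python script parses captured `show licenses` output in the layout shown in the CLI procedures above and reports which licenses are expired or will expire within 30 days, the same condition the Settings: Appliance Licenses page flags. The embedded sample output is constructed with placeholder keys, and the script assumes the output was saved as text with one "Field: value" per line and YYYY/MM/DD dates.

```python
"""Report expired and soon-to-expire licenses from captured `show licenses` output.

Added example, not FireEye code. Assumes the output was saved as text in the
layout shown in this chapter: records start with "License N: <key>" and each
field is one "Field: value" line, with dates written YYYY/MM/DD.
"""
import re
from datetime import datetime

WARN_DAYS = 30  # the Web UI flags licenses that expire within 30 days

# Constructed sample in the `show licenses` layout; keys are placeholders.
SAMPLE_OUTPUT = """\
License 1: LK2-FIREEYE_APPLIANCE-0000-0000-0000-0000-0000-0000-0000-0000-0000
Feature: FIREEYE_APPLIANCE
Description: FireEye Appliance
Valid: yes
Start date: 2014/01/08 (ok)
End date: 2017/01/17 (ok)
Tied to MAC addr: 00:00:00:00:00:00 (ok)
Product: wMPS (ok)
Type: PROD (ok)
Agreement: EULA (ok)
Active: yes
License 2: LK2-CONTENT_UPDATES-0000-0000-0000-0000-0000-0000-0000-0000-0000
Feature: CONTENT_UPDATES
Description: Content updates
Valid: yes
Start date: 2014/01/08 (ok)
End date: 2015/06/30 (expired)
Tied to MAC addr: 00:00:00:00:00:00 (ok)
Sharing: all (ok)
Active: no
License 3: LK2-FIREEYE_SUPPORT-0000-0000-0000-0000-0000-0000-0000-0000-0000
Feature: FIREEYE_SUPPORT
Description: FireEye Support
Valid: yes
Start date: 2014/01/08 (ok)
End date: 2015/08/20 (ok)
Tied to MAC addr: 00:00:00:00:00:00 (ok)
Sharing: all (ok)
Active: yes
"""

RECORD_RE = re.compile(r"^License (\d+): (\S+)$")
DATE_RE = re.compile(r"\d{4}/\d{2}/\d{2}")


def parse_date(text):
    """Return the first YYYY/MM/DD date in text as a date, or None if absent."""
    m = DATE_RE.search(text)
    return datetime.strptime(m.group(0), "%Y/%m/%d").date() if m else None


def parse_show_licenses(text):
    """Return one dict per license record: id, key, feature, end_date, valid, active."""
    records, current = [], None
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:  # a new "License N: <key>" record begins
            current = {"id": int(m.group(1)), "key": m.group(2), "feature": None,
                       "end_date": None, "valid": False, "active": False}
            records.append(current)
            continue
        if current is None or ":" not in line:
            continue
        field, _, value = line.partition(":")  # first colon only; MACs contain colons
        field, value = field.strip().lower(), value.strip()
        if field == "feature":
            current["feature"] = value
        elif field == "end date":
            current["end_date"] = parse_date(value)
        elif field in ("valid", "active"):
            current[field] = value.lower().startswith("yes")
    return records


def license_status(rec, today, warn_days=WARN_DAYS):
    """Classify one record against today: expired, inactive, expiring or ok."""
    end = rec["end_date"]
    if end is not None and end < today:
        return "expired"
    if not (rec["valid"] and rec["active"]):
        return "inactive"
    if end is not None and (end - today).days <= warn_days:
        return "expiring"
    return "ok"


def license_report(text, today_text):
    """Map each feature to its status for a YYYY/MM/DD reference date."""
    today = parse_date(today_text)
    return {rec["feature"] or rec["key"]: license_status(rec, today)
            for rec in parse_show_licenses(text)}


if __name__ == "__main__":
    for feature, status in license_report(SAMPLE_OUTPUT, "2015/08/01").items():
        print(f"{feature:<20} {status}")
```

An expired FIREEYE_APPLIANCE entry in this report is the case the text above describes, where everything except license installation stops working.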
CHAPTER 10: Upgrading Your Appliance
The appliance automatically checks for new software images and guest images versions. Updates
are made on an ongoing basis and are easy to download and install. For an appliance that is
managed by the CM Series platform, software updates should be performed entirely from the
CM Series Web UI. For more information, see the CM Series Administration Guide.
Refer to the FireEye DTI Offline Update Portal Guide for upgrade instructions if your
appliance is offline and cannot download updates from the DTI network.
The appliance also checks for new security content versions, and if configured,
automatically downloads and installs them. For more information, see Updating
Security Content on page 72 and Configuring Automatic Security Updates on
page 74.
Prerequisites
Review the items in this section before you begin your upgrade.
• User Role—You must have admin access to upgrade the appliance.
• Licenses—Before performing upgrades, confirm that the following licenses are installed
and valid:
  • CONTENT_UPDATES license (needed for security updates)
  • FIREEYE_SUPPORT license (needed for software updates)
  See License Management on page 114 for more information. If you need to
  obtain the licenses, send an email to [email protected].
• End-User License Agreement (EULA)—The upgrade could require acceptance of the
End User License Agreement (EULA). If it is required, the appliance will not function
until the EULA is accepted. To review the EULA before the upgrade, download a copy
from the FireEye Customer Support Portal at http://csportal.fireeye.com.
• Minimum Version to Upgrade—Refer to the Release Notes to determine whether you
can upgrade directly from the current release to the new release.
• Download Time—Downloading the operating system software requires about 45 minutes
when upgrading from the CLI. Downloading the guest images typically requires 2 ½ to 9
hours from the CLI, depending on connection speed and whether the full set of guest
images is downloaded. A complete set can require 24 hours or more.
• Network Proxy Configuration—If you have an intelligent proxy appliance that is
required for access to the Internet, ensure that it does not perform secure sockets layer
(SSL) terminations with certificate replacement. An example of such a proxy is the Blue
Coat ProxySG appliance. If the proxy does perform SSL terminations, then you must
whitelist the CM Series platform, the FireEye Dynamic Threat Intelligence (DTI) network
server (staticcloud.fireeye.com), or the Content Distribution Network (CDN) server
(cloud.fireeye.com or download.fireeye.com) in the proxy configuration.
For third-party integration, such as ArcSight, Juniper STRM, Blue Coat ProxySG, or Q1
Lab QRadar, contact FireEye Technical Support. Refer also to the vendor documentation
for proxy configuration information.
Upgrading the Appliance Using the Web UI
Use the Update page to upgrade the appliance. To open the Update page, click the About tab
and then click Update.
The following is an example of the Update page for a standalone appliance.
The following is an example of the Update page for an appliance that is managed by the
CM Series platform.
Task List for Upgrades
Perform the following steps (detailed in the sections that follow) to upgrade the appliance.
If your appliance is offline and cannot download updates from the DTI network,
perform Select an Update Source on the facing page and then refer to the FireEye
DTI Offline Update Portal Guide for additional instructions.
1. Select an Update Source below.
2. Check for Available Update Software on the next page.
3. Download the Software on the next page.
4. Install the Software Update on the next page.
5. Reload or Refresh the Appliance on page 128.
6. Validate the Software Updates on page 128.
Select an Update Source
The update source is the location from which the software updates will be downloaded.
Online Options
• DTI—The software is downloaded from the Dynamic Threat Intelligence (DTI) server or
a Content Delivery Network (CDN) server. The server address is displayed at the top right
of the page. See Changing the Active DTI Source on page 79 for details about these
options.
• CMS—This option is displayed instead of DTI if the appliance is being managed by the
CM Series platform. The default source server is the CM Series platform, but can be
overridden by the three DTI options specified above.
Offline Options
The following options can be used if your appliance cannot download updates from a DTI source
server.
• Local—Upload a local file (obtained from the FireEye DTI Update Portal for offline
appliances).
• URL—Upload a local file (obtained from FireEye via the DTI Update Portal for offline
appliances and hosted on a local site identified by a URL). Click URL and specify a URL
to the update software.
For offline guest image updates, downloads are more efficient if Source is set to
URL, not Local.
If neither offline option is feasible, you can do the following:
1. Use secure copy (SCP) to download the update package from the DTI Update Portal.
2. Save the package on a UNIX-like system accessible to the appliance.
3. Run the following command:
# scp package applianceAddress:/data/updates
For example:
# scp femeta.ensig 192.168.1.100:/data/updates
Check for Available Update Software
Do one of the following:
• Click the Check For Update icon in the Tasks column for a resource row to
determine if update software is available.
• Click the orange arrow to expand the software image resource row (for example, security
content, software image, or guest images) and then click Check to check for available
update software.
The status is displayed in the expanded Status area.
If the Check For Update icon is disabled, then the software is already available for
download or an update has recently taken place. The Check For Update icon is also
disabled during software downloads.
Download the Software
If a software update is available for a software image, guest image, or security content update, the
Download icon in the Tasks column is enabled (green).
Do one of the following:
• Click the Download icon to begin the software download.
• Click the orange arrow to expand the resource row, and then click Download for a DTI
download.
The download status is displayed in the expanded Status area.
Install the Software Update
Installation status is displayed in the expanded Status area. After you download a software
update, do one of the following to install it:
• Click the Install icon in the Tasks column.
• Click the orange arrow to expand the resource row, and then click Install.
Installation status is displayed in the expanded Status area. If prompted, read the End User
License Agreement (EULA), and then accept it if you agree to its terms. If you do not
accept it, the appliance will not function.
If an upgrade process is interrupted or fails, the appliance software automatically
falls back to the currently installed image.
Reload or Refresh the Appliance
When installation of guest images or security content is complete, click the Refresh button.
When installation of the software image is complete, click the Reload button to complete the
update process.
Validate the Software Updates
After all appliance software and guest images are installed, verify the installations:
• Click the Settings tab, and then click Guest Images on the sidebar to verify and view
the installed guest images version.
• Click the About tab. The current software image, guest images, and security content
version information is displayed on the FireEye System Information page.
• Click the Settings tab, and then click Appliance Licenses on the sidebar to verify and
view installed licenses. Valid and active licenses display the attribute “True.” Without
activation of the latest licenses, the updates are not functional.
Upgrading the Appliance Using the CLI
Use the commands in the following sections to upgrade the appliance.
Task List for Upgrades
Perform the following steps (detailed in the sections that follow) to upgrade the appliance.
1. Download and Install the Appliance Software Image on the next page
2. Restart the Appliance and Accept the EULA on the next page
3. Download Guest Images on page 130.
4. Install Downloaded Guest Image Profiles on page 132.
5. Verify the Upgrade on page 132.
Be sure to download the software image and guest image files from the configured
DTI source server before beginning any installations.
Download and Install the Appliance Software Image
To download and install the software image:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Check for downloads:
hostname (config) # fenet image check
hostname (config) # show fenet image status
3. Download the software image:
hostname (config) # fenet image fetch
4. View download progress:
hostname (config) # show fenet image status
Progress of latest action taken:
action fetch initiated Tue Aug 25 13:04:44 2015
applying fetch for image lms
fetching checksum of the requested image done
fetching requested image 7.6.0 initiated
fetching requested image 7.6.0 done
action fetch completed Tue Aug 25 10 13:06:03 2015
fetch-done: OS image downloaded successfully: image-lms_7.6.0.img
status
5. Install the downloaded software image:
hostname (config) # image install image-lms_7.6.0.img
hostname (config) # image boot next
If an upgrade process is interrupted or fails, the appliance software automatically
falls back to the currently installed image.
6. Save your changes:
hostname (config) # write memory
Restart the Appliance and Accept the EULA
To restart the appliance and accept the EULA:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Restart the appliance:
hostname (config) # reload
3. After restarting the appliance, the system could display the FireEye End User License
Agreement (EULA). Read the EULA. Click Yes if you agree to its terms, and then click
Submit. If you do not accept the EULA, the appliance will not function.
After accepting the EULA, the login page is displayed. Wait a few minutes before logging
in because database records are undergoing an update in preparation for the upgrade.
Download Guest Images
Default guest images are automatically downloaded and installed from the DTI source
server. To download and install a guest image bundle or profile, you must first use the
guest-images configure command to select the guest image.
This procedure depends on whether default or non-default guest images are to be installed.
To download guest images:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. View the guest images configured for the appliance:
hostname (config) # show guest-images config
3. Download the guest images, but do not install them yet. Downloading guest images will
take some time, so allow the download to run in the background.
hostname (config) # guest-images download
Wait for the appliance to fully download the guest images before beginning any
installations.
You can perform automatic downloads of available guest images. For details, see
the fenet guest-images auto download and fenet guest-images auto update
commands in the FireEye CLI Reference.
4. Confirm the guest image downloads are completed:
hostname (config) # show guest-images download
To cancel a download in progress:
hostname (config) # guest-images download cancel
To resume a download that has been interrupted for any reason:
hostname (config) # guest-images download resume
5. To download non-default guest images:
Perform this step if you do not want or need all guest images currently available.
a. Download the server manifest:
hostname (config) # guest-images download manifest
b. Display available guest image bundles:
hostname (config) # show guest-images available bundles
c. Note the bundle ID of the bundle of guest images that you want from the list
displayed (only one bundle can be selected).
d. Select the guest image bundle to be installed, where bundle-id is the ID you noted in Step
c:
hostname (config) # guest-images configure bundle bundle-id
e. Verify that the bundle is properly selected:
hostname (config) # show guest-images config
f. Download the guest images from the FireEye network:
hostname (config) # guest-images download
g. Monitor the download progress:
hostname (config) # show guest-images download
6. To update guest images with one or more profiles (mutually exclusive with default and
bundle sets):
a. Download the server manifest:
hostname (config) # guest-images download manifest
b. Display available guest image profiles:
hostname (config) # show guest-images available profiles
c. Note the profile ID of the needed profile(s) from the list displayed.
d. Select the guest image profile to be installed:
hostname (config) # guest-images configure profile profileID
where profileID is the profile you noted in Step c.
e. Repeat the previous step for each additional profile needed.
f. Verify that all needed profiles are configured:
hostname (config) # show guest-images configuration
g. Download the guest images:
hostname (config) # guest-images download
h. Monitor the download progress:
hostname (config) # show guest-images download
If you encounter a problem with a download, the output of the show
guest-images download command will describe the issues, including
notification about the specific file that was involved in the failure. Network
connectivity issues cause download failures. Repeat the download using the
guest-images download command. The system will restart the download
at the point at which it was interrupted or failed. If the problem persists,
contact FireEye Technical Support.
7. Save your changes:
hostname (config) # write memory
Install Downloaded Guest Image Profiles
To install the downloaded guest images:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. After the download is complete, install the guest images:
hostname (config) # guest-images install
3. Verify that guest images are properly installed:
hostname (config) # show guest-images
4. Save your changes:
hostname (config) # write memory
Verify the Upgrade
To verify the upgrade:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Display the version information for the current system image:
hostname (config) # show version
3. Display all guest images:
hostname (config) # show guest-images
Configuring Auto-Mounting on a USB Device
You can configure auto-mounting on a USB device attached to an appliance. Only one USB
device can be mounted at a time. You can configure HTTP access to install guest images,
security content, or software images from the USB device onto the appliance.
You can configure auto-mounting on a USB device only using the CLI.
Prerequisites
• Admin access
Enabling or Disabling Auto-Mounting on a USB Device Using the CLI
Use the commands in this topic to enable or disable auto-mounting on a USB device attached to
the appliance. You must enable auto-mounting when the USB device is attached. By default,
auto-mounting is disabled. Auto-mounting will not mount the USB device when it is already
attached to the appliance.
Prerequisites
• Administrator access
To enable auto-mounting on a USB device:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Enable auto-mounting on a USB device attached to the appliance:
hostname (config) # media usb auto-mount enable
3. Plug the USB device into the appliance immediately.
4. Verify the USB device auto-mount configuration. Enter the show media usb command.
hostname (config) # show media usb
USB auto-mount configuration:
Enabled: yes
Local web access: yes
Top-level directory: fireeye
To disable auto-mounting on the USB device:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Disable auto-mounting on the USB device:
hostname (config) # no media usb auto-mount enable
3. Verify the USB device auto-mount configuration. Enter the show media usb command.
USB auto-mount configuration:
Enabled: no
Local web access: yes
Top-level directory: fireeye
Configuring HTTP Access to Install Guest Images Using the CLI
Use the commands in this topic to configure HTTP access to install guest images from a USB
device onto the appliance. By default, you can access only the contents locally in the fireeye
directory for the first partition from a specified URL.
Prerequisites
• Admin access
• Enable auto-mounting on the USB device to the attached appliance. For details about how
to enable auto-mounting, see Enabling or Disabling Auto-Mounting on the USB Device.
• Complete the steps in the following order to set up the files correctly to install guest
images from a USB device:
  1. Download the guest images tar file from the FireEye network.
  2. Extract the contents on the USB device.
  3. Remove the version numbers. Copy the following file names:
    • server-manifest.VERSION to server-manifest
    • server-manifest.VERSION.md5 to server-manifest.md5
    • server-manifest.VERSION.v2 to server-manifest.v2
    • server-manifest.VERSION.v2.md5 to server-manifest.v2.md5
To configure HTTP access to install guest images from a USB device:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Enable HTTP access on the loopback interface on the appliance:
hostname (config) # media usb web-access enable local
Local web access is enabled by default.
3. Specify the top-level directory as the location to extract guest images on a USB device:
hostname (config) # media usb web-access top-dir fireeye
This directory will be used as the URL to extract the images on the USB device. For
example, if you specified the install directory as fireeye/gi-13.0701, the URL for the
installation is http://localhost/media/usb1/fireeye/gi-13.0701
4. Verify that the USB device is mounted. Enter the show media usb command.
hostname (config) # show media usb
USB auto-mount configuration:
Enabled: yes
Local web access: yes
Top-level directory: fireeye
USB auto-mount status:
Device mounted: yes
Access URL: N/A
5. Download guest images using the specified URL as the location to install the guest images:
hostname (config) # guest-images download url URL
where URL is the location that you specified as the top-level directory for the installation.
Wait for the appliance to fully download the guest images before beginning any
installations.
6. Verify the download progress:
hostname (config) # show guest-images download
7. After the download is complete, install the guest images:
hostname (config) # guest-images install
8. Verify that guest images are properly installed:
hostname (config) # show guest-images
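As an added example (not FireEye code), the following Python script performs the manifest-copying prerequisite listed above for a given USB directory, checks each copied manifest against its .md5 file before the install, and builds the local access URL for an install directory under the configured top-level directory. It assumes VERSION is digits and dots (such as 13.0701), that each .md5 file holds the hex digest as its first whitespace-separated token (md5sum style), and the manifest contents it creates for the demo are constructed.

```python
"""Prepare the server-manifest files on a USB device for the HTTP install.

Added example, not FireEye code. It copies server-manifest.VERSION,
.VERSION.md5, .VERSION.v2 and .VERSION.v2.md5 to the unversioned names the
page lists, then checks each manifest against its .md5 file. Assumptions:
VERSION is digits and dots (e.g. 13.0701) and each .md5 file holds the hex
digest as its first whitespace-separated token (md5sum style).
"""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# server-manifest.<VERSION>[.v2][.md5]; the version group only admits digits
# and dots, so the optional .v2/.md5 tail is never absorbed into VERSION.
VERSIONED_RE = re.compile(r"^server-manifest\.(\d[\d.]*?)((?:\.v2)?(?:\.md5)?)$")
UNVERSIONED = ("server-manifest", "server-manifest.v2")


def find_versioned_manifests(directory):
    """Map each versioned manifest file in directory to its unversioned path."""
    mapping = {}
    for path in Path(directory).iterdir():
        m = VERSIONED_RE.match(path.name)
        if m:
            mapping[path] = path.with_name("server-manifest" + m.group(2))
    return mapping


def md5_matches(manifest, md5_file):
    """True if the manifest's MD5 equals the digest recorded in md5_file."""
    recorded = md5_file.read_text().split()[0].lower()
    actual = hashlib.md5(manifest.read_bytes()).hexdigest()
    return recorded == actual


def verify_manifests(directory):
    """Return the unversioned manifest names whose .md5 file does not match."""
    d = Path(directory)
    bad = []
    for name in UNVERSIONED:
        manifest, md5_file = d / name, d / (name + ".md5")
        if manifest.exists() and md5_file.exists() and not md5_matches(manifest, md5_file):
            bad.append(name)
    return bad


def prepare_usb_manifests(directory):
    """Copy versioned manifests to their unversioned names; return the names created."""
    mapping = find_versioned_manifests(directory)
    for src, dst in mapping.items():
        shutil.copy2(src, dst)  # copy, as the page says; the originals stay in place
    return sorted(dst.name for dst in mapping.values())


def access_url(install_dir, top_dir="fireeye"):
    """Build the local install URL; only paths under top_dir are served."""
    install_dir = install_dir.strip("/")
    if install_dir != top_dir and not install_dir.startswith(top_dir + "/"):
        raise ValueError(f"{install_dir!r} is not under top-level directory {top_dir!r}")
    return f"http://localhost/media/usb1/{install_dir}"


def build_sample_usb_dir(directory, version="13.0701"):
    """Write constructed sample manifests (not real FireEye files) with matching .md5 files."""
    d = Path(directory)
    for tail in ("", ".v2"):
        body = f"constructed manifest{tail or ' v1'} for gi-{version}\n".encode()
        (d / f"server-manifest.{version}{tail}").write_bytes(body)
        digest = hashlib.md5(body).hexdigest()
        (d / f"server-manifest.{version}{tail}.md5").write_text(
            f"{digest}  server-manifest.{version}{tail}\n")


def run_demo():
    """Prepare a constructed USB directory, then show a corrupted manifest being caught."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_usb_dir(tmp)
        copied = prepare_usb_manifests(tmp)
        bad_before = verify_manifests(tmp)
        (Path(tmp) / "server-manifest.v2").write_bytes(b"corrupted\n")  # simulate a bad copy
        bad_after = verify_manifests(tmp)
    return {"copied": copied, "bad_before": bad_before, "bad_after_corruption": bad_after,
            "url": access_url("fireeye/gi-13.0701")}


if __name__ == "__main__":
    print(run_demo())
```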
Mounting or Unmounting a USB Device Using the CLI
Use the commands in this topic to manually mount or unmount a USB device to the attached
appliance. We recommend that you physically remove the USB device from the port. Use the
media usb mount command before you attach the drive, and use the media usb eject
command after you unplug it.
The media usb eject command will not have any effect if the USB device is not
mounted.
Prerequisites
• Admin access
To mount a USB device:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Mount the USB device to the attached appliance:
hostname (config) # media usb mount
To unmount a USB device:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Unmount the USB device from the attached appliance:
hostname (config) # media usb eject
CHAPTER 11: Configuring SNMP
FireEye appliances send Simple Network Management Protocol (SNMP) data to convey
abnormal conditions to administrative computers that monitor and control them. The
administrative computers are called SNMP managers.
SNMP data includes the following:
• Information that is retrieved (pulled) by the SNMP manager. This information is sent in
response to requests the SNMP manager sends to the appliance.
• Events (known as traps) that are sent (pushed) by the appliance to the SNMP manager.
Traps typically report alarm conditions such as a disk failure or excessive temperature.
They are unsolicited; that is, they are not sent in response to requests from the
SNMP manager.
Retrieving SNMP Data
This section describes how to retrieve SNMP information from the appliance.
A Management Information Base (MIB) is a text file written in a specific format in which all of
the manageable features of a device are arranged in a tree. Each branch of the tree contains a
number and a name, and the complete path from the top of the tree down to the point of interest
forms the Object Identifier, or OID. The OID is a string of values separated by periods, such as
.1.3.6.1.2.1.1.3.0.
You can send requests for data on an object using the OID, but it can be simpler to use the
symbolic name for the object instead. A MIB allows SNMP tools to translate the symbolic names
into OIDs before sending the requests to the managed device. Symbolic names for objects in the
FireEye MIB include feSerialNumber.0, feHardwareModel.0, feProductLicenseActive.0,
feFanIsHealthy.1, and so on.
The FireEye MIB, named FE-FIREEYE-MIB, needs to be downloaded from the appliance to the
SNMP manager so it can be loaded into an SNMP browser or other tool. A typical SNMP
browser can retrieve the values the appliance supports, and then display them in a hierarchy so
you can navigate to the value you need to include in the request.
This section contains the following topics:
• Configuring Access to SNMP Data
• Downloading the MIB
• Sending Requests for SNMP Information
Configuring Access to SNMP Data
To allow access to SNMP v3 data, configure a username and password.
Prerequisites
• Operator or Admin access
To enable access to SNMP data:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Verify that SNMP is enabled:
hostname (config) # show snmp
If the output shows SNMP enabled: no, enter the snmp-server enable command.
3. SNMP v3: Specify the SNMP user and password:
hostname (config) # snmp-server user username v3 enable
hostname (config) # snmp-server user username v3 auth sha password
4. Save your changes:
hostname (config) # write memory
Downloading the MIB
You can download the MIB from the Web UI or from the command prompt.
Downloading the MIB Using the Web UI
Use the Settings: Notifications page to download the MIB.
This illustration is from an EX Series appliance.
Prerequisites
• Analyst, Operator, or Admin access
To download the MIB:
1. Click the Settings tab.
2. Click Notifications on the sidebar.
3. Click the snmp link.
4. In the SNMP Settings section, click Download our MIB file.
Downloading the MIB Using the Command Prompt
This section describes how to download the FE-FIREEYE-MIB to SNMP managers that run on
Microsoft Windows, Linux, and Apple devices. The MIB file is retrieved using a program that
connects using port 22, which is normally used for protocols such as SSH, SCP, and PSCP.
Because file-level access is denied by policy, the direct path to the MIB file needs to be
specified.
To download the FireEye MIB to Windows devices:
1. Download the pscp.exe tool (available from PuTTY download page).
2. Open a command prompt window.
3. Change to the directory in which you downloaded the pscp.exe tool:
cd Downloads
4. Copy the MIB file from the appliance:
pscp.exe -r -scp admin@applianceIPAddress:/usr/share/snmp/mibs \Temp\mibs\
5. When prompted for the password, enter admin.
The files are copied to the \Temp\mibs directory on the Windows device.
6. Change to the mibs directory:
cd C:\Temp\mibs
7. Load the MIB into an SNMP browser or tool, or open the MIB file:
FE-FIREEYE-MIB.txt
To download the FireEye MIB to Linux devices:
1. Copy the MIB file from the appliance using the OpenSSH client:
scp -r admin@applianceIPAddress:/usr/share/snmp/mibs /usr/userDirectoryName
2. When prompted for the password, type admin.
The files are copied to the mibs directory that resides in the /usr/userDirectoryName
directory.
3. Change to the mibs directory:
cd mibs
4. Load the MIB into an SNMP browser or tool, or open the MIB file:
vi FE-FIREEYE-MIB.txt
To download the FireEye MIB to Apple devices:
1. Navigate to the terminal emulator.
2. Copy the MIB files from the appliance:
scp -r admin@applianceIPAddress:/usr/share/snmp/mibs ~/
3. When prompted for the password, type admin.
The files are copied to the mibs directory that resides in the user directory.
4. Load the MIB into an SNMP browser or tool, or open the MIB file:
vi ~/mibs/FE-FIREEYE-MIB.txt
Sending Requests for SNMP Information
This topic describes two ways to retrieve SNMP information.
• The snmpget command retrieves the value of a specific object.
• The snmpwalk command walks through the object hierarchy, automatically retrieving the
values of objects for the subtree or node that you specified.
Examples of basic commands that retrieve SNMP data follow. The commands are entered from
the SNMP manager application. The IP address in the commands is the appliance IP address.
SNMP v3 commands:
snmpmgr # snmpget -m +FE-FIREEYE-MIB -v 3 -u myname -a MD5 -A mypassword -l authNoPriv 172.0.0.0 feTemperatureValue.0
snmpmgr # snmpwalk -m +FE-FIREEYE-MIB -v 3 -u myname -a MD5 -A mypassword -l authNoPriv 172.0.0.0 enterprises.25597
SNMP v2c commands:
snmpmgr # snmpget -m +FE-FIREEYE-MIB -v 2c -c public 172.0.0.0 feSupportLicenseActive.0
snmpmgr # snmpwalk -m +FE-FIREEYE-MIB -v 2c -c public 172.0.0.0 fireeye
snmpmgr # snmpwalk -v 2c -c public 172.0.0.0 enterprises.25597
To query license expiration dates formatted in a table, use a command similar to the following
(different commands are required by different SNMP manager applications):
snmpmgr # snmptable -c public -Of -v 2c localhost feLicenseFeatureTable
Check the number of days in the rightmost column. If the value is less than 30, contact your
system administrator.
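As an added example (not code from the FireEye guide), the following Python script builds the snmptable command shown above, in both the v2c form and an SNMPv3 authNoPriv/SHA variant, and parses the table text so the rightmost days-remaining column can be checked against the 30-day rule. The column headers and rows in SAMPLE_OUTPUT are constructed placeholders, not the real FE-FIREEYE-MIB column names.

```python
"""Check FireEye license expiry over SNMP (added example, not guide code).

Builds the snmptable command from the guide (v2c, or an SNMPv3 authNoPriv
variant) and parses its text output so the rightmost "days remaining"
column can be compared with the guide's 30-day threshold. Column names in
SAMPLE_OUTPUT are constructed; the real FE-FIREEYE-MIB names are not used.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

WARN_DAYS = 30  # the guide: contact your administrator below 30 days


def snmptable_cmd(host: str, v3_user: Optional[str] = None,
                  v3_pass: Optional[str] = None,
                  community: str = "public") -> List[str]:
    """Return argv for snmptable against feLicenseFeatureTable.

    With v3_user/v3_pass the request is SNMPv3 authNoPriv using SHA, which
    matches an appliance user created with 'snmp-server user ... v3 auth sha';
    otherwise it is the v2c community-string form shown in the guide.
    """
    base = ["snmptable", "-m", "+FE-FIREEYE-MIB", "-Of"]
    if v3_user is not None:
        if v3_pass is None:
            raise ValueError("SNMPv3 needs an authentication passphrase")
        auth = ["-v", "3", "-u", v3_user, "-a", "SHA", "-A", v3_pass,
                "-l", "authNoPriv"]
    else:
        auth = ["-v", "2c", "-c", community]
    return base + auth + [host, "feLicenseFeatureTable"]


def parse_snmptable(text: str) -> List[Dict[str, str]]:
    """Parse snmptable's whitespace-aligned text into one dict per row.

    snmptable prints an optional 'SNMP table:' title, a blank line, a header
    row and one row per table index. Cells are split on whitespace, so cell
    values are assumed (as in the constructed sample) to contain none.
    """
    lines = [ln for ln in text.splitlines()
             if ln.strip() and not ln.startswith("SNMP table")]
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        cells = ln.split()
        if len(cells) != len(header):
            raise ValueError(f"row/header column mismatch: {ln!r}")
        rows.append(dict(zip(header, cells)))
    return rows


def expiring_features(text: str,
                      warn_days: int = WARN_DAYS) -> List[Tuple[str, int]]:
    """Return (feature, days) for rows whose rightmost column is < warn_days.

    Per the guide the day count is the rightmost column; the feature name is
    taken from the second column, which is a convention of the constructed
    sample rather than something the guide specifies.
    """
    found = []
    for row in parse_snmptable(text):
        cells = list(row.values())
        name = cells[1] if len(cells) > 1 else cells[0]
        if not re.fullmatch(r"-?\d+", cells[-1]):
            raise ValueError(f"rightmost column is not a day count: {cells[-1]!r}")
        days = int(cells[-1])
        if days < warn_days:
            found.append((name, days))
    return found


# Constructed sample of snmptable output; not real appliance output.
SAMPLE_OUTPUT = """\
SNMP table: FE-FIREEYE-MIB::feLicenseFeatureTable

 index  feature  state   daysRemaining
     1  PRODUCT  active            312
     2  SUPPORT  active             14
     3  CONTENT  active              0
"""


def check_appliance(host: str) -> List[Tuple[str, int]]:
    """Query a live appliance (v2c, community 'public') and return warnings."""
    proc = subprocess.run(snmptable_cmd(host), capture_output=True,
                          text=True, check=True)
    return expiring_features(proc.stdout)


if __name__ == "__main__":
    # Offline run against the constructed sample.
    for feature, days in expiring_features(SAMPLE_OUTPUT):
        print(f"WARNING: license feature {feature} has {days} day(s) left")
```

The v3 variant keeps the passphrase on the command line just as the guide's examples do; a scheduled check should instead read it from a file or environment variable so it does not show in the process list.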
Sending Traps
This section describes how to configure basic SNMP support on the appliance, enable and
configure traps, and set up trap logging. For detailed information about SNMP commands and
options for more advanced configurations, see the FireEye CLI Reference.
Enabling and Configuring Traps
Various events can trigger the appliance to send traps to the SNMP manager. Most of the events
are enabled by default. This topic describes how to enable the appliance to send traps, configure
the IP address of the SNMP manager that receives the traps, and disable and enable individual
events.
Prerequisites
• Operator or Admin access
To enable traps and events:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. SNMP is enabled by default. Verify that it is enabled:
hostname (config) # show snmp
If the output shows SNMP enabled: no, enter the snmp-server enable command.
3. Enable the appliance to send notifications to the SNMP manager:
hostname (config) # snmp-server enable notify
4. Specify the IP address of the SNMP manager:
hostname (config) # snmp-server host IPAddress traps public
5. Save your changes:
hostname (config) # write memory
To specify the events that you want to view:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. View a list of all events that can be enabled:
hostname (config) # snmp-server notify event ?
3. View the events that are currently enabled:
hostname (config) # show snmp events
4. Save your changes:
hostname (config) # write memory
To disable or enable specific events:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Disable an event:
hostname (config) # no snmp-server notify event event
For example, the following command stops a trap from being sent when the temperature of
the appliance is normal:
hostname (config) # no snmp-server notify event normal-temperature
3. Enable an event:
hostname (config) # snmp-server notify event event
For example, the following command enables the appliance to send a trap when there is a
change in an interface link:
hostname (config) # snmp-server notify event if-link-change
4. Save your changes:
hostname (config) # write memory
Logging Trap Messages
The snmptrapd service receives and logs trap messages.
To set up trap logging:
1. Log into the SNMP manager application.
2. Enable the snmptrapd service:
snmptrapd
3. Specify the log location:
/var/log/snmptrapd.log
CHAPTER 12: Customizing Login Messages
You can customize or remove the messages that appear when users log in to the appliance. You
can configure three messages:
• Remote Banner—Shown on the Web UI and SSH login pages.
• Local Banner—Shown after the username is entered in the CLI session.
• Message of the Day—Shown after the user is authenticated and logged into the
appliance CLI.
The default remote banner is shown in the following illustration.
The default local banner and message of the day are shown in the following illustration.
You can use the Web UI or CLI to change the messages.
• Customizing Login Messages Using the Web UI
• Customizing Login Messages Using the CLI
Customizing Login Messages Using the Web UI
Use the Settings: Login Banner page to configure the messages users see when they log in to
the appliance.
Prerequisites
• Operator or Admin access
To configure login messages:
1. Click the Settings tab.
2. Click Login Banner on the sidebar.
3. In the Remote Banner Text box, clear any existing text, and then enter the message to
be displayed in the Web UI and SSH login pages. You can enter up to 2000 characters.
If you change the banner text later with the banner login CLI command, the
new text will also appear in the Web UI and SSH login pages, overwriting the text
you specify here.
4. In the Local Banner Text box, clear any existing text, and then enter the message to be
displayed in the CLI after the username is entered. You can enter up to 2000 characters.
5. In the Message of the Day Text box, clear any existing text, and then enter the message
to be displayed in the CLI after the user is authenticated. You can enter up to 2000
characters.
6. Click Update.
The messages will appear the next time the user logs in.
Customizing Login Messages Using the CLI
Use the CLI commands in this topic to configure the messages users see when they log in to
appliance.
• The login message is shown after the username is entered.
• The message of the day is shown after the password is entered and the user is authenticated.
Messages can be longer than one line. To add a new line, type >. Each message can
contain up to 2000 characters.
Prerequisites
• Operator or Admin access
To customize the messages:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Display the current banner text:
hostname (config) # show banner
3. Perform the following tasks as needed.
• To change the login message:
hostname (config) # banner login "text"
This also changes the message that is displayed on the Web UI and
SSH login pages. Use the Customizing Login Messages Using the Web
UI on page 144 to specify a unique Web UI and SSH login message.
• To change the message of the day:
hostname (config) # banner motd "text"
• To clear the messages so no text is displayed:
hostname (config) # banner login ""
hostname (config) # banner motd ""
(The pair of double quotation marks indicates an empty string.)
• To restore the default messages:
hostname (config) # no banner login
hostname (config) # no banner motd
4. Save the configuration:
hostname (config) # write memory
Examples
The following example changes the login message and the message of the day.
hostname (config) # banner login "This FireEye appliance is the property of Acme, Inc.
>Unauthorized access is prohibited and is punishable by law."
hostname (config) # banner motd "There are no maintenance
activities scheduled for this week."
The following example shows the current messages.
hostname > show banner
Banners:
Message of the Day (MOTD): There are no maintenance activities scheduled for this week.
Login: This FireEye appliance is the property of Acme, Inc.
Unauthorized access is prohibited and is punishable by law.
CHAPTER 13: Configuring System Email Settings
The appliance can send email notifications triggered by system health events, such as low disk
space or a power supply failure. It can also send scheduled reports containing appliance traffic
and malware analysis data, and email notifications triggered by malware alerts.
Health Check Notifications
The system email server can send notifications about appliance health-check events to
configured recipients. You configure the email server and recipients for these events on the
Settings: Email page of the Web UI or by using the email notify CLI commands. You can also:
• Specify whether each recipient should receive notifications for "fail" events, "info" events,
or both "fail" and "info" events.
• Specify whether each recipient should receive detailed or summarized notifications.
• Enable or disable specific events from triggering notifications.
For details, see:
• Configuring the Mail Server on the next page
• Adding and Removing Email Recipients on page 153
• Configuring System Events on page 157
Scheduled Reports
Scheduled reports use the same email server and recipient list as the system events. If you use
the CLI, you configure them using the report email commands instead of the email notify
commands, as described in Configuring the Mail Server for Scheduled Reports Using the
CLI on page 152. You configure the report data and schedule on the Reports > Schedule page
of the Web UI or by using the report schedule CLI commands. See the "Reports" section of
the Threat Management Guide for details.
Malware Alert Notifications
You configure email settings for malware alert notifications on the Settings: Notifications page
of the Web UI or by using the fenotify email CLI commands. See the "Notifications" section of
the Threat Management Guide for details.
Configuring the Mail Server
Health check event notifications and scheduled reports can use the same mail server. If you use
the CLI to configure the server, you must use two separate sets of CLI commands. The mail
server settings are described in the following table.
System Mail Server Settings

| Web UI field | Health check CLI parameter | Report CLI parameter | Description |
|---|---|---|---|
| Enable email | — | — | Enables the email delivery of health check notifications and scheduled reports. |
| Mail hub | mailhub | server | The hostname or IP address of the mail server. |
| Port | mailhub-port | port | The SMTP port used to send the emails. The default is 25. |
| Domain | domain | domain | The domain name from which emails will appear to come. The default is the active domain for the appliance. |
| Return Addr | return-addr | return-addr | Health check parameter: The username or fully qualified return address from which emails are sent. If the string contains the @ character, it is considered fully qualified. Otherwise, it is considered a username, and by default takes the [email protected]. The default username is do-not-reply. Report parameter: The fully qualified return address from which emails are sent. |
| Incl. hostname | return-host | — | Whether the appliance hostname is included in the return address. If it is excluded, the return address takes the form username@domain. This setting is ignored if the provided return address is fully qualified. |
Prerequisites
• Operator or Admin access
Configuring the Mail Server Using the Web UI
Use the Settings: Email page to configure settings for the mail server.
To configure the mail server:
1. Click the Settings tab.
2. Click Email on the sidebar.
3. Specify settings as described in System Mail Server Settings on the previous page.
4. Click Update to save your changes.
Configuring the Mail Server for Health Check Notifications Using the CLI
Use the CLI commands in this topic to configure the mail server that sends health check
notifications. See System Mail Server Settings on the previous page for a description of each
parameter.
See Adding and Removing Email Recipients Using the CLI on page 155 for
information about configuring the notification recipients. See Configuring System
Event Notifications Using the CLI on page 158 for information about configuring
the events that trigger notifications.
To configure the mail server for system notifications:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Specify the hostname or IP address of the mail server:
hostname (config) # email mailhub {hostname | ipAddress}
3. Specify the SMTP port used by the mail server to send notifications:
hostname (config) # email mailhub-port port
4. Specify the domain name from which emails will appear to come:
hostname (config) # email domain domainName
5. Specify the username or fully qualified return address from which emails are sent:
hostname (config) # email return-addr {username | returnAddress}
6. (Optional) Include the hostname of the mail server in the return address:
hostname (config) # email return-host
7. Verify your changes:
hostname (config) # show email
8. Save your changes:
hostname (config) # write memory
To remove a configuration or restore a default setting, append no to the command. For
example, to exclude the hostname in the return address, use the no email return-host
command, and to restore the default domain name, use the no email domain
command.
Examples
In this example, the return address is not fully qualified, so the hostname ("hostname") and
domain are appended to it.
hostname (config) # email mailhub 10.1.0.0
hostname (config) # email domain mail.acme.com
hostname (config) # email return-addr admin
hostname (config) # show email
Mail hub: 10.1.0.0
Mail hub port: 25
Domain override: mail.acme.com
Return address: admin
Include hostname in return address: yes
Current reply address: [email protected]
...
In this example, the return address is fully qualified, so the hostname and domain are not
included.
hostname (config) # email mailhub 10.1.0.0
hostname (config) # email domain mail.acme.com
hostname (config) # email return-addr [email protected]
hostname (config) # show email
Mail hub: 10.2.0.0
Mail hub port: 25
Domain override: mail.acme.com
Return address: [email protected]
Include hostname in return address: yes
Current reply address: [email protected]
...
In this example, all settings are restored to their default values.
hostname (config) # show email
Mail hub: 10.3.0.0
Mail hub port: 26
Domain override: mailhost.acme.com
Return address: admin
Include hostname in return address: no
Current reply address: [email protected]
...
hostname (config) # no email mailhub
hostname (config) # no email mailhub-port
hostname (config) # no email return-addr
hostname (config) # email return-host
hostname (config) # show email
Mail hub:
Mail hub port: 25
Domain override:
Return address: do-not-reply
Include hostname in return address: yes
Current reply address: [email protected]
...
Configuring the Mail Server for Scheduled Reports Using the CLI
Use the CLI commands in this topic to configure the mail server that sends scheduled reports.
See System Mail Server Settings on page 149 for a description of each parameter.
If you use the CLI to configure the mail server, the changes will not appear on the
Settings: Email page in the Web UI.
See Adding and Removing Scheduled Report Recipients on page 156 for
information about configuring the report recipients using the CLI.
To configure the mail server for scheduled reports:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Specify the hostname or IP address of the mail server:
hostname (config) # report email smtp server {hostname | ipAddress}
3. Specify the SMTP port used by the mail server to send reports:
hostname (config) # report email smtp port port
4. Specify the domain name from which emails will appear to come:
hostname (config) # report email smtp domain domainName
5. Specify the fully qualified return address from which emails are sent:
hostname (config) # report email smtp return-addr returnAddress
6. Verify your changes:
hostname (config) # show report email
7. Save the configuration:
hostname (config) # write memory
To remove a configuration or restore the default setting, append no to the command.
For example, to restore the default return address, use the no report email return-
addr command, and to remove the configured domain name, use the no report email
smtp domain command.
Examples
In this example, the email server is configured to send scheduled reports.
hostname (config) # report email smtp server 10.4.0.0
hostname (config) # report email smtp domain mailer.acme.com
hostname (config) # report email smtp return-addr [email protected]
hostname (config) # show report email
Report email configurations:
SMTP server: 10.4.0.0
SMTP server port: 25
SMTP Domain: mailer.acme.com
SMTP Return addr: [email protected]
...
In this example, all configuration settings are restored to their default values.
hostname (config) # show report email
Report email configurations:
SMTP server: 10.4.0.0
SMTP server port: 26
SMTP Domain: acme.com
SMTP Return addr: [email protected]
...
hostname (config) # no report email smtp server
hostname (config) # no report email smtp port
hostname (config) # no report email smtp domain
hostname (config) # no report email smtp return-addr
hostname (config) # show report email
Report email configurations:
SMTP server:
SMTP server port: 25
SMTP Domain:
SMTP Return addr: do-not-reply
...
Adding and Removing Email Recipients
The same users can receive both system event notifications and scheduled reports. If you use the
CLI to configure them, you must use two separate sets of CLI commands.
Each new recipient will receive detailed notifications for all enabled system health check events.
You can customize the notifications for individual users, and configure which specific events
trigger notifications. (See Configuring System Events on page 157 for details.)
If you use the CLI to configure a scheduled report recipient, the change will not be
reflected in the Web UI. For example:
• You add [email protected] using the report email recipient
[email protected] CLI command. That recipient will be listed in the show
report email command output, but will not be added to the recipient list on the
Settings: Email page in the Web UI.
• The recipient list on the Settings: Email page includes [email protected], but
the Report checkbox is not selected. You then add that recipient using the
report email recipient [email protected] CLI command. The Report
checkbox will still not be selected on the Settings: Email page.
If you use the Web UI to add an email recipient, the recipient will be enabled to receive
both system event notifications and scheduled reports. However, if you use the email
notify recipient CLI command to add this recipient, the recipient will receive only
system event notifications, not scheduled reports (the Report check box will be cleared
on the Settings: Email page).
Prerequisites
• Operator or Admin access
Adding and Removing Email Recipients Using the Web UI
Use the Settings: Email page to add or remove the email recipients for system event
notifications and for scheduled reports.
To configure a system event notification recipient:
1. Click the Settings tab.
2. Click Email in the sidebar.
3. Enter the email address of the user in the Add Email Recipient box and then click Add
Recipient.
4. (Optional) Clear the Info, Fail, and Detail checkboxes as needed to customize the
notifications the user will receive. (See Configuring System Event Notifications Using
the Web UI on page 157 for details.)
To add a scheduled report recipient:
1. Enter the email address of the user in the Add Email Recipient box and then click Add
Recipient.
2. Make sure the Report checkbox remains selected.
3. (Optional) Clear the Info, Fail, and Detail checkboxes to prevent the user from receiving
system event notifications as well as scheduled reports.
To remove an email recipient:
1. Click the icon in the Delete column.
2. When prompted, click OK to confirm the action.
Adding and Removing Email Recipients Using the CLI
Use the commands in this section to add or remove email recipients for system event
notifications and scheduled reports.
If you use the CLI to add or remove a scheduled report recipient, the changes will not
appear on the Settings: Email page in the Web UI.
Adding and Removing System Event Notification Recipients
To add system event notification recipients:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. To add a recipient:
hostname (config) # email notify recipient emailAddress
3. To remove a recipient:
hostname (config) # no email notify recipient emailAddress
4. Verify your changes:
hostname (config) # show email
5. Save your changes:
hostname (config) # write memory
Adding and Removing Scheduled Report Recipients
To configure scheduled report recipients:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. To add a recipient:
hostname (config) # report email recipient emailAddress
3. To remove a recipient:
hostname (config) # no report email recipient emailAddress
4. Verify your changes:
hostname (config) # show report email
5. Save your changes:
hostname (config) # write memory
Examples
This example adds [email protected] as a system event notification recipient and removes
hostname (config) # show email
...
Email notification recipients:
[email protected] (all events, in detail)
[email protected] (failure events only, in detail)
[email protected] (all events, summarized)
...
hostname (config) # email notify recipient [email protected]
hostname (config) # no email notify recipient [email protected]
hostname (config) # show email
...
Email notification recipients:
[email protected] (all events, in detail)
[email protected] (all events, in detail)
[email protected] (failure events only, in detail)
This example adds [email protected] as a scheduled report recipient, and removes
hostname (config) # show report email
Report email configurations:
...
Email recipients:
[email protected]@acme.com
hostname (config) # report email recipient [email protected]
hostname (config) # no report email recipient [email protected]
hostname (config) # show report email
Report email configurations:
...
Email recipients:
[email protected]@acme.com
Configuring System Events
By default, configured users receive detailed notifications about all enabled system events.
Informational events are logged when there is a change in the system. Failure events are logged
when there is a failure in the system.
You can use the CLI to change which events are enabled. For example, you could disable
informational events, such as system log file rotations, from triggering notifications.
For each recipient, you can specify whether failure notifications, informational notifications, or
both are sent. For example, a user might want to know that a disk failed, but not that an
excessive temperature condition returned to normal.
You can also specify whether a user receives summarized or detailed notifications.
Prerequisites
• Operator or Admin access
Configuring System Event Notifications Using the Web UI
Use the Settings: Email page to configure system email event notifications for each configured
recipient.
To configure system events:
1. Click the Settings tab.
2. Click Email in the sidebar.
3. Select or clear the Info and Fail checkboxes to specify the severity of events for which
the user receives notifications.
4. Select or clear the Detail checkbox to specify whether the user receives detailed or
summarized notifications.
5. Click Update to save your changes.
Configuring System Event Notifications Using the CLI
Use the commands in this topic to customize system event notifications for each user and to
configure which events trigger notifications.
Viewing System Events
You can view all system events, or the system events that are currently enabled to trigger
notifications, ordered by their severity.
To view all system events:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. View the events:
hostname (config) # email notify event ?
To view enabled system events and their severity:
• View the events by severity:
hostname > show email events
Configuring System Event Notifications for Each User
To configure system event notifications for each user:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. View the current configuration:
hostname (config) # show email
3. Specify the severity of events for which each user should receive notifications.
• To receive "info" events:
hostname (config) # email notify recipient emailAddress class info
• To stop receiving "info" events:
hostname (config) # no email notify recipient emailAddress class info
• To receive "failure" events:
hostname (config) # email notify recipient emailAddress class failure
• To stop receiving "failure" events:
hostname (config) # no email notify recipient emailAddress class failure
4. Specify the notification format.
• To receive detailed notifications:
hostname (config) # email notify recipient emailAddress detail
• To receive summarized notifications:
hostname (config) # no email notify recipient emailAddress detail
Configuring Which Events Trigger Notifications
To configure which events trigger notifications:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. View the current configuration as described in Viewing System Events on the previous
page.
3. To enable an event:
hostname (config) # email notify event event
4. To disable an event:
hostname (config) # no email notify event event
5. Verify your changes:
hostname (config) # show email events
6. Save your changes:
hostname (config) # write memory
Examples
This example stops [email protected] from receiving "info" notifications and changes the
message format to a summary.
hostname (config) # show email
.
.
Email notification recipients:
  [email protected] (all events, in detail)
  [email protected] (failure events only, in detail)
  [email protected] (all events, in detail)
.
.
hostname (config) # no email notify recipient [email protected] info
hostname (config) # no email notify recipient [email protected] detail
hostname (config) # show email
.
.
Email notification recipients:
  [email protected] (failure events only, summarized)
  [email protected] (failure events only, in detail)
  [email protected] (all events, in detail)
This example disables log file rotations from triggering event notifications:
hostname (config) # no email notify event syslog-rotation
Configuring Auto Support for System Event Notifications
You can configure the appliance to send emails to [email protected] when specific
system events occur.
This includes configuring settings to ensure the emails are sent securely. You can specify one of
the following security types:
l none—Do not use TLS to secure the autosupport emails.
l tls—Use TLS over the default server port to secure autosupport emails. Do not send the
emails if TLS fails.
l tls-none—Use TLS over the default server port to secure autosupport email. The email is
sent in plain text if TLS fails.
Prerequisites
l Operator or Admin access
Configuring Auto Support for System Event Notifications Using the CLI
Use the commands in this section to configure autosupport for system event notifications. (See
Viewing System Events on page 158 for information about viewing a full list of events.)
To configure autosupport:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Enable autosupport email notifications (disabled by default):
hostname (config) # email autosupport enable
3. Display the current configuration for generating autosupport emails for system events:
hostname (config) # show email
4. Specify each event for which autosupport email notifications should be sent:
hostname (config) # email autosupport event event
5. Configure the supplemental Certificate Authority (CA) certificates that are used to verify
the server certificates.
l To use only the built-in list:
hostname (config) # email autosupport ssl ca-list none
l To use the default supplemental CA certificate list:
hostname (config) # email autosupport ssl ca-list default-ca-list
6. Configure a security type to use for autosupport email.
l No TLS:
hostname (config) # email autosupport ssl mode none
l TLS:
hostname (config) # email autosupport ssl mode tls
l TLS none:
hostname (config) # email autosupport ssl mode tls-none
7. Verify the server certificates:
hostname (config) # email autosupport cert-verify
8. Save your changes:
hostname (config) # write memory
CHAPTER 14: Managing Logs
You can manage logs from the Web UI or CLI.
l Managing Logs Using the Web UI below
l Managing Logs Using the CLI on the next page
Prerequisites
l Admin access
Managing Logs Using the Web UI
The Log Manager allows granular customization of log generation for a variety of time period
options. Use the Log Management page to manage appliance logs.
You may need to download logs and provide them to FireEye Technical Support
for troubleshooting. You may also need to upload the logs to FireEye as requested.
To manage logs:
1. Click the About tab.
2. Click Log Manager.
3. Select which log categories to include by clicking Log categories shown below or
Everything.
4. Select or clear checkboxes to specify the categories you want to include in the logs.
5. If a drop-down list is present, select the time period the log should cover. The default is
today. The other options are past week, past 2 weeks, and past month.
6. If you want to view the log files you download, clear the Password-protect generated
log archive checkbox.
If this checkbox is selected, you will be unable to open the files.
7. Click Create. The log is added to the Archives area.
8. To download a log, click Download.
The log archive is downloaded to your local file system. The archive name begins with the
hostname of the appliance.
9. If FireEye requests that you upload an archive, click Upload. The file is automatically
uploaded to FireEye.
10. To delete an archive, click Delete.
Managing Logs Using the CLI
Log management commands allow you to view the appliance log files, send log messages to one
or more syslog servers, and manage the log files saved on the local disk. Use the CLI commands
in this topic to manage logs. For a full list and for details about command usage and parameters,
see the FireEye CLI Reference.
You may need to download logs and provide them to FireEye Technical Support
for troubleshooting.
Prerequisites
l Admin access
To manage logs:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Display the current logging configuration:
hostname (config) # show logging
Local logging level: notice
  Override for class mgmt-back: notice
  Override for class mgmt-front: notice
Remote syslog default level: notice
Remote syslog servers:
  10.10.20.62
Receive messages from remote hosts: yes
Log file rotation:
  Log rotation size threshold: 256 megabytes
  Archived log files to keep: 40
Log format:
  Overall format: standard
  Subsecond timestamp field: disabled
3. Specify a syslog server to which logging messages are sent. For example:
hostname (config) # logging 10.10.20.62
4. Specify the minimum severity level of messages sent to syslog servers:
hostname (config) # logging trap severity-level
where severity-level is one of the following:
l none—Disables logging.
l emerg—System failure.
l alert—Immediate action required.
l crit—Critical condition.
l err—Error condition.
l warning—Warning condition.
l notice—Normal but significant condition.
l info—Informational message.
l debug—Debug-level message.
5. Specify the minimum severity level of messages stored on the local disk:
hostname (config) # logging local severity-level
where severity-level is one of the following:
l none—Disables logging.
l emerg—System failure.
l alert—Immediate action required.
l crit—Critical condition.
l err—Error condition.
l warning—Warning condition.
l notice—Normal but significant condition.
l info—Informational message.
l debug—Debug-level message.
l override—Override a log level.
6. Upload the active log file to a specified network location using file transfer protocol
(FTP), trivial file transfer protocol (TFTP), or secure copy (SCP). For example:
hostname (config) # logging files upload current scp://[email protected]/logs/FireEye_log.gz
Password (if required): ***********
hostname (config) #
7. Save your changes.
hostname (config) # write memory
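Both severity lists in steps 4 and 5 express the same rule: the level you name is a threshold, and every message at that level or more urgent is kept while less urgent ones are dropped. The following is an added example, not FireEye code or the appliance's own filter: a Python function that applies that rule to RFC 3164-style syslog lines, whose <PRI> header encodes facility * 8 + severity with lower severity codes meaning more urgent. The SAMPLE lines are constructed; the per-class "override" level is not modelled.

```python
"""Minimum-severity filtering as a syslog relay applies it (added example, not FireEye code)."""
import re

# Severity names in the order the guide lists them; the index is the syslog numeric code.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEVERITY_CODE = {name: code for code, name in enumerate(SEVERITIES)}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(line):
    """Return (facility, severity_name, rest) for a line with a <PRI> header.
    Raises ValueError when the header is absent or the value is out of range."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, SEVERITIES[pri % 8], m.group(2)


def passes_threshold(severity_name, minimum):
    """True if a message of severity_name survives `logging trap <minimum>`.
    'none' disables forwarding entirely; otherwise keep codes <= the threshold code."""
    if minimum == "none":
        return False
    return SEVERITY_CODE[severity_name] <= SEVERITY_CODE[minimum]


def filter_lines(lines, minimum):
    """Return the lines a relay configured at `minimum` would forward.
    Lines without a valid PRI are dropped rather than guessed at."""
    kept = []
    for line in lines:
        try:
            _, severity, _ = parse_pri(line)
        except ValueError:
            continue
        if passes_threshold(severity, minimum):
            kept.append(line)
    return kept


# Constructed sample lines: facility 1 (user) at several severities, one facility 4 (auth) line,
# and one line with no PRI header at all.
SAMPLE = [
    "<8>Aug  7 20:17:56 nx900 mgmt: disk array degraded",         # user.emerg   (1*8+0)
    "<12>Aug  7 20:18:01 nx900 mgmt: syslog-rotation completed",  # user.warning (1*8+4)
    "<13>Aug  7 20:18:05 nx900 mgmt: content update scheduled",   # user.notice  (1*8+5)
    "<15>Aug  7 20:18:09 nx900 mgmt: debug trace enabled",        # user.debug   (1*8+7)
    "<38>Aug  7 20:18:12 nx900 sshd: accepted key for admin",     # auth.info    (4*8+6)
    "garbage line without a PRI header",
]

if __name__ == "__main__":
    for level in ("none", "warning", "info", "debug"):
        print("%-8s forwards %d of %d lines" % (level, len(filter_lines(SAMPLE, level)), len(SAMPLE)))
```

Running the block shows why `logging trap warning` is a common choice for a remote collector: it forwards the emerg and warning lines, drops notice, info and debug, and silently discards the malformed line instead of forwarding an unparseable record.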
CHAPTER 15: System Health and Performance
The appliance provides information about its health and performance.
l Checking System Health and Status on the next page
l Deployment Verification on page 174
l Utilization and Performance Checks on page 187
Checking System Health and Status
You can use the Web UI or CLI to view health and status information.
Prerequisites
l Monitor, Operator, Analyst, or Admin access
Checking System Health Using the Web UI
Use the FireEye System Information page to check appliance health and status.
This illustration is from an EX Series appliance.
See Deployment Verification on page 174 for details about the information that is
displayed when you click Deployment Check at the top of this page.
To view health and status:
1. Click the About tab.
2. Click Health Check.
The results of the last check are displayed.
3. Review the system information.
4. To update the results, click the Initiate Recheck.
The following tables contain descriptions of the information in each section of the page.
Version Information
The Version Information section provides an up-to-date view of the software running on your
appliance platform and compares that with the available software on the FireEye DTI network.
Information Description
Software Version Compares the software version running on the system to the available software on the DTI network. If a newer version exists, administrators are prompted to upgrade the software.
Installed Version Displays the current software version running on the system.
Available Version Displays the current software version available on the DTI network.
Content Version Compares the security content version on the appliance to the available version on the DTI network and displays the status and the version that is currently installed. If a newer version exists, or if an error condition exists, administrators are prompted to take appropriate action.
Last Updated At Shows the last time the security content was updated.
IPMI Version Compares the IPMI firmware version running on the system to the available version on the DTI network. If a newer version exists, administrators are prompted to upgrade the firmware.
Installed Version Displays the current IPMI firmware version.
Available Version Displays the latest available IPMI firmware version.
Guest Images Information
The Guest Images Information section provides an up-to-date view of the guest images
installed on your appliance.
Information Description
Profiles Compares the profile versions within your installed guest image to the latest profiles available on the DTI network. If newer profiles are available, administrators are prompted to update their guest images.
Profile Versions For each profile found in the current guest image, the profile version number is displayed.
System Information
The System Information status section provides an up-to-date status of the hardware running on
your appliance and alerts administrators when problems are found.
Information Description
Product Info Compares system hardware performance and, if a problem is found, alerts the administrator.
Model The hardware model.
Name The product name.
Type The product type.
License Displays whether the software license has been successfully installed.
Processing Load Provides analysis of the overall load the system is carrying. If it is nearing capacity, the administrator is alerted.
Average Load The average processing load handled by the system.
Elapsed The current uptime of the system in days, hours, minutes, and seconds.
Detection Engine Displays the status of the detection engine. If the Detection Engine is not running, the administrator is alerted.
VM Analyzing The number of virtual machines currently analyzing suspect content.
VM Allowed The maximum number of VMs that can run concurrently to analyze suspect content.
Hardware
The Hardware Information section provides status on the appliance's hardware components.
Information Description
Disk Provides a quick status check on the hard disks. If a problem is found, the administrator is alerted.
Device State Displays the current state of the hard disk.
Device Support Displays the type of backup available on the system.
Self Assessment Provides the disk's self-assessment status, as reported by the disk itself.
User Capacity Shows the disk capacity on the appliance.
Chassis Provides a quick status of the hardware chassis data. If a problem is found, the administrator is alerted.
Lock Provides the state of the chassis lock.
Boot Up State Provides the boot up status.
Power Supply State Provides the state of the power supply.
Dynamic Threat Intelligence Cloud
The Dynamic Threat Intelligence Cloud section displays the status of the connection
between the appliance and the DTI network.
Information Description
DTI Client Shows whether the DTI client is running on the system.
Username Displays the current user on the system.
Support Updates Displays the status of the support license.
Security Content Sharing Displays whether security content sharing is enabled on the system.
Content Updates Displays the type of content update license purchased and the status of the content update license.
Interfaces
The Interfaces section shows information about each available Ethernet port on the appliance.
Information Description
etherN or petherN Whether the Ethernet port is up or down.
Auto Negotiation Whether auto negotiation is enabled.
Duplex The type of duplex communication used by the Ethernet port.
Link Detected Whether the Ethernet port is currently linked to another port.
Link Transceiver The location of the link transceiver used to generate Ethernet traffic.
Link Speed The maximum data speed available on the Ethernet port.
MAC Address The MAC address of the Ethernet port.
RX Packet The number of packets received by the Ethernet port during the life of this connection.
TX Packet The number of packets transmitted by the Ethernet port during the life of this connection.
Checking System Health Using the CLI
Use the CLI commands in this topic to view health and status information about appliance
components. This topic describes selected commands that return system, hardware status, DTI
network, and interface information. For a full list of commands and details about their usage and
parameters, see the FireEye CLI Reference.
Prerequisites
l Monitor, Operator, or Admin access
l Admin access for the show ipmi command
The examples in this section are from an NX Series appliance.
To check appliance health:
1. Enable the CLI enable mode:
hostname > enable
2. Display detailed information about the system and the software running on it.
hostname > show version
Product name: Web MPS [licensed]
Product model: FireEyeNX900
Bandwidth: 100 Mb
Product release: wMPS (wMPS) 7.6.0.352454
Build ID: #232454
Build date: 2015-08-06 23:46:20
Build arch: x86_64
Built by: root@vta114
Version summary: wmps wMPS (wMPS) 7.6.0.352454 #352454 2015-05-05 23:46:20 x86_64 build@vta114:FireEye (xxx)
Content Version: 385.314
Appliance ID: 002590AEE884
Product model: FireEyeNX900
Host ID: 17ab40a3729d
System serial num: SM1346AH00Y
System UUID: 49434d53-0200-90ae-2500-ae90250084e8
Uptime: 11d 6h 34m 34.205s
CPU load averages: 0.23 / 0.52 / 1.10
Number of CPUs: 8
System memory: 7503 MB used / 8562 MB free / 16065 MB total
Swap: 0 MB used / 65536 MB free / 65536 MB total
3. Display the IPMI configuration:
hostname # show ipmi
IPMI LAN Settings
----------------------------------------
Admin Shut Down    : no
Shut Down          : no
IP Address Source  : Static Address
IP Address         : 192.168.42.27
Subnet Mask        : 0
Default Gateway IP : 0

IPMI Firmware Installed
-------------------------------
Firmware Version: 2.67
Device: 1
IPMI Version: 2.0

IPMI Firmware Available For Update
-----------------------------------
New Firmware Version: 2.67
New Firmware Filename: FireEye_V267.bin
Firmware Update Notice: Firmware is up to date for this release
IPMI Firmware Availability Notice is enabled
4. Display overall system status:
hostname > show system health
Overall system feature status: Good
5. Display information about the Dynamic Threat Intelligence (DTI) network:
hostname # show fenet status
Dynamic Threat Intelligence Service:
  Update source : <online>
  Enabled       : yes
  Download : [email protected] : [email protected] Mil : [email protected]
HTTP Proxy:
  Address    :
  Username   :
  User-agent :
Request Session:
  Timeout     : 30
  Retries     : 3
  Speed Time  : 60
  Max Time    : 14400
  Rate Limit  :
  Speed Limit : 1
Dynamic Threat Intelligence Lockdown:
  Enabled    : no
  Locked     : no
  Lock After : 5 failed attempts

UPDATES             Enabled  Notify  Scheduled  Last Updated At
-------             -------  ------  ---------  -------------------
Security contents : yes      no      every      2015/08/07 20:17:56
Stats contents    : yes      none               2015/08/07 18:32:01
6. Display status and traffic statistics for all interfaces:
hostname # show interfaces
Interface ether1 status:
  Comment:
  Admin up: yes
  Link up: yes
  DHCP running: no
  IP address: 172.00.00.00
  Netmask: 255.000.0.0
  IPV6 enabled: no
  Speed: 1000Mb/s (auto)
  Duplex: full (auto)
  Interface type: ethernet
  Interface ifindex: 12
  Interface source: physical
  MTU: 1500
  HW address: 00:25:90:D0:A3:76
  RX bytes: 3114981133        TX bytes: 227921679
  RX packets: 31934013        TX packets: 367951
  RX mcast packets: 31564     TX discards: 0
  RX discards: 296            TX errors: 0
  RX errors: 1                TX overruns: 0
  RX overruns: 0              TX carrier: 0
  RX frame: 0                 TX collisions: 0
  TX queue len: 1000

Interface ether2 status:
  Comment:
  Admin up: yes
  Link up: no
  DHCP running: no
  IP address:
  Netmask:
  IPV6 enabled: no
  Speed: UNKNOWN
  Duplex: UNKNOWN
  Interface type: ethernet
  MTU: 1500
  HW address: 00:25:90:D0:A3:77
  RX bytes: 0                 TX bytes: 0
  RX packets: 0               TX packets: 0
  RX mcast packets: 0         TX discards: 0
  RX discards: 0              TX errors: 0
  RX errors: 0                TX overruns: 0
  RX overruns: 0              TX carrier: 0
  RX frame: 0                 TX collisions: 0
  TX queue len: 0

Interface pether2 status:
  Comment:
  Admin up: yes
  Link up: no
  DHCP running: no
  IP address:
  Netmask:
  IPV6 enabled: no
  Speed: UNKNOWN
  Duplex: UNKNOWN
  Interface type: ethernet
  Interface ifindex: 9
  Interface source: physical
  Bridge group: ether2
  MTU: 1500
  HW address: 00:25:90:D0:A3:77
  RX bytes: 0                 TX bytes: 0
  RX packets: 0               TX packets: 0
  RX mcast packets: 0         TX discards: 0
  RX discards: 0              TX errors: 0
  RX errors: 0                TX overruns: 0
  RX overruns: 0              TX carrier: 0
  RX frame: 0                 TX collisions: 0
  TX queue len: 1000

Interface pether3 status:
  Comment:
  Admin up: yes
  Link up: yes
  DHCP running: no
  IP address: 127.0.0.10
  Netmask: 255.255.255.0
  IPV6 enabled: no
  Speed: 1000 MB/s (auto)
  Duplex: full (auto)
  Interface type: ethernet
  Interface ifindex: 6
  Interface source: physical
  MTU: 1500
  HW address: 00:25:90:D0:A3:67
  RX bytes: 31628620500       TX bytes: 0
  RX packets: 46795           TX packets: 0
  RX mcast packets: 367056    TX discards: 0
  RX discards: 212322         TX errors: 0
  RX errors: 0                TX overruns: 0
  RX overruns: 0              TX carrier: 0
  RX frame: 0                 TX collisions: 0
  TX queue len: 1000
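Reading show interfaces output by eye does not scale across many ports, and the conditions that matter for an inline deployment (a port that is administratively up but has no link, non-zero error or overrun counters, rising discards) are easy to miss in a wall of counters. The following is an added example, not FireEye code: a Python parser for the key: value layout shown above, including the two-column RX/TX counter lines, followed by a function that turns the parsed fields into findings. SAMPLE is a constructed, shortened transcript modelled on the output above, and the discard threshold is an assumption.

```python
"""Parse `show interfaces` output and flag conditions worth a second look (added example, not FireEye code)."""
import re

_COUNTER_RE = re.compile(r"((?:RX|TX) [a-z ]+?):\s*(\d*)")
_HEADER_RE = re.compile(r"Interface (\S+) status:")


def _split_fields(line):
    """Yield (key, value) pairs from one stripped line.
    Counter lines carry an RX field and a TX field side by side; everything
    else is a single `key: value` pair (the value may be empty)."""
    if line.startswith(("RX ", "TX ")):
        for m in _COUNTER_RE.finditer(line):
            yield m.group(1), m.group(2)
    else:
        key, _, value = line.partition(":")
        yield key.strip(), value.strip()


def parse_show_interfaces(text):
    """Return {interface_name: {field: value_string}} for the whole transcript."""
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("hostname"):
            continue  # blank lines and the command prompt are not fields
        m = _HEADER_RE.match(line)
        if m:
            current = interfaces.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        for key, value in _split_fields(line):
            current[key] = value
    return interfaces


def _as_int(value):
    return int(value) if value else 0


def interface_findings(interfaces, discard_threshold=0):
    """Return {interface_name: [finding, ...]}; an empty list means nothing to report.
    discard_threshold is an assumed tolerance: discards above it are reported."""
    findings = {}
    for name, fields in interfaces.items():
        notes = []
        if fields.get("Admin up") == "yes" and fields.get("Link up") == "no":
            notes.append("admin up but no link")
        if fields.get("Link up") == "yes" and fields.get("Speed", "").startswith("UNKNOWN"):
            notes.append("link up but speed unknown")
        for counter in ("RX errors", "TX errors", "RX overruns", "TX overruns"):
            if _as_int(fields.get(counter)) > 0:
                notes.append("%s: %s" % (counter, fields[counter]))
        for counter in ("RX discards", "TX discards"):
            if _as_int(fields.get(counter)) > discard_threshold:
                notes.append("%s: %s" % (counter, fields[counter]))
        findings[name] = notes
    return findings


# Constructed sample transcript, shortened from the layout the guide shows.
SAMPLE = """\
hostname # show interfaces
Interface ether1 status:
  Comment:
  Admin up: yes
  Link up: yes
  Speed: 1000Mb/s (auto)
  Duplex: full (auto)
  HW address: 00:25:90:D0:A3:76
  RX packets: 31934013        TX packets: 367951
  RX discards: 296            TX errors: 0
  RX errors: 1                TX overruns: 0
  TX queue len: 1000

Interface ether2 status:
  Comment:
  Admin up: yes
  Link up: no
  Speed: UNKNOWN
  Duplex: UNKNOWN
  RX packets: 0               TX packets: 0
  RX discards: 0              TX errors: 0
  RX errors: 0                TX overruns: 0
  TX queue len: 0

Interface pether3 status:
  Comment:
  Admin up: yes
  Link up: yes
  Speed: 1000 MB/s (auto)
  Duplex: full (auto)
  RX packets: 46795           TX packets: 0
  RX discards: 212322         TX errors: 0
  RX errors: 0                TX overruns: 0
  TX queue len: 1000
"""

if __name__ == "__main__":
    for name, notes in interface_findings(parse_show_interfaces(SAMPLE)).items():
        print("%-8s %s" % (name, "; ".join(notes) or "ok"))
```

The threshold parameter exists because a non-zero discard count is not always a fault; what counts as normal for a given port is something you establish from a baseline, and the function lets you encode that baseline instead of hard-coding zero.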
Deployment Verification
The Deployment Check > FireEye System Information page contains three sections:
l Dynamic Threat Intelligence Cloud—Checks whether the appliance can receive
security content updates from and upload analysis statistics to the DTI network. See
Checking DTI Services Using the Web UI below.
l Detection Verification—Checks whether the appliance can detect the callback, callback
block, Web analysis, binary analysis, domain match, and IPS alert types. See Checking
Alert Detection on the next page.
l Network Deployment Check—Captures all TCP traffic for a specific duration, and
checks for network issues including duplicate packets, asymmetric TCP traffic, packet
loss, and out-of-order packets. See Checking Network Deployment on page 179.
Checking DTI Services Using the Web UI
The Dynamic Threat Intelligence Cloud section shows whether the appliance can receive
security content updates from and upload analysis statistics to the DTI network. See Validating
DTI Access on page 70 if the services in this section are not reachable.
The other two sections on the FireEye System Information page do not depend on
DTI cloud services being reachable.
Prerequisites
l Monitor, Analyst, Operator, or Admin access
To refresh the DTI cloud status information:
1. On the Web UI, select the About tab.
2. Click Deployment Check.
3. Click Initiate Recheck.
Checking Alert Detection
Alert detection tests allow you to check whether the appliance can detect callback, callback
block, Web analysis, binary analysis, domain match, and IPS alerts. You can perform these tests
from the Deployment Check > FireEye System Information page or by sending test URLs
from a Web browser.
The laptop or device from which you are testing must be in the network in which the
NX Series appliance is deployed inline.
Checking Alert Detection Using the Web UI Procedure
Use the Deployment Check > FireEye System Information page to check NX Series
appliance alert detection.
Prerequisites
l Monitor, Analyst, Operator, or Admin access
l NX Series appliance is deployed inline.
l Laptop or device from which you are testing is in the network in which the NX Series
appliance is deployed.
l Alerts and notifications are configured.
To check alert detection:
1. Click the About tab.
2. Click Deployment Check.
3. Click the Check icon in the Perform Check column in the Detection Verification
table to test whether the appliance can detect the following alert types:
l Callback
l Callback block
l Web analysis
l Binary Analysis
l Domain Match
l IPS check (not shown above)
4. Click Initiate Recheck to display the check results in the Detection Verification table.
If any of the checks fails, check that the hardware is installed correctly for your deployment (see
the Hardware Administration Guide for your NX Series appliance for installation and deployment
instructions). If the hardware is installed correctly, contact FireEye Technical Support.
Checking Alert Detection Using the Test URL
You can check NX Series appliance alert detection by sending test URLs from a Web browser.
The test URLs and the buttons in the Web UI point to the same test pages.
Prerequisites
l Monitor, Analyst, or Admin access
l NX Series appliance is deployed inline.
l Laptop or device from which you are testing is in the network in which the NX Series
appliance is deployed.
l Alerts and notifications are configured.
To check alert detection using test URLs:
1. To test NX Series appliance callback communication detection:
a. Send the following test URL:
http://fedeploycheck.fireeye.com/appliance-test/alert.html
The following test page opens:
b. Select the Alerts tab in the Web UI.
c. Click Alerts and look for an "FETestEvent" alert.
2. To test NX Series appliance callback blocking:
a. Send the following test URL:
http://fedeploycheck.fireeye.com/appliance-test/block.html
This test actively blocks a simulated malware callback. The following test page
opens:
b. Select the Alerts tab in the Web UI.
c. Click Alerts and look for an alert detecting the blocking event.
3. To test NX Series appliance detection of Web-based malware and IPS events:
a. Send the following test URL:
http://fedeploycheck.fireeye.com/appliance-test/test-infection.pdf
This URL points to a simulated malicious PDF, and is used to check both the Web
analysis and IPS check alert types. A PDF file with the following content opens:
b. Select the Alerts tab in the Web UI.
c. Click Alerts and look for an alert detecting the event.
4. To test NX Series appliance detection of a binary-analysis executable file:
a. Send the following test URL:
http://fedeploycheck.fireeye.com/appliance-test/test-infection.exe
A browser-specific message prompts you to open or save the file:
b. Click Cancel.
c. Select the Alerts tab in the Web UI.
d. Click Alerts and look for an alert detecting the event.
5. To test NX Series appliance detection of domain matched URLs:
a. Send the following test URL:
http://fedeploymentcheck.dns.fireeye.com
b. A browser-specific page opens:
c. Select the Alerts tab in the Web UI.
d. Click Alerts and look for an alert detecting the event.
If any of the checks fails, check that the hardware is installed correctly for your deployment (see
the Hardware Administration Guide for your NX Series appliance for installation and deployment
instructions). If the hardware is installed correctly, contact FireEye Technical Support.
Checking Network Deployment
The NX Series software automatically checks for network status information that might indicate
appliance deployment problems. The system automatically runs the deployment check process at
midnight. You can explicitly start a deployment check from the appliance Web UI or CLI,
provided that a deployment check process is not already running.
A network deployment check captures all TCP traffic that enters and exits the monitoring ports
for a certain duration and then analyzes the captured traffic for duplicate packets, out-of-order
packets, packet loss, and asymmetric traffic flows. Based on packet counts, the network
deployment check produces an overall score of success or failure. If the network deployment
check fails, the Web UI and CLI output identify the specific packet counts that indicate network
deployment problems. To investigate appliance network deployment problems, you can upload
the most recent packet capture file to a remote host and then use a packet browser to analyze the
captured traffic.
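The counters the network deployment check reports (retransmitted, out-of-order, previous-segment-not-captured and asymmetric streams) all come from per-direction TCP sequence bookkeeping over the capture, and an inline appliance that sees only one direction of a conversation, or sees each packet twice, shows up directly in them. The following is an added example, not FireEye code and not the appliance's scoring logic: a Python walk over a constructed capture that keeps the same kind of bookkeeping and applies thresholds to produce a success/failed result with the fields that would carry an asterisk. The Packet layout, the addresses (RFC 5737 documentation ranges) and DEMO_THRESHOLDS are assumptions; the appliance's own thresholds are system-defined.

```python
"""Passive TCP deployment check in miniature (added example, not FireEye code)."""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst seq length")  # src/dst are "ip:port" strings
Thresholds = namedtuple(
    "Thresholds", "min_packets max_retransmit max_out_of_order max_gap max_asymmetric")

# Assumed demo thresholds; the appliance's real ones are system-defined.
DEMO_THRESHOLDS = Thresholds(min_packets=5, max_retransmit=2, max_out_of_order=2,
                             max_gap=2, max_asymmetric=0)


def analyze_capture(packets):
    """Return counters mirroring the deployment check's result fields."""
    expected = {}    # (src, dst) -> next sequence number we expect in that direction
    seen = {}        # (src, dst) -> sequence numbers already captured in that direction
    directions = {}  # unordered endpoint pair -> set of directions observed
    counters = {"captured_pkts": 0, "retransmitted_pkts": 0, "out_of_order_pkts": 0,
                "previous_seg_not_captured_pkts": 0, "streams": 0, "asymmetric_streams": 0}
    for p in packets:
        counters["captured_pkts"] += 1
        d = (p.src, p.dst)
        directions.setdefault(frozenset(d), set()).add(d)
        seen_d = seen.setdefault(d, set())
        if p.seq in seen_d:
            counters["retransmitted_pkts"] += 1             # same segment captured twice
        elif d in expected and p.seq > expected[d]:
            counters["previous_seg_not_captured_pkts"] += 1  # bytes before p.seq never seen
            expected[d] = p.seq + p.length
        elif d in expected and p.seq < expected[d]:
            counters["out_of_order_pkts"] += 1              # late arrival filling an earlier gap
        else:
            expected[d] = p.seq + p.length                  # in sequence
        seen_d.add(p.seq)
    counters["streams"] = len(directions)
    counters["asymmetric_streams"] = sum(1 for dirs in directions.values() if len(dirs) < 2)
    return counters


def score(counters, t=DEMO_THRESHOLDS):
    """Apply thresholds; return (status, flagged) where flagged lists the fields
    that would carry the asterisk in the appliance's output."""
    flagged = []
    if counters["captured_pkts"] < t.min_packets:
        flagged.append("captured_pkts")   # too little traffic to judge (below threshold)
    limits = {"retransmitted_pkts": t.max_retransmit,
              "out_of_order_pkts": t.max_out_of_order,
              "previous_seg_not_captured_pkts": t.max_gap,
              "asymmetric_streams": t.max_asymmetric}
    for field, limit in limits.items():
        if counters[field] > limit:
            flagged.append(field)          # above threshold
    return ("failed" if flagged else "success"), flagged


def format_report(counters, t=DEMO_THRESHOLDS):
    """Render the counters in the style of the CLI status block."""
    status, flagged = score(counters, t)
    lines = ["Status: %s" % status]
    for field, value in counters.items():
        lines.append("%s: %d%s" % (field, value, " *" if field in flagged else ""))
    return "\n".join(lines)


# Constructed capture: one symmetric client/server stream with a retransmit and a
# gap that is later filled, plus a second stream seen in one direction only.
C, S = "192.0.2.5:40001", "198.51.100.7:80"
X, Y = "192.0.2.9:50022", "198.51.100.20:443"
SAMPLE_CAPTURE = [
    Packet(C, S, 1000, 100),
    Packet(S, C, 5000, 1460),
    Packet(C, S, 1100, 100),
    Packet(C, S, 1100, 100),   # retransmission of the previous segment
    Packet(S, C, 7920, 1460),  # 6460..7919 never captured: previous segment not captured
    Packet(S, C, 6460, 1460),  # the missing segment arrives late: out of order
    Packet(X, Y, 300, 50),     # only X->Y is ever seen: asymmetric stream
    Packet(X, Y, 350, 50),
]

if __name__ == "__main__":
    print(format_report(analyze_capture(SAMPLE_CAPTURE)))
```

On the full sample the only field over its limit is asymmetric_streams, which is the signature of a tap or SPAN that delivers one direction of a conversation; the first six packets alone, which cover only the symmetric stream, score as success even though they contain a retransmit and a gap, because those counts sit under the demo limits.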
The following events trigger network deployment check notifications:
l The deployment check results transition from success to failure.
l The system restarts and the last deployment check fails.
l Any managed process restarts and the last deployment check resulted in failure.
If the deployment-check-failure and deployment-check-recover notifications are configured and enabled on
your appliance, network deployment check notifications are sent by email and SNMP traps. For
instructions, see Sending Traps on page 141.
This section contains the following topics:
l Viewing Network Deployment Check Results on the facing page
l Starting a Network Deployment Check on page 184
l Clearing Network Deployment Check Results on page 186
l Configuring the Maximum Packet Capture Duration on page 185
Viewing Network Deployment Check Results
You can view the network deployment check results. The system automatically runs the network
deployment check every day at midnight.
Prerequisites
l Monitor, Analyst, Operator, or Admin access
Viewing Network Deployment Check Results Using the Web UI
The bottom section of the Deployment Check > FireEye System Information page displays
the results.
The following table describes the fields for the network deployment check results.
Field Description
Status Overall results of packet capture analysis:
success—No network deployment errors were detected.
failed—Network deployment check errors were found.
Check start time Date and time the packet capture started.
Check completion time Date and time the analysis finished.
Total captured pkts Size (in packets) of analyzed packet capture. If this number is below a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.
Re-Transmitted pkts Number of packets retransmitted. If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.
Dup Ack pkts Number of TCP DUP ACK records in the capture. If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.
Out-of-Order pkts Number of reordered packets in the capture. If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.
Acked unseen pkts Number of TCP ACKed unseen segments in the capture. If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.
Previous seg not captured pkts Number of packets that arrived with a sequence number greater than the next expected sequence number on that connection. If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.
Malformed pkts Number of packets in the capture that are malformed. A sender might transmit a malformed packet, or a packet can become corrupted in transit. If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.
Asymmetric stream count Number of asymmetric streams in the capture. If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.
Messages Latest deployment check is still running. Following is status for previous check:
If you run this command while a previous network deployment check is still in progress, this message is displayed. The results of the previous network deployment check are displayed.
Captured network output is available in file deployment_check.pcap. It can be uploaded with 'file tcpdump upload deployment_check.pcap'.
Whether the network deployment check overall result is success or failed, you can upload the captured and analyzed network traffic to a remote host by using the file tcpdump upload deployment_check.pcap command, and then use a packet browser to analyze the captured traffic.
To display network deployment check results:
1. Click the About tab.
2. Click Deployment Check.
Review the results at the bottom of the page.
Viewing Network Deployment CheckResults Using the CLI
Use the CLI commands in this topic to view the results.
The following table describes the fields for the network deployment check results.
Field Description
Status Overall results of packet capture analysis:
success—No network deployment errors were detected.
failed—Network deployment check errors were detected.
Start time Date and time the packet capture started.
End time Date and time the analysis finished.
Captured data size (bytes) Size (in bytes) of the packet capture analyzed.
Captured packet count Size (in packets) of analyzed packet capture. If this number is below a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.
Re-transmit packet count Number of packets retransmitted. If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.
Dup ACK packet count Number of TCP DUP ACK records in the capture. If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.
Out-of-order packet count Number of reordered packets in the capture. If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.
Acked unseen packet count Number of TCP ACKed unseen segments in the capture. If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.
Previous seg not captured packet count Number of packets that arrived with a sequence number greater than the next expected sequence number on that connection. If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.
Malformed packet count Number of packets in the capture that are malformed. A sender might transmit a malformed packet, or a packet can become corrupted in transit. If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.
Stream count Number of active streams in the capture. If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.
Asymmetric stream count Number of asymmetric streams in the capture. If this number exceeds a system-defined threshold, an asterisk (*) indicates that the value might indicate a network deployment problem.
Messages Latest deployment check is still running. Following is status for previous check:
If you run this command while a previous network deployment check is still in progress, this message is displayed. The results of the previous network deployment check are displayed.
Captured network output is available in file deployment_check.pcap. It can be uploaded with 'file tcpdump upload deployment_check.pcap'.
Whether the network deployment check overall result is success or failed, you can save the captured and analyzed network traffic by using the file tcpdump upload deployment_check.pcap CLI command.
Please run 'deployment check network start'
If you cleared the results of the last network deployment check, this message is displayed instead of the status lines.
To display network deployment check results:
1. Enter the CLI enable mode:
hostname > enable
2. Show full results. Enter the show deployment check network command.
hostname # show deployment check network
Network deployment check configuration:
Packet Capture Duration: 120
Network deployment check status:
Status: success
Start time: 2014/07/21 00:00:00
End time: 2014/07/21 00:00:19
Captured data size (bytes): 10712908
Message: Captured network output is available in file deployment_check.pcap. It
can be downloaded with 'file tcpdump upload deployment_check.pcap'.
3. Show configuration information only. Enter the show deployment check network
config command.
hostname # show deployment check network config
Network deployment check configuration:
Packet Capture Duration: 120
4. Show status information only. Enter the show deployment check network status
command.
hostname # show deployment check network status
Network deployment check status:
Status: success
Start time: 2014/12/02 01:19:55
End time: 2014/12/02 01:20:56
Captured data size (bytes): 10277941
Message: Captured network output is available in file deployment_check.pcap.It can be uploaded with 'file tcpdump upload deployment_check.pcap'.
5. Show status details only. Enter the show deployment check network status detail
command.
hostname # show deployment check network status detail
Latest deployment check is still running. Following is status for previous check
Network deployment check status:
Status: failed
Start time: 2014/07/24 08:44:38
End time: 2014/07/24 08:44:48
Captured data size (bytes): 10691225
Captured packet count: 97239
Re-transmit packet count: 12079
Dup ACK packet count: 870
Out-Of-Order packet count: 21303 *
Acked unseen packet count: 162
Previous seg not captured packet count: 4180
Malformed packet count: 0
Stream count: 1260
Asymmetric stream count: 94
Message: Captured network output is available in file deployment_check.pcap. It
can be downloaded with 'file tcpdump upload deployment_check.pcap'.
* Indicates error
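Administrators who collect this output over a scripted CLI session usually want the flagged counters extracted automatically. The following added example (not FireEye code) parses the status detail text, honours the trailing asterisk convention, and reports which counters the appliance flagged; the sample outputs are constructed from the lines shown in this section.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the "show deployment check network status detail"
# output shown in this guide (not captured from a live appliance).
SAMPLE_DETAIL = """\
Latest deployment check is still running. Following is status for previous check
Network deployment check status:
Status: failed
Start time: 2014/07/24 08:44:38
End time: 2014/07/24 08:44:48
Captured data size (bytes): 10691225
Captured packet count: 97239
Re-transmit packet count: 12079
Dup ACK packet count: 870
Out-Of-Order packet count: 21303 *
Acked unseen packet count: 162
Previous seg not captured packet count: 4180
Malformed packet count: 0
Stream count: 1260
Asymmetric stream count: 94
Message: Captured network output is available in file deployment_check.pcap. It
can be downloaded with 'file tcpdump upload deployment_check.pcap'.
* Indicates error
"""

# Constructed sample of the output after "deployment check network clear".
SAMPLE_CLEARED = """\
Network deployment check status:
Message: Please run 'deployment check network start'
* Indicates error
"""

# "<name>: <integer>" optionally followed by the "*" threshold flag.
_COUNTER_RE = re.compile(r"^(?P<name>[^:]+):\s*(?P<value>\d+)\s*(?P<flag>\*)?$")


@dataclass
class DeploymentCheckResult:
    status: str = ""                 # "success", "failed", or "" when cleared
    start_time: str = ""
    end_time: str = ""
    counters: dict = field(default_factory=dict)   # field name -> int
    flagged: list = field(default_factory=list)    # names marked with "*"
    message: str = ""                # Message text, continuation lines joined
    still_running: bool = False      # a newer check is in progress


def parse_deployment_check(text: str) -> DeploymentCheckResult:
    """Parse the plain-text status output into a DeploymentCheckResult."""
    result = DeploymentCheckResult()
    message_lines = []
    in_message = False
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, the section title and the legend for "*".
        if not line or line.endswith("status:") or line.startswith("* Indicates"):
            continue
        if line.startswith("Latest deployment check is still running"):
            result.still_running = True
            continue
        if line.startswith("Message:"):
            in_message = True
            message_lines.append(line[len("Message:"):].strip())
            continue
        m = _COUNTER_RE.match(line)
        if m:
            name = m.group("name").strip()
            result.counters[name] = int(m.group("value"))
            if m.group("flag"):
                result.flagged.append(name)
            continue
        key, sep, value = line.partition(":")
        if sep and key == "Status":
            result.status = value.strip()
        elif sep and key == "Start time":
            result.start_time = value.strip()
        elif sep and key == "End time":
            result.end_time = value.strip()
        elif in_message:
            message_lines.append(line)   # wrapped continuation of Message
    result.message = " ".join(message_lines)
    return result


def needs_attention(result: DeploymentCheckResult) -> bool:
    """True when the check failed or any counter crossed its threshold."""
    return result.status == "failed" or bool(result.flagged)


def pcap_available(result: DeploymentCheckResult) -> bool:
    """True when the Message says deployment_check.pcap can be uploaded."""
    return "deployment_check.pcap" in result.message


if __name__ == "__main__":
    r = parse_deployment_check(SAMPLE_DETAIL)
    print(r.status, r.flagged, needs_attention(r), r.still_running)
```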
Starting a Network Deployment Check
You can explicitly start a network deployment check from the NX Series Web UI or CLI.
Prerequisites
l Monitor, Analyst, Operator, or Admin access
l Monitoring interfaces are "up"
Starting a Network Deployment Check Using the Web UI
You can manually start a network deployment check from the NX Series Web UI if another
check is not running.
To start a network deployment check:
1. Click the About tab.
2. Click Deployment Check.
3. Click Re/initiate Network Deployment Check.
For information about viewing the results, see Viewing Network Deployment Check
Results on page 180.
Starting a Network Deployment Check Using the CLI
You can manually start a network deployment check from the CLI if another check is not
running.
To start a network deployment check:
1. Enter the enable CLI mode:
hostname > enable
2. Start the check:
hostname # deployment check network start
Network deployment check has been started. Please run 'show deployment check network status' for status update
For information about viewing the results, see Viewing Network Deployment Check Results
on page 180.
For command details, see the FireEye CLI Reference.
Configuring the Maximum Packet Capture Duration
You can override the default maximum packet capture duration used by the network deployment
checking feature. The default value is 120 seconds. The capture is also capped at 100,000
packets, regardless of the packet capture duration.
Prerequisites
l Operator or Admin access
To configure the maximum packet capture duration:
1. Enter the CLI enable mode:
hostname > enable
2. (Optional) Display the current duration:
hostname # show deployment check network
3. Specify the new duration:
hostname # deployment check network duration seconds
The following example sets the upper limit for packet capture duration to 60 seconds:
hostname # deployment check network duration 60
For command details, see the FireEye CLI Reference.
Clearing Network Deployment Check Results
You can clear the results of the last network deployment check. This operation leaves the packet
capture itself intact. The packet capture data is stored in the deployment_check.pcap file, which
you can upload to a remote host and then use a packet browser to analyze the captured traffic.
The next network deployment check, whether started automatically at 00:00 (midnight) or
started explicitly using the CLI or Web UI, generates a new set of results.
If a network deployment check results in the failed status, network deployment check
notifications are triggered to report the failed events. If you do not clear the results,
subsequent system restarts and managed process restarts will trigger new notifications
for the same events.
Prerequisites
l Monitor, Analyst, Operator, or Admin access
To clear the last network deployment check results:
1. Enter the CLI enable mode:
hostname > enable
2. Clear the results:
hostname # deployment check network clear
Example
The following example shows the network deployment check status after the results are cleared.
hostname # show deployment check network status detail
Network deployment check status:
Message: Please run 'deployment check network start'
* Indicates error
For command details, see the FireEye CLI Reference.
Utilization and Performance Checks
The NX Series appliance continuously gathers and reports relevant data about its utilization.
There are recommended levels of utilization, known as rated limits, that are specific to each
appliance model. Exceeding these limits can cause reduced malware detection efficacy, packet
loss, and queuing errors.
You can use the utilization data as a tool for future capacity planning. When your appliance
continuously or critically exceeds the rated limits, prominent messages and event notifications
advise you to contact FireEye for guidance.
Utilization data and the associated rated limits are reported in the Appliance Utilization section
on the Dashboard in the Web UI and in the show sizing stats CLI command output. On the
Dashboard, you can view statistics for the current day, past week, or past month.
The Appliance Utilization section of the NX Series Dashboard includes a verdict that states the
utilization zone your appliance is operating in (based on the most recent one-hour average) and
recommended actions to take. The warning verdict is shown in the following illustration:
The Dashboard section also includes the following charts:
l Utilization Summary shows the overall appliance utilization level.
l MVX Web Analysis shows the Web pages waiting to be analyzed by the NX Series MVX
engine, displayed as a percentage of capacity.
l Total Bandwidth (Mbps) shows the total amount of traffic going through the monitoring
ports, measured in Mbps. The thresholds are based on the rated bandwidth for the
appliance.
In the following example, the appliance is operating in the good zone. Although it exceeded the
rated limit for total bandwidth during the reporting period, it was back in the good range at the
time the chart was rendered.
Prerequisites
l Monitor, Operator, or Admin access
l NX Series Release 7.6.1 or later
Viewing Utilization Statistics Using the Web UI
Use the Appliance Utilization section of the NX Series Dashboard to view utilization statistics
for the current day, past week, or past month.
To view the utilization statistics:
1. Click the Dashboard button at the top of the NX Series Web UI to open the Dashboard.
2. If your appliance is operating in the warning or critical zone, the Appliance Utilization
section is displayed at the top of the Dashboard. If it is operating in the good zone, scroll
to the bottom of the Dashboard to view this section.
3. To specify the time period to report, click the Day, Week, or Month button at the
bottom of the section.
4. To refresh the data, click the icon.
To hide all other Dashboard sections, click the icon. Click the icon again to show
the other sections.
Viewing Utilization Statistics Using the CLI
Use the show sizing stats command to view utilization statistics.
To view utilization statistics:
1. Enter the CLI enable mode:
hostname > enable
2. Display the statistics:
hostname # show sizing stats
Example
As shown in the following example, this command displays the current status and value for each
measurement, as well as the benchmarks from which the measurements are made.
hostname # show sizing stats
Stat                              Status   Value  Warning  Critical
                                                  Level    Level
Utilization summary:              Warning  1      1        2
Web analysis MVX utilization(%):  ok       9      75       95
Total bandwidth (Mbps):           Warning  888    750      950
CHAPTER 16: AAA
AAA (authentication, authorization, and accounting) is a security framework that validates user
identities, enforces access to resources, and audits user activities and usage.
This chapter includes the following sections:
l Authentication
l User Accounts
l Managing Your Own Account
l Local Access Control
l Configuring Password Validation Policies
l Configuring Password Change Policies
l Authentication Order
l Local Overrides
l Mapping Remote Users to Default Local Users
l RADIUS Server Configuration
l TACACS+ Server Configuration
l LDAP Server Configuration
l Example Authentication Configuration
l Authorization
l Roles
l Capabilities
l Accounting
l Audit Logs
Authentication
Authentication validates users before they are allowed to access the system. Each user has a
unique identity and associated credentials. The authentication process compares the login
credentials the user provides with the user credentials stored in a database. If the credentials
match, the user is granted access to the system; otherwise, the authentication fails and the user is
denied access.
FireEye supports four authentication methods:
l Local—The appliance authenticates users against the local username database. For
information about adding users to this database, see User Accounts.
l RADIUS—The appliance authenticates users against a remote RADIUS security server.
l TACACS+—The appliance authenticates users against a remote TACACS+ security
server.
l LDAP—The appliance authenticates users against a remote LDAP server.
The appliance uses the remote authentication methods as a client and does not become
an authentication server itself.
When remote users are authenticated by a remote server, they are logged in to the appliance as a
local user and are granted the same access privileges as that user. For any remote authentication
method, the mapping of a remote user to a local user is configured in a method-specific attribute
string that is returned by the remote server after a user is authenticated. If the string is not
returned, the remote user is logged in as the default local user specified by the aaa
authorization map default-user CLI command, as described in Mapping Remote Users to
Default Local Users.
You can use the aaa authorization rules rule command to configure rules in the local
configuration to override this mapping when specified conditions are met. For more information,
see Local Overrides of Remote User Mappings.
For security, the provided Monitor user account is locked out by default. This account must be
enabled before remote users can be mapped to it. See Local Access Control for more
information.
For details about configuring method-specific attribute strings, see:
l Configuring a RADIUS Server
l Configuring a TACACS+ Server
l Configuring an LDAP Server
l Configuring an Active Directory Server
Order of Authentication
An authentication methods list defines the order in which authentication should be attempted,
and provides backup methods in the event that a method fails to authenticate a user. The local
method must be included in the list, preferably first to reduce the risk of local account access
issues.
If a method denies a user or is not reachable, the next method in the list is tried. If there are
multiple servers within a method (assuming the method is contacting authentication servers), and
a server timeout is encountered, then the next server in the list is tried.
If the current server being contacted issues an authentication reject, no other servers for that
method are tried and the next method in the list is attempted. If no method validates a user, the
user is denied access to the appliance.
You can configure the system to track authentication attempts, limit authentication based on
previous failures, and so on.
See the following topics for more information:
l Defining the Authentication Order
l Example: Configuring Authentication
l Configuring Failed Authentication Attempts
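The fallback rules above (a timeout moves to the next server of the same method, a reject skips to the next method, and no method accepting means denial) are easy to misread, so here they are as a small model. This is an added example, not FireEye code; the `directory` servers, the user names and the passwords in it are constructed.

```python
from typing import Callable, Dict, List, Tuple

# A server answers one of "accept", "reject" or "timeout" (unreachable).
Outcome = str
# Constructed model: a server is any callable (username, password) -> Outcome.
Server = Callable[[str, str], Outcome]
# The methods list: ordered (method name, ordered list of that method's servers).
MethodsList = List[Tuple[str, List[Server]]]
Trace = List[Tuple[str, int, Outcome]]


def authenticate(methods: MethodsList, user: str, password: str) -> Tuple[bool, Trace]:
    """Walk the methods list in order and return (granted, trace).

    trace records every server consulted as (method, server index, outcome).
    Rules modelled from the text above:
      * "timeout" -> try the next server of the same method;
      * "reject"  -> skip the method's remaining servers, try the next method;
      * "accept"  -> stop, access granted;
      * every method exhausted without an accept -> access denied.
    """
    trace: Trace = []
    for method, servers in methods:
        for index, server in enumerate(servers):
            outcome = server(user, password)
            trace.append((method, index, outcome))
            if outcome == "accept":
                return True, trace
            if outcome == "reject":
                break  # no further servers are tried for this method
            # "timeout": fall through to the next server of this method
    return False, trace


def check_methods_list(methods: MethodsList) -> List[str]:
    """Return the configuration warnings implied by the text above."""
    names = [name for name, _ in methods]
    warnings = []
    if "local" not in names:
        warnings.append("the local method must be included in the list")
    elif names[0] != "local":
        warnings.append("local is not first; local account access depends on remote servers")
    return warnings


def directory(users: Dict[str, str], reachable: bool = True) -> Server:
    """Constructed authentication server backed by a user dict (plain text for
    the model only); an unreachable server times out instead of answering."""
    def server(user: str, password: str) -> Outcome:
        if not reachable:
            return "timeout"
        return "accept" if users.get(user) == password else "reject"
    return server


# Constructed configuration: local first, then two RADIUS servers (the first
# one down), then one TACACS+ server.
EXAMPLE_METHODS: MethodsList = [
    ("local", [directory({"admin": "constructed-local-pw"})]),
    ("radius", [directory({}, reachable=False),
                directory({"jdoe": "constructed-radius-pw"})]),
    ("tacacs+", [directory({"jdoe": "constructed-tacacs-pw"})]),
]

if __name__ == "__main__":
    print(check_methods_list(EXAMPLE_METHODS))
    print(authenticate(EXAMPLE_METHODS, "jdoe", "constructed-tacacs-pw"))
```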
User Accounts
Users must be created before they can log in to the appliance. User accounts include the
following information:
l User Name—The name with which the user logs in to the appliance.
l Role—The role that determines what the user can do on the appliance. For details, see
Roles.
l Password—The password that along with the user name, authenticates the user and
permits access to the appliance. You can configure rules for stricter password security. For
details, see Configuring Password Validation Policies on page 200 and Configuring
Password Change Policies on page 207.
l Account Status—The status that determines whether and how the user can log in to the
appliance locally. For details, see Local Access Control.
There is a permanent user account that corresponds to each role. These are system accounts and
cannot be deleted or modified, with the exception of being locked out so they cannot be used to
log in. The self user account is the account of the logged-in user.
All users can change their own passwords. For more information, see Managing Your Own
Account.
You can create and update user accounts using either the Web UI or the CLI. For instructions,
see the following topics:
l Managing Users Using the Web UI
l Managing Users Using the CLI
Managing Users Using the Web UI
Use the Settings: User Accounts page to add and update user accounts using the Web UI.
Prerequisites
l Admin access
To add or modify a user account:
1. Click the Settings tab.
2. Click User Accounts on the sidebar.
3. If you are updating a user account, click the appropriate link in the User column in the
table at the bottom of the page.
4. Under Add New User or Update User, enter the User Name, which is the login name
for the user. It must be between 1 and 16 characters, is case sensitive, and must be unique.
Use only letters, numbers, and underscores.
5. Select a role from the Role list. For detailed information about the functionality each role
provides, see Roles.
6. Enter a case-sensitive password for the user in the Create Password and Confirm
Password boxes. In the default configuration, the password must be between 8 and 32
characters.
You can change the password requirements as described in Configuring Password
Validation Policies.
7. (Optional) Specify a subnet, subnet mask, and VLAN for the user (Monitor user only).
8. If needed, change the Account Status for the user. For information about each status, see
Local Access Control.
The Password set account status is set automatically for new users because you
cannot create a new user from the Web UI without a password.
9. To delete one or more users, select the check box to the left of each user name, and then
click Remove Selected Users.
The user configuration is displayed at the bottom of the page, along with the following additional
information:
l Last Login—The date and time the user last logged in to the appliance in the UTC time
standard.
l Login Count—The number of times the user has logged in to the appliance since the user
account was created.
l Last Action—The date and time the user last logged in to or out of the appliance, in the
UTC time standard.
l IP Address—The IP address from which the user logged in to the appliance.
Managing Users Using the CLI
Use the CLI commands in this topic to add and update user accounts.
Prerequisites
l Admin access
To add a new user:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Create a new user:
hostname (config) # username username
User names must be between 1 and 16 characters, are case sensitive, and must be unique.
Use only letters, numbers, and underscores.
3. Assign a role to a specified user:
hostname (config) # username username role role
where role is admin, monitor, operator, analyst, or auditor.
4. Assign a password to a specified user:
hostname (config) # username username password password
5. (Optional) Configure a subnet for the specified user:
hostname (config) # username username subnet network_prefix
6. (Optional) Configure a VLAN ID for the specified user:
hostname (config) # username username vlan vlan_identifier
7. If needed, change the account status for the user. For information about each status, see
Local Access Control on page 199.
8. To delete a specified user:
hostname (config) # no username username
9. Save your changes:
hostname (config) # write memory
For command usage and parameters, see the FireEye CLI Reference.
Managing Your Own Account
Users in all roles can manage their own accounts in the following ways:
l Change their passwords.
l Install secure shell (SSH) authorized keys that permit them to log in from remote hosts
using an SSH identity.
l Create and manage SSH identities that permit them to log in to another host on which the
corresponding authorized key was installed.
l Remove SSH known host entries so they can log in to remote hosts whose host keys have
changed.
l Restrict the ways they can log in locally.
l View their account information, including when their password will expire and whether
they authenticate using a password or an SSH authorized key
You can use the Web UI to change your password, and use the CLI to change your password and
perform the other account management functions available to you.
Prerequisites
l Any role
Managing Your Own Account Using the Web UI
Use the Settings: My Account page to change your own password.
Users with the Admin role do not have access to this page; they must instead use the
Settings: User Accounts page to manage their own accounts.
To change your own password:
1. Click the Settings tab.
2. Click My Account on the sidebar.
3. Enter your current password in the Current Password box (if present).
4. Enter your new password in the New Password box.
5. Enter your new password again in the Confirm Password box.
6. Click Update User.
Managing Your Own Account Using the CLI
Use the CLI commands in this topic to perform management functions on your own account.
Prerequisites
l Any role
To manage your own account:
1. Log in to the CLI as yourself.
2. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
3. To change your password:
hostname (config) # username username password password
If your administrator requires you to enter your current password when you change your
password, do one of the following:
l Append curr-password currentPassword to the command. For example:
hostname (config) # username tsmith password ABCDE12345 curr-password FGHIJ678910
l Wait for the system to prompt for your current password:
hostname (config) # username tsmith password ABCDE12345
Current password:***********
hostname (config) #
If you enter an invalid current password, you must wait three seconds before trying again:
hostname (config) # username tsmith password ABCDE12345
Current password:*********
%Current password does not match. Please retry after 3 seconds.
4. To change your local account status:
l To specify that you cannot log in to the appliance locally using a password, but can
do so using an SSH authorized key:
hostname (config) # username username disable login
If your role is Monitor, Analyst, or Auditor, the CLI session will end
immediately after you run this command.
l To specify that you cannot log in to the appliance locally, but can log in remotely:
hostname (config) # username username disable local-login
5. To generate a new identity that allows you to open a Secure Shell (SSH) session on
another device from this appliance:
hostname (config) # ssh client user username ...
(See the FireEye CLI Reference for command usage and parameters.)
6. To show your own SSH client identities:
hostname (config) # show ssh client
7. To display your own account information:
hostname (config) # show usernames user username
or
hostname (config) # show whoami
8. (Operator role only): Save your changes:
hostname (config) # write memory
Although you can change your own password with a Monitor, Analyst, or Auditor
role, you cannot save the changes to memory. Your changes could be lost if an
administrator reboots without saving changes or reverts to the last saved
configuration.
Example
In this example, Marie changes her password and then displays her account information two
ways.
hostname (config) # username marieb password 12345ABCDE
hostname (config) # show usernames user marieb
Local username: marieb
Full name:
Account status: Password set
Role: operator
VLAN: not set
Subnet: not set
Password last set: 2014/11/21 15:51:31
Password age: 20 days 12 hr 17 min 50 sec
Password expires: in 69 days 23 hr 58 min 20 sec
Must change password: no
hostname (config) # show whoami
Username: marieb
Local username: marieb
Full name:
Account status: Password set
Role: operator
VLAN: not set
Subnet: not set
Password last set: 2014/11/21 15:51:30
Password age: 20 days 12 hr 17 min 55 sec
Password expires: in 69 days 23 hr 58 min 15 sec
Must change password: no
Login time: 2014/12/12
Auth method: local (password)
Remote address: 10.10.0.0
Line: pts/1
Session ID: 25614
Local Access Control
Each user has an account status that determines whether and how the user can log in to the
appliance locally. The account statuses are described in the following table.
Password set
    The user can log in to the appliance locally using a username and password.
Local password login disabled
    The user cannot log in to the appliance locally using a password, but can log in using an SSH authorized key.
Local login disabled
    The user cannot log in to an appliance locally, using either a password or an SSH authorized key. A user with this account status can still authenticate remotely and be mapped to this user account.
Account locked out
    The user cannot log in at all. This could be due to the account status being configured this way explicitly, or due to too many unsuccessful login attempts.
The provided Operator, Analyst, and Auditor system accounts have the "local login disabled"
status set by default, so they cannot log in until an administrator changes their account status by
setting passwords for them. The provided Monitor account defaults to the "account locked out"
status for security.
For information about changing a user's account status, see the following topics:
l Defining Account Status Using the Web UI
l Defining Account Status Using the CLI
Defining Account Status Using the Web UI
Use the Settings: User Accounts page to set the account status for a user. For a description of
each account status, see Local Access Control.
Prerequisites
l Admin access
To set an account status:
1. Click the Settings tab.
2. Click User Accounts on the sidebar.
3. Click the user name in the User column.
4. In the Update User section, select an account status from the Account Status list.
5. Click Update User.
Defining Account Status Using the CLI
Use the CLI commands in this topic to set the account status for a user.
Prerequisites
l Admin access
To set an account status:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Change the password for the specified user:
hostname (config) # username username password
3. Disable the means to log in to this account:
hostname (config) # username username disable
4. Save your changes:
hostname (config) # write memory
For command usage and parameters, see the FireEye CLI Reference.
Configuring Password Validation Policies
You can define rules to validate user passwords and enable stricter password security. Note the
following:
l The validation rules are enforced only when the user sets a plain text string as the
password. They are not applied to passwords that are configured as a hashed value. For full
enforcement, you can prevent administrators from configuring passwords as hashed values,
described in Prohibiting Hashed Passwords Using the CLI on page 206.
l The rules are enforced only when a password is being set. They are not applied to
passwords that already exist.
The password validation features described in this section are disabled by default.
You must use the CLI to configure password policies.
Configuring Password Strength
You can require that passwords be a certain length; have a minimum number of uppercase or
lowercase characters, numerals, or special characters; and limit the number of times characters
can be repeated in a password. You can also configure a minimum length for the password used
to log in to the LCD panel on the front of most appliances. For details, see Configuring
Password Strength Rules Using the CLI on the facing page.
Requiring the Current Password for Password Changes
You can require users to enter their current passwords when they change their passwords. The
following things change when you do so:
l The Settings: My Account page in the Web UI includes a Current Password field.
l Local login commands such as username username password password prompt for the
current password if the user does not supply it as a command parameter.
Custom scripts that use the CLI to configure user accounts may need to be updated if
the current password is required. For example, a script that sets the password for a user
needs to be modified to accommodate the prompt for the current password.
This feature currently applies to those users with a role other than Admin.
For details, see Requiring the Current Password for Password Changes Using the CLI on
page 204.
Prohibiting Matching Username and Password
By default, users can select a password that is the same as their username. For stricter password
security, you can prevent this. For details, see Preventing a Password from Matching the
Username Using the CLI on page 204.
Configuring Password Reuse Criteria
You can configure how many password changes are required before users can reuse a password.
When this feature is enabled, the system maintains a history of the configured number of
passwords. For example, if you specify the number 5, users must change their passwords five
times before they can reuse their first password. If the configured number is changed to a lower
number, the oldest excess passwords are removed from the history.
The password history is cleared in the following cases:
l An administrator disables the feature.
l An administrator clears the history.
A password can be reused immediately after the password history is cleared or the feature is
disabled. In both cases, information about the current password, such as the date and time it was
set, is retained.
For details, see Configuring Password Reuse Policy Using the CLI on page 205.
Prohibiting Hashed Passwords
Password validation rules can be enforced only on plain text passwords; they cannot be enforced
on hashed passwords. You can prevent administrators from using the username username
password 7 hashValue command to set passwords as hashed values. For details, see Prohibiting
Hashed Passwords Using the CLI on page 206.
The show configuration command output contains commands that restore system user
accounts. These commands include hashed passwords. If you prohibit hashed
passwords, the accounts cannot be restored and those commands will be commented
out in the output.
Prerequisites
l Admin access
Configuring Password Strength Rules Using the CLI
Use the commands in this section to configure the criteria that determine the strength of your
password security.
To configure password strength rules:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Configure rules as needed:
l To set the minimum number of lowercase letters:
hostname (config) # aaa authentication password local character-type lower-case minimum number
where number is 0 by default.
l To set the minimum number of uppercase letters:
hostname (config) # aaa authentication password local character-type upper-case minimum number
where number is 0 by default.
l To set the minimum number of special characters:
hostname (config) # aaa authentication password local character-type special minimum number
where number is 0 by default.
l To set the minimum number of numerals:
hostname (config) # aaa authentication password local character-type numeral minimum number
where number is 0 by default.
l To set the maximum times a character can repeat consecutively:
hostname (config) # aaa authentication password local max-char-repeats maximum number
where the default is no limit, and number is a number greater than 1. To specify that
characters cannot repeat, enter 1.
l To set the minimum length of the LCD password:
hostname (config) # aaa authentication password lcd length minimum number
where number is 0 by default.
Before you can change the number, you must change the LCD password to
at least the minimum length, using the lcd password password command.
3. Verify your changes:
hostname (config) # show aaa authentication password
4. Save your changes:
hostname (config) # write memory
To restore the default settings, precede each command with no. For example, to remove a
restriction on the number of characters that can be repeated, use the no aaa
authentication password local max-char-repeats command; to remove the
minimum number of upper-case characters, use the no aaa authentication password
local character-type upper-case minimum command, and so on.
Example
See Example: Configuring Password Validation Policies on page 206.
Requiring the Current Password for Password Changes Using the CLI
Use the commands in this section to require users to enter their current password as well as their
new password when they change passwords.
To require current passwords:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Enable the current password feature:
hostname (config) # aaa authentication password local change require-current non-admin
3. Verify that it is enabled:
hostname (config) # show aaa authentication password
4. Save your changes:
hostname (config) # write memory
To disable the feature, use the no aaa authentication password local change
require-current command.
Example
See Example: Configuring Password Validation Policies on page 206.
Preventing a Password from Matching the Username Using the CLI
Use the commands in this section to prevent users from setting a password that matches their
username.
To prevent a matching username and password:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Prevent users from using their username as a password:
hostname (config) # aaa authentication password local no-userid
3. Verify your change:
hostname (config) # show aaa authentication password
4. Save your change.
hostname (config) # write memory
To allow the username and password to match, use the no aaa authentication
password local no-userid command.
Example
See Example: Configuring Password Validation Policies on the facing page.
Configuring Password Reuse Policy Using the CLI
Use the commands in this section to configure the number of times users must change a
password before using it again, and to clear the password history for a specific user or all users.
To configure the number of passwords:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Specify the number of previous passwords to maintain:
hostname (config) # aaa authentication password local history compare number
where number is the number of times a password must be changed before an earlier
password can be reused. Valid values are 1–50.
3. Verify your change:
hostname (config) # show aaa authentication password
4. Save your change:
hostname (config) # write memory
To disable the feature, use the no aaa authentication password local history
compare or aaa authentication password local history compare 0 command.
To clear the password history:
1. Clear the password history:
l To clear the history for a specific user:
hostname (config) # aaa authentication password local history clear user username
l To clear the history for all users:
hostname (config) # aaa authentication password local history clear all
2. Save your change:
hostname (config) # write memory
Example
See Example: Configuring Password Validation Policies below.
Prohibiting Hashed Passwords Using the CLI
Use the commands in this section to prevent administrators from setting a hashed (already
encrypted) value as a password for a user. This will cause all passwords to be in plain text, and
therefore subject to the password validation rules described in Configuring Password
Validation Policies on page 200. (Password validation rules cannot be enforced on hashed
passwords.)
The show configuration command output contains commands to restore system user
accounts. These commands include hashed passwords, which are needed because plain-
text passwords are unavailable. If you prohibit hashed passwords, this restoration cannot
be done, and those commands will be commented out in the output.
To prohibit hashed passwords:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Prohibit hashed passwords:
hostname (config) # no aaa authentication password local change allow-encrypted
3. Verify your change:
hostname (config) # show aaa authentication password
4. Save your change:
hostname (config) # write memory
To allow administrators to set hashed passwords, use the aaa authentication password
local change allow-encrypted command.
Example
See Example: Configuring Password Validation Policies below.
Example: Configuring Password Validation Policies
This example specifies that a password must include at least one uppercase character, two
numerals, and one special character; that a character cannot be repeated consecutively; and that
the password must be changed five times before it can be used again. It also specifies that the
password must be different from the username, that non-admin users must enter their current
passwords to change their passwords, that admin users cannot use hashed passwords when they
create new users, and that the LCD password must be at least eight characters.
hostname (config) # aaa authentication password local character-type upper-case minimum 1
hostname (config) # aaa authentication password local character-type numeral minimum 2
hostname (config) # aaa authentication password local character-type special minimum 1
hostname (config) # aaa authentication password local character max-char-repeats 1
hostname (config) # aaa authentication password local history compare 5
hostname (config) # aaa authentication password local no-userid
hostname (config) # aaa authentication password local change require-current non-admin
hostname (config) # no aaa authentication password local change allow-encrypted
hostname (config) # aaa authentication password lcd length minimum 8
hostname (config) # show aaa authentication password
Local password requirements:
  Minimum length: 8
  Maximum length: 32
  Maximum character repeats: 1
  Minimum lower case characters: 0
  Minimum upper case characters: 1
  Minimum special characters: 1
  Minimum numeric characters: 2
  Recent passwords to check against: 5
  Allowed to match userid: no
  Require current password on change: yes (non-admin users only)
  Allow set of encrypted password: no (admin users only)
Require password change on local accounts:
  Require password change for new account: no
  Maximum password age before change required: none
  Warn user before password expires: 7 days ahead
LCD password requirements:
  Minimum length: 8
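As an added illustration (not code from the guide or from FireEye), the following Python models the validation rules configured in the example above, so that each aaa authentication password local setting becomes one explicit check that can be run against candidate passwords. The class and field names, the reading of "special" as ASCII punctuation, and the sample candidates are my own assumptions; the appliance's internal implementation is not documented.

```python
# Added illustration (not FireEye code): the local password validation rules
# from this section, one explicit check per CLI setting. Attribute names are
# my own; the appliance's internal representation is unknown.
import string
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass
class PasswordPolicy:
    # aaa authentication password local character-type <type> minimum N
    min_lower: int = 0
    min_upper: int = 0
    min_special: int = 0
    min_numeral: int = 0
    # aaa authentication password local max-char-repeats N (None = no limit, the default)
    max_char_repeats: Optional[int] = None
    # aaa authentication password local history compare N (0 = disabled)
    history_compare: int = 0
    # aaa authentication password local no-userid
    no_userid: bool = False
    # Length bounds as displayed by "show aaa authentication password" in the example
    min_length: int = 8
    max_length: int = 32


def longest_consecutive_run(pw: str) -> int:
    """Length of the longest run of one character repeated consecutively ("aa" -> 2)."""
    longest = run = 0
    prev = None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        longest = max(longest, run)
        prev = ch
    return longest


def validate_password(policy: PasswordPolicy, username: str, candidate: str,
                      history: Sequence[str] = ()) -> List[str]:
    """Return every rule the candidate violates; an empty list means it is accepted.

    `history` holds the user's previous passwords, most recent first. Only the
    first `history_compare` entries are compared, which is what "must be changed
    N times before it can be reused" amounts to.
    """
    errors: List[str] = []
    n = len(candidate)
    if not policy.min_length <= n <= policy.max_length:
        errors.append(f"length {n} is outside {policy.min_length}-{policy.max_length}")

    counts = {
        "lower-case": sum(c.islower() for c in candidate),
        "upper-case": sum(c.isupper() for c in candidate),
        "numeral": sum(c.isdigit() for c in candidate),
        # Assumption: "special" means ASCII punctuation; the guide does not define the set.
        "special": sum(c in string.punctuation for c in candidate),
    }
    minimums = {
        "lower-case": policy.min_lower,
        "upper-case": policy.min_upper,
        "numeral": policy.min_numeral,
        "special": policy.min_special,
    }
    for kind, required in minimums.items():
        if counts[kind] < required:
            errors.append(f"needs at least {required} {kind} character(s), has {counts[kind]}")

    if policy.max_char_repeats is not None:
        run = longest_consecutive_run(candidate)
        if run > policy.max_char_repeats:
            errors.append(f"a character repeats {run} times consecutively "
                          f"(limit {policy.max_char_repeats})")

    # Assumption: the username comparison is an exact match.
    if policy.no_userid and candidate == username:
        errors.append("password must differ from the username")

    if policy.history_compare and candidate in history[:policy.history_compare]:
        errors.append(f"matches one of the last {policy.history_compare} passwords")

    return errors


# The policy configured in "Example: Configuring Password Validation Policies".
EXAMPLE_VALIDATION_POLICY = PasswordPolicy(min_upper=1, min_numeral=2, min_special=1,
                                           max_char_repeats=1, history_compare=5,
                                           no_userid=True)

if __name__ == "__main__":
    # Constructed sample candidates, not values taken from the guide.
    for pw in ("Str0ng!Pw1", "Passw00rd!", "harry"):
        verdict = validate_password(EXAMPLE_VALIDATION_POLICY, "harry", pw)
        print(pw, "->", verdict or "accepted")
```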
Configuring Password Change Policies
You can require users who authenticate locally to change their passwords in the following
circumstances:
l After new users log in the first time
l After a specific period of time elapses
l At the next login attempt, for a specific user or all users
The new password must be different from the current password, even if no password reuse
restrictions are configured. After users change their passwords, they must log out and then log in
again to access the functionality their role allows.
You can also configure when the system should start warning users that their passwords will
expire. The warnings are displayed on the Dashboard in the Web UI and in the CLI after the user
logs in.
If the password is not changed before it expires, the account will not be locked. However, in the
Web UI, users will be taken directly to the Settings: My Account page where a message is
displayed. Until the password is changed and users log out and then log in again, they can do
nothing in the Web UI except change their passwords.
In the CLI, a similar message is displayed. Users will be unable to do anything except change
their passwords and run a small number of basic commands that do not impact the system or
show sensitive information (such as show whoami, show cli, and cli session).
These policies apply only to users who authenticate locally. They are not enforced if a
user authenticates remotely and is then mapped to a local user account that requires a
password change, or if a user authenticates using an SSH authorized key.
The connection between the CM Series platform and its managed appliances requires
remote user credentials for the appliance (if the CM Series platform initiated the
connection) or the CM Series platform (if the appliance initiated the connection). If the
password expires, the connection between the CM Series platform and the managed
appliance will be lost until the password is changed and the connection is reset. To
work around this scenario, you can use an SSH authorized key for authentication. For
details, see User Authentication on page 88.
The password change features described in this section are disabled by default.
You must use the CLI to configure password change policies. For details, see Configuring
Password Change Policies Using the CLI below.
Prerequisites
l Admin access
Configuring Password Change Policies Using the CLI
Use the commands in this section to configure when users must change their passwords, and
how far in advance a warning message should be presented.
To configure the password change frequency:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Specify the number of days before a password must be changed:
hostname (config) # aaa authentication password local require-change max-password-age days
where days is the number of days. Valid values are 1–999.
3. Verify your change:
hostname (config) # show aaa authentication password
4. Save your change:
hostname (config) # write memory
To require new users to change their passwords after their first login:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Enable the requirement:
hostname (config) # aaa authentication password local require-change new-account
3. Verify your change:
hostname (config) # show aaa authentication password
4. Save your change:
hostname (config) # write memory
This setting affects only users who are created after this change was made. It does not
affect users who were created earlier, even if those users have not logged in yet.
To force a password change on the next login:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Configure the policy:
l To set the policy on all users:
hostname (config) # aaa authentication password local require-change force all
l To set the policy on a single user:
hostname (config) # aaa authentication password local require-change force user username
3. Verify your change:
l For all users:
hostname (config) # show usernames password-status
l For a single user:
hostname (config) # show usernames username username
4. Save your change:
hostname (config) # write memory
To configure the advance notice about a pending password change:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Specify the number of days:
hostname (config) # aaa authentication password local require-change advance-warning days
where days is the number of days. Valid values are 1–999.
When you specify 1, the unit of measurement is minutes, not days. This allows
you to test your configuration without having to wait a full day to see the results.
3. Verify your change:
hostname (config) # show aaa authentication password
4. Save your change:
hostname (config) # write memory
To remove a configuration, precede the command with no. For example, to remove the
requirement for all users to change their passwords the next time they log in, use the no
aaa authentication password local require-change force all command.
Example
This example requires new users to change their passwords after the first login, requires all other
passwords to be changed every 90 days, and specifies that users should be warned 15 days before
their passwords expire. It also requires Harry to change his password the next time he logs in.
hostname (config) # aaa authentication password local require-change new-account
hostname (config) # aaa authentication password local require-change max-password-age 90
hostname (config) # aaa authentication password local require-change advance-warning 15
hostname (config) # aaa authentication password local require-change force user harry
hostname (config) # show aaa authentication password
Local password requirements:
  Minimum length: 8
  Maximum length: 32
  Maximum character repeats: no limit
  Minimum lower case characters: 0
  Minimum upper case characters: 0
  Minimum special characters: 0
  Minimum numeric characters: 0
  Recent passwords to check against: 0
  Allowed to match userid: yes
  Require current password on change: no (non-admin users only)
  Allow set of encrypted password: yes (admin users only)
Require password change on local accounts:
  Require password change for new account: yes
  Maximum password age before change required: 90
  Warn user before password expires: 15 days ahead
LCD password requirements:
  Minimum length: 0
hostname (config) # show usernames username harry
Local username: harry
Full name:
Account status: Password set
Current role: admin
Configured role: operator
VLAN: Not set
Subnet: Not set
Password last set: 2014/12/12 20:13:41
Password age: 7 hr 20 min 27 sec
Must change password: yes (set by administrator)
hostname (config) # show usernames password-status
USERNAME   FULL NAME              LOCAL PASSWORD AGE   CHANGE REQUIRED?
baker                             11h 35m 44s          yes (*)
harry                             7h 20m 29s           yes (*)
admin      System Administrator   21d 11h 32m 41s      no
...
* Password change required by administrator regardless of age
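The following Python is an added illustration (not code from the guide or from FireEye) of how the four password change settings in this section combine for one local account: an administrator-forced change and the new-account requirement apply regardless of age, then the password age is compared with max-password-age and the advance-warning window, and an expired password forces a change without locking the account. The evaluation order, the class and field names and the constructed reference time are my own assumptions; the documented quirk that advance-warning 1 means one minute is reproduced.

```python
# Added illustration (not FireEye code): the password change policies from
# this section applied to one local account. Field names are my own, and the
# order of evaluation follows the text rather than a documented algorithm.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass
class ChangePolicy:
    max_password_age_days: Optional[int] = None  # require-change max-password-age DAYS (1-999)
    advance_warning: Optional[int] = None        # require-change advance-warning DAYS (1 = one minute)
    new_account: bool = False                    # require-change new-account


@dataclass
class LocalUser:
    name: str
    password_last_set: datetime
    forced_by_admin: bool = False       # require-change force user NAME, or force all
    new_account_pending: bool = False   # created after new-account was enabled; initial password unchanged


def warning_window(policy: ChangePolicy) -> Optional[timedelta]:
    """How far ahead of expiry the warning starts; None if no warning is configured."""
    if policy.advance_warning is None:
        return None
    if policy.advance_warning == 1:
        return timedelta(minutes=1)  # documented test shortcut: "1" means minutes, not days
    return timedelta(days=policy.advance_warning)


def password_status(policy: ChangePolicy, user: LocalUser, now: datetime) -> Tuple[str, str]:
    """Classify the account as 'must-change', 'warn' or 'ok' with a short reason.

    Expiry never locks the account: an expired password only forces a change at
    the next login, so it is reported as 'must-change' rather than 'locked'.
    """
    if user.forced_by_admin:
        return "must-change", "set by administrator"
    if policy.new_account and user.new_account_pending:
        return "must-change", "first login of new account"
    if policy.max_password_age_days is None:
        return "ok", "no maximum password age configured"

    age = now - user.password_last_set
    max_age = timedelta(days=policy.max_password_age_days)
    if age >= max_age:
        return "must-change", "password expired"
    window = warning_window(policy)
    remaining = max_age - age
    if window is not None and remaining <= window:
        return "warn", f"password expires in {remaining.days} day(s)"
    return "ok", f"password is {age.days} day(s) old"


# The policy from the Example above: new-account, max-password-age 90, advance-warning 15.
EXAMPLE_CHANGE_POLICY = ChangePolicy(max_password_age_days=90, advance_warning=15, new_account=True)
# Constructed reference time: 7 hr 20 min 27 sec after harry's "Password last set" in the output.
EXAMPLE_NOW = datetime(2014, 12, 13, 3, 34, 8)
HARRY = LocalUser("harry", datetime(2014, 12, 12, 20, 13, 41), forced_by_admin=True)


def user_with_password_age(name: str, days: int, now: datetime = EXAMPLE_NOW) -> LocalUser:
    """Constructed account whose password was last set `days` days before `now`."""
    return LocalUser(name, now - timedelta(days=days))


if __name__ == "__main__":
    for user in (HARRY, user_with_password_age("admin", 21), user_with_password_age("stale", 80)):
        print(user.name, password_status(EXAMPLE_CHANGE_POLICY, user, EXAMPLE_NOW))
```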
Defining the Authentication Order
Use the CLI commands in this topic to specify the order in which methods will be tried when
authenticating users.
Prerequisites
l Admin access
To define the authentication order:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Specify the authentication methods in the sequence that you want used. For example:
hostname (config) # aaa authentication login default local radius ldap tacacs+
For more information, see Example: Configuring Authentication.
Configuring Failed Authentication Attempts
Use the CLI commands in this topic to clear authentication history or to unlock accounts.
Prerequisites
l Admin access
To configure failed authentication attempts:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Display the configuration and history of authentication failures:
hostname (config) # show aaa authentication attempts
3. Reset a specified user account:
hostname (config) # aaa authentication attempts reset user
4. Reset all user accounts:
hostname (config) # aaa authentication attempts reset all
5. Save your changes:
hostname (config) # write memory
Local Overrides of Remote User Mappings
When a remote user logs into an appliance, a remote authentication server typically determines
which local user account on the appliance the remote user should use. It uses one of the
following methods to do this:
l Mapping to a local user account according to rules set by the aaa authorization map
order CLI command. The mapping can come from the local configuration or from an
attribute in the remote authentication server's response.
l Directly from an attribute in the remote authentication server's response.
An administrator can use the aaa authorization rules rule CLI command to configure rules in
the local configuration that override this mapping when the specified conditions are met. Rule
criteria include the following:
l Authentication type
l Remote user name
l Local user name (before the override)
l LDAP group
l LDAP search filter
The first rule that evaluates as "true" will override the initial mapping, and the remaining rules
will not be considered. If a rule includes multiple criteria, every criterion must be met before the
rule itself can evaluate as true. For example, if a rule specifies that the remote username must be
"alice" and that the LDAP group cannot be "group_a" , the rule will evaluate as true if the user is
Alice, but only if she is in a group other than Group A.
For more information, see Locally Overriding Remote User Mappings.
Locally Overriding Remote User Mappings
Use the CLI commands in this topic to override remote user mappings.
Prerequisites
l Admin access
To configure local override rules:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Display all authorization rules, including whether they are enabled:
hostname (config) # show aaa authorization rules
3. Enable all authorization rules:
hostname (config) # aaa authorization rules enable
4. Disable all authorization rules:
hostname (config) # no aaa authorization rules enable
5. Delete the specified rule:
hostname (config) # no aaa authorization rules rule rule_number
6. Create a new rule or modify an existing rule:
hostname (config) # aaa authorization rules rule word-pair
where word-pair is one of the following:
l append tail creates a new rule after the highest-numbered existing rule or at
position 1 if there are no rules.
l insert rule_number creates a new rule at the specified number. If another rule is
already at that position, it is shifted up by one, along with the other existing rules
above it.
l set rule_number creates a new rule at the specified number. If another rule is at that
position, it is replaced.
l modify rule_number creates or modifies the rule at the specified number. If another
rule is at that position, its values are preserved, except when they are overwritten by
new values specified in this command.
7. Save your changes:
hostname (config) # write memory
For command usage and parameters, see the FireEye CLI Reference.
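As an added illustration (not code from the guide or from FireEye), the following Python models the override rules described in Local Overrides of Remote User Mappings together with the rule placement procedure above: rules are numbered from 1, every criterion in a rule must hold for it to fire, the first firing rule wins and later rules are ignored, and append tail, insert, set and modify place rules in the ordered list. The LDAP search-filter criterion is left out because it needs a directory query; the class and field names, the out-of-range handling and the "admin" mapping target for the alice rule are my own assumptions.

```python
# Added illustration (not FireEye code): a small rule engine with the
# documented semantics of "aaa authorization rules". Class and field names
# are my own; the appliance's real rule attributes may differ.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Criterion:
    value: str
    negate: bool = False  # "the LDAP group cannot be group_a" -> negate=True

    def matches(self, actual) -> bool:
        # ldap_group is supplied as the set of groups the user belongs to; the
        # other criteria (auth_type, remote_user, local_user) are single strings.
        if isinstance(actual, (set, frozenset)):
            hit = self.value in actual
        else:
            hit = actual == self.value
        return not hit if self.negate else hit


@dataclass
class Rule:
    local_user: str  # local account the session is mapped to when the rule fires
    criteria: Dict[str, Criterion] = field(default_factory=dict)  # empty = always fires


def append_tail(rules: List[Rule], rule: Rule) -> int:
    """Add after the highest-numbered rule (position 1 if empty); return the new number."""
    rules.append(rule)
    return len(rules)


def insert(rules: List[Rule], number: int, rule: Rule) -> None:
    """Place `rule` at `number`; the rule there and those above it shift up by one."""
    if not 1 <= number <= len(rules) + 1:  # assumption: numbering has no gaps
        raise ValueError(f"rule number {number} out of range")
    rules.insert(number - 1, rule)


def set_rule(rules: List[Rule], number: int, rule: Rule) -> None:
    """Place `rule` at `number`, replacing whatever rule is there."""
    if number == len(rules) + 1:
        rules.append(rule)
    elif 1 <= number <= len(rules):
        rules[number - 1] = rule
    else:
        raise ValueError(f"rule number {number} out of range")


def modify(rules: List[Rule], number: int, local_user: Optional[str] = None,
           **criteria: Criterion) -> None:
    """Create or update rule `number`; existing values survive unless overwritten."""
    if number == len(rules) + 1:
        rules.append(Rule(local_user or "", dict(criteria)))
        return
    if not 1 <= number <= len(rules):
        raise ValueError(f"rule number {number} out of range")
    current = rules[number - 1]
    if local_user is not None:
        current.local_user = local_user
    current.criteria.update(criteria)


def resolve_mapping(rules: List[Rule], session: dict,
                    initial_local_user: str) -> Tuple[str, Optional[int]]:
    """Return (local user, number of the rule that fired), or the initial mapping and None."""
    for number, rule in enumerate(rules, start=1):
        if all(c.matches(session.get(key)) for key, c in rule.criteria.items()):
            return rule.local_user, number
    return initial_local_user, None


def example_rules() -> List[Rule]:
    """The rule from the text: remote user "alice" who is not in "group_a" (target is constructed)."""
    rules: List[Rule] = []
    append_tail(rules, Rule("admin", {"remote_user": Criterion("alice"),
                                      "ldap_group": Criterion("group_a", negate=True)}))
    return rules


if __name__ == "__main__":
    rules = example_rules()
    for groups in ({"group_b"}, {"group_a", "group_b"}):
        session = {"auth_type": "ldap", "remote_user": "alice", "ldap_group": groups}
        print(sorted(groups), "->", resolve_mapping(rules, session, "monitor"))
```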
Mapping Remote Users to Default Local Users
As described in Authentication Overview, if a remote authentication method does not return a
local user attribute string after a remote user is authenticated, the remote user will be mapped to
a default local user account.
Prerequisites
l Admin access
To specify the default local user account:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Specify the default local user account:
hostname (config) # aaa authorization map default-user username
Any nonmapped users will default to the specified local user account.
3. Save your changes:
hostname (config) # write memory
The no aaa authorization map default-user command not only removes the
specified default local user account, but also sets it to "admin." This allows any partially
or incorrectly configured user to have "admin" privileges.
Configuring a RADIUS Server
Use the CLI commands in this topic to configure a RADIUS server to return Local-User
attributes.
This topic describes how to configure the RADIUS server, not the FireEye appliance.
Your configuration should follow standard RADIUS protocol; the examples in this topic
are provided for illustration only.
To configure a RADIUS server:
1. Configure a code on the authentication server to match the appliance key.
2. Create a dictionary to reference the following mapping data:
VENDOR FireEye 25597
BEGIN-VENDOR FireEye
ATTRIBUTE FireEye-Local-User 1 string
END-VENDOR FireEye
where Local-User is the mapping attribute with an index of 1 that matches the FireEye
code.
3. Store the dictionary, typically in the /user/share/radius/dictionary directory.
4. Use the authentication types shown in the following example to create user authentications
against the RADIUS server login credentials, and authentication against “on-the-fly”
passwords:
<username>   Auth-Type := System
             FireEye-Local-User = "admin"

r-admin      Auth-Type := Local, User-Password == "test123"
             FireEye-Local-User = "admin"

r-monitor    Auth-Type := Local, User-Password == "test123"
             FireEye-Local-User = "monitor"
Both r-admin and r-monitor are authenticated against “on-the-fly” passwords. Local-User
is the string defined in the dictionary and used by the authentication server to map to the
local user. In the example above, both <username> and r-admin are admin users on the
appliance while r-monitor is mapped to the appliance’s monitor role.
5. Restart the RADIUS server after authentication mappings are modified. For example, enter
service radiusd restart.
Auth-Type := System causes the RADIUS server to use the password file on the server
for user passwords. Passwords for users with the "admin" or "monitor" role must be
specified on an individual basis.
Configuring a TACACS+ Server
Use the CLI commands in this topic to configure a TACACS+ server to return Local-User
attributes.
This topic describes how to configure the TACACS+ server, not the FireEye
appliance. Your configuration should follow standard TACACS+ protocol; the examples
in this topic are provided for illustration only.
To configure a TACACS+ server:
1. Define users on the authentication server.
2. In the tac_plus.conf file on the authentication server, configure a key that matches the
appliance key.
3. Store the file, typically in the /usr/local/etc/ directory.
4. Create user authentications against the TACACS+ server login credentials:
user = t-admin {
    pap = cleartext "test123"
    service = fireeye-exec {
        "local-user-name-fireeye" = "admin"
    }
}
user = t-monitor {
    pap = cleartext "test123"
    service = fireeye-exec {
        "local-user-name-fireeye" = "monitor"
    }
}
where local-user-name-fireeye is the mapping attribute that matches the FireEye code,
and fireeye-exec matches the service definition. The t-admin user maps to the appliance
admin role, and the t-monitor user maps to the appliance monitor role.
5. On the appliance, define the server host and key attributes, where the appliance key
matches the server key:
tacacs-server host <hostname>
tacacs-server key <keyData>
6. After configuring authentication mappings, put the following line in the /etc/rc.local file
to start the authentication mapping on reboot:
/usr/local/bin/tac_plus -g -C /usr/local/etc/tac_plus.conf
LDAP Server Configuration
This section describes how to configure LDAP servers to authenticate users. It contains the
following topics:
l Configuring an LDAP Server
l Defining LDAP Search Filters
l Example: Configuring an LDAP Server
l Configuring Active Directory
Configuring an LDAP Server
For LDAP configuration, localUserNameFireEye is the attribute name for mapping to the Admin
or Monitor role.
This topic describes how to configure the LDAP server, not the FireEye appliance.
Your configuration should follow standard LDAP protocol; the examples in this topic
are provided for illustration only.
To configure an LDAP server:
1. Add local user attributes:
a. Define a schema at /etc/openldap/schema/fireeye.schema.
b. Refer to the schema in your slapd.conf file on the LDAP server.
c. On the authentication server, add the localUserNameFireEye attribute to the
schema so that it can be defined and referenced in the user definition.
2. Define users.
3. On the appliance, define the server host, base-dn, and login-attribute.
4. Run the service ldap start CLI command after configuring authentication mappings.
Defining LDAP Search Filters
An administrator can define an LDAP search filter in the local configuration that controls which
users can log in using LDAP. For example, the filter could prevent users who are not part of a
certain LDAP group from logging in. A negative response from the filter takes precedence over a
remote authentication server that permits the user to log in.
Prerequisites
l Admin access
To specify or remove an LDAP search filter:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Configure the LDAP search filter:
hostname (config) # ldap search-filter filterString
3. Remove a search filter:
hostname (config) # no ldap search-filter
4. Save your changes:
hostname (config) # write memory
For command usage and parameters, see the FireEye CLI Reference.
Example: Configuring an LDAP Server
The following example shows how to add the FireEye attribute to the schema file:
attributetype ( FEattributeType:1
    NAME 'localUserNameFireEye'
    DESC 'local username to map this user to the appliance'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32}
    SINGLE-VALUE )
The following example shows how to define users:
# 1-admin
dn: cn=ldap-admin,ou=users,dc=fireeye,dc=com
objectclass: top
objectclass: FireEyeEmployee
cn: ldap-admin
sn: ldap-admin
uid: 1-admin
localUserNameFireEye: admin
userPassword: gaNoLdT7LYczjvD1F3oSUQCMvRy7gwk2

# 1-monitor
dn: cn=ldap-monitor,ou=users,dc=fireeye,dc=com
objectclass: top
objectclass: FireEyeEmployee
cn: ldap-monitor
sn: ldap-monitor
uid: 1-monitor
localUserNameFireEye: monitor
userPassword: gaNoLdT7LYczjvD1F3oSUQCMvRy7gwk2
In this example, the password "test123" is encrypted as
gaNoLdT7LYczjvD1F3oSUQCMvRy7gwk2 .
The following example shows how to define attributes on the appliance:
ldap host hostname
ldap base-dn cn=ldap-monitor,ou=users,dc=fireeye,dc=com
ldap login-attribute uid
Configuring an Active Directory Server
Because Active Directory (AD) supports the LDAP protocol, FireEye appliances can also
authenticate through an AD server.
The binding user, shown as bind-dn in the FireEye configuration, is a read-only account that is used
to query the directory tree starting from the base-dn. The localUserNameFireEye attribute is not
present in Active Directory by default and must be added to the AD schema alongside the standard attributes.
Adding the localUserNameFireEye as an attribute to the AD schema is not without risks. Refer
to the following resource for more information:
http://technet.microsoft.com/en-us/magazine/2008.05.schema.aspx?pr=blog
The localUserNameFireEye attribute requires a non-administrator “binding user” for
searching and browsing AD server records.
Prerequisites
l Admin access
To configure Active Directory authentication:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Configure the host to send LDAP authentication requests:
hostname (config) # ldap host AD_server_hostname_IP_address
3. Configure the LDAP user search base:
hostname (config) # ldap base-dn LDAP_base_DN
4. Set the Distinguished Name used to bind to the server:
hostname (config) # ldap bind-dn Search_user_DN
5. Configure the credentials used to bind to the server:
hostname (config) # ldap bind-password Search_user_password
6. Configure which attribute holds the login name. For example:
hostname (config) # ldap login-attribute sAMAccountName
where sAMAccountName is fixed and replaces the uid attribute defined for LDAP
authentication.
7. Save your changes:
hostname (config) # write memory
Example: Configuring Authentication
This topic provides an example of how to configure authentication for an appliance.
Prerequisites
l Admin access
To configure the authentication:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Authenticate first from the local user/password settings, then from RADIUS if that does
not work, then from LDAP if RADIUS does not work, and finally from TACACS+ if
LDAP does not work:
hostname (config) # aaa authentication login default local radius ldap tacacs+
3. For users who do not exist in the local user/password settings, if there is no Local-User
attribute returned by the RADIUS, LDAP, or TACACS+ server at login time, the login
will have the same capabilities as the Monitor user. Otherwise, it will have the capabilities
of the username given by the attribute.
hostname (config) # aaa authorization map default-user monitor
hostname (config) # aaa authorization map order remote-first
4. Configure the IP address and secret of the RADIUS server:
hostname (config) # radius-server host 10.1.0.58 key myradius123
5. Configure the IP address and secret of the TACACS+ server:
hostname (config) # tacacs-server host 10.1.0.58 key mytac123
6. Configure the fully-qualified hostname of the LDAP server. The hostname (not the IP
address) is needed for the optional TLS certificate validation to work.
hostname (config) # ldap host orange.purple.com
7. Configure the IP address of the LDAP server, as a fallback mechanism:
hostname (config) # ldap host 10.1.0.58
8. Configure the base of the user tree for LDAP:
hostname (config) # ldap base-dn ou=users,dc=orange,dc=com
9. Configure the LDAP user schema name for LDAP:
hostname (config) # ldap login-attribute uid
10. Configure the base of the group tree for LDAP:
hostname (config) # ldap group-dn cn=authgroup1,ou=groups,dc=orange,dc=com
11. Configure the LDAP group schema name for membership:
hostname (config) # ldap group-attribute member
12. Save your changes:
hostname (config) # write memory
Authorization
Authorization provides access control, and is accomplished by assigning users roles, which offer
a specific set of capabilities.
This section contains the following topics:
l Roles Overview
l Capabilities Overview
l Assigning Roles Using the Web UI
l Assigning Roles Using the CLI
Roles
Roles give system administrators finer control over what users can do and see on an appliance.
Each user account is associated with a single role, which is a collection of capabilities that allow
the user to perform certain operations. The following roles are provided:
admin—The system administrator is a "super user" who has all capabilities except those that
allow access to the FireEye Web services API. The primary function of this role is to configure
the system.
monitor—The system monitor has read-only access to some things the admin role can change or
configure, and has access to some malware analysis functions.
operator—The system operator has a subset of the capabilities associated with the admin role.
Its primary function is configuring and monitoring the system.
analyst—The system analyst focuses on the detection of malware and taking appropriate action, including
setting up alerts and reports.
auditor—The system auditor reviews audit logs and performs forensic analysis to trace how
events occurred.
api_analyst, api_monitor—CM Series platform only. Web services API roles. The api_analyst
and api_monitor roles must be assigned from the CM Series Web UI or CLI. Users with these
roles cannot log into the CLI or the Web UI. Users with any other role (including the admin role)
cannot access the API.
fe_services—The system analyst focuses on providing FireEye as a Service.
For every role, there is a corresponding system account by the same name that has the role.
System accounts cannot be deleted or modified, with the exception of being locked out so they
cannot be used to log in.
By default, each new user is granted the monitor role. An administrator can change the role or
give a user no role; a user with no role cannot log in to the appliance. If a role is changed while
the affected user is logged in, the user will be forcibly logged out. When the user logs in again,
the capabilities provided by the new role are available to the user.
Users in all roles can change their passwords and perform other account management functions.
For details, see Managing Your Own Account.
For details about the capabilities associated with each role, see Capabilities Overview.
For information about assigning roles to users, see Assigning Roles Using the Web UI and
Assigning Roles Using the CLI.
Capabilities
The following sections provide detailed information about the roles and their associated
capabilities.
• Capability Categories
• Capability Descriptions
• Access Messages
Capability Categories
The capabilities associated with the roles are divided into five categories: System Administration,
Malware Analysis, Auditing, All Users, and Web Services API. The following tables list the
capabilities in each category and show which roles have access to the functionality granted by the
capabilities.
The FireEye services role has the same capabilities as the Monitor role but allows access
to the FireEye as a Service feature.
System Administration
The following table lists the System Administration capabilities and associated roles.
Capability Admin Monitor Operator Analyst Auditor
Authentication (AAA) X
Authentication (AAA) (view) X X X
CM Series X X
CM Series (view) X X X
CM Series Proxy X
CM Series Proxy (view) X X X
CM Series Client (LMS) X X
CM Series Client (LMS) (view) X X X
Crypto X X
Crypto (view) X X X
Detection X X
Detection (view) X X X X
Diagnostics X X
Health (view) X X X X
FireEye Database (fedb) X X
FireEye Database (fedb) (view) X X X
Licenses X X
Licenses (view) X X X
Network X X
Network (view) X X X
Stats X X
Stats (view) X X X
System Admin X
System X X
System (view) X X X
System Logs X X X
Malware Analysis
The following table lists the Malware Analysis capabilities and associated roles.
Capability Admin Monitor Operator Analyst Auditor
Alerts X X X
Alerts (view) X X X
Analysis X X
Analysis (view) X X X
Monitor Legacy X X
Notifications X X
Notifications (view) X X X X
Reports X X X
Reports (view) X X X
Auditing
The following table lists Auditing capabilities and associated roles.
Capability Admin Monitor Operator Analyst Auditor
Audit Logs X X X
All Users
The following table lists the capabilities available to all roles (except API Analyst and
API Monitor).
Capability Admin Monitor Operator Analyst Auditor
Manage Own Account X X X X X
All Users X X X X X
Web Services API
The following table lists the Web Service API capabilities and associated roles.
Capability API Analyst API Monitor Admin
Alerts X X
Alerts Create X
Alerts View X X X
All Users X X X
Analysis X X
Analysis View X X X
Email Analysis X X
Email Analysis View X
File Analysis X
File Analysis View X X
Reports View X X X
Web Services Access X X
Capability Descriptions
The following table describes the functionality provided by each capability.
Capability Description
Alerts: Ability to annotate or acknowledge alerts, which indicate the detection of malware.
Alerts (view): Read-only access to the "Alerts" functionality. If a subnet is configured on the local account, the view could be filtered by subnet.
All Users: Commands and functionality available to users in all roles (except API Analyst and API Monitor).
Analysis: Ability to analyze malware.
Analysis (view): Read-only access to "Analysis" functionality.
Audit Logs: Ability to view audit logs, but not system logs.
Authentication (AAA): Configuration of authentication, authorization, and accounting (AAA).
Authentication (AAA) (view): Read-only access to "Authentication (AAA)" functionality.
CM Series: Ability to configure managed appliances and appliance records remotely.
NOTE: The "CM Series" capabilities are available only on the CM Series platform.
CM Series (view): Read-only access to "CM Series" functionality.
CM Series Client (LMS): Management of appliances by the CM Series platform. (A managed appliance is also known as a client or LMS.)
CM Series Client (LMS) (view): Read-only access to "CM Series Client (LMS)" functionality.
CM Series Proxy: Ability to fully control remote managed appliances both by executing commands remotely from the CM Series platform and by sending proxied actions and queries.
CM Series Proxy (view): Read-only access to "CM Series Proxy" functionality.
Crypto: Management of cryptographic functions such as Internet Protocol Security (IPsec) and certificates.
Crypto (view): Read-only access to "Crypto" functionality. Sensitive information such as private keys may be obfuscated.
Detection: Management of system configuration and data that affect malware detection efficacy, such as downloading and managing guest images and security content.
Detection (view): Read-only access to "Detection" functionality.
Diagnostics: Access to diagnostic tools such as debug dumps (sysdumps), ping, and traceroute.
FireEye Database (fedb): Management of the FireEye database, such as backing it up and restoring it.
FireEye Database (fedb) (view): Read-only access to "FireEye Database (fedb)" functionality.
Health: Ability to view summary information about current system status. (Detailed information is available with the "System (view)" capability.)
Licenses: Management of license keys.
Licenses (view): Read-only access to "Licenses" functionality.
Manage Own Account: Ability to change one's own local account password and to manage local SSH client functionality (authorized keys, identities, and known hosts) for one's own local account.
NOTE: This functionality is available only to locally authenticated users; that is, users who were authenticated using the configuration they are now attempting to change. Remotely authenticated users cannot change local account information, even if they are mapped to the same or a different local user name.
Monitor Legacy: Functionality that the "monitor" capability had prior to the introduction of roles, which is not permitted according to the strict interpretation of the "monitor" role.
Network: Ability to manage network configuration, such as interfaces and routers.
Network (view): Read-only access to "Network" functionality.
Notifications: Ability to configure user notifications about malware-related events (such as alerts) and system-related events (such as low disk space).
Notifications (view): Read-only access to "Notifications" functionality.
Reports: Ability to generate reports.
Reports (view): Read-only access to "Reports" functionality, such as viewing generated reports.
Stats: Ability to manage statistics.
Stats (view): Read-only access to "Stats" functionality.
System: General system administration functions.
System Admin: Both general system administration functions and sensitive functions that require a higher level of authorization.
System (view): Read-only access to the "System" and "System Admin" functionality.
System Logs: Ability to read system logs, but not audit logs.
Access Messages
The functionality that is available to a user depends on the user's role, which includes a set of
capabilities.
• If a user enters an unavailable command, an % Unrecognized command message is
displayed.
• If a user does not have access to a page or control in the Web UI, it is either not shown or
the action is ignored and a message is displayed.
• If a user has limited access to a CLI command and enters the command with unauthorized
parameters, an % Insufficient authorization... message is displayed.
• If an Admin user enters a CLI command that displays data that should not be shown (such
as plain text passwords), asterisks (***) are displayed to mask the data.
Assigning Roles Using the Web UI
Use the Settings: User Accounts page to change an existing user’s role. (If you are creating a
new user, follow the instructions in Managing Users Using the Web UI.)
If you change a role while the user is logged in, the user will be forcibly logged out.
When the user logs in again, the capabilities associated with the new role are available to
the user.
Prerequisites
• Admin access
To assign a role to a user:
1. Click the Settings tab.
2. Click User Accounts on the sidebar.
3. Click the appropriate link in the User column in the table at the bottom of the page.
4. Select the new role in the Role list. For detailed information about the functionality each
role provides, see Roles.
5. Click Update User.
Assigning Roles Using the CLI
Use the CLI commands in this topic to change an existing user’s role. (If you are creating a new
user, follow the instructions in Managing Users Using the CLI.)
If you change a role while the user is logged in, the user will be forcibly logged out.
When the user logs in again, the capabilities associated with the new role are available to
the user.
Prerequisites
• Admin access
To assign a role to a user:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Assign a role to a user:
hostname (config) # username username role role
where role is one of the roles listed in Roles on page 221.
3. Save your changes:
hostname (config) # write memory
For descriptions of the roles and the functionality each one provides, see Roles on page 221.
Accounting
Accounting tracks user activities and resource usage. All user activities that affect the system,
such as configuration changes, are written to an audit log. Audit log messages can be viewed by
issuing the show log audit command, and indicate the following:
• Which user made the change (login and logout details, including the origin, authentication
method, and role).
• Authentication failures and lockouts.
• The interface used to make the change: Command Line Interface (CLI), Web UI, Serial
Console, or LCD Panel Interface.
• The change that was made.
• The date and time the change was made.
• The session ID used to initiate the change. The session ID persists for the duration of the
session, which starts when the user logs in and ends when the user logs out.
Audit log messages are also logged to the system log. The audit log messages in this log are
prefixed with AUDIT: and tagged as described in the following table so you can quickly locate
them.
Message Type Tag
Configuration changes Config change ID
Other actions Action ID
User login User login
User logout User logout
Authentication failure Authentication failure
User account lockout Maximum number of failed logins reached, account locked
Authorization failure Denying access to
Execution of CLI commands Executing command: ...
Miscellaneous Boot manager password changed
Miscellaneous Time change detected, clock was moved...
See Managing Audit Logs for information about configuring and viewing audit logs.
You can use the aaa accounting CLI command to send audit messages to TACACS+
servers.
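The tags in the table above are what let a log pipeline pick audit events out of the combined system log. The following Go program is an added example written for this guide, not FireEye code: it classifies syslog lines by the AUDIT: tag, tallies them by message type, and pulls out the two types a security operations team usually wants first (account lockouts, which can indicate password guessing, and authorization failures, which show a logged-in user attempting something outside their role). The sample lines are constructed: only the AUDIT: prefix and the tag strings come from the guide; the syslog framing, process names, usernames, IP addresses and session IDs are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// auditTags pairs each tag the appliance writes after "AUDIT:" (the table
// above) with the message type it signals. None of the tags is a prefix of
// another, so first match wins safely.
var auditTags = []struct{ Tag, Type string }{
	{"Config change ID", "Configuration change"},
	{"Action ID", "Other action"},
	{"User login", "User login"},
	{"User logout", "User logout"},
	{"Authentication failure", "Authentication failure"},
	{"Maximum number of failed logins reached, account locked", "User account lockout"},
	{"Denying access to", "Authorization failure"},
	{"Executing command:", "CLI command execution"},
	{"Boot manager password changed", "Miscellaneous"},
	{"Time change detected", "Miscellaneous"},
}

// ClassifyAuditLine returns the message type of a system-log line carrying
// an AUDIT: message; ok is false for lines that are not audit messages.
func ClassifyAuditLine(line string) (msgType string, ok bool) {
	i := strings.Index(line, "AUDIT: ")
	if i < 0 {
		return "", false
	}
	body := line[i+len("AUDIT: "):]
	for _, t := range auditTags {
		if strings.HasPrefix(body, t.Tag) {
			return t.Type, true
		}
	}
	return "Untagged", true
}

// CountAuditTypes tallies audit messages by type, skipping non-audit lines.
func CountAuditTypes(lines []string) map[string]int {
	counts := map[string]int{}
	for _, l := range lines {
		if typ, ok := ClassifyAuditLine(l); ok {
			counts[typ]++
		}
	}
	return counts
}

// Escalations returns the audit lines worth a second look right away:
// account lockouts and authorization failures.
func Escalations(lines []string) []string {
	var out []string
	for _, l := range lines {
		switch typ, _ := ClassifyAuditLine(l); typ {
		case "User account lockout", "Authorization failure":
			out = append(out, l)
		}
	}
	return out
}

// SampleSyslog is constructed input, not a capture from an appliance: the
// AUDIT: prefix and the tags come from the guide; the syslog framing and the
// text after each tag are assumptions for the example.
var SampleSyslog = []string{
	"Apr 22 15:40:47 acme-hostname mgmtd[2214]: [mgmtd.NOTICE]: AUDIT: User login: user 'admin' from 10.1.2.3 via Web UI, auth method local, role admin, session 4711",
	"Apr 22 15:41:02 acme-hostname mgmtd[2214]: [mgmtd.NOTICE]: AUDIT: Config change ID 17: user 'admin' session 4711: username bob role operator",
	"Apr 22 15:41:02 acme-hostname cli[2301]: [cli.NOTICE]: AUDIT: Executing command: username bob role operator",
	"Apr 22 15:42:10 acme-hostname mgmtd[2214]: [mgmtd.NOTICE]: AUDIT: Authentication failure: user 'bob' from 10.1.2.9 via CLI",
	"Apr 22 15:42:31 acme-hostname mgmtd[2214]: [mgmtd.NOTICE]: AUDIT: Authentication failure: user 'bob' from 10.1.2.9 via CLI",
	"Apr 22 15:42:55 acme-hostname mgmtd[2214]: [mgmtd.WARNING]: AUDIT: Maximum number of failed logins reached, account locked: user 'bob'",
	"Apr 22 15:45:00 acme-hostname mgmtd[2214]: [mgmtd.NOTICE]: AUDIT: Denying access to 'crypto certificate' for user 'carol' role monitor",
	"Apr 22 15:50:12 acme-hostname mgmtd[2214]: [mgmtd.NOTICE]: AUDIT: User logout: user 'admin' session 4711",
	"Apr 22 15:50:13 acme-hostname statsd[2400]: [statsd.INFO]: sample collected",
}

func main() {
	for typ, n := range CountAuditTypes(SampleSyslog) {
		fmt.Printf("%-24s %d\n", typ, n)
	}
	for _, l := range Escalations(SampleSyslog) {
		fmt.Println("ESCALATE:", l)
	}
}
```

Because the session ID persists from login to logout, the same approach can stitch a lockout or a denied action to the login event that opened the session, which is usually the first question an investigator asks.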
Managing Audit Logs
All user activities that impact the system, such as configuration changes, are automatically written
to a log.
Prerequisites
• Admin access
To manage audit logs:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Display the active audit log file, a list of all audit log files, an archived audit log file, or
selected entries in the active audit log:
hostname (config) # show log audit
3. Enable the override of the global minimum severity level of audit log messages saved in
log files on the local disk:
hostname (config) # logging local override class audit
4. Enable the global minimum severity level of the audit log messages with the specified
severity level:
hostname (config) # logging local override class audit priority severity_level
You can select the following severity levels:
• none—Disables logging.
• emerg—System failure.
• alert—Immediate action required.
• crit—Critical condition.
• err—Error condition.
• warning—Warning of possible problem.
• notice—Significant, but normal event (the default).
• info—Information only.
• debug—Debugging information.
5. Upload the active audit log file to the specified network location:
hostname (config) # logging files audit upload current path
6. Save your changes:
hostname (config) # write memory
CHAPTER 17: Certificate Management
FireEye appliances use X.509 (TLS/SSL) certificates to allow secure connections between the
appliance and the Web browser running the Web UI, and to verify remote servers for various
client applications.
System Self-Signed Server Certificate
The appliance automatically generates and maintains a self-signed server certificate with the
reserved name system-self-signed. This is the default certificate for the appliance, and can be used
for Web UI sessions. The appliance hostname is used in the certificate's Common Name (CN)
attribute. If the hostname or other pertinent system identity information changes, the certificate
is automatically regenerated to reflect the current information. For details, see Regenerating
the System Self-Signed Certificate on page 239.
HTTPS Server Certificates
Instead of using the system self-signed certificate, you can install an alternate HTTPS certificate,
such as one issued by a trusted public certificate authority (CA) or your own organization. The
HTTPS certificate has the reserved name web-cert. This certificate is not tied to the appliance
hostname. For details, see Managing HTTPS Certificates on page 241.
Certificate Authority (CA) Client Certificates
The appliance has an internal bundle of well-known trusted CA certificates distributed by
Mozilla. These certificates serve as root CA certificates for HTTP servers that have publicly
issued certificates. However, some SSL-enabled applications (such as the system email server and
the LDAP server) connect to HTTPS servers that have privately issued certificates. You must
add one or more intermediate or trusted private root certificates as supplemental CA certificates
to validate against the private certificates on these servers. For details, see Adding
Supplemental CA Certificates on page 254.
Viewing Certificates
The appliance provides a simple way to view the following:
• Common certificate attributes, such as the name, status, and expiration date
• All certificate attributes, which include the signature and public key algorithms in addition
to the common attributes
• Certificate configuration (CLI only)
• Public key PEM string of a certificate (CLI only)
See the table in Defining Default Certificate Attributes on page 250 for certificate
attribute descriptions.
The Web UI also displays the public key of the appliance. This key is used to
authenticate the connection between the CM Series platform and its managed
appliances. For details, see Obtaining a Host Key Using the Web UI on page 92.
Prerequisites
• Monitor, Operator, or Admin access
Viewing Certificates Using the Web UI
Use the Settings: Certificates/Keys page to view certificates.
For information about managing certificates, see:
• Regenerating the System Self-Signed Certificate Using the Web UI on page 239
• Managing HTTPS Certificates Using the Web UI on page 242
• Activating Named Certificates Using the Web UI on page 249
• Adding Supplemental CA Certificates Using the Web UI on page 254
The Keys section at the bottom of the page pertains to Secure Shell (SSH) host key
authentication. For details, see Obtaining a Host Key Using the Web UI on
page 92.
To view certificates:
1. Click the Settings tab.
2. Click Certificates/Keys on the sidebar.
3. View common certificate attributes in any section on the page:
• System Self-Signed Certificate
• HTTPS Configuration
• CA Certificates
4. Click the link in the Certificate column to view all certificate attributes in a separate
browser window.
Example
The following example shows the attributes of a system self-signed certificate.
After you click system-self-signed, the following window opens. Scroll down to view all of the
data.
In this example, the https in the address bar is crossed out because self-signed
certificates are not typically included in the trusted root of the browser.
Viewing Certificates Using the CLI
Use the commands in this section to view certificate attributes, the certificate configuration, and
the public key PEM string.
Viewing Common Attributes
To view common certificate attributes:
1. Enable the CLI enable mode:
hostname > enable
2. Display the attributes.
• To view common information about all certificates:
hostname # show crypto certificate
• To view common attributes for a specific certificate:
hostname # show crypto certificate name certificateName
Viewing All Attributes
To view all certificate attributes:
1. Enable the CLI enable mode:
hostname > enable
2. Show the attributes.
• To view all attributes for all certificates:
hostname # show crypto certificate detail
• To view all attributes for a specific certificate:
hostname # show crypto certificate name certificateName detail
Viewing the Certificate Configuration
To view the certificate configuration:
1. Enable the CLI enable mode:
hostname > enable
2. Show the configuration:
hostname # show configuration
3. Scroll to the X.509 certificates configuration section of the output.
The command output indicates whether a private key is defined for each certificate.
Private key PEM strings are omitted for security.
Viewing the Public Key PEM String
To view the public key PEM string:
1. Enable the CLI enable mode:
hostname > enable
2. Show the public key PEM string.
• To view the source data for all certificates:
hostname # show crypto certificate public-pem
• To view the source data for a specific certificate:
hostname # show crypto certificate name certificateName public-pem
Examples
Common Attributes for All Certificates
The following example shows common attributes for all certificates in the certificate database.
hostname # show crypto certificate
Certificate with name 'server' (default-cert)
  Private Key: present
  Serial Number: 0x71a676d9a1j5d8a316488f9d683kkc0
  SHA-1 Fingerprint: 7g04933d77491wgeg2h78d2a6f34s50cech324c78
  Validity:
    Starts: 2015/02/26 15:40:47
    Expires: 2017/11/21 15:40:47
  Subject:
    Common Name: acme-hostname
    Country: US
    State or Province: NY
    Locality: Albany
    Organization: Acme, Inc
    Organizational Unit: IT
  Issuer:
    Common Name: Symantec Class 3 EV SSL CA - G3
    Country: US
    State or Province: CA
    Locality: Mountain View
    Organization: Symantec Corporation
    Organizational Unit: Symantec Trust Network
Certificate with name 'system-self-signed'
  Private Key: present
  Serial Number: 0x54a623d9a1f5d7a207788f2e683ffc0
  SHA-1 Fingerprint: 7k04833m77951wgjr2h94d2a6f34b60pgph984v43
  Validity:
    Starts: 2015/04/22 15:40:47
    Expires: 2016/04/21 15:40:47
  Subject:
    Common Name: acme-hostname
    Country: US
    State or Province: CA
    Locality: Milpitas
    Organization: FireEye, Inc.
    Organizational Unit: Network Security Management
  Issuer:
    Common Name: acme-hostname
    Country: US
    State or Province: CA
    Locality: Milpitas
    Organization: FireEye, Inc.
    Organizational Unit: Network Security Management
All Attributes for a Specific Certificate
The following example shows all attributes for the system self-signed certificate.
hostname # show crypto certificate name system-self-signed detail
Certificate with name 'system-self-signed' (default-cert)
  Comment: system-generated self-signed certificate
  Private Key: present
  Serial Number: 0x54a623d9a1f5d7a207788f2e683ffc0
  SHA-1 Fingerprint: 7k04833m77951wgjr2h94d2a6f34b60pgph984v43
  Version: 3
  Subject Public Key Algrithm: rsaEncryption
  Subject Public Key Length: 2048 bits
  Signature algorithm: sha256WithRSAEncryption
  Validity:
    Starts: 2015/04/22 15:40:47
    Expires: 2016/04/21 15:40:47
  Subject: emailAddress=admin,CN=acme-hostname,OU=Network Security Management,O=FireEye\, Incl,L=Milpitas,ST=California,C=US
    Common Name: acme-hostname
    Country: US
    State or Province: CA
    Locality: Milpitas
    Organization: FireEye, Inc.
    Organizational Unit: Network Security Management
    E-mail Address: admin
  Issuer: emailAddress=admin,acme-hostname,OU=Network Security Management,O=FireEye\, Incl,L=Milpitas,ST=California,C=US
    Common Name: acme-hostname
    Country: US
    State or Province: CA
    Locality: Milpitas
    Organization: FireEye, Inc.
    Organizational Unit: Network Security Management
    E-mail Address: admin
Certificate Configuration
The following example shows the certificate configuration for an appliance.
hostname # show configuration
...
##
## X.509 certificates configuration
##
## Certificate name system-self-signed, ID 9c077abarhb9e10d698c98e03431bbba410965b8
## (public-cert config omitted since private-key config is hidden)
crypto certificate min-key-size 2048
crypto certificate secure-hashes-only
##
Public Key PEM String
The following example shows the public key PEM string for the "server" certificate.
hostname # show crypto certificate name server public-pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Regenerating the System Self-Signed Certificate
The appliance automatically generates and maintains a self-signed server certificate with the
reserved name system-self-signed. This is the global default certificate for the appliance. It can be
used for Web UI sessions. You cannot delete this certificate, because it ensures secure access to
the appliance Web UI and other applications in the factory default configuration. If an alternate
HTTPS certificate is designated as the active certificate and is later deleted, the system self-signed
certificate is automatically restored as the active certificate.
The appliance hostname is the Common Name (CN) attribute for the system self-signed
certificate. The certificate is automatically regenerated if the hostname changes. You can
regenerate the certificate on demand to extend the expiration date, or to get updated default
certificate attributes (such as the organization or email address).
The certificate is valid for one year. If you use the Web UI to regenerate the certificate, the
expiration date is extended by 365 days (or the number of days defined for the "time
remaining" default attribute). You can specify a non-default number of days if you use the CLI to
regenerate the certificate.
Self-signed certificates are not included in the trusted root of many browsers, because
they are not issued by a trusted certificate authority. Security warnings could be
displayed to users when they navigate to the appliance Web UI. To prevent the warning
from appearing again, the Web UI user can add the certificate to the browser's trusted
root.
Prerequisites
• Operator or Admin access
Regenerating the System Self-Signed Certificate Using the Web UI
Use the Settings: Certificates/Keys page to manually regenerate the system self-signed
certificate.
You can also download the certificate to your local file system, but there is typically no
reason to do so.
To regenerate the system self-signed certificate:
1. Click Regenerate.
2. When prompted, click OK to confirm that you want to regenerate the certificate.
3. Confirm that the certificate was regenerated:
• The Time Remaining changes to 365 days, and the Expire Date changes
accordingly.
• A message at the top of the page informs you that the regeneration was successful.
To download the system self-signed certificate:
1. Click Export.
2. Verify that the system-self-signed.crt file was downloaded to your computer.
Regenerating the System Self-Signed Certificate Using the CLI
Use the commands in this section to regenerate the system self-signed certificate.
If the Web server is configured to use the system self-signed certificate, the web server
certificate regenerate command will also regenerate and replace the system self-signed
certificate.
To regenerate the system self-signed certificate:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Regenerate the certificate:
• To extend the expiration date by 365 days:
hostname (config) # crypto certificate system-self-signed regenerate
• To extend the expiration date by a different number of days:
hostname (config) # crypto certificate system-self-signed regenerate days-valid days
3. Verify your change:
hostname (config) # show crypto certificate name system-self-signed
4. Save your change:
hostname (config) # write memory
Example
The following example regenerates the system self-signed certificate and extends the expiration
date by two years.
hostname (config) # crypto certificate system-self-signed regenerate days-valid 730
hostname (config) # show crypto certificate name system-self-signed
Certificate with name 'system-self-signed'
  Comment: system-generated self-signed certificate
  Private Key: present
  Serial Number: 0x71a676d9a1j5d8a316488f9d683kkc0
  SHA-1 Fingerprint: 7g04933d77491wgeg2h78d2a6f34s50cech324c78
  Validity:
    Starts: 2015/04/25 20:32:50
    Expires: 2017/04/22 20:32:50
...
Managing HTTPS Certificates
HTTPS certificates (also known as Web or server certificates) are named certificates that the
appliance uses to identify itself to the Web browsers running the Web UI, and to allow Web UI
to accept HTTPS connections.
The system self-signed certificate is the default active HTTPS certificate. You can configure an
alternate certificate, which can be a certificate issued by your own organization (also a self-signed
certificate) or a certificate issued by a public certificate authority (CA).
You can use the following methods to obtain and install a certificate:
• Upload both an existing certificate file and the matching private key file from your local
file system. (Web UI only)
• Enter the public and private key PEM strings at the command line. (CLI only)
• Create your own self-signed certificate. This process automatically generates an internal
matching private key that is paired with the certificate.
Usage Guidelines
• Each appliance needs a unique HTTPS certificate and matching private key.
• The certificate and private key must be configured as a Privacy Enhanced Mail (PEM)
encoded ASCII string.
• The active HTTPS certificate uses the reserved name web-cert.
• You cannot add a new web-cert certificate if one already exists. You must delete or rename
the existing certificate first.
• After you add the new certificate, you must explicitly activate it for the Web server.
• The HTTPS certificates you import or create can have unique names, but must be
renamed to "web-cert" before you can activate them.
• The certificate section of the show configuration CLI command output indicates
whether a private key is defined for each certificate. Private key PEM strings are omitted.
• If a private key has a passphrase, the key must be converted to an unlocked private key
PEM string before it can be imported.
Prerequisites
• Operator or Admin access
Managing HTTPS Certificates Using the Web UI
Use the HTTPS Configuration section of the Settings: Certificates/Keys page to do the
following:
• Import the public and private keys for an HTTPS certificate.
• Activate the certificate.
• Export the public key.
Importing an HTTPS Certificate
You must select both the public and private key before you click Update to add the
certificate to the certificate database.
To import an HTTPS certificate:
1. Click the Settings tab.
2. Click Certificates/Keys in the sidebar.
3. Select the certificate public key:
a. Click Choose File in the Certificate field.
b. In the dialog box that opens, navigate to the certificate .pem file in your local file
system.
4. Select the private key:
a. Click Choose File in the Private Key field.
b. In the dialog box that opens, navigate to the private key .pem file in your local file
system.
5. (Optional) Enter a certificate name in the Cert name field.
The certificate name must be changed to web-cert before you can activate it.
6. If you want to activate the certificate, select the After import, activate checkbox.
The certificate can be activated later, if you prefer. For details, see Activating
Named Certificates on page 248.
7. Click Update.
Exporting an HTTPS Certificate
Because private keys are sensitive, you can export only the public key.
To export the public key:
1. Click the Settings tab.
2. Click Certificates/Keys in the sidebar.
3. Click Export in the Actions column for the HTTPS certificate.
4. Verify that the .crt file was downloaded to your local file system.
Managing Named Certificates Using the CLI
Use the commands in this section to do the following:
• Import an HTTPS certificate.
You can also download the certificate, as described in Downloading a
Certificate Using the CLI on page 248.
• Generate and regenerate an HTTPS self-signed certificate.
• Export the public key.
If the certificate you import or generate will be used on the Web server, you must
specify "web-cert" as the certificate name, and then activate the certificate as described
in Activating Named Certificates on page 248.
Importing a Certificate
To import a certificate and private key:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Import the certificate:
hostname (config) # crypto certificate name certificateName public-cert pem "pemString" [comment "comment"]
where:
• certificateName can be a name of your choice, but must be changed to "web-cert"
before it can be activated.
• pemString is the public certificate PEM string. It must include the BEGIN and END
delimiter strings and must be enclosed in double quotation marks.
• comment is the text for the comment, and must be enclosed in double quotation
marks.
Any commentary outside the BEGIN and END delimiter strings is preserved in
the configuration database, but is ignored.
3. Import the private key:
• To add the private key directly:
hostname (config) # crypto certificate name certificateName private-key pem "pemString"
where pemString is the private key PEM string. It must include the BEGIN and END
delimiter strings and must be enclosed in double quotation marks.
• To prompt for the private key with secure echo, so asterisks are displayed instead of
the PEM string characters:
hostname (config) # crypto certificate name certificateName prompt-private-key
Any commentary outside the BEGIN and END delimiter strings is ignored.
4. Verify your changes:
hostname (config) # show crypto certificate
5. Save your changes:
hostname (config) # write memory
Creating a Self-Signed HTTPS Certificate
If you do not supply attribute values when you create the self-signed certificate, the
default attribute values will be used.
To create a self-signed HTTPS certificate:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Create the certificate:
• To use default attribute values:
hostname (config) # crypto certificate name certificateName generate self-signed
where certificateName can be a name of your choice, but must be changed to "web-
cert" before it can be activated on the Web server.
• To use other attribute values:
hostname (config) # crypto certificate name certificateName generate self-signed [attribute_1 value] [attribute_2 value] [attribute_n value]
where:
• certificateName can be a name of your choice, but must be changed to "web-
cert" before it can be activated on the Web server.
• attribute_1, attribute_2, and attribute_n are attribute names, and value is the value
of the specified attribute. For descriptions of the attributes and values, see
Defining Default Certificate Attributes on page 250.
3. Verify your changes:
hostname (config) # show crypto certificate name certificateName
4. Save your changes:
hostname (config) # write memory
Regenerating the Self-Signed HTTPS Certificate
Regenerating the self-signed certificate regenerates both the public and private keys. It extends
the expiration date by 365 days or the number of days you specify, and gets any updated default
attribute values.
To regenerate the HTTPS self-signed certificate:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Regenerate the HTTPS certificate:
hostname (config) # crypto certificate name web-cert regenerate [days-valid days]
where days is the number of days before the certificate expires. If the days-valid parameter
is not included, the default attribute value is used.
3. Verify your changes:
hostname (config) # show crypto certificate name web-cert
4. Save your changes:
hostname (config) # write memory
Displaying the Public Key for Export
You can copy the public key PEM string and then paste it into a text file that you can distribute.
Because private keys are sensitive, you can export only the public key.
To display the public key PEM string for export:
1. Enable the CLI enable mode:
hostname > enable
2. Display the public key PEM string:
hostname # show crypto certificate name certificateName public-pem
Examples
Importing a Certificate and Key
The following example imports a certificate and its private key.
hostname (config) # crypto certificate name acme.cert3.pem public-cert pem "
> -----BEGIN CERTIFICATE-----
> MIID2jJUAsKgAwIBAgIBBjANBgkqhkiG8g0BAQUFADCBsDELMAkGA1UEBhMCVVMx
> FjAUBgNVBAgTNT1hc3NhY2h1c2V0dHMxFDASBgNVBAcTC1dlc3Rib3JvdWdoMRsw
> GQYDVQQKExJUYWxsIE1hcGxlIFN5c3RlbXMxEDAOBgNVBAsTB3Rtkq1lbmcxHjAc
> BgNVBAMTFW9jdGFnb24udGFsbG1hcGxlLmNvbTEkMCIGCSqGSIb3DQEJARYVc2xh
> ...
> -----END CERTIFICATE-----
> "
Successfully installed certificate with name 'acme.cert3.pem'
hostname (config) # crypto certificate name acme.cert3.pem private-key pem "
> -----BEGIN RSA PRIVATE KEY-----
> MIICGTCCAYICAQAwgawxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNl
> dHRzMRQwEgYDVQQHEwtXZXN0Ym9mi3VnaDEbMBkGA1UEChMSVGFsbCBNYXBsZSBT
> eXN0ZW1zMRAwDgYDVMGLEwd0bXMtZW5nMRowGAYDVQQDExF0YjcudGFsbG1hcGxl
> LmNvbTEkMCIGCSqGSIb3DQEJARYVc2xhbnNlckB0YWrebWFwbGUuY29tMIGfMA0G
> ...
> -----END RSA PRIVATE KEY-----
> "
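Before pasting a PEM string into the crypto certificate ... public-cert pem command, it is worth checking the material offline. The following Python script is an added example, not FireEye code: it applies the delimiter rules stated above (BEGIN and END required, text outside them ignored), decodes the base64 body to DER, walks the outer Certificate structure to read the signature algorithm, and computes the SHA-1 fingerprint in the colon-separated form that show crypto certificate displays, so you can compare it after import. The sample PEM it builds is constructed (a minimal DER with the outer Certificate shape, not a real certificate), and the OID table covers only the algorithm names that appear on this page.

```python
"""Pre-import checks for a PEM certificate destined for the appliance CLI.

Added example, not FireEye code. Mirrors the page's rules: BEGIN/END delimiters
required, commentary outside them ignored. Reports the SHA-1 fingerprint and
signature algorithm that `show crypto certificate` will display after import.
"""
import base64
import hashlib
import re
import textwrap

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)

# Signature algorithm OIDs for the names used on this page (plus one ECDSA entry).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def extract_pem_blocks(text):
    """Return [(label, der_bytes)] for each delimited block; text outside the
    delimiters is ignored. A body that is not valid base64 raises ValueError."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", m.group("body"))
        blocks.append((m.group("label"), base64.b64decode(body, validate=True)))
    return blocks


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:end], end


def der_children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, child, pos = der_tlv(value, pos)
        out.append((tag, child))
    return out


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted form."""
    arcs, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])


def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }.
    Return the name of signatureAlgorithm's OID (dotted OID if unknown)."""
    tag, body, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    children = der_children(body)
    if len(children) != 3 or children[1][0] != 0x30:
        raise ValueError("unexpected Certificate structure")
    alg_tag, alg_raw = der_children(children[1][1])[0]
    if alg_tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = decode_oid(alg_raw)
    return SIGNATURE_OIDS.get(oid, oid)


def sha1_fingerprint(der):
    """Colon-separated upper-case SHA-1 of the DER certificate."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())


def check_certificate(text):
    """The checks to run before pasting a PEM string into the CLI."""
    blocks = [b for b in extract_pem_blocks(text) if b[0] == "CERTIFICATE"]
    if len(blocks) != 1:
        raise ValueError("expected exactly one CERTIFICATE block between BEGIN/END delimiters")
    der = blocks[0][1]
    return {"sha1_fingerprint": sha1_fingerprint(der),
            "signature_algorithm": signature_algorithm(der),
            "der_length": len(der)}


# --- constructed sample (not a real certificate) ---------------------------------
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value         # short-form lengths only (< 128)


def build_sample_pem(sig_oid_hex="2A864886F70D01010B"):
    """Minimal DER with the outer Certificate shape; tbsCertificate is a placeholder."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x05"))
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(sig_oid_hex)) + _tlv(0x05, b""))
    signature = _tlv(0x03, b"\x00" + b"\xAA" * 4)
    der = _tlv(0x30, tbs + sig_alg + signature)
    b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return ("issued for the appliance Web UI (commentary outside the delimiters is ignored)\n"
            f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
            "trailing note, also ignored\n")


if __name__ == "__main__":
    print(check_certificate(build_sample_pem()))
```

Run it against the real PEM you intend to paste and keep the fingerprint: after the import, show crypto certificate name certificateName should print the same SHA-1 value, which confirms that nothing was truncated or altered while pasting through the console.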
Creating a Self-Signed Certificate
The following example generates an HTTPS self-signed certificate:
hostname (config) # crypto certificate name acme.selfcert5.pem generate self-signed
Successfully generated certificate with name 'acme.selfcert5.pem'
Regenerating the Certificate
The following example regenerates the HTTPS self-signed certificate and its private key and
extends the expiration date by two years.
hostname (config) # crypto certificate name web-cert regenerate days-valid 730
Successfully regenerated certificate with name 'web-cert'
hostname # show crypto certificate name web-cert
Certificate with name 'web-cert'
Private Key: present
Serial Number: 0x71a676d9a1j5d8a316487f9d683kkc0
SHA-1 Fingerprint: 7g04933d77491wgba2h78d2a6f34s50cech324c78
Validity:
Starts: 2015/04/25 20:32:50
Expires: 2017/04/22 20:32:50
...
Exporting the Public Key PEM String
The following example displays the public key PEM string.
hostname # show crypto certificate name acme-cert12 public-pem
> -----BEGIN CERTIFICATE-----
> jjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNVBAcMB1Nh
> HzAdBgkqhkiG9w0BCQEWEGZlYWRtaW5AYWNtZS5jb20wggEiMA0GCSqGSIb3DQEB
> s0KvSMHO/8o0is/2wOuTQ/SF1gnBGZtPWWV0CUOZGHNt9ftAh6RLLvvvVnbguwc7
> HhcNMTUwNDI3MDIzODU2WhcNMTYwNDI2MDIzODU2WjCBjjELMAkGA1UEBhMCVVMx
> ...
> -----END CERTIFICATE-----
Downloading Certificates
You can download the public and private keys for a certificate from a URL to add the certificate
to the certificate database.
Prerequisites
l Operator or Admin access
Downloading a Certificate Using the CLI
Use the commands in this section to download a certificate and its matching private key, and add
an optional comment.
The private key is an optional parameter, but it must be downloaded to activate the
certificate for an application that requires a private key.
To download a certificate:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Specify the name for the certificate and download it:
hostname (config) # crypto certificate name certificateName fetch public-cert-url URL [private-key-url URL] [comment "comment"]
where:
l URL is the direct path to the certificate or private key file. The private key is
transferred over whatever transport the URL specifies, so fetch it only across a trusted
network or an encrypted scheme; where that is not possible, import the key by pasting it
with prompt-private-key instead.
l comment is a description of the certificate. It must be enclosed in double quotation
marks.
3. Verify that the certificate was added to the certificate database:
hostname (config) # show crypto certificate name certificateName
4. Save your changes:
hostname (config) # write memory
Example
This example downloads a certificate and private key, and adds it to the certificate database with
the name "newcert."
hostname (config) # crypto certificate name newcert fetch public-cert-url http://acme/security/certs/acme.crt private-key-url http://acme/security/certs/acme.key
hostname (config) # show crypto certificate name newcert
Certificate with name 'newcert'
Private Key: present
Serial Number: 0x532gdda69e90b436542ea92e9gd5dor9
SHA-1 Fingerprint: 4563a957349g83264bw2c8b32c0rw5g8d8353246
...
Activating Named Certificates
The system self-signed certificate is active on the Web server by default. You can activate the
web-cert certificate instead.
Prerequisites
l Operator or Admin access
l The named certificate is in the certificate database.
Activating Named Certificates Using the Web UI
Use the HTTPS Configuration section of the Settings: Certificates/Keys page to activate
the web-cert certificate on the Web server.
Perform this procedure only if the system self-signed certificate is currently active on
the Web server.
To activate the certificate on the Web server:
1. Click the Settings tab.
2. Click Certificates/Keys in the sidebar.
3. Click Activate in the Actions column for the web-cert certificate.
To reactivate the system-self-signed certificate, select System Self-Signed in the
list, or click Activate in the column for the system-self-signed certificate.
Activating Named Certificates Using the CLI
Use the commands in this section to activate the web-cert certificate on the Web server.
If you type web server certificate name ? at the command line, a list of all
certificates in the certificate database is displayed. However, only the "web-cert"
or "system-self-signed" certificate can be activated.
To activate the web-cert certificate on the Web server:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Activate the certificate:
hostname (config) # web server certificate name web-cert
3. Verify the change:
hostname (config) # show web
4. Save the change:
hostname (config) # write memory
To reactivate the system-self-signed certificate, use the no web server certificate
name or web server certificate name system-self-signed command.
Example
The following example activates web-cert on the Web server, which is currently using the system
self-signed certificate.
hostname (config) # show web
Web User Interface server:
  Web interface enabled: yes
  ...
  HTTPS certificate name: system-self-signed
  ...
hostname (config) # web server certificate name web-cert
hostname (config) # show web
Web User Interface server:
  Web interface enabled: yes
  ...
  HTTPS certificate name: web-cert
  ...
Defining Default Certificate Attributes
All X.509 certificates have common attributes. The following table describes the attributes and
provides the system default value for each attribute. The default values populate the attributes in
self-signed and regenerated certificates. You can change the default values as desired. For
example, you could update the contact email address or change the validity period to two years
instead of one.
Certificate Attributes
Each entry lists the attribute, the Web UI field, the CLI keyword (or the CLI output label for
attributes that are displayed but not set), and a description. A dash (—) means the attribute has
no field or keyword in that interface.

Certificate Name
  Web UI field: Certificate
  CLI keyword: cert-name
  A unique name that identifies the certificate. The name can contain letters, numbers, and the
  period (.), comma (,), and underscore (_) characters.

Common Name (CN)
  Web UI field: Common Name
  CLI keyword: common-name
  A fully qualified domain name for the appliance. An exception is the system-self-signed
  certificate, in which the CN is the appliance hostname.

Organization
  Web UI field: Organization
  CLI keyword: organization
  The legal name of your organization.

Organizational Unit
  Web UI field: Organizational Unit
  CLI keyword: org-unit
  The department or unit in your organization using the certificate.

City or Locality
  Web UI field: City (Locality)
  CLI keyword: locality
  The city or locality where your organization is located.

State or Province
  Web UI field: State (Province)
  CLI keyword: state-or-prov
  The state or province where your organization is located.

Country
  Web UI field: Country
  CLI keyword: country-code
  The country code of the country where your organization is located.

Issued By
  Web UI field: Issued By
  CLI keyword: —
  The Distinguished Name (DN) of the certificate, which includes all of the identification
  attributes described above. For brevity, the Web UI shows only the Common Name and
  Organization in the Issued By field. The CLI has no specific "Issued By" line of output.

Time Remaining
  Web UI field: Days before expiration
  CLI keyword: days-valid
  The number of days until the certificate expires.

Expire Date
  Web UI field: Expire Date
  CLI keyword: —
  The date and time the certificate expires.

Status
  Web UI field: Status
  CLI keyword: —
  Whether the certificate is valid. After a certificate expires, it is no longer valid.

Key Bits
  Web UI field: —
  CLI keyword: key-size-bits
  The number of bits in the private key.

Serial Number
  Web UI field: Serial Number
  CLI keyword: serial-num
  A unique number that the issuer assigned to the certificate.

Email Address
  Web UI field: —
  CLI keyword: email-addr
  The email address used to contact the certificate holder (also known as the certificate subject).

Comment
  Web UI field: —
  CLI keyword: comment
  Descriptive information about the certificate.

Certificate Type
  Web UI field: —
  CLI keyword: Certificate Type
  The class of algorithm used to generate the certificate. Valid values are ECDSA and RSA.

Private Key
  Web UI field: —
  CLI keyword: Private Key
  Whether a matching private key for the certificate is present.

SHA-1 Fingerprint
  Web UI field: —
  CLI keyword: SHA-1 Fingerprint
  A short sequence of bytes used to authenticate or look up the public key.

Subject Hash
  Web UI field: —
  CLI keyword: Subject Hash
  A unique hash value based on the subject of the certificate.

Version
  Web UI field: Version
  CLI keyword: Version
  The X.509 standard version.

Subject Public Key Algorithm
  Web UI field: Public Key Algorithm
  CLI keyword: Subject Public Key Algorithm
  The general type of public key algorithm. Valid values are id-ecPublicKey (unrestricted
  elliptic curve algorithms, defined in RFC 5480) and rsaEncryption (RSA encryption algorithms,
  defined in RFC 2437).

Subject Public Key Length
  Web UI field: Public-Key
  CLI keyword: Subject Public Key Length
  The length of the public key, in bits.

Signature Algorithm
  Web UI field: Signature Algorithm
  CLI keyword: Signature algorithm
  The algorithm the issuer used to sign the certificate, for example sha256WithRSAEncryption.
Prerequisites
l Operator or Admin access
Defining Default Certificate Attributes Using the CLI
Use the commands in this section to define default certificate attributes.
To define attributes:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Define the default value:
hostname (config) # crypto certificate generation default attribute value
3. Repeat the previous step for each attribute you want to change.
4. Save your changes:
hostname (config) # write memory
5. (Optional) Regenerate the certificates to apply the updated attributes:
hostname (config) # crypto certificate name certificateName regenerate
Example
This example changes the organizational unit to Information Technology. It then regenerates the
web-cert certificate to apply the updated attribute value, and displays the certificate to verify the
change.
hostname (config) # crypto certificate generation default org-unit "Information Technology"
hostname (config) # crypto certificate name web-cert regenerate
Successfully regenerated certificate with name 'web-cert'
hostname (config) # show crypto certificate name web-cert
Adding Supplemental CA Certificates
CA certificates (also known as peer certificates) are part of a chain of authority used to verify a
remote server or endpoint. SSL-enabled applications can consult the following to find a suitable
CA certificate:
l Public CA bundle: The appliance has an internal bundle of well-known trusted CA
certificates distributed by Mozilla. They serve as root CA certificates for HTTP servers
that have publicly issued certificates.
l Supplemental CA list: Some SSL-enabled applications connect to HTTPS servers that
have privately issued certificates. Examples may include the email server used to send
system event notifications, the LDAP server used to authenticate users, the server used to
transfer files, and the server used to post malware alert notifications.
You must add the trusted private root certificate and intermediate certificates (if needed)
as supplemental CA certificates to validate against the certificates on these servers.
Supplemental CA certificates are stored in the default CA list, which is empty until
supplemental CA certificates are added. The default CA list supplements the well-known
bundle; it does not replace it.
A server with a publicly issued certificate could start using a certificate whose issuing
CA is not yet part of the well-known bundle. In this case, you must add that CA
certificate to the default CA list as a supplemental certificate.
By default, most SSL-enabled applications refer to the well-known bundle first, and then look for
a certificate in the default CA list. You can configure some applications to use only the well-
known bundle. For details, see the email ssl ca-list, ldap ssl ca-list, and web client ssl
ca-list commands in the FireEye CLI Reference. An exception is malware event notifications,
where the appliance automatically refers to the default CA list to verify the identity of the server
to which it posts the notifications.
Prerequisites
l Operator or Admin access
Adding Supplemental CA Certificates Using the Web UI
Use the CA Certificates section of the Settings: Certificates/Keys page to add a supplemental
CA certificate to the default CA list.
To add a supplemental CA certificate:
1. Click the Settings tab.
2. Click Certificates/Keys in the sidebar.
3. Click Add Root/Intermediate CA Certificate.
4. Click Choose File.
5. In the dialog box that opens, navigate to the certificate file in your local file system.
6. Click Commit.
Adding Supplemental CA Certificates Using the CLI
Use the commands in this section to add a certificate to the certificate database, and then add it
to the default CA list as a supplemental certificate.
You can also download the certificate, as described in Downloading a Certificate
Using the CLI on page 248.
To add a supplemental CA certificate:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Import the certificate:
hostname (config) # crypto certificate name certificateName public-cert pem "pemString" [comment "commentText"]
where:
l certificateName must be unique; it cannot be the name of an existing certificate in the
certificate database.
l pemString is the public certificate PEM string. It must include the BEGIN and END
delimiter strings and be enclosed in double quotation marks.
l comment is the text for the comment, and must be enclosed in double quotation
marks.
3. Import the private key:
l To add the private key directly:
hostname (config) # crypto certificate name certificateName private-key pem "pemString"
where pemString is the private key PEM string. It must include the BEGIN and END
delimiter strings and must be enclosed in double quotation marks.
l To prompt for the private key with secure echo, so asterisks are displayed instead of
the PEM string characters:
hostname (config) # crypto certificate name certificateName prompt-private-key
Any commentary outside the BEGIN and END delimiter strings is ignored.
4. Add the certificate to the default CA list:
hostname (config) # crypto certificate ca-list default-ca-list name certificateName
5. Verify your changes:
hostname (config) # show crypto certificate ca-list
6. Save your changes:
hostname (config) # write memory
Renaming a Certificate
You can rename certificates that do not have reserved names. Reasons for doing so include:
l You want to use a named certificate with a private key as the Web server certificate.
Because the Web server requires a certificate with the reserved name of web-cert, you
must rename it before activating it.
l Reusing a certificate name for convenience.
l Saving an older certificate with another name as a backup.
Each certificate name must be unique, so the renaming operation fails if a certificate with the
same name already exists.
Prerequisites
l Operator or Admin access
Renaming a Certificate Using the CLI
Use the commands in this section to rename a certificate.
To rename a certificate:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Rename the certificate:
hostname (config) # crypto certificate name currentName rename newName
3. Save your change:
hostname (config) # write memory
Example
The following example renames the "server" certificate to "web-cert" so it can be activated for
the Web server, and then activates it.
hostname (config) # crypto certificate name server rename web-cert
hostname (config) # web server certificate name web-cert
Improving Certificate Security
You can do the following to improve the security of your certificates:
l Increase the minimum key size, which increases the strength of the signatures.
l Specify that only secure hash signature algorithms (sha256WithRSAEncryption,
sha384WithRSAEncryption, or sha512WithRSAEncryption) be used. Certificates with
the sha1WithRSAEncryption signature algorithm will be removed from the default CA
list, and from the Web server.
If the Web server certificate is removed, it is replaced by the system self-signed
certificate.
Prerequisites
l Operator or Admin access
Improving Certificate Security Using the CLI
Use the commands in this section to increase the minimum key size and specify that secure
hashes be used.
To specify the minimum key size:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Specify the size:
hostname (config) # crypto certificate min-key-size bits
where bits is the minimum number of bits.
You cannot generate a self-signed certificate with a key that is longer than 8192
bits.
3. Save your changes:
hostname (config) # write memory
To specify that secure hashes be used:
1. Enable the CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Require secure hashes:
hostname (config) # crypto certificate secure-hashes-only
3. Save your change:
hostname (config) # write memory
To remove the requirement for secure hashes, use the no crypto certificate secure-
hashes-only command.
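To see what the two settings above will do to an existing certificate inventory before you apply them, the following added Python example (not FireEye code) parses a show crypto certificate listing and simulates the rules. The field labels it reads (Key Bits, Signature algorithm) are modelled on the attribute table and example output on this page and may differ from the exact appliance output; the listing, the default CA list contents and the web-cert name are constructed sample data. The page states the removal consequence only for secure-hashes-only; for min-key-size the script merely reports certificates to regenerate, which is the script's choice, not documented appliance behaviour.

```python
"""Audit `show crypto certificate` output against min-key-size and secure-hashes-only.

Added example, not FireEye code. Field labels are modelled on the page's sample
output; the real appliance output may differ slightly.
"""
import re

# The secure hashes named on this page.
SECURE_HASH_ALGORITHMS = {
    "sha256WithRSAEncryption", "sha384WithRSAEncryption", "sha512WithRSAEncryption",
}
WEB_FALLBACK = "system-self-signed"   # what the Web server reverts to when web-cert is removed

# Constructed sample listing (not captured from a real appliance).
SAMPLE_SHOW_OUTPUT = """\
Certificate with name 'web-cert'
  Private Key: present
  Key Bits: 1024
  Signature algorithm: sha1WithRSAEncryption
Certificate with name 'system-self-signed'
  Private Key: present
  Key Bits: 2048
  Signature algorithm: sha256WithRSAEncryption
Certificate with name 'corp-root-ca'
  Private Key: absent
  Key Bits: 4096
  Signature algorithm: sha256WithRSAEncryption
Certificate with name 'legacy-proxy-ca'
  Private Key: absent
  Key Bits: 2048
  Signature algorithm: sha1WithRSAEncryption
"""
SAMPLE_DEFAULT_CA_LIST = ["corp-root-ca", "legacy-proxy-ca"]   # constructed


def parse_show_crypto(text):
    """Turn the multi-certificate listing into {name: {field: value}}."""
    certs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Certificate with name '([^']+)'", line)
        if m:
            current = certs.setdefault(m.group(1), {})
            continue
        if current is not None and ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            current[key] = value
    return certs


def evaluate_policy(certs, ca_list, web_cert, min_key_size=2048, secure_hashes_only=True):
    """Apply both rules and report the resulting state.

    secure-hashes-only: a certificate whose signature algorithm is not a secure hash is
    dropped from the default CA list and from the Web server, which falls back to
    system-self-signed (as the page states).
    min-key-size: keys shorter than the minimum are only reported for regeneration
    (assumption: the page does not describe what the appliance does with them).
    """
    weak_hash, short_key = set(), set()
    for name, fields in certs.items():
        if secure_hashes_only and fields.get("Signature algorithm") not in SECURE_HASH_ALGORITHMS:
            weak_hash.add(name)
        if int(fields.get("Key Bits", "0")) < min_key_size:
            short_key.add(name)
    return {
        "removed_from_ca_list": sorted(set(ca_list) & weak_hash),
        "ca_list": [n for n in ca_list if n not in weak_hash],
        "web_cert": WEB_FALLBACK if web_cert in weak_hash else web_cert,
        "regenerate_for_key_size": sorted(short_key),
    }


if __name__ == "__main__":
    inventory = parse_show_crypto(SAMPLE_SHOW_OUTPUT)
    for key, value in evaluate_policy(inventory, SAMPLE_DEFAULT_CA_LIST, "web-cert").items():
        print(f"{key}: {value}")
```

In the sample, enabling secure-hashes-only drops legacy-proxy-ca from the default CA list and demotes the Web server to system-self-signed because web-cert is SHA-1 signed; regenerate web-cert (and re-import any supplemental CA) with an acceptable key size and signature algorithm before turning the setting on, so the Web UI does not silently fall back to the self-signed certificate.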
CHAPTER 18: Backing Up and Restoring the Appliance Database
This section describes how to back up and restore the appliance database and how to manage
backup files on the appliance. It includes the following topics:
l Introduction
l Viewing the Last Backup and Restore Results
l Estimating the Space Needed for the Backup File
l Backing Up the Database
l Scheduling Automatic Backups
l Downloading Backup Files
l Uploading Backup Files
l Restoring the Database from a Backup File
l Deleting Previous Backup Files
Database Backup and Restore Introduction
You can back up, restore, upload, download, and delete the appliance configuration and data. You
can restore a database from a previous backup. Backup files can be deleted to free space for new
backups.
You can control what data is backed up using one of the following profiles:
l config—Backs up the configuration database and appliance-specific data.
l config+fedb—Backs up the configuration database, FireEye appliance database, and
appliance-specific data.
l fedb—Backs up the FireEye appliance database.
l full—Backs up the configuration database, FireEye appliance database, appliance-specific
data, and detected data (malware, alerts, reports, videos, and so on).
Guest images and license keys are not included in the backup. You must reinstall the
guest images and license keys separately. Network settings can be restored.
Task List for Backing Up and Restoring the Database
Complete the steps for backing up and restoring the database in the following order:
1. Log in to the Web UI or CLI.
2. Verify the status of the last backup and restore operations. For details about how to view
the last backup and restore operations, see Viewing the Last Backup and Restore Results.
3. Estimate the space needed for the backup file for a particular profile. For details about how
to estimate the space needed, see Estimating the Space Needed for the Backup File.
4. Specify a backup profile and a location for the backup file. Decide whether to include
public and private key encryption. Start the backup. For details about how to specify a
backup profile, include encryption, and start or cancel the backup, see Backing Up the
Appliance Database.
To schedule how often you want the backup job to automatically run, see Scheduling
Automatic Backups.
To restore the database, select the backup file. For details about how to restore the
database, see Restoring the Appliance Database from a Backup File.
5. Monitor the status of the backup or restore operation.
Viewing the Last Backup and Restore Results
You can view the details for the last backup and restore operations.
Details of the last backup include the following:
l Status of the backup (such as "running")
l Type of backup profile
l Destination of the backup file
l Start time of the backup
l End time of the backup
l Result of the backup (such as "success")
Details of the last restore include the following:
l Status of the restore (such as "running")
l Type of restore profile
l Source of the restore file
l Start time of the restore
l End time of the restore
l Result of the restore (such as "success")
After a backup or restore operation, the appliance marks the result as success or failure.
When a backup or restore operation is in process, the appliance displays the status as "running".
Prerequisites
l Admin access
Viewing the Last Backup and Restore Results Using the Web UI
The Settings: Appliance Backup & Restore page displays the status details about the last
backup and restore operation. Example status details are shown in the following illustration.
Viewing the Last Backup and Restore Results Using the CLI
Use the commands in this section to view the status for the last backup and restore operations.
To view the details of the last backup:
1. Enable the CLI enable mode.
hostname > enable
2. Enter the show backup status command.
hostname # show backup status
Backup status: not-running
Last backup profile: full
Last backup destination: local
Last backup start time: 2015/08/08 18:32:58.112
Last backup end time: 2015/08/08 18:34:26.301
Last Backup result: success
To view the details of the last restore:
1. Enable the CLI enable mode.
hostname > enable
2. Enter the show restore status command.
hostname # show restore status
Restore status: not-running
Last restore profile: fedb
Last restore source: usb
Last restore start time: 2015/08/08 21:13:53.151
Last restore end time: 2015/08/08 21:13:53.151
Last restore result: success
Estimating the Space Needed for the Backup File
The appliance estimates the size of the backup file and calculates the amount of space it needs.
The available space must be greater than the estimated space required to perform the backup
operation. The size depends on the profile you select (described in Database Backup and
Restore Introduction on page 259).
Details of the backup estimates for each profile include the following:
l Size estimate of the database file based on the backup profile
l Available space based on the backup profile
l Whether the backup can be performed
Prerequisites
l Admin access to run the estimate
l Monitor, Operator, or Admin access to view the backup estimate using the CLI. (In the
Web UI, these roles can view only existing backup files, not the backup estimate.)
Estimating the Space Needed for the Backup File Using the Web UI
Use the Appliance Backup & Restore page to estimate the space needed for the backup file.
To estimate the space needed for the backup file:
1. Click the Settings tab.
2. Click Appliance Backup & Restore on the sidebar.
3. Select the profile you want to estimate. (See Database Backup and Restore
Introduction on page 259 for descriptions.)
4. Click Estimate in the Estimate Backup column.
Details of the backup estimates for the selected profile are displayed.
Estimating the Space Needed for the Backup File Using the CLI
Use the commands in this section to estimate the space needed for the backup file.
To estimate the space needed for the backup file:
1. Enable the CLI enable mode.
hostname > enable
hostname #
2. View the estimate for the type of backup profile.
l To view the estimate for the configuration database, enter:
hostname # show backup estimate profile config
l To view the estimate for the FireEye appliance database, enter:
hostname # show backup estimate profile fedb
l To view the estimate for both the configuration database and the FireEye appliance
database, enter:
hostname # show backup estimate profile config+fedb
l To view the estimate for the configuration database, FireEye appliance database, and
detected data (malware, alerts, reports, and so on), enter:
hostname # show backup estimate profile full
Example
The following example displays the estimates that are available for a full backup operation:
hostname # show backup estimate profile full
------------------------------------------------
# Estimates for full backup
------------------------------------------------
Local space available : 950462 MB
Space reserved for other purposes : 502295 MB
Space available for backups : 448167 MB
Estimated space required for backup : 1736 MB
Can perform local or remote backup : yes
USB space available : 1764 MB
Can perform USB backup : yes
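A backup that silently fails, goes stale, or no longer fits is a recovery problem you want to discover before you need the backup. The following Python script is an added example, not FireEye code: it parses the show backup status and show backup estimate output shown above (the embedded samples are constructed from the page's examples) and flags a failed or stale last backup and insufficient space. The 24-hour staleness limit and the 1.5x free-space margin are this script's assumptions, not appliance settings, and it expects the time stamps in the format the page's status output uses.

```python
"""Backup health check built from `show backup status` and `show backup estimate`.

Added example, not FireEye code. Feed it text captured from the CLI; the samples
below are constructed from the examples on this page. The staleness limit and
free-space margin are this script's assumptions.
"""
from datetime import datetime, timedelta

TIME_FORMAT = "%Y/%m/%d %H:%M:%S.%f"     # format used in the page's status output

SAMPLE_STATUS = """\
Backup status: not-running
Last backup profile: full
Last backup destination: local
Last backup start time: 2015/08/08 18:32:58.112
Last backup end time: 2015/08/08 18:34:26.301
Last Backup result: success
"""

SAMPLE_ESTIMATE = """\
------------------------------------------------
# Estimates for full backup
------------------------------------------------
Local space available : 950462 MB
Space reserved for other purposes : 502295 MB
Space available for backups : 448167 MB
Estimated space required for backup : 1736 MB
Can perform local or remote backup : yes
USB space available : 1764 MB
Can perform USB backup : yes
"""


def parse_fields(text):
    """'key : value' lines -> dict keyed by lower-cased label; banners are skipped."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith(("#", "-")):
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        fields[key.lower()] = value
    return fields


def megabytes(value):
    """'1736 MB' -> 1736."""
    return int(value.split()[0])


def backup_health(status_text, estimate_text, now, max_age=timedelta(hours=24), margin=1.5):
    """Return (healthy, findings). `now` is a time stamp in TIME_FORMAT, so the check
    can be replayed against captured output. findings lists every condition a
    monitoring job should alert on; healthy is True only when the list is empty."""
    status, est, findings = parse_fields(status_text), parse_fields(estimate_text), []
    now_dt = datetime.strptime(now, TIME_FORMAT)

    result = status.get("last backup result", "unknown")
    if result.lower() != "success":
        findings.append(f"last backup result is {result!r}")

    end = status.get("last backup end time")
    if not end:
        findings.append("no completed backup recorded")
    else:
        age = now_dt - datetime.strptime(end, TIME_FORMAT)
        if age > max_age:
            findings.append(f"last backup is {age.days} days old")

    required = megabytes(est["estimated space required for backup"])
    available = megabytes(est["space available for backups"])
    can_run = est.get("can perform local or remote backup", "").lower() == "yes"
    if not can_run or required * margin > available:   # keep headroom, not just a bare fit
        findings.append(f"insufficient local space: need {required} MB (x{margin}), have {available} MB")

    return not findings, findings


if __name__ == "__main__":
    healthy, problems = backup_health(SAMPLE_STATUS, SAMPLE_ESTIMATE, "2015/08/09 12:00:00.000")
    print("healthy" if healthy else "\n".join(problems))
```

Run it from a job that captures both commands over SSH; a non-empty findings list is the alert condition, and the space check uses the profile you actually back up with, so capture the estimate for that profile rather than for config alone.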
Backing Up the Database
You can save the backup file three ways:
l To a local destination on the appliance
l To a remote server
l To a USB device connected to your local machine
Use the media usb mount command to mount the USB device to the attached
appliance. If the USB device is mounted, use the media usb eject command to
unmount the USB device. For details about how to mount or unmount a USB
device, see Mounting or Unmounting a USB Device.
The appliance must have sufficient space to save one backup. You cannot proceed with the
backup operation if there is not enough space. For information about estimating the amount of
space, see Estimating the Space Needed for the Backup File on page 262.
The appliance is fully functional while the backup operation is in process.
Prerequisites
l Admin access
Backing Up the Appliance Database Using the Web UI
Use the Settings: Appliance Backup & Restore page to back up the database.
This illustration is from an NX Series appliance.
To back up the database:
1. Click the Settings tab.
2. Click Appliance Backup & Restore on the sidebar.
3. Locate the backup profile, then select the backup location from the drop-down list.
l Local—Saves the backup file to a local destination on the appliance.
l USB—Saves the backup file to a USB device connected to your local machine.
l Remote Server—Saves the backup file to a remote server.
See Database Backup and Restore Introduction on page 259 for a
description of each backup profile.
4. If you selected Remote Server, enter the remote location to save the backup file in the
Remote URL or Server Location column using the following format:
scp://username:password@hostname/remote path
The password is embedded in the URL in clear text, so use an account dedicated to
receiving backups rather than an administrative account.
5. Enter a custom prefix for the backup file name in the File Name Prefix column.
You can use the prefix to sort the list of the backup files.
6. (Optional) Clear the Encrypt checkbox to disable encryption of the backup file. By default,
each backup file is encrypted and signed using the appliance's public and private key pair.
Encryption slows the backup operation. Backups are encrypted only with static keys, so
treat the backup files, and the location you copy them to, as sensitive data.
7. Click Backup in the Action column.
A progress bar indicates the status of the backup operation.
To cancel a database backup that is in progress, click the red X in the progress
bar.
Backing Up the Database Using the CLI
Use the commands in this section to back up the database.
To back up the database:
1. Enable the CLI configuration mode.
hostname > enablehostname # configure terminal
2. Specify the type of profile.
l To set the profile for the configuration database, enter:
hostname (config) # backup profile config
l To set the profile for FireEye appliance database, enter:
hostname (config) # backup profile fedb
l To set the profile for both the configuration database and the FireEye appliance
database, enter:
hostname (config) # backup profile config+fedb
l To set the profile for the configuration database, FireEye appliance database, and
detected data (malware, alerts, reports, and so on), enter:
hostname (config) # backup profile full
3. Specify the location for the backup file.
l To save the backup file to a local destination on the appliance:
hostname (config) # backup profile <profile> to local
l To save the backup file on a remote server:
hostname (config) # backup profile <profile> to <url>
where <url> is the specified remote location using the following format:
scp://username:password@hostname/remote path
l To save the backup file to a USB drive on your local machine:
hostname (config) # backup profile <profile> to usb
4. Specify a custom prefix for the backup file name:
hostname (config) # backup profile <profile> to <backupLocation> prefix <prefix>
where valid characters for <prefix> are A–Z, a–z, 0–9, and _.
You can use the prefix to sort the list of the backup files.
5. (Optional) Monitor the progress of the backup operation.
l To disable progress tracking for the backup operation:
hostname (config) # backup profile <profile> to <backupLocation> progress no-track
l To enable progress tracking for the backup operation:
hostname (config) # backup profile <profile> to <backupLocation> progress track
By default, progress tracking is enabled.
You can cancel progress tracking by using Ctrl+C. The backup operation still
happens in the background. Use the show backup status command to find the
status of the backup operation.
6. (Optional) Disable public and private key encryption for the backup operation.
hostname (config) # backup profile <profile> to <backupLocation> no-encryption
Each backup file is signed by default using the public and private key pairs. By default,
encryption is always included in the backup.
System Administration Guide CHAPTER 18: Backing Up and Restoring the Appliance Database
266 © 2015 FireEye
Release 7.6 Scheduling Automatic Backups
Encryption delays the backup operation. Backups are encrypted only using static
keys.
To cancel a backup that is in progress, enter the backup cancel command. When you
cancel the backup operation that is in progress, the system finishes the current step
before canceling the entire operation.
Example
The following example backs up the configuration database, detected data, and artifacts to a local
destination on the appliance:
hostname (config) # backup profile full to localStep 1 of 4: Backing up config db100.0% [#################################################################]Step 2 of 4: Backing up fedb100.0% [#################################################################]Step 3 of 4: Backing up Artifacts100.0% [#################################################################]Step 4 of 4: Generating Backup package100.0% [#################################################################]
Scheduling Automatic Backups
You can configure and enable automatic backup jobs, and specify how often the backup job runs.
You can schedule automatic backup jobs only using the CLI.
Additional space is required when you schedule automatic backups to run frequently. You must monitor the generated backups and delete the unnecessary ones.
Prerequisites
• Admin access
Scheduling Automatic Backups Using the CLI
Use the commands in this section to schedule automatic backups for the database.
To configure the scheduled backup job:
1. Enable the CLI configuration mode.
hostname > enable
hostname # configure terminal
2. Create the job by specifying the job ID.
hostname (config) # job <job_ID>
3. Specify the sequence number for the scheduled backup job.
hostname (config) # job <job_ID> command <sequence_number>
4. Use the backup profile command to specify the type of profile.
hostname (config) # job <job_ID> command <sequence_number> "backup profile <profile>"
• To schedule the backup job for the configuration database:
hostname (config) # job <job_ID> command <sequence_number> "backup profile config"
• To schedule the backup job for the FireEye appliance database:
hostname (config) # job <job_ID> command <sequence_number> "backup profile fedb"
• To schedule the backup job for both the configuration database and the FireEye appliance database:
hostname (config) # job <job_ID> command <sequence_number> "backup profile config+fedb"
• To schedule the backup job for the configuration database, FireEye appliance database, and detected data (malware, alerts, reports, and so on):
hostname (config) # job <job_ID> command <sequence_number> "backup profile full"
5. Use the backup profile command to specify the location for the backup file.
hostname (config) # job <job_ID> command <sequence_number> "backup profile <profile> to <backup_location>"
• To schedule the backup job to a local destination on the appliance:
hostname (config) # job <job_ID> command <sequence_number> "backup profile <profile> to local"
• To schedule the backup job on a remote server:
hostname (config) # job <job_ID> command <sequence_number> "backup profile <profile> to <url>"
where <url> is the remote location in the following format:
scp://username:password@hostname/remote path
• To schedule the backup job to a USB drive on your local machine:
hostname (config) # job <job_ID> command <sequence_number> "backup profile <profile> to usb"
6. Save your changes.
hostname (config) # write memory
To schedule automatic backups for the database:
1. Specify how often you want the backup job to run automatically.
• To schedule daily, enter the end date, start date, or time:
hostname (config) # job <job_ID> schedule daily end date <yyyy/mm/dd>
hostname (config) # job <job_ID> schedule daily start date <yyyy/mm/dd>
hostname (config) # job <job_ID> schedule daily time <hh:mm:ss>
where <yyyy/mm/dd> specifies the end or start date for the backup job, and <hh:mm:ss> specifies the time to start the backup job on a 24-hour clock.
• To schedule monthly, enter:
hostname (config) # job <job_ID> schedule monthly day-of-month <day>
where <day> is the day of the month on which the backup should occur.
• To schedule once, enter:
hostname (config) # job <job_ID> schedule once time <hh:mm:ss> date <yyyy/mm/dd>
where <hh:mm:ss> specifies the time to start the backup job on a 24-hour clock, and <yyyy/mm/dd> specifies the date to start the backup job.
• To schedule periodically, enter the end and start date or time interval:
hostname (config) # job <job_ID> schedule periodic end date <yyyy/mm/dd> time <hh:mm:ss>
hostname (config) # job <job_ID> schedule periodic start date <yyyy/mm/dd> time <hh:mm:ss>
hostname (config) # job <job_ID> schedule periodic interval <time_interval>
where <yyyy/mm/dd> specifies the end or start date for the backup job, <hh:mm:ss> specifies the end or start time for the backup job on a 24-hour clock, and <time_interval> is specified in the format "2h3m4s".
• To schedule weekly:
hostname (config) # job <job_ID> schedule weekly day-of-week <day>
where <day> is the day of the week on which the backup job is scheduled to occur:
  • sun
  • mon
  • tue
  • wed
  • thu
  • fri
  • sat
• To specify a type of schedule, enter:
hostname (config) # job <job_ID> schedule <type>
where <type> is the type of schedule for the backup job:
  • once
  • daily
  • weekly
  • monthly
  • periodic
2. Enable the configuration for the scheduled backup job.
hostname (config) # job <job_ID> enable
3. Save your changes.
hostname (config) # write memory
4. Verify the status of the scheduled backup job by entering the show job command.
hostname (config) # show job
Job 333:
Status: pending
Enabled: yes
Continue on failure: no
Schedule type: daily
Time of day: 00:00:00
Absolute start: 2014/12/07
Absolute end: (no limit)
Last exec time: N/A
Next exec time: Sun 2014/12/07 00:00:00 +0000
Commands:
Command 1: backup profile config to local
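Checking scheduled backup jobs by eye does not scale once several jobs exist. The following is an added example written for this guide (not FireEye code) that parses show job output in the format printed above and flags what an administrator would want to know: a disabled job, a job with no next execution time, a job whose command is not a backup, a frequent schedule that writes to local storage (the disk-space warning earlier in this section), and an scp destination that embeds a password in the saved job definition. The sample output is constructed: Job 333 is copied from the guide, Job 334 is made up to exercise the checks, and the checking policy is the editor's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: Job 333 is copied from the guide's `show job` output; Job 334
# is made up to exercise the checks (the scp password is an obvious placeholder).
SAMPLE_SHOW_JOB = """\
Job 333:
  Status: pending
  Enabled: yes
  Continue on failure: no
  Schedule type: daily
  Time of day: 00:00:00
  Absolute start: 2014/12/07
  Absolute end: (no limit)
  Last exec time: N/A
  Next exec time: Sun 2014/12/07 00:00:00 +0000
  Commands:
    Command 1: backup profile config to local
Job 334:
  Status: pending
  Enabled: no
  Continue on failure: no
  Schedule type: weekly
  Time of day: 02:00:00
  Absolute start: (no limit)
  Absolute end: (no limit)
  Last exec time: N/A
  Next exec time: N/A
  Commands:
    Command 1: backup profile full to scp://backup:PLACEHOLDER_PASSWORD@203.0.113.10/nx/backups
"""

JOB_HEADER = re.compile(r"^Job (\d+):$")
COMMAND_LINE = re.compile(r"^Command \d+:\s*(\S.*)$")
# Destinations the guide documents: local, usb, or scp://username:password@hostname/path
BACKUP_CMD = re.compile(r"^backup profile (config\+fedb|config|fedb|full) to (\S+)")
FREQUENT_SCHEDULES = {"daily", "periodic"}


@dataclass
class Job:
    job_id: int
    fields: Dict[str, str] = field(default_factory=dict)
    commands: List[str] = field(default_factory=list)


def parse_show_job(text: str) -> List[Job]:
    """Split `show job` output into Job records, one per 'Job <id>:' block."""
    jobs: List[Job] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = JOB_HEADER.match(line)
        if header:
            jobs.append(Job(int(header.group(1))))
            continue
        if not jobs:
            raise ValueError(f"line before the first job header: {raw!r}")
        command = COMMAND_LINE.match(line)
        if command:
            jobs[-1].commands.append(command.group(1))
            continue
        key, sep, value = line.partition(":")
        if sep:  # plain "Key: value" line ("Commands:" simply yields an empty value)
            jobs[-1].fields[key.strip()] = value.strip()
    return jobs


def embeds_password(destination: str) -> bool:
    """True for user:password@host style URLs, whose secret is stored in the job definition."""
    if "@" not in destination:
        return False
    userinfo = destination.split("@", 1)[0].split("//", 1)[-1]
    return ":" in userinfo


def backup_job_findings(job: Job) -> List[str]:
    """Conditions worth acting on for a job that is meant to take scheduled backups."""
    findings: List[str] = []
    matches = [m for m in (BACKUP_CMD.match(c) for c in job.commands) if m]
    if not matches:
        findings.append("no 'backup profile <profile> to <location>' command in the job")
    if job.fields.get("Enabled", "").lower() != "yes":
        findings.append("job is not enabled; run 'job <id> enable' and 'write memory'")
    if job.fields.get("Next exec time", "N/A") == "N/A":
        findings.append("no next execution time; the schedule is missing or the job is disabled")
    schedule = job.fields.get("Schedule type", "")
    for m in matches:
        profile, destination = m.groups()
        if destination == "local" and schedule in FREQUENT_SCHEDULES:
            findings.append(f"'{profile}' backups to local storage on a {schedule} schedule: "
                            "prune old backups or the appliance runs out of space")
        if embeds_password(destination):
            findings.append("scp destination embeds a password in the saved job definition")
    return findings


def audit_show_job(text: str) -> Dict[int, List[str]]:
    """Map each job ID in `show job` output to its findings (empty list = nothing to flag)."""
    return {job.job_id: backup_job_findings(job) for job in parse_show_job(text)}


if __name__ == "__main__":
    for job_id, findings in audit_show_job(SAMPLE_SHOW_JOB).items():
        print(f"Job {job_id}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```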
Downloading Backup Files
You can download backup files from the appliance to your local machine.
A backup file can be downloaded only using the Web UI.
Prerequisites
• Admin access
Downloading Backup Files Using the Web UI
Use the Settings: Appliance Backup & Restore page to download a backup file from the appliance to your local machine.
(Illustration not reproduced; it is from a CM Series platform.)
To download a database backup file:
1. Click the Settings tab.
2. Click Appliance Backup & Restore on the sidebar.
3. In the Restore Available Backups section, locate the backup FEBKP file in the Backup Name (Profile) column.
4. Click the green arrow in the Download column to download the backup.
Uploading Backup Files
You can upload backup files from your local machine to the appliance. One backup file can be used to restore the database on multiple appliances. The uploaded backup files are stored in the same location as the local backup files.
A backup file can be uploaded only using the Web UI.
Prerequisites
• Admin access
Uploading Backup Files Using the Web UI
Use the Settings: Appliance Backup & Restore page to upload a backup file from your local machine to the appliance.
To upload a backup file from your local machine:
1. Click the Settings tab.
2. Click Appliance Backup & Restore on the sidebar.
3. In the Upload Backup File area, click Choose File, and then navigate to the backup file you want to upload.
4. Click Submit to upload the backup file from your local machine.
An error occurs if an invalid backup file is uploaded.
Restoring the Database from a Backup File
You can restore the backup from three locations:
• From your local appliance.
• From a remote server. Do not restore the current network settings while the appliance is performing a restore operation from a remote server.
• From a USB device connected to your local machine.
Usage Guidelines for Restoring the Database
Follow these usage guidelines when you restore the database from a backup file:
• The appliance will not be fully operational during the restore operation. For example, the alert detection process stops during the restore operation.
• You cannot cancel the restore operation while it is in progress.
• If the restore process fails, you can revert the appliance to the factory-installed defaults. If you are restoring only the configuration database, the appliance automatically reverts to the original configuration.
• Only the config, config+fedb, and fedb backup profiles can be restored after a software upgrade. You cannot restore a backup after a software downgrade.
• You cannot restore a backup from another product family.
• You cannot restore a backup from a release earlier than NX Series 7.5.0.
Prerequisites
• Admin access
• Verify that you have a backup FEBKP file of the current database before you begin the restore operation.
• Locate the previous backup you want to restore.
• Verify the details for the appliance, backup profile, version, hostname, and date stamp. These details are validated while the restore operation is in progress.
Restoring the Database from a Backup File Using the Web UI
Use the Settings: Appliance Backup & Restore page to restore the database from a backup file.
(Illustration not reproduced; it is from an EX Series appliance.)
To restore the database from a backup file:
1. Click the Settings tab.
2. Click Appliance Backup & Restore on the sidebar.
3. Locate the backup FEBKP file you want to restore in the Backup Name (Profile) column.
You have the option to restore everything using a full profile or to restore portions using one of the other profiles.
4. If you selected Remote Server, scroll down to enter the backup location of the remote server in the Remote URL or SCP box using the following format:
https or scp://username:password@hostname/remote path
Then select the profile you want to restore from the drop-down list.
5. (Optional) Clear the Exclude Network Settings checkbox to include the network settings from the backup file. By default, the network settings are not included in the restore operation.
Do not restore the current network settings while the appliance is performing a restore operation from a remote server.
6. Click Restore to restore the backup.
7. In the confirmation dialog box, click OK.
The appliance will not be fully operational during the restore operation. You cannot cancel the restore operation while it is in progress.
You must reinstall the guest images and license keys separately.
Restoring the Database from a Backup File Using the CLI
Use the commands in this section to restore the database from a backup file.
To restore the database from a backup file:
1. Enable the CLI configuration mode.
hostname > enable
hostname # configure terminal
2. Locate the backup FEBKP file you want to restore.
• To display a list of the backup files on the USB drive:
hostname (config) # show backup available on-usb
• To display a list of the backup files on the appliance:
hostname (config) # show backup available local
3. Specify a backup profile.
• To set the profile for the configuration database:
hostname (config) # restore profile config
• To set the profile for the appliance database:
hostname (config) # restore profile fedb
• To set the profile for both the configuration database and the appliance database:
hostname (config) # restore profile config+fedb
• To set the profile for the configuration database, appliance database, and detected data (malware, alerts, reports, and so on):
hostname (config) # restore profile full
4. Specify the location of the backup file.
• To restore the backup from the local destination on the appliance:
hostname (config) # restore profile <profile> from local
• To restore the backup from a remote server:
hostname (config) # restore profile <profile> from <url>
where <url> is the remote location in the following format:
https or scp://username:password@hostname/remote path
• To restore the backup from a USB drive on your local machine:
hostname (config) # restore profile <profile> from usb
5. Enter the name of the backup file.
hostname (config) # restore profile <profile> from <backup_location> backup <name>
6. (Optional) Restore the network settings from the backup:
hostname (config) # restore profile <profile> from <backup_location> backup <name> include-network-config
By default, the network settings are not included in the restore operation.
Do not restore the current network settings while the appliance is performing a restore operation from a remote server.
7. (Optional) Monitor the progress of the restore operation.
• To disable progress tracking for the restore operation:
hostname (config) # restore profile <profile> from <backup_location> backup <name> progress no-track
• To enable progress tracking for the restore operation:
hostname (config) # restore profile <profile> from <backup_location> backup <name> progress track
By default, progress tracking is enabled.
You can cancel progress tracking by pressing Ctrl+C. The restore operation continues in the background. Use the show restore status command to find the status of the restore operation.
Example
The following example shows how to restore a configuration database backup from the local destination on an EX Series appliance.
hostname (config) # restore profile config from local backup eMPS-Config-7.6.0-IE-EX3400-20150802-172500.febkp
Step 1 of 4: Performing Sanity checks
100.0% [#################################################################]
Step 2 of 4: Extracting backup package
100.0% [#################################################################]
Step 3 of 4: Restoring config db
100.0% [#################################################################]
Step 4 of 4: Restart system services
100.0% [#################################################################]
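The usage guidelines above rule out several restores (another product family, a release earlier than 7.5.0, a downgrade, a full profile across an upgrade), and the prerequisites ask you to verify the appliance, profile, version, hostname and date stamp before you start. The following added example (the editor's, not FireEye code) applies those rules to a FEBKP file name before you run restore profile. The file-name layout is an assumption inferred from the two names printed in this chapter: <family>-<profile>-<version>-<tag>-<hostname>-<yyyymmdd>-<hhmmss>.febkp, with eMPS/wMPS taken to be the EX/NX product families and the "IE" tag left unparsed because the guide does not explain it.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# ASSUMED layout, inferred from the two file names printed in the guide:
#   <family>-<profile>-<version>-<tag>-<hostname>-<yyyymmdd>-<hhmmss>.febkp
# eMPS/wMPS are taken to be the EX/NX product families; the "IE" tag is kept unparsed.
FEBKP_NAME = re.compile(
    r"^(?P<family>[A-Za-z]+)-(?P<profile>[A-Za-z0-9+_]+)-(?P<version>\d+(?:\.\d+)+)"
    r"-(?P<tag>[A-Za-z0-9]+)-(?P<hostname>[A-Za-z0-9_-]+)-(?P<date>\d{8})-(?P<time>\d{6})\.febkp$"
)
OLDEST_RESTORABLE = (7, 5, 0)                              # backups from earlier releases cannot be restored
UPGRADE_SAFE_PROFILES = {"config", "config+fedb", "fedb"}  # only these restore after a software upgrade

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Backup:
    family: str
    profile: str
    version: Version
    hostname: str
    taken_at: datetime


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.split("."))


def fmt_version(version: Version) -> str:
    return ".".join(str(part) for part in version)


def parse_febkp_name(name: str) -> Backup:
    """Split a FEBKP file name into the details the restore operation validates."""
    m = FEBKP_NAME.match(name)
    if not m:
        raise ValueError(f"not a recognised FEBKP file name: {name}")
    return Backup(
        family=m.group("family"),
        profile=m.group("profile").lower(),   # "Config" in the file name is the config profile
        version=parse_version(m.group("version")),
        hostname=m.group("hostname"),
        taken_at=datetime.strptime(m.group("date") + m.group("time"), "%Y%m%d%H%M%S"),
    )


def restore_problems(name: str, running_family: str, running_version: str,
                     running_hostname: Optional[str] = None) -> List[str]:
    """Return the guide's restore rules that this backup would break (empty list = safe to try)."""
    backup = parse_febkp_name(name)
    running = parse_version(running_version)
    problems: List[str] = []
    if backup.family != running_family:
        problems.append(f"backup is from product family {backup.family}, this appliance is {running_family}")
    if backup.version < OLDEST_RESTORABLE:
        problems.append(f"backup release {fmt_version(backup.version)} is earlier than "
                        f"{fmt_version(OLDEST_RESTORABLE)}, which cannot be restored")
    if backup.version > running:
        problems.append(f"backup release {fmt_version(backup.version)} is newer than the running "
                        f"{running_version}: restoring across a downgrade is not supported")
    elif backup.version < running and backup.profile not in UPGRADE_SAFE_PROFILES:
        problems.append(f"profile '{backup.profile}' cannot be restored across the upgrade from "
                        f"{fmt_version(backup.version)} to {running_version}")
    if running_hostname is not None and backup.hostname != running_hostname:
        problems.append(f"backup was taken on {backup.hostname}, not {running_hostname}; "
                        "the restore checks the hostname")
    return problems


if __name__ == "__main__":
    # The NX Series file name from the guide, checked against a constructed 7.6.1 NX appliance.
    name = "wMPS-Config-7.6.0-IE-NX900-20150807-220207.febkp"
    backup = parse_febkp_name(name)
    print(f"{name}: profile={backup.profile} version={fmt_version(backup.version)} "
          f"taken={backup.taken_at:%Y-%m-%d %H:%M:%S}")
    for problem in restore_problems(name, "wMPS", "7.6.1", "NX900") or ["no restore problems found"]:
        print(" -", problem)
```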
Deleting Previous Backup Files
You can delete previous backup files to free space for new backup files.
Prerequisites
• Admin access
Deleting Previous Backup Files Using the Web UI
Use the Settings: Appliance Backup & Restore page to delete a backup file.
(Illustration not reproduced; it is from an EX Series appliance.)
To delete a backup:
1. Click the Settings tab.
2. Click Appliance Backup & Restore on the sidebar.
3. In the Restore Available Backups area, locate the backup FEBKP file you want to delete in the Backup Name (Profile) column.
4. Click the red X in the Delete column.
Deleting Previous Backup Files Using the CLI
Use the commands in this section to delete a backup file.
To delete a backup file:
1. Enable the CLI configuration mode.
hostname > enable
hostname # configure terminal
2. Specify the location of the backup file.
• To delete a file from the appliance, enter:
hostname (config) # backup delete from local
• To delete a file from a USB drive on your local machine, enter:
hostname (config) # backup delete from usb
To delete a remote backup file, you must log in to the remote server and delete the file manually.
3. Specify the name of the backup file to delete from the backup location.
hostname (config) # backup delete from <backup_location> name <backup_name>
where <backup_name> is the backup FEBKP file you want to delete.
Example
The following example shows how to delete a database backup that resides locally on an NX Series appliance.
hostname (config) # backup delete from local name wMPS-Config-7.6.0-IE-NX900-20150807-220207.febkp
CHAPTER 19: Configuring Network Address Translation (NAT)
The following sections describe how to add an appliance to the CM Series platform for management in a deployment in which the CM Series platform, the appliance, or both are behind a NAT gateway.
Network address translation (NAT) is not supported in CM Series high availability (HA) deployments.
• Address Mapping below
• Sending a Management Request in a NAT Deployment on page 289
• Configuring and Activating an Accessible DTI Server Address on page 284
• Configuring Global Host-Key Authentication in a NAT Deployment on page 295
Address Mapping
To implement a NAT deployment in a CM Series network, a network administrator needs to map source-to-destination IP address and port pairs so that a connection to the device behind the NAT gateway can be established. Appliances can use either one or two ports for the connection and for the management and DTI network traffic; one port is the default. Appliances running earlier releases use two ports. (For more information, see Changing the Address Type for DTI Network Service Requests on page 102.)
For the single-port configuration, the SSH port needs to be accessible. This port is used to initiate the connection, to configure and monitor the appliance, and to request software updates (such as guest images, security content, and appliance images) from the DTI source server. Port 22 is the default.
For the dual-port configuration, the following ports need to be accessible:
• Remote management (SSH) port. The management port used to initiate the connection, and for the CM Series platform to configure and monitor the appliance. Port 22 is the default.
• DTI network service (HTTPS) port. The port used to request software updates (such as guest images, security content, and appliance images) from the DTI source server. Port 443 is the default.
In the dual-port configuration, the network administrator must map an accessible DTI server IP address and HTTPS port (described in Configuring and Activating an Accessible DTI Server Address on page 284) if the CM Series platform is behind a NAT gateway.
The diagrams in the following sections illustrate the mapping that is required for each supported topology.
Some topologies use virtual IP addresses. These addresses are mapped on the NAT gateway to reach a CM Series platform or managed appliance that is in an internal network behind the gateway.
Only those addresses that need mapping are shown. If no mapping is indicated, the default IP addresses and default ports (22, or 22 and 443) are used.
CM Series Platform Initiates Connection
The following diagrams show the required mapping when the CM Series platform initiates the process of adding an appliance for management.
The EX Series appliance represents the managed appliance in the diagrams for the single-port address type. The NX Series appliance represents the managed appliance in the diagrams for the dual-port address type. (Although it is not depicted in the diagrams, the EX Series appliance can also use the dual-port address type, and the NX Series appliance can use the single-port address type.)
CM Series Behind NAT Gateway
Single-port address type: The EX Series appliance is in an external network, so no mapping is required.
Dual-port address type: The NX Series appliance is in an external network, so no mapping is required for the CM Series platform to initiate the connection and then configure and manage the appliance. The CM Series platform is in an internal network, so the accessible DTI server IP address and HTTPS port must be mapped to the CM Series internal IP address and port 443 for the appliance to request software updates.
Appliance Behind NAT Gateway
Single-port address type: A virtual NAT IP address and port must be mapped to the EX Series internal IP address and port 22 for the CM Series platform to initiate the connection and then configure and monitor the appliance, and for the appliance to request software updates.
Dual-port address type: A virtual NAT IP address and port must be mapped to the NX Series internal IP address and port 22 for the CM Series platform to initiate the connection and then configure and manage the appliance. The CM Series platform is in an external network, so no mapping is required for the appliance to request software updates.
CM Series and Appliance Behind Different NAT Gateways
Single-port address type: A virtual NAT Gateway 2 IP address and port must be mapped to the EX Series internal IP address and port 22 for the CM Series platform to initiate the connection and then configure and monitor the appliance, and for the appliance to request software updates.
Dual-port address type: A virtual NAT Gateway 2 IP address and port must be mapped to the NX Series internal IP address and port 22 for the CM Series platform to initiate the connection and then configure and monitor the appliance.
The accessible DTI server IP address and HTTPS port must be mapped to a virtual NAT Gateway 1 IP address and port. The virtual NAT Gateway 1 IP address and port must be mapped to the CM Series internal IP address and port 443 for the appliance to request software updates.
CM Series and Appliance in External Networks
No mapping is required because the appliance is in an external network and the CM Series platform can access it. For details, see Adding an Appliance from the CM Series Platform.
Appliance Initiates Connection
The following diagrams show the required mapping when the appliance sends a request to be added to a CM Series platform for management.
CM Series Behind NAT Gateway
Single-port address type: A virtual NAT IP address and port must be mapped to the internal CM Series IP address and port 22 for the EX Series appliance to send a request to be added to the CM Series platform and to request software updates, and for the CM Series platform to configure and manage the appliance.
Dual-port address type: A virtual NAT IP address and port must be mapped to the CM Series IP address and port 22 for the NX Series appliance to send a request to be added to the CM Series network, and for the CM Series platform to configure and monitor the appliance. The accessible DTI server IP address and HTTPS port must be mapped to the CM Series internal IP address and port 443 for the appliance to request software updates.
Appliance Behind NAT Gateway
No mapping is required because the CM Series platform is in an external network and the appliance can access it.
CM Series and Appliance Behind Different NAT Gateways
Single-port address type: The virtual NAT Gateway 1 IP address and port must be mapped to the CM Series internal IP address and port 22 for the appliance to send a request to be added to the CM Series platform and to request software updates, and for the CM Series platform to configure and monitor the appliance.
Dual-port address type: The virtual NAT Gateway 1 IP address and port must be mapped to the CM Series internal IP address and port 22 for the appliance to send a request to be added to the CM Series platform, and for the CM Series platform to configure and monitor the appliance. The NX Series internal IP address and port 443 must be mapped to a virtual NAT Gateway 2 IP address and port. The virtual NAT Gateway 1 IP address and port must be mapped to the CM Series internal IP address and port 443 for the appliance to request software updates.
CM Series and Appliance in External Networks
No mapping is required because the CM Series platform is in an external network and the appliance can access it. For details, see Sending a Management Request to the CM Series Platform on page 98.
Configuring and Activating an Accessible DTI Server Address
The CM Series platform can act as the DTI source from which its managed appliances download software updates (such as guest images, security content, and appliance images). In a dual-port configuration, management traffic goes through the SSH port, and DTI traffic goes through the HTTPS port. When the CM Series platform is behind a NAT gateway, it has an internal IP address that the managed appliances cannot reach.
In this environment, you must configure and activate an accessible address that the managed appliances will use as the DTI source for software updates. This address is the virtual NAT IP address and port that are mapped to the CM Series internal IP address and port 443. For details, see Configuring and Activating an Accessible DTI Server Address Using the CLI on the next page.
The accessible DTI server address must be configured and activated on each managed appliance. In addition, on managed appliances running a supported release (see the note below), a "no override" flag needs to be set to prevent the default CM Series address from overriding the accessible address.
Any appliances behind the same NAT gateway as the CM Series platform will use the default CM Series platform address as their DTI source and require no additional configuration.
An accessible DTI server address is required only in a dual-port configuration. If you change from dual-port to single-port communication, you must remove the "no override" flag and instead set an "override" flag to allow the CM Series platform to push the single-port settings to the managed appliance. For details, see Switching to Single-Port or Dual-Port Communication in a NAT Deployment on page 287.
Dual-port is the default configuration for appliances running releases earlier than Release 7.6.0. For details, see Changing the Address Type for DTI Network Service Requests on page 102.
Prerequisites
• Admin access
Configuring and Activating an Accessible DTI Server Address Using the CLI
Use the CLI commands in this section to configure a custom DTI source and activate it as an accessible DTI server address for managed appliances using the dual-port address type. This is the address that should be used when the CM Series platform is behind a NAT gateway and in another network.
Do not use this procedure for any reason other than the scenario described above.
You must enter the commands in the order shown.
This configuration must be performed on each managed appliance. You can repeat the procedure on each appliance, or use the appliance group functionality to configure the accessible address on multiple appliances at the same time.
Only one custom DTI source can be configured.
To configure the accessible address:
1. Log in to the appliance CLI.
2. Enable the CLI configuration mode:
appl-hostname > enable
appl-hostname # configure terminal
3. Configure the accessible address as the DTI source:
a. Prevent the local address from overriding the accessible address:
appl-hostname (config) # no fenet dti source override enable
b. Configure the IP address and port:
appl-hostname (config) # fenet dti source type CUSTOM address ipAddress port port
where ipAddress is the NAT IP address. The port parameter is optional and defaults to 443 if it is not specified.
c. Specify the DTI server user and password:
appl-hostname (config) # fenet dti source type CUSTOM username username password password
d. Set "CUSTOM" as the default DTI source type:
appl-hostname (config) # fenet dti source default CUSTOM
4. Configure the accessible address as the DTI upload destination:
a. Prevent the local address from overriding the accessible address:
appl-hostname (config) # no fenet dti upload destination override enable
b. Configure the address and port:
appl-hostname (config) # fenet dti upload destination type CUSTOM address ipAddress port port
where ipAddress is the NAT gateway IP address and port is the HTTPS port. (The port parameter is optional if the port is 443.)
c. Specify the DTI server user and password:
appl-hostname (config) # fenet dti upload destination type CUSTOM username username password password
d. Set "CUSTOM" as the default DTI upload destination type:
appl-hostname (config) # fenet dti upload destination default CUSTOM
5. Configure the accessible address as the "mil" service address:
a. Prevent the local address from overriding the accessible address:
appl-hostname (config) # no fenet dti mil service override enable
b. Configure the address and port:
appl-hostname (config) # fenet dti mil service type CUSTOM address ipAddress port port
where ipAddress is the virtual NAT IP address and port is the HTTPS port. (The port parameter is optional if the port is 443.)
c. Specify the DTI server user and password:
appl-hostname (config) # fenet dti mil service type CUSTOM username username password password
d. Set "CUSTOM" as the default "mil" service type:
appl-hostname (config) # fenet dti mil service default CUSTOM
6. Verify the configuration:
appl-hostname (config) # show fenet
7. Save your changes:
appl-hostname (config) # write memory
Deleting the Custom DTI Source
You can delete the custom DTI source, which removes it from the list of available options.
You cannot delete the custom DTI source if it is an active DTI source for managed appliances.
To delete the custom DTI source:
1. Enable the CLI configuration mode:
cm-hostname > enable
cm-hostname # configure terminal
2. Delete the custom DTI source:
cm-hostname (config) # no fenet dti source type CUSTOM
3. Verify your changes:
cm-hostname (config) # show fenet dti configuration
4. Save your changes:
cm-hostname (config) # write memory
Example
The following example configures a custom address and prevents the CM Series platform from overriding it with the CM Series local address.
appl-hostname (config) # no fenet dti source override enable
appl-hostname (config) # fenet dti source type CUSTOM address 3.3.3.6 port 2000
appl-hostname (config) # fenet dti source type CUSTOM username user8 password 123ABCXYZ
appl-hostname (config) # fenet dti source default CUSTOM
appl-hostname (config) # no fenet dti upload destination override enable
appl-hostname (config) # fenet dti upload destination type CUSTOM address 3.3.3.5 port 2000
appl-hostname (config) # fenet dti upload destination type CUSTOM username user8 password 123ABCXYZ
appl-hostname (config) # fenet dti upload destination default CUSTOM
appl-hostname (config) # no fenet dti mil service override enable
appl-hostname (config) # fenet dti mil service type CUSTOM address 3.3.3.5 port 2000
appl-hostname (config) # fenet dti mil service type CUSTOM username user8 password 123ABCXYZ
appl-hostname (config) # fenet dti mil service default CUSTOM
appl-hostname (config) # write memory
appl-hostname (config) # show fenet
DTI CLIENT CONFIGURATION:
Download source : CUSTOM ([email protected])
Upload destination : CUSTOM ([email protected])
Update channel : CUSTOM ([email protected])
Http proxy : None
Connect timeout : 30 (max tries: 3)
Speed Time : 60
Max Time : 14400
Rate Limit : None
Lockdown enabled : No
Switching to Single-Port or Dual-Port Communication in a NATDeployment
Managed appliances communicate with the CM Series platform over a single port by default, but
they can be configured to use two ports. (For details, see Changing the Address Type for
DTI Network Service Requests on page 102.)
System Administration Guide CHAPTER 19: Configuring Network Address Translation (NAT)
287 © 2015 FireEye
Release 7.6 Configuring and Activating an Accessible DTI Server Address
In the dual-port configuration, if the CM Series platform is in an internal network behind a NAT
gateway, a custom DTI source address must be configured. The custom address allows the
managed appliance to access the HTTPS port on the CM Series platform to request software
updates from the DTI network. (For details, see Configuring and Activating an Accessible
DTI Server Address on page 284.)
To configure the custom address, you must set a flag to prevent the CM Series platform from
overriding the custom address settings. If you switch from dual-port to single-port
communication, you must remove this flag so the CM Series platform can push the single-port
settings to the managed appliance.
To switch from dual-port to single-port communication:
1. Log in to the appliance CLI.
2. Enable the CLI configuration mode.
appl-hostname > enable
appl-hostname # configure terminal
3. Allow the CM Series platform to push the single-port settings:
appl-hostname (config) # fenet dti source override enable
appl-hostname (config) # fenet dti upload destination override enable
appl-hostname (config) # fenet dti mil service override enable
4. Verify your changes:
appl-hostname (config) # show fenet
5. Save your changes:
appl-hostname (config) # write memory
To switch from single-port to dual-port communication:
• Perform the procedure in Configuring and Activating an Accessible DTI Server
Address Using the CLI on page 285.
Example
The following example allows the CM Series platform to push the single-port settings to the
appliance, after the address type was changed from dual-port to single-port.
appl-hostname (config) # fenet dti source override enable
appl-hostname (config) # fenet dti upload destination override enable
appl-hostname (config) # fenet dti mil service override enable
appl-hostname (config) # write memory
appl-hostname (config) # show fenet dti configuration
DTI CLIENT CONFIGURATION:
Download source : CMS ([email protected] : singleport) - Managed by CMS
Upload destination : CMS ([email protected] : singleport) - Managed by CMS
Update channel : CMS ([email protected] : singleport) - Managed by CMS
...
Sending a Management Request in a NAT Deployment
An appliance (for example, an NX Series) administrator can send a request to add the appliance to
the CM Series platform. A rendezvous process enables the appliance to attempt the request and
allows the CM Series administrator to see the list of pending requests.
Requirements for Establishing a Successful Connection
To send a management request and successfully establish and maintain the connection, the
following must be in place:
• Automatic rendezvous attempts are enabled on the requesting appliance (disabled by
default).
• The auto connect feature is enabled on the requesting appliance so it automatically
tries to connect to the CM Series platform after the rendezvous attempt succeeds (enabled
by default).
  See Preparing an Appliance to Send a Management Request in a
  NAT Deployment on the facing page to verify and enable these settings.
• The appliance has a unique and permanent hostname. Pending requests from
appliances with the same hostname or IP address will be rejected. If the hostname is
changed, the connection will be broken and cannot be reset. If this happens, the appliance
must be removed from the CM Series platform and then added again using the new
hostname.
• The CM Series platform and the appliance have the same rendezvous service
name. The rendezvous process has an identifier (known as the service name) that is set to "cmc"
by default. The CM Series platform and the requesting appliance must have the same
service name; if you change the service name on one, you must change it on the other as
well. The cmc rendezvous service-name hostname command changes the service name;
the no cmc rendezvous service-name command restores the default value. For details,
see the FireEye CLI Reference.
Appliance-initiated connections are not supported in CM Series high availability (HA)
deployments.
Prerequisites
• Operator or Admin access
• Network address translation (NAT) mapping, as described in Address Mapping
• If the requesting appliance is behind a NAT gateway: the virtual NAT address and port that map
to the requesting appliance internal IP address and SSH port
• If the CM Series platform is behind a NAT gateway:
  • The virtual NAT address and port that map to the CM Series internal IP address and
  SSH port
  • One of the following:
    • The accessible CM Series IP address and port, described in Configuring and
    Activating an Accessible DTI Server Address on page 284
    • Single-port communication enabled on the appliance, described in Changing
    the Address Type for DTI Network Service Requests on page 102
Preparing an Appliance to Send a Management Request in a NAT Deployment
Use the commands in this section to prepare an appliance in a NAT deployment to send a
request for management to the CM Series platform.
To prepare to send a request:
1. Log in to the requesting appliance CLI.
2. Enable the CLI configuration mode:
appl-hostname > enable
appl-hostname # configure terminal
3. Enable automatic rendezvous attempts:
appl-hostname (config) # cmc rendezvous client auto
After automatic rendezvous is enabled, when the requesting appliance is behind a
NAT gateway, the local IP address of the appliance will be included in the
request instead of the mapped address. You must prevent the local IP address of
the appliance from being part of the request, and then force the request to be sent
again using the mapped address. These commands are included in the relevant
procedures.
4. Verify that the auto connect feature is enabled:
a. View appliance (client) information:
appl-hostname (config) # show cmc client
b. If Autoconnect: no is shown, enable auto connect:
appl-hostname (config) # cmc client connection auto
5. Save your changes:
appl-hostname (config) # write memory
Sending a Management Request in a NAT Deployment Using the Appliance Web UI
Use the Settings: CMS Network page in the requesting appliance Web UI to initiate a request
to be added to a CM Series platform.
To send a management request:
1. If the appliance has never sent a management request, ensure that it meets the
requirements described in Preparing an Appliance to Send a Management Request
in a NAT Deployment on the previous page.
2. Log in to the requesting appliance Web UI.
3. Select the Settings tab.
4. Click CMS Network on the sidebar.
5. In the CMS IP Address and Port boxes, do one of the following:
  • If the CM Series is not behind a NAT gateway or is behind the same NAT gateway as the
  appliance: Enter the CM Series IP address and remote management port. The default
  port is 22.
  • If the CM Series is behind a NAT gateway different from the appliance NAT gateway: Enter
  the accessible CM Series IP address and port.
6. In the CMS Username and CMS Password boxes, enter the admin credentials the
appliance should use to log in to the CM Series platform to announce itself.
7. If the appliance is behind a NAT gateway, select the Appliance Behind NAT checkbox.
8. Click Send Request.
A message informs you that the request succeeded or failed, or that the appliance is already
being managed by the CM Series platform. If the request succeeded, a CM Series
administrator can accept or reject the request. An example success message is shown
below:
See Accepting a Management Request in a NAT Deployment Using the Web UI
for information about accepting the requests and adding the appliances to the
CM Series platform.
Sending a Management Request in a NAT Deployment Using the Appliance CLI
Use the commands in this section to send a management request from an appliance in a
NAT deployment to the CM Series platform.
The following topologies are supported:
• CM Series and Appliance Behind the Same NAT Gateway below
• Appliance Behind NAT Gateway and CM Series in External Network on the next
page
• CM Series Behind NAT Gateway and Appliance in External Network on page 294
• CM Series and Appliance Behind Different NAT Gateways on page 294
If the appliance has never sent a management request, ensure the requirements
described in Preparing an Appliance to Send a Management Request in a
NAT Deployment on page 290 are in place before you attempt to send the request.
CM Series and Appliance Behind the Same NAT Gateway
To send a management request:
1. Log in to the requesting appliance CLI.
2. Enable the CLI configuration mode:
appl-hostname > enable
appl-hostname # configure terminal
3. Specify the IP address of the CM Series platform:
appl-hostname (config) # cmc client server address IPaddress
4. Specify the authentication type and admin credentials the appliance should use to log in to
the CM Series platform to announce itself.
appl-hostname (config) # cmc client server auth authtype authtype
appl-hostname (config) # cmc client server auth authtype username username
appl-hostname (config) # cmc client server auth authtype password password | identity identity
where authtype can be password, ssh-dsa2, or ssh-rsa2. (See Configuring User
Authentication Using the CLI on page 90 for details.)
5. Save your changes:
appl-hostname (config) # write memory
Appliance Behind NAT Gateway and CM Series in External Network
To send a management request:
1. Log in to the requesting appliance CLI.
2. Enable the CLI configuration mode:
appl-hostname > enable
appl-hostname # configure terminal
3. Specify the IP address of the CM Series platform:
appl-hostname (config) # cmc client server address IPaddress
4. Specify the authentication type and admin credentials the appliance should use to log in to
the CM Series platform to announce itself.
appl-hostname (config) # cmc client server auth authtype authtype
appl-hostname (config) # cmc client server auth authtype username username
appl-hostname (config) # cmc client server auth authtype password password | identity identity
where authtype can be password, ssh-dsa2, or ssh-rsa2. (See Configuring User
Authentication Using the CLI on page 90 for details.)
5. Prevent the local IP address of the appliance behind the NAT gateway from being part of
the request:
appl-hostname (config) # no cmc rendezvous client send-client-address
6. Send the request again without including the local IP address of the appliance:
appl-hostname (config) # cmc rendezvous client force
7. Save your changes:
appl-hostname (config) # write memory
CM Series Behind NAT Gateway and Appliance in External Network
To send a management request:
1. Log in to the requesting appliance CLI.
2. Enable the CLI configuration mode:
appl-hostname > enable
appl-hostname # configure terminal
3. Specify the virtual NAT IP address and port that are mapped to the CM Series internal
IP address and SSH port:
appl-hostname (config) # cmc client server address IPaddress
where IPaddress is the mapped IP address.
4. (Optional) Specify the virtual NAT port that is mapped to the CM Series internal
SSH port:
appl-hostname (config) # cmc client server port port
The port defaults to 22 if it is not specified.
5. Specify the authentication type and admin credentials the appliance should use to log in to
the CM Series platform to announce itself.
appl-hostname (config) # cmc client server auth authtype authtype
appl-hostname (config) # cmc client server auth authtype username username
appl-hostname (config) # cmc client server auth authtype password password | identity identity
where authtype can be password, ssh-dsa2, or ssh-rsa2. (See Configuring User
Authentication Using the CLI on page 90 for details.)
6. Save your changes:
appl-hostname (config) # write memory
CM Series and Appliance Behind Different NAT Gateways
To send a management request:
1. Log in to the requesting appliance CLI.
2. Enable the CLI configuration mode:
appl-hostname > enable
appl-hostname # configure terminal
3. Specify the virtual CM Series NAT IP address that is mapped to the CM Series internal
IP address:
appl-hostname (config) # cmc client server address IPaddress
where IPaddress is the mapped IP address.
4. (Optional) Specify the virtual CM Series NAT port that is mapped to the CM Series
internal SSH port:
appl-hostname (config) # cmc client server port port
The port defaults to 22 if it is not specified.
5. Specify the authentication type and admin credentials the appliance should use to log in to
the CM Series platform to announce itself.
appl-hostname (config) # cmc client server auth authtype authtype
appl-hostname (config) # cmc client server auth authtype username username
appl-hostname (config) # cmc client server auth authtype password password | identity identity
where authtype can be password, ssh-dsa2, or ssh-rsa2. (See Configuring User
Authentication Using the CLI on page 90 for details.)
6. Prevent the local IP address of the appliance behind the NAT gateway from being part of
the request:
appl-hostname (config) # no cmc rendezvous client send-client-address
7. Send the request again without including the local IP address of the appliance:
appl-hostname (config) # cmc rendezvous client force
8. Save your changes:
appl-hostname (config) # write memory
Configuring Global Host-Key Authentication in a NAT Deployment
When global host-key authentication is enforced on the managed appliance, you must obtain the
public host-key from the CM Series platform and import it into the managed appliance global
host-keys database. This is described in Host-Key Authentication on page 89.
The CM Series host-key string includes its IP address. If the CM Series platform is in an internal
network behind a NAT gateway, the IP address in the key string you obtain from the CM Series
Web UI or CLI must be replaced with the virtual IP address that is mapped to the CM Series on
the NAT gateway.
Example
In this example, the CM Series platform is behind the NAT gateway. Its IP address is 1.1.1.5,
and its virtual IP address is 3.3.3.5.
The host-key string you obtain from the CM Series Web UI or CLI starts with "1.1.1.5". For
example:
1.1.1.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzd5JwKBjHLe/jxkF0JzWcXOTw9l0bz2SctkQrihkqg/zXqrmxAfgbzYulDSIxOKZTh2VBnKsy0qRWrCps64Itlh6iRlr7Jxa+jAtTAGsy..
Before you import the host-key into the EX Series global host-keys database, you must replace
"1.1.1.5" with "3.3.3.5." For example:
3.3.3.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzd5JwKBjHLe/jxkF0JzWcXOTw9l0bz2SctkQrihkqg/zXqrmxAfgbzYulDSIxOKZTh2VBnKsy0qRWrCps64Itlh6iRlr7Jxa+jAtTAGsy..
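As an added example (not FireEye's code), the following Python helper performs the substitution described above without touching the key material: it parses the "<host> <key-type> <base64>" line, checks that the key-type field agrees with the type embedded in the blob, swaps the internal address for the mapped NAT address, and reports the SHA256 fingerprint so you can confirm it matches what the CM Series platform actually presents. The key blob, addresses and function names are constructed for illustration and are not a real CM Series key.

```python
import base64
import hashlib
import ipaddress
import struct


def parse_host_key_line(line: str):
    """Split a host-key line of the form '<host> <key-type> <base64-blob>'.

    Returns (host, key_type, blob_b64). A trailing comment, which OpenSSH
    permits on such lines, is ignored.
    """
    parts = line.strip().split()
    if len(parts) < 3:
        raise ValueError("host-key line must be '<host> <key-type> <base64>'")
    host, key_type, blob_b64 = parts[0], parts[1], parts[2]
    ipaddress.ip_address(host)  # raises ValueError if not an IP literal
    blob = base64.b64decode(blob_b64, validate=True)
    # An OpenSSH public-key blob starts with a length-prefixed string naming
    # the key type; it must agree with the text field in front of it.
    (n,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + n].decode("ascii", errors="replace")
    if embedded_type != key_type:
        raise ValueError(
            f"key type field {key_type!r} does not match blob {embedded_type!r}")
    return host, key_type, blob_b64


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of the raw key blob (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def rewrite_host_key_for_nat(line: str, internal_ip: str, nat_ip: str) -> str:
    """Return the host-key line with the internal address replaced by the NAT address.

    Only the host field changes; the key type and blob are copied verbatim, so
    the fingerprint the appliance pins is exactly the one the CM Series
    platform presents behind the NAT gateway.
    """
    host, key_type, blob_b64 = parse_host_key_line(line)
    if host != internal_ip:
        raise ValueError(f"expected key string for {internal_ip}, found {host}")
    ipaddress.ip_address(nat_ip)  # reject typos in the mapped address early
    rewritten = f"{nat_ip} {key_type} {blob_b64}"
    parse_host_key_line(rewritten)  # the result must still be a valid line
    return rewritten


def _constructed_blob(key_type: str = "ssh-rsa") -> str:
    """Build a CONSTRUCTED key blob in OpenSSH wire format (not a real key)."""
    # Layout mirrors the ssh-rsa encoding: string "ssh-rsa", mpint e, mpint n.
    e = (65537).to_bytes(3, "big")
    n = bytes(range(1, 65))  # 64 placeholder bytes standing in for the modulus
    blob = struct.pack(">I", len(key_type)) + key_type.encode()
    blob += struct.pack(">I", len(e)) + e
    blob += struct.pack(">I", len(n)) + n
    return base64.b64encode(blob).decode()


# Constructed scenario mirroring the guide: the CM Series platform sits behind
# NAT at 1.1.1.5 and is reachable by managed appliances at 3.3.3.5.
CMS_INTERNAL_IP = "1.1.1.5"
CMS_NAT_IP = "3.3.3.5"
SAMPLE_LINE = f"{CMS_INTERNAL_IP} ssh-rsa {_constructed_blob()}"


def rewrite_sample() -> str:
    """Rewrite the constructed sample line; returned so a caller can inspect it."""
    return rewrite_host_key_for_nat(SAMPLE_LINE, CMS_INTERNAL_IP, CMS_NAT_IP)


if __name__ == "__main__":
    print("before:", SAMPLE_LINE[:60] + "...")
    print("after: ", rewrite_sample()[:60] + "...")
    print("fingerprint (unchanged):", fingerprint(SAMPLE_LINE.split()[2]))
```

Compare the printed fingerprint with the one the CM Series CLI or Web UI reports for its host key before importing the rewritten line into the appliance's global host-keys database.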
GLOSSARY
A
Access Control List (ACL)
A mechanism for enforcing user privileges. For
example, an ACL determines who has access to a
certain service and whether the user has
read/write privileges. See also Capability and
Role.
Advanced Persistent Threat (APT)
A sophisticated cyber attack that employs
advanced stealth techniques to remain undetected
for extended periods of time.
Advanced Targeted Attack (ATA)
Another name for an advanced persistent threat.
AX Series (formerly known as Malware Analysis System or MAS)
Appliance equipped with a virtual execution
engine that enables users to manually inspect
objects suspected of containing malware.
B
Baiting
A social-engineering attack in which physical
media (such as a USB Flash drive) containing
malware is deliberately left in proximity to a
targeted organization.
Blacklist
A list or register of entities to be denied a
specified access or privilege. During FireEye
VXE analysis, when content matches any pattern
on the blacklist, the content is deemed malicious
and an alert or block action is enacted
immediately.
Blended threat
A cyber attack incorporating a combination of
attacks against different vulnerabilities.
Bot
An infected computer (or endpoint) centrally
controlled by a command and control (CnC)
server.
Botnet
Set of software “robots” or “zombies” that are
controlled remotely by a command and control
server.
Botnet server
Command and control server that directs the
operation of a botnet.
Bring Your Own Device (BYOD)
An organizational policy of employees bringing
personally owned devices to their place of work
in order to access the organization’s data.
Buffer overflow attack
An attack accomplished by placing more data
into the buffer than it is configured to hold which
ends up enabling the attacker to run custom code
(oftentimes with the escalated privileges granted
to the vulnerable application or network service).
C
Capability
A group of related CLI commands and Web UI
functions. Each capability belongs to one of the
following categories: System Administration,
Malware Analysis, Auditing, All Users, and Web
Services API. Each user is assigned to a role,
which is a collection of capabilities.
Central Management (CM) Series
A FireEye rack-mount appliance with a Web-
based graphical user interface responsible for
monitoring and managing appliances within an
NGTP environment.
Command and Control (CnC)
A server operated by a cybercriminal to provide
instructions to bots.
Command-line Interface (CLI)
An interface in which you type commands in lieu
of choosing them from a menu or selecting an
icon. The FireEye appliance has a CLI for
administering the appliance.
Cybercriminal
A hacker illegally stealing data from another
computer for personal financial gain.
Cyberwar
Politically motivated hacking to conduct sabotage
and/or espionage against a nation-state.
D
Darkspace
Currently unused address space.
Data Leakage Prevention (DLP)
A system designed to detect potential data loss
based on patterns (such as Social Security
numbers) in a timely manner.
DB-9
Serial port connector used to connect a computer
to the FireEye appliance.
Defense-in-depth strategy
Installing a series of cybersecurity defenses so that
a threat missed by one layer of security may be
caught by another.
Demilitarized Zone (DMZ)
An area of the network where systems have direct
access to the Internet or an external network.
Denial-of-Service (DoS) attack
A cyber attack intended to disrupt or disable a
targeted host by flooding it with benign
communication requests from a single host.
Domain Name Service
An Internet service that translates domain names
into IP addresses.
Dynamic Host Configuration Protocol (DHCP)
A network protocol used to configure devices
that are connected to a network so that they can
communicate on an IP network.
Dynamic Threat Intelligence (DTI) network
The DTI network exchanges anonymized threat
intelligence through the DTI cloud. FireEye
customers receive contextual visibility of global
attacks. The DTI network accurately captures
shared volume of working security content while
supporting Guest Images, and detecting
multivector algorithms.
E
Egress traffic
Computer network traffic flowing from inside
the network to hosts outside the network.
Event
Indicates a type of security intrusion or attack.
Execution anomaly
Type of event triggered by a memory anomaly
(such as a buffer overflow).
F
Fail open
The ability of copper interfaces on a network
appliance to maintain connectivity in order to
prevent network disruption upon appliance
power loss or interference.
False negative
Misclassifying a file containing malware as
benign.
False positive
Misclassifying a benign file as containing
malware.
G
Graphical User Interface (GUI)
An interface utilizing windows and icons rather
than text as a way for users to interact with the
computer.
Greylist
Greylists provide control over the priority of
workorders for known IP addresses and URLs.
Greylists have files that contain either URLs or
IP addresses and are used by the FireEye VXE
analysis engine to check if the specified URLs or
IP addresses contain a malicious rule match.
Guest Image
Software image for an operating system and
applications that is run in a virtual machine to
analyze suspicious or captured traffic.
H
Hacktivism
The use of computers and computer networks as
a means to protest and/or promote political ends.
I
Inline (active)
Signature-based security device that monitors
network traffic and blocks known cyber attacks
upon detection.
Inline mode
Placement of a network appliance directly in the
line of network traffic, enabling it to block cyber
attacks.
Intrusion Detection System (IDS)
An out-of-band, signature-based security device
that monitors network traffic and creates alerts
upon detecting known cyber attacks.
Intrusion Protection System (IPS)
A security appliance that monitors network
activities for malicious activity. The main
functions of intrusion protection systems are to
identify malicious activity, log information about
said activity, attempt to block/stop said activity,
and report the activity.
K
Keylogger
An application that records computer keystrokes,
usually unbeknownst to the user.
Known botnet server bot command
Events that are triggered when the appliance sees
any of the common IRC bot commands or
communication to known botnet servers.
L
Live mode
Analysis mode in which the malware is allowed
to detonate inside the VX engine and is even
permitted to contact external entities, including
the CnC servers.
M
Malware
Malicious software (such as a computer virus,
worm, or Trojan) created to disrupt computer
operation, gather sensitive information, or gain
access to private computer systems. See also
spyware, Trojan, and worm.
Malware Protection Cloud (MPC)
See Dynamic Threat Intelligence (DTI) network.
Malware Protection System (MPS)
A rack-mount appliance responsible for detecting
suspicious network objects and forwarding them
to the virtual execution engine (which it also
hosts) for signature-less analysis.
Multi-staged
A cyber attack incorporating multiple types of
malware designed to be launched at different
phases of an advanced cyber attack.
Multivector
A cyber attack designed to target multiple target
hosts within the same organization using multiple
attack techniques.
Multivector Virtual Execution (MVX) Engine
A component on an MPS appliance that is
responsible for signature-less analysis of
suspicious objects in the safety of a virtual
machine.
MVX Engine-verified
Type of event triggered by a drive-by or social
engineering attack and verified as a malicious
behavior in the FireEye Multivector Virtual
Execution (MVX) engine.
MVX Engine-verified outbound communications
A post-infection event that signals the presence of
malicious software attempting to contact an
external CnC server inside the MVX engine.
N
Network Time Protocol (NTP)
A networking protocol for clock synchronization
between computer systems.
Next-generation threat
A new breed of cyber attacks not easily detected
by signature-based security defenses. Examples
include polymorphic malware, zero-day threats,
and APTs.
Next-Generation Threat Protection (NGTP)
Software installed on purpose-built, rack-mount
appliances that is designed to detect and block
today’s new breed of cyber attacks.
O
Open Shortest Path First (OSPF)
A protocol that computes an optimal path for
traffic in a TCP/IP network.
Operating System anomaly
Events that indicate modification of the
operating system.
Out-of-band mode
The mode of operation of a network appliance
that enables it to analyze traffic copied from a
network TAP or switch SPAN port.
P
Phishing
The act of sending an email to a user falsely
claiming to be a legitimate entity in an attempt to
scam the user into surrendering private
information, such as credit card and Social
Security numbers.
Polymorphic threat
Malware that changes its signature (binary
pattern) every time it replicates in order to evade
detection by a security device or application.
R
Remote Administration Tool (RAT)
Software that provides the hacker with a
backdoor into the infected system to snoop or
take control of the host.
Role
A collection of capabilities that allow a user to
perform certain operations. Each user is assigned
one of the following roles: Admin, Monitor,
Operator, Analyst, Auditor, API Analyst, or
API Monitor.
S
Sandbox
A software application designed to analyze
suspicious binaries in the safety of a virtual
machine, while often evading sophisticated
cyberattackers.
Sandbox mode
Mode in which malware is permitted to run, but
results of the malware action are restricted to the
virtual machine and not permitted to escape.
Secure Sockets Layer (SSL)
A protocol that uses multiple layers to manage
the security of a message transmission on the
Internet.
Simple Network Management Protocol (SNMP)
A set of protocols for exchanging management
information between network devices.
Spear phishing
A phishing attempt directed toward a specific
organization or person(s) within that
organization.
Spyware
A type of malware that collects information about
users, with or without their knowledge.
State-sponsored threat actor
A cybercriminal employed by a nation-state to
conduct cyber attacks against enemies of the state
for politically-motivated purposes.
Structured Query Language injection attack (SQL injection attack)
A form of attack on a database-driven Web
application in which the attacker executes
unauthorized SQL commands in order to exploit
insecure code.
T
Transport Layer Security (TLS)
Encrypted protocols that provide secure
communication over the Internet.
Trojan
Malware that masquerades as a legitimate file or
helpful application with the ultimate purpose of
granting a hacker unauthorized access to a
computer.
V
Virtual Execution Engine (VXE)
See Multivector Virtual Execution (MVX)
Engine.
Virtual Local Area Network (VLAN)
A network of computers that act as if they are
connected to the same wire despite actually being
physically located on different segments of a local
area network.
Virtual Machine (VM)
FireEye software program that runs an instance
of an operating system. The operating system runs
on top of a program which emulates a hardware
system.
VX Engine-verified
Type of event triggered by a drive-by or social
engineering attack and verified as a malicious
behavior in the FireEye Virtual Execution
Engine.
VX Engine-verified outbound communications
A post-infection event that signals the presence of
malicious software attempting to contact an
external CnC server inside the VX engine.
W
Whaling
A cyber attack directed specifically at senior
executives and other high-profile targets within
businesses.
Workorders
Identify traffic that needs to be analyzed by the
appliance. Workorders are generated for the
suspicious traffic identified by the appliance, and
for the manually-defined traffic capture policies
(if any).
Worm
A form of malware that exploits network
vulnerabilities in order to propagate itself onto
other computers.
Z
Zero-day attack
An attack by malware that exploits unknown or
newly-discovered vulnerabilities in software
before they become known or before security
patches are applied to fix them.
INDEX
A
AAA
accounting 229
authentication 191, 212, 220
authorization 221
LDAP 217
local access 199-200
overview 190
password rules 200, 207
password, changing 192, 195
RADIUS 215
remote users 213-214
roles 221, 228
TACACS+ 216
user accounts 192-194
account status 199
accounting 229-230
Active Directory (AD) 219
address type for CM Series
communication 102, 287
admin password 21
Admin role 221
aggregators 78
analyst role 221
api_analyst role 222
api_monitor role 222
appliance license 114
ArcSight 125, 162
audit logging 224, 229-230
auditor role 222
authentication
example 220
failed attempts 212
local-to-remote user mappings 214
local override rules 213
methods 191
order 192, 212
SSH 87
authorization 221-222
B
backup, database
estimating space 262
overview 259
scheduling with CLI 267
task list 260
uploading files 271
using CLI 265
viewing results 260
Blue Coat ProxySG 125
C
CA certificates 232
capabilities
all users 224
auditing 224
descriptions 225
malware analysis 224
overview 222
system administration 223
Web services API 224
Certificate Authority (CA)
certificates 232
certificates
activating 248
Certificate Authority (CA) 232, 254
client 232, 254
default attributes 250
downloading 247
HTTPS 232, 254
key size 257
LDAP server 232, 254
Mozilla bundle 232, 254
renaming 256-257
secure hash 257
supplemental CA 232, 254
system self-signed 232, 239
viewing 232
Web server 232, 241
X.509 (TLS/SSL) 232
checks, health 167
client-initiated connections 87
CM Series authentication 87, 287, 295
CM Series integration
changing address type 102
initiating request for management 87, 98, 103
CONTENT_UPDATE license 114
current password requirement 204
D
database 259-260, 262-263, 267, 271-272, 276
date and time settings 105-106, 108-112
deployment modes 36
deployment testing 174, 179-180
from the Web UI 175
DNS settings, configuring 61
DSA2 public keys 88-90
DTI network
automatic updates 74, 77
changing source server 69, 79, 81-84, 86
configuring credentials 86
overview 67
security updates 72
stats uploads 77
status 167
upgrading from 125-126, 128
validating 70-71
E
Ethernet port status 170
EULA (End User License Agreement) 18-19, 124-125, 129
F
FIREEYE_APPLIANCE license 114
FIREEYE_SUPPORT license 114
front panel, removing 30
G
Guest Images 124, 130
guest images status 168
H
hardware status 169
health checks 167, 170
host-key authentication 92-94, 96
HTTPS certificates 232
I
inline deployment mode 36
IP filtering 64, 66
IPMI port 24
J
Juniper STRM 125
L
LCD 19, 30
LDAP
configuring 217
example configuration 218
overview 217
search filters 218
liquid crystal display 19, 30
Log Manager 162
logs 162-163
M
malware analysis capabilities 224
MIB, downloading
to Apple devices 140
to Linux devices 139
to Windows devices 139
monitor role 221
Mozilla certificates 232
N
Network Address Translation (NAT)
278, 284, 287, 290, 295
network administration 60, 62, 64, 66
network proxy 125
network requirements 13
notifications 148
NTP (Network Time Protocol) 108-109
O
operator role 221
order of authentication 192
P
password authentication 88
passwords
changing admin 21
changing your own 196-197
configuring password change
policies 207, 209
configuring validation rules 202, 204-206
public key authentication 88-89
Q
Q1 Lab QRadar 125
R
RADIUS 215
resolution, screen 27
restore, database
guidelines 273
overview 259
task list 260
using CLI 274
viewing results 260
roles
admin 221
analyst 221
api_analyst 222
api_monitor 222
assigning 228
auditor 222
capabilities 222
fe_services 222
monitor 221
operator 221
RSA2 public keys 88, 90
S
screen resolution 27
Secure Shell (SSH) authentication 87
serial port
accessing from a terminal server 19
accessing from a Linux system 18
accessing from a PC laptop 18
accessing from an Apple laptop 18
settings 17
single-port communication 102, 287
SNMP notifications 137
SPAN deployment mode 36
SSH-DSA2, SSH-RSA2 public keys 88-90
SSL certificates 232
status
DTI network 170
Ethernet port information 170
guest images information 168
hardware information 169
system information 168
version information 168
supplemental CA certificates 232
support license 114
system administration capabilities 223
system self-signed certificate 232
system status 168
T
TACACS+ 216
TAP deployment mode 36
testing deployment 174, 179-180
time and date settings 105, 108, 110-111
time zone settings 110-111
TLS certificates 232
two-port communication 102, 287
U
upgrades 124
user accounts
adding 193-194
local access 199-200
managing your own 195-197
overview 192
permanent 199
status 199
updating 193-194
user authentication 87, 90
user interfaces
IPMI 33
LCD 19
Web UI 26, 28-29
V
version status 168
W
Web server certificates 232
Web services API capabilities 224
Web UI 28-29
X
X.509 certificates 232