FireEye Technical Documentation

Central Management Administration Guide
Release 8.7
Central Management / 2019

FireEye and the FireEye logo are registered trademarks of FireEye, Inc. in the United States and other countries. All other trademarks are the property of their respective owners. FireEye assumes no responsibility for any inaccuracies in this document. FireEye reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Copyright © 2019 FireEye, Inc. All rights reserved.
This product is part of the Helix platform.

CM Administration Guide, Software Release 8.7.0, Revision 4

FireEye Contact Information:
  Website: www.fireeye.com/company/contact-us.html
  Technical Support: https://csportal.fireeye.com
  Phone (US): 1.408.321.6300, 1.877.FIREEYE

Contents

PART I: Overview  23

CHAPTER 1: About the Central Management Appliance  25
  Terminology In the User Interface  25
  "Single Pane of Glass"  26
  Alert Management  26
  Alert Correlation  27
  Signature Distribution  27
  Submit to Malware Analysis for Deep Forensics  27
  Appliance Groups  27
  Central Management Deployment  28
    Standard Deployment  28
    Network Address Translation (NAT) Deployment  28
    Single-Port Deployment  29
    High Availability (HA) Deployment  29
    FireEye Network Security (MVX Cluster) Deployment  30
    Split DTI Traffic Deployment  30
  Management Path  31
    Central Management Appliances That Receive DTI Updates  31
    Environments That Restrict Outbound Access to Certain IP Addresses  31
    CM Appliances with Domain-based Proxy ACL Rules  32
  Integrated CM Communications Protocol and Port Configurations  32
  FIPS 140-2 and Common Criteria Compliance  32

CHAPTER 2: User Interfaces  35
  Overview of CM User Interfaces  36
  The CM Appliance Web UI  37
    Browser Support  37
    Screen Resolution Requirements  37
    Logging In Locally to the Helix Appliance Web UI  38
    Notifications of Appliance Health Problems  39
    The Central Management Appliance Dashboard  39
    Central Management Web UI Tabs  54
    PDF Generation  56
  The CM Appliance Command-Line Interface  56
  The CM Appliance LCD Display  57
    Navigating the LCD Menus  57
    LCD Panel Menus  58
  The CM Appliance IPMI Interface  60
    IPMI Browser Support  61
    Logging In to the IPMI Interface  61
    Power Cycling and Resetting the Device  62
    Accessing the Device Serial Console  63
    Checking the Status of Device Sensors  64
    Resetting the IPMI Interface Using the CLI  64

PART II: Configuration  67

CHAPTER 3: Accessing the Physical or Serial Console  69

CHAPTER 4: Initial Configuration  73
  Initial Configuration Overview  74
  Initial Configuration Prerequisites  74
  Configuring Initial Settings Using a Keyboard and Monitor  75
  Configuring Initial Settings Using the Serial Console Port  76
    Using a Windows or Mac Laptop  76
    Using a Linux System  77
    Using a Terminal Server  77
  Configuration Wizard Steps  78
  Configuring Initial Settings Using the LCD Panel  81
  Configuring the IPMI Interface  82
    Viewing the IPMI Configuration  82
    Configuring the IPMI Port  83

CHAPTER 5: Virtual Central Management Appliances  85
  Deploying Virtual Central Management Appliances on VMware ESXi  86
    VMware ESXi System Requirements  86
    Installing a Virtual Appliance in VMware ESXi  88
    Performing the Initial Configuration  93
  Deploying Virtual Central Management Instances on Amazon Web Services (AWS)  96
    AWS System Requirements  97
    Launching a Virtual Central Management Instance on AWS  98
    Configuring the Activation Code and Initial Admin Password on AWS  99
    Performing the Initial Configuration  100
  Deploying Virtual Central Management Appliances on KVM Servers  101
    KVM System Requirements  101
    Installing a Virtual Central Management Appliance on KVM  102
    Performing the Initial Configuration  105
  Understanding Virtual Appliance Licensing  108
    Viewing Virtual Appliance License Status Using the CLI  109
  Viewing System Entropy Status  112
    Viewing System Entropy Status Using the CLI  113

CHAPTER 6: License Keys  115
  About FireEye License Keys  115
  Overriding One-Way Sharing License  117
    Override One-Way Sharing License Using the CLI  117
  Automatic License Updates  118
    How It Works  118
    Enabling Automatic License Updates  119
  Manual License Installation  121
    Installing Licenses Using the Web UI  121
    Removing Licenses Using the Web UI  122
    Installing Licenses Using the CLI  122
    Removing Licenses Using the CLI  124
  Viewing License Notifications Using the Web UI  125

CHAPTER 7: The DTI Network  127
  About the DTI Network  127
    Threat Intelligence  127
    Automatic License Updates  128
    System Health Monitoring and Software Updates  129
  About DTI Network Communication  130
  Changing the Active Setting for a DTI Service  131
    Changing the Active Source for a Central Management Appliance Using the Web UI  132
    Changing the Active Source for a Central Management Appliance Using the CLI  133
    Changing the Global Active Source for Managed Appliances Using the Web UI  134
    Changing Global Active DTI Settings for Managed Appliances Using the CLI  134
  Using an HTTP Proxy for DTI Service Requests  136
  Understanding the DTI Cache  137
    Downloading Software Updates to the DTI Cache  139
    Managing the DTI Cache  144
  Validating DTI Access  149
    Validating DTI Access Using the Web UI  150
    Validating DTI Access Using the CLI  150
  Configuring DTI Credentials  152
    Configuring DTI Credentials Using the CLI  152
  Automatic Validation of Security Content  153
    About Automatic Validation of Security Content  153
    Conditions That Indicate a Compatible Security Content Package  153
    Error Codes for Incompatible Security Content Packages  154
  Sharing Anonymized Data  155
    About Sharing Anonymized Data With the DTI Cloud  155
    Uploading Anonymized Data Automatically Using the CLI  157
    Uploading Anonymized Data Manually Using the CLI  158

CHAPTER 8: System Security  161
  AAA  161
  Certificates  161

CHAPTER 9: System Email Settings  163
  Configuring the Mail Server  164
    Configuring the Mail Server Using the Web UI  165
    Configuring the Mail Server for Health Check Notifications Using the CLI  166
    Configuring the Mail Server for Scheduled Reports Using the CLI  168
  Configuring Email Recipients  169
    Configuring Email Recipients Using the Web UI  170
    Configuring Email Recipients Using the CLI  171
  Configuring System Events  172
    Configuring System Event Notifications Using the Web UI  173
    Configuring System Event Notifications Using the CLI  174
  Configuring Auto Support for System Event Notifications  176
    Configuring Auto Support for System Event Notifications Using the CLI  177

CHAPTER 10: Date and Time Settings  179
  Manual Time Configuration  179
    Setting the Date and Time Using the Web UI  179
    Setting the Date and Time Using the CLI  180
  NTP Server Configuration  181
    Configuring NTP Servers Using the Web UI  182
    Configuring NTP Servers Using the CLI  183
    Configuring NTP Authentication Using the CLI  186
  Time Zone Configuration  190
    Setting the Time Zone Using the Web UI  191
    Setting the Time Zone Using the CLI  191
  Synchronizing the System Clock to DTI Server Time Using the CLI  192

PART III: Administration  195

CHAPTER 11: Network Administration  197
  Basic Network Configuration  197
    Configuring Basic Network Settings Using the Web UI  199
    Configuring Basic Network Settings Using the CLI  202
  IPMI Firmware Updates  203
    Enabling and Disabling IPMI Firmware Notifications Using the CLI  204
  IP Filtering  204
    Interfaces Supported by IP Filtering Rules  205
    Viewing IP Filtering Rules  205
    Enabling IP Filtering Using the CLI  206
  Configuring HTTP Proxy Server Settings  207
    Configuring HTTP Proxy Server Settings Using the CLI  207
    Disabling HTTP Proxy Server Settings Using the CLI  208
  Defining Another Management Interface  209
    Defining Another Management Interface Using the CLI  210
  DTI Traffic and Management Traffic  212
    Splitting DTI and Management Traffic Using the CLI  214

CHAPTER 12: Upgrading the FireEye Software  219
  Before You Begin the Upgrade  219
  Upgrading the Appliance Using the Web UI  221
    Select an Upgrade Source  221
    Check for Available Update Software  222
    Download the Software  222
    Install the Software Update  222
    Validate the Software Updates  223
  Upgrading the Appliance Using the CLI  223
    Download and Install the Appliance Software Image  224
    Restart the Appliance and Accept the EULA  224
    Verify the Upgrade  225
  Configuring Auto-Mounting on a USB Device  225
    Enabling or Disabling Auto-Mounting on a USB Device Using the CLI  226
  Configuring HTTP Access to Install Software Updates Using the CLI  227
  Installing Guest Images from a USB Device Using the CLI  228
  Mounting or Unmounting a USB Device Using the CLI  229
  Upgrading Firmware to IPMI 3.11 and BIOS 1.9  230
    Upgrading IPMI 3.11 and BIOS 1.9 Firmware for Specific Platforms  230

CHAPTER 13: Log Management  233
  Managing Logs Using the Web UI  233
  Viewing the Current Log Configuration  236
  Configuring a Syslog Server Using the CLI  237
  Configuring the Minimum Severity of Messages Sent to Syslog Servers Using the CLI  238
  Configuring the Minimum Severity of Messages Stored on the Local Drive Using the CLI  240
  Configuring the Timestamp Format Using the CLI  242
  Uploading the Active Log File to a Network Location Using the CLI  244

CHAPTER 14: Database Backup and Restore  245
  Database Backup and Restore Introduction  245
  Task List for Database Backup and Restore  246
  Viewing the Last Backup and Restore Results  246
    Viewing the Last Backup and Restore Results Using the Web UI  247
    Viewing the Last Backup and Restore Status Using the CLI  247
  Estimating the Space Needed for the Backup File  248
    Estimating the Space Needed for the Backup File Using the Web UI  248
    Estimating the Space Needed for the Backup File Using the CLI  249
  Backing Up the Database  249
    Backing Up the Database Using the Web UI  250
    Backing Up the Database Using the CLI  251
  Scheduling Automatic Backups  253
    Scheduling Automatic Backups Using the CLI  254
  Downloading Backup Files  256
    Downloading Backup Files Using the Web UI  257
  Uploading Backup Files  257
    Uploading Backup Files Using the Web UI  258
  Restoring the Database from a Backup File  258
    Restoring the Database from a Backup File Using the Web UI  259
    Restoring the Database from a Backup File Using the CLI  260
  Deleting Previous Backup Files  262
    Deleting Previous Backup Files Using the Web UI  262
    Deleting Previous Backup Files Using the CLI  263

CHAPTER 15: System Health and Performance  265
  Viewing System Health and Performance Check Results  265
    Viewing System Health and Performance Check Results Using the Web UI  266
  Checking System Health and Status  269
    Checking System Health Using the Web UI  269
    Checking System Health Using the CLI  274

CHAPTER 16: SNMP Data  279
  Retrieving SNMP Data  279
    Providing Access to SNMP Data  280
    Downloading the MIB  280
    Sending Requests for SNMP Information  282
  Sending Traps  283
    Enabling and Configuring Traps  283
    Logging Trap Messages  284

CHAPTER 17: Login Banners and Messages  287
  About Login Banners and Messages  287
  Customizing Login Banners and Messages Using the Web UI  289
  Customizing Login Banners and Messages Using the CLI  290

CHAPTER 18: Supported Features  293
  Viewing Supported Features Using the Web UI  293

CHAPTER 19: Event Notifications  295
  Configuring Event Notifications Using the Web UI  295
    Configuring Event Notifications  296
    CSV Fields for Daily Digest Notifications  297
    Configuring Email Notifications Using the Web UI  299
    Configuring HTTP Notifications Using the Web UI  301
    Configuring Rsyslog Notifications Using the Web UI  305
    Configuring SNMP Notifications Using the Web UI  309
  Configuring Event Notifications Using the CLI  311
    Configuring Event Notifications  312
    Configuring Email Notifications Using the CLI  313
    Configuring HTTP Notifications Using the CLI  321
    Configuring Rsyslog Notifications Using the CLI  328
    Configuring SNMP Notifications Using the CLI  335
  Configuring the Proxy Server for Notifications  340
    Configuring the Proxy Server for Notifications Using the CLI  340
  Configuring ATI Alert Updates for Notifications  341
    Configuring ATI Alert Updates for Notifications Using the CLI  342

CHAPTER 20: Disk Space Management  345
  On-Demand Cleanup Using Profiles  345
    Viewing a Summary of Disk Space Use Using the CLI  346
    Viewing Disk Space Use By Profile Using the CLI  347
    Deleting Data to Free Disk Space Using the CLI  347

CHAPTER 21: Boot Manager Utilities  349
  Working with the Tools Menu  350
    System Requirements  350
    Setting the Tools Menu Password  352
    Accessing the Tools Menu  354
    Disabling the Tools Menu  356
    Viewing Tools Menu Availability  357
  Wiping Persistent Media  358
    Wiping Persistent Media Using the Tools Menu  359

PART IV: Appliances  361

CHAPTER 22: Adding and Removing Appliances  363
  Adding an Appliance (Using the Central Management Appliance)  363
    Adding an Appliance Using the Central Management Web UI  364
    Adding an Appliance Using the Central Management CLI  365
  Accepting a Management Request  366
    Preparing the Central Management to Accept a Management Request  367
    Accepting a Management Request Using the Central Management Web UI  368
    Accepting a Management Request Using the Central Management CLI  369
  Removing a Managed Appliance from the Central Management Network  371
    Removing a Managed Appliance from the Central Management Network Using the Web UI  371
    Removing a Managed Appliance from the Central Management Network Using the CLI  372

CHAPTER 23: Viewing and Modifying Managed Appliance Information  373
  Viewing Managed Appliance Information Using the Web UI  375
  Viewing Managed Appliance Information Using the CLI  378
  Modifying Managed Appliance Information Using the Web UI  379
  Modifying Managed Appliance Information Using the CLI  380

CHAPTER 24: Configuring Managed Appliances  383
  Configuring Managed Appliances Using the Web UI  384
    Configuring Network Settings for Managed Appliances Using the Web UI  385
    Setting the Appliance Date and Time Manually on Managed Appliances Using the Web UI  385
    Managing Licenses for Managed Appliances Using the Web UI  385
    Configuring NTP Servers for Managed Appliances Using the Web UI  386
    Configuring System Email Settings for Managed Appliances Using the Web UI  386
    Configuring DTI Network Settings for Managed Appliances Using the Web UI  386
    Customizing Appliance Login Messages for Managed Appliances Using the Web UI  387
    Configuring Guest Images for Managed Appliances Using the Web UI  387
    Uploading Certificates to Managed Appliances Using the Web UI  387
    Managing Users on Managed Appliances Using the Web UI  388
    Configuring Event Notifications for Managed Appliances Using the Web UI  388
    Configuring File Types for Managed Malware Analysis Appliances to Analyze Using the Web UI  388
    Generating Reports for Managed Appliances Using the Web UI  389
    Scheduling Reports for Managed Appliances Using the Web UI  389
    Enabling or Disabling Riskware Detection Custom Policy Rules for Managed Appliances Using the Web UI  391
    Configuring Inline Operational Modes for Managed NX Series Appliances Using the Web UI  391
    Configuring Inline Policy Exceptions for Managed NX Series Appliances Using the Web UI  392
    Configuring Whitelists for Managed NX Series Appliances Using the Web UI  392
    Defining Filters for Managed NX Series Appliances Using the Web UI  392
    Uploading YARA Rules to Managed Appliances Using the Web UI  393
    Uploading Custom Rules to Managed NX Series Appliances Using the Web UI  393
    Configuring Forensic Analysis Integration on Managed NX Series Appliances Using the Web UI  394
    Configuring IPS Settings for Managed NX Series Appliances Using the Web UI  394
    Configuring SSL Interception for Managed NX Series Appliances Using the Web UI  394
    Allowing Increased Detection for Managed Appliances Using the Web UI  395
    Enabling Advanced URL Defense on Managed CM Appliances Using the Web UI  396
    Configuring Email MTA Settings for Managed CM Appliances Using the Web UI  397
    Configuring Email Policy Using the Web UI  397
    Configuring Impersonation Rules Using the Web UI  397
    Configuring Rules on an Allowed List for Managed CM Appliances Using the Web UI  398
    Configuring Rules on a Blocked List for Managed CM Appliances Using the Web UI  398
    Configuring Attachment Decryption Settings for Managed CM Appliances Using the Web UI  399
    Configuring Malware Analysis Settings for Managed AX Series Appliances Using the Web UI  399
    Configuring File Types for Managed Malware Analysis Appliances to Analyze Using the Web UI  399
    Configuring Malware Repository Settings for Managed AX Series Appliances Using the Web UI  400
    Configuring and Managing Scans for Managed FX Series Appliances Using the Web UI  400
    Configuring and Managing Storage for Managed FX Series Appliances Using the Web UI  401
  Configuring Managed Appliances Using the CLI  401
    Canceling Outstanding Commands  403

CHAPTER 25: Using Appliance Groups and Command Profiles  405
  Grouping Appliances  405
    Creating and Managing Groups Using the Web UI  406
    Creating and Managing Groups Using the CLI  408
    Adding Appliances to Groups Using the Web UI  410
    Adding Appliances to Groups Using the CLI  410
    Removing Appliances from Groups Using the Web UI  411
    Removing Appliances from Groups Using the CLI  412
  Working with Command Profiles  412
    Creating and Managing Profiles Using the CLI  413
    Adding Commands to Profiles Using the CLI  415
    Removing Commands from Profiles Using the CLI  417
    Applying Profiles Using the CLI  418

CHAPTER 26: Monitoring Aggregated Alert Data  421
  Managing the Distribution of Alert Notifications  421
    Centralized Notifications  421
    Mixed Notifications  422
    Decentralized Notifications  423
  Monitoring Appliances Using the Web UI  424
    Viewing Alerts and Events for Managed NX Series Appliances Using the Web UI  424
    Managing Suppressed Alerts on Managed NX Series Appliances Using the Web UI  425
    Monitoring Malware and Callback Activity for Managed NX Series Appliances Using the Web UI  426
    Viewing Malware Summaries for Managed NX Series Appliances Using the Web UI  426
    Viewing Riskware for Managed Appliances Using the Web UI  426
    Viewing SmartVision Alerts on SmartVision Appliances Using the Web UI  427
    Viewing the Campaigns for Managed CM Appliances Using the Web UI  427
    Managing Quarantined Emails for Managed CM Appliances Using the Web UI  428
    Viewing Email Analysis Results for Managed CM Appliances Using the Web UI  428
    Viewing and Exporting the Results of Processed Emails on a Managed CM Appliance Using the Web UI  429
    Viewing the Messages in the Email Queue on a Managed CM Appliance Using the Web UI  429
    Viewing URL Click Reports for Managed EX Series Appliances Using the Web UI  429
    Viewing Malware Analysis Results for Managed AX Series Appliances Using the Web UI  431
    Managing File Quarantines for Managed FX Series Appliances Using the Web UI  431
    Managing File Alerts for Managed FX Series Appliances Using the Web UI  432
  Monitoring Appliances Using the CLI  432
  NX Series and CM Event Correlation  433
    Reviewing Email Alerts Correlated with Web Events  434
    Reviewing Web Alerts Correlated with Email Events  437
    Enabling Remote CM Appliance Event Correlation  439
  Endpoint Security Event Correlation  440
  Sending Alerts to the Helix Web UI Using the CLI  440

CHAPTER 27: Working with Reports for Managed Appliances  443
  About Reports  443
    Predefined Report Templates  443
    Custom Reports  443
  Customizing Reports for Managed Appliances  444
    Task List for Customizing Reports for Managed Appliances  444
    Creating and Configuring Settings for a Custom Report  445
    Configuring Graphs for Custom Reports  450
    Configuring Tables for Custom Reports  460
    Creating a Custom Report from a Predefined Report Template  471
    Editing and Cloning Reports That Have Been Generated  475
    Sending, Downloading, and Deleting Custom Reports  481
  Generating and Scheduling Reports for Managed Appliances  485
    Generating Reports for Managed Appliances Using the Web UI  485
    Scheduling Reports for Managed Appliances Using the Web UI  486
    Generating and Scheduling Reports for Managed Appliances Using the CLI  487

CHAPTER 28: Checking Status and Health of Managed Appliances  489
  Checking Status and Health of Managed Appliances Using the Web UI  490
    Refreshing the Status Information  491
  Checking Status and Health of Managed Appliances Using the CLI  492
  Defining Status and Health Check Settings for Managed Appliances Using the CLI  496

CHAPTER 29: Updating Managed Appliances  499
  Updating Managed Appliances Using the Web UI  500
  Updating Managed Appliances Using the CLI  503

CHAPTER 30: Configuring Custom IOC Feeds  505
  About Custom IOC Feeds  505
  Task List for Managing Custom IOC Feeds  506
  Enabling or Disabling Custom IOC Feeds  507
    Enabling or Disabling Third-Party IOC Feeds on All Appliances Using the CLI  508
    Enabling or Disabling the Local Feed on All Appliances Using the CLI  509
    Enabling or Disabling Third-Party IOC Feeds on a Specific Appliance Using the CLI  511
    Enabling or Disabling the Local IOC Feed on a Specific Appliance Using the CLI  513
  Creating a Custom Blacklist from Third-Party Feeds  514
  Uploading a Third-Party Feed  516
    Uploading a Third-Party Feed Using the Web UI  516
  Viewing Custom Feed Details  518
    Viewing Custom Feed Details Using the Web UI  519
    Viewing Custom Feed Details Using the CLI  519
    Viewing Custom Feed Details Grouped by Alert Using the Web UI  520
  Deleting Third-Party IOC Feeds Using the Web UI  521
  Downloading a Third-Party Feed Using the Web UI  523

CHAPTER 31: Filtering Alerts Using Tags and Rules  525
  Overview of Filtering Alerts Using Tags and Rules  525
  Task List for Filtering Alerts Using Tags and Rules  525
  Configuring Tags and Values  526
    Adding Tags Using the Web UI  527
    Editing Tags Using the Web UI  528
    Deleting Tags Using the Web UI  529
    Adding Values to a Tag Using the Web UI  530
    Editing Values for a Tag Using the Web UI  531
    Deleting Values From a Tag Using the Web UI  533
  Configuring Rules to Manage Alert Tags  534
    Adding a Rule to Match a Condition for a Particular IP Address Using the Web UI  535
    Adding a Rule to Match a Condition for a Particular VLAN Using the Web UI  537
    Adding a Rule to Match a Condition for a Particular Appliance Using the Web UI  538
    Adding a Rule to Match a Condition for a Particular Product Type Using the Web UI  540
    Adding a Rule to Match a Condition for a Particular Severity Type Using the Web UI  542
    Adding a Rule to Match a Condition for a Particular Email Using the Web UI  543
    Editing a Rule Using the Web UI  545
    Deleting a Rule for an Alert Tag Using the Web UI  547
    Setting or Changing the Priority of Rules Using the Web UI  548
  Viewing Tags for an Alert for Managed Email Security — Server Edition Appliances Using the Web UI  549
  Viewing Tags for an Alert for Managed Network Security Appliances Using the Web UI  550
  Adding Tags to Alerts Manually for Managed Appliances Using the Web UI  550
    Adding a Tag to an Alert for Managed Appliances Using the Web UI  551
    Editing a Tag for an Alert for Managed Appliances Using the Web UI  552
    Deleting a Tag From an Alert for Managed Appliances Using the Web UI  553

PART V: Appendices  555

APPENDIX A: Configuring Secure Shell (SSH) Authentication  557
  About SSH Authentication  557
  User Authentication  558
    Creating a Public Key Using the CLI  559
    Pushing a Public Key Using the CLI  560
    Configuring User Authentication Using the Web UI  562
    Configuring User Authentication Using the CLI  563
  Host-Key Authentication  565
    Obtaining a Host Key Using the Web UI  566
    Obtaining a Host Key Using the CLI  567
    Importing a Host Key into the Global Host-Keys Database Using the Web UI  568
    Importing a Host Key into the Global Host-Keys Database Using the CLI  570
    Enabling Strict and Global Host-Key Checking Using the CLI  572

APPENDIX B: Configuring Network Address Translation (NAT)  575
  About NAT Address Mapping  575
    Port Accessibility for Single-Port Communication  576
    Port Accessibility for Dual-Port Communication  576
    Mappings Used When the Central Management Appliance Initiates the Connection  576
      Central Management Appliance Is Behind a NAT Gateway  577
      Managed Appliance Is Behind a NAT Gateway  578
      Central Management and Managed Appliance Are Behind Different NAT Gateways  579
      Central Management and Managed Appliance Are In an External Network  580
    Mappings Used When the Managed Appliance Initiates the Connection  580
      Central Management Appliance Is Behind a NAT Gateway  581
      Managed Appliance Is Behind a NAT Gateway  582
      Central Management and Managed Appliance Are Behind Different NAT Gateways  582
      Central Management and Managed Appliance Are in External Networks  584
  Adding an Appliance in a NAT Deployment (Using the Central Management Appliance)  584
    Adding an Appliance in a NAT Deployment Using the Central Management CLI  584
  Accepting a Management Request in a NAT Deployment  586
    Accepting a Management Request in a NAT Deployment Using the Central Management Web UI  587
    Accepting a Management Request in a NAT Deployment Using the Central Management CLI  588
  Configuring Global Host-Key Authentication in a NAT Deployment  590

APPENDIX C: Configuring the CM Peer Service  591
  About CM Peer Service  591
  Task List for Configuring the CM Peer Service  592
  Enabling or Disabling the CM Peer Service  593
    Enabling or Disabling the CM Peer Service Using the CLI  594
  Generating and Importing Authentication Tokens Between CM Peers  595
    Generating and Importing Tokens for CM Peers Using the CLI  596
    Importing New Tokens for an Existing CM Peer Using the CLI  598
    Exporting an Existing Token from a CM Peer Using the CLI  599
  Enabling or Disabling All the Features of the CM Peer Service on the Peers  600
    Enabling or Disabling All the Features of the CM Peer Service on the Peers Using the CLI  601
  Deleting a CM Peer Using the CLI  603
  CM Peer Distributed Correlation  603
    Enabling or Disabling CM Peer Distributed Correlation Using the CLI  604
    Viewing CM Peer Distributed Correlation Alerts in the Web UI  606
  CM Peer Signature Sharing  607
    Enabling or Disabling CM Peer Signature Sharing Using the CLI  607
    Viewing the Number of Rules for CM Peer Signature Sharing Using the CLI  609
  Allowing or Preventing a CM Peer to Use a Proxy Server  610
    Allowing or Preventing a CM Peer to Use a Proxy Server Using the CLI  611

APPENDIX D: Monitoring Email Alerts from the Email Security - Cloud Edition  613
  Enabling the ETP Cloud Endpoint Using the CLI  613
  ETP Cloud Aggregation  614
  Solving Connection Issues  615
  Viewing Email Alerts from the ETP Cloud in the Web UI  615

Index  617
Technical Support  625
Documentation  625

PART I: Overview

- About the Central Management Appliance on page 25
- User Interfaces on page 35

CHAPTER 1: About the Central Management Appliance

The FireEye Central Management appliance provides a centralized way to configure, manage, and update groups of connected FireEye security appliances. It serves as both a security event storehouse and central management device for the appliances it manages. This section highlights the primary Central Management appliance features.

Terminology In the User Interface

Some FireEye Network Security components are referred to differently in the user interface. The following table maps the component name to the user interface term.
Product or Component Name          User Interface name
On-Premises MVX Smart Grid         MVX Cluster
  Network Smart Node               Network Security Sensor
  Email Smart Node                 Email Security — Server Edition Sensor
  Content Smart Node               File Security Sensor
  MVX Smart Grid Broker            Broker Node
  MVX Smart Grid Element           Compute Node
Cloud MVX Smart Grid               Cloud MVX
  Network Smart Node               Network Security Sensor
  Email Smart Node                 Email Security — Server Edition Sensor
  Content Smart Node               File Security Sensor
  MVX Smart Grid Broker            Cloud MVX Broker

"Single Pane of Glass"

Rather than using several interfaces for multiple appliances, the Central Management appliance streamlines the workflow by consolidating the functions of all managed appliances into a single interface—all individual or grouped appliances are fully configurable and operational from the Central Management appliance. You can perform the following functions remotely from the Central Management appliance on behalf of its managed appliances:

- Application configuration
- Policy enforcement
- Alert monitoring
- Software image, security content, and guest image updates
- Report generation
- Appliance health monitoring

Alert Management

The Central Management Dashboard provides tables, graphs, and charts that afford instant visibility into malware threats and appliance status. You can drill down to view details and take appropriate action. The pages you access from the Alerts tab in the Central Management Web UI mirror the comprehensive information available on the managed appliances about detected malware. As with the Dashboard, you can drill into this information for deeper forensic analysis.
You can use the following methods to send alerts to notification servers:

- Centralized—Notifications are sent from the Central Management appliance only.
- Mixed—Notifications are sent from both the Central Management appliance and from managed appliances.
- Decentralized—Notifications are sent from managed appliances only.

For details, see Managing the Distribution of Alert Notifications on page 421.

Alerts in Central Management are retained in the CM database as long as they are retained by the connected FireEye appliances. When the data is removed from the databases of connected FireEye appliances, it is removed from Central Management. See the documentation for the connected FireEye appliances for details about their alert retention periods.

Alert Correlation

All results of malware detected by any managed appliance can be monitored by the Central Management appliance. To offer advanced protection against spearphishing attacks and converged threats, the Central Management appliance identifies correlations between email- and Web-based malware events. When characteristics of malware detected by a Network Security appliance are identified in an Email Security — Server Edition event, the Central Management appliance alerts users of a blended attack. For details, see NX Series and CM Event Correlation on page 433.

Signature Distribution

Locally generated malware profiles and detection information can be shared among appliances using the Central Management appliance. Once malware is detected by one blocking appliance, its profile can be uploaded to other appliances in the network to make it easier to identify and protect against that threat in the future.

Submit to Malware Analysis for Deep Forensics

Malware detected by any managed appliance can be submitted from the Central Management Web UI to the Malware Analysis appliance for deeper forensic analysis.
Appliance Groups

You can manage and monitor appliances individually or in groups. By default, a group is created for each product type when an appliance of that type is added to the Central Management appliance. You can create custom groups and add appliances to them as needed. The benefits of appliance groups include:

- Limiting the displayed event data to specific appliances.
- Making the same configuration changes to multiple appliances at one time, instead of individually.
- Organizing appliances in logical groups (for example, based on geographic region or security level) and specifying configuration and policy settings accordingly.

For details, see Grouping Appliances on page 405.

Central Management Deployment

This section describes the supported Central Management deployment scenarios.

Standard Deployment

To manage other FireEye appliances, the Central Management appliance simply needs a connection that allows it to communicate with the managed appliances. This connection can be practically anywhere in the network. The diagram below illustrates the typical deployment of managed appliances and a CM 9400 connected to a typical network device.

Network Address Translation (NAT) Deployment

When the Central Management appliance or the managed appliance is behind a network address translation (NAT) gateway, it has an internal address that cannot be reached. NAT techniques hide the internal address, so requests appear to originate from the NAT gateway instead of the internal network. For details about the required address mapping and the procedures for establishing a connection between the Central Management appliance and the appliances, see Configuring Network Address Translation (NAT) on page 575.
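Whether a CM appliance can reach (or be reached by) a managed appliance depends on the NAT mapping described above, on which side initiates the connection, and on the single-port or dual-port mode the next section describes (SSH port 22 alone, or 22 for management plus HTTPS 443 for the managed appliance's software-update requests). The following is an added example, not FireEye code and not part of this guide: a small preflight audit that checks a firewall rule set for the flows one CM-to-appliance link needs and flags management ports left open that the chosen mode does not use. The rule format, first-match evaluation, and the addresses in the sample are constructed assumptions for illustration.

```python
# Added example (not FireEye code): a preflight audit of the firewall rules on
# the path between a Central Management (CM) appliance and one managed
# appliance. The rule format, the first-match evaluation order and the sample
# addresses are constructed assumptions for this illustration.
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

SSH_PORT = 22     # remote management; in single-port mode DTI requests use it too
HTTPS_PORT = 443  # DTI network service requests in dual-port mode

Flow = Tuple[str, str, int]  # (source address, destination address, TCP port)


@dataclass(frozen=True)
class Rule:
    src: str     # source address, or "any"
    dst: str     # destination address, or "any"
    port: int    # TCP destination port, 0 meaning any port
    action: str  # "allow" or "deny"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.src in ("any", src)
                and self.dst in ("any", dst)
                and self.port in (0, port))


def flow_allowed(rules: Iterable[Rule], src: str, dst: str, port: int) -> bool:
    """First matching rule wins; with no match the flow is denied (assumed semantics)."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action == "allow"
    return False


def required_flows(cm: str, appliance: str, mode: str, initiator: str = "cm") -> Set[Flow]:
    """Flows the link needs for the given port mode and connection initiator.

    mode: "single-port" (SSH only) or "dual-port" (SSH plus HTTPS).
    initiator: "cm" when the CM appliance opens the management connection,
    "appliance" for a client-initiated connection from the managed appliance.
    In a NAT deployment pass the translated address of the side being reached,
    because that is the address the firewall evaluates.
    """
    if mode not in ("single-port", "dual-port"):
        raise ValueError(f"unknown port mode: {mode!r}")
    if initiator == "cm":
        flows = {(cm, appliance, SSH_PORT)}
    elif initiator == "appliance":
        flows = {(appliance, cm, SSH_PORT)}
    else:
        raise ValueError(f"unknown initiator: {initiator!r}")
    if mode == "dual-port":
        # Software-update requests travel from the managed appliance to the CM.
        flows.add((appliance, cm, HTTPS_PORT))
    return flows


def audit_link(rules: Iterable[Rule], cm: str, appliance: str,
               mode: str, initiator: str = "cm") -> Dict[str, Set[Flow]]:
    """Report required flows that the rules block ("missing") and management
    flows the rules permit although this mode does not need them ("extra")."""
    rules = list(rules)
    required = required_flows(cm, appliance, mode, initiator)
    # Every flow either mode could use, in either direction, is a candidate,
    # so that an opening left over from another mode is reported as extra.
    candidates = (required_flows(cm, appliance, "dual-port", "cm")
                  | required_flows(cm, appliance, "dual-port", "appliance"))
    open_flows = {f for f in candidates if flow_allowed(rules, *f)}
    return {"missing": required - open_flows, "extra": open_flows - required}


# Constructed sample: CM-initiated management plus an HTTPS opening for updates,
# followed by a default deny. The addresses are placeholders, not real hosts.
CM_ADDR = "10.0.0.5"
APPLIANCE_ADDR = "10.0.1.20"
SAMPLE_RULES = [
    Rule(CM_ADDR, APPLIANCE_ADDR, SSH_PORT, "allow"),
    Rule(APPLIANCE_ADDR, CM_ADDR, HTTPS_PORT, "allow"),
    Rule("any", "any", 0, "deny"),
]

if __name__ == "__main__":
    for mode in ("single-port", "dual-port"):
        result = audit_link(SAMPLE_RULES, CM_ADDR, APPLIANCE_ADDR, mode)
        print(f"{mode}: missing={sorted(result['missing'])} extra={sorted(result['extra'])}")
```

Run against the sample rules, the audit reports nothing missing for dual-port mode, and for single-port mode reports the HTTPS opening toward the CM as an unneeded exposure; switching the initiator to the managed appliance shows the SSH rule pointing the wrong way. The point of the candidate set is that a rule set carried over from a different mode, or from before a NAT gateway was introduced, is caught as extra rather than silently accepted.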
Single-Port Deployment

By default, the Central Management appliance and a managed appliance use a single port (the SSH port, 22 by default) for the following types of communication:

- Remote management—Initiates the connection and configures the managed appliance.
- DTI network service—Requests software updates (such as guest images, security content, and system images) from the DTI network.

The single-port configuration reduces the complexity of firewall rules, and provides an additional layer of security and privacy between the Central Management appliance and the appliances it manages. In environments in which the Central Management appliance is behind a Network Address Translation (NAT) gateway, using a single port also eliminates the need to open an additional HTTPS port (443) for the managed appliance to request software updates from the Central Management appliance. (For details about NAT deployment, see Configuring Network Address Translation (NAT) on page 575.)

You can instead configure the dual-port address type, in which the management traffic uses the SSH port (22) and the DTI network service traffic uses the HTTPS port (443). If you change the configuration on an appliance that was already added to the Central Management appliance using a client-initiated connection, that managed appliance will be briefly disconnected and then reconnected using the new configuration.

NOTE: Single- and dual-port communication is configured on the managed appliance, not on the Central Management appliance. For details, see the System Administration Guide or Administration Guide for the managed appliance.

High Availability (HA) Deployment

With Central Management high availability (HA), you can cluster two Central Management appliances for failover. The primary Central Management appliance (or node) is available continuously. If the primary node fails, your entire configuration fails over automatically to the secondary node; the secondary node then becomes the primary appliance. Central Management HA can be configured for high availability in local area network (LAN) environments and for disaster recovery in wide area network (WAN) environments.

The following configurations fail over to the secondary node:

- Security content
- Software updates
- Aggregated FireEye database information
- Central Management management configuration (except interface, licensing, and host-specific configurations)

IMPORTANT! Network address translation (NAT) is not supported in Central Management HA deployments. Client-initiated connections are only supported in a Central Management HA LAN deployment with a configured VIP address. Central Management HA is not supported on all virtual CM models. See Limitations on page 87.

For details about Central Management HA deployment, see the Central Management High Availability Guide.

FireEye Network Security (MVX Cluster) Deployment

A standard (or integrated) appliance performs both monitoring and analysis. FireEye Network Security separates these two functions. Network Security appliances that function as sensors extract objects and URLs from the traffic they monitor, and send submissions to an MVX cluster for inspection and analysis. The sensors generate alerts based on the analysis results. The sensors can be standalone or managed appliances. The same Central Management appliance can manage both sensors and integrated appliances.

- On-Premises Deployment—The MVX cluster components (VX Series appliances that function as brokers or compute nodes) must be managed by the same Central Management appliance. Although the brokers and compute nodes only need reliable IP connectivity, FireEye recommends that they be deployed on the same LAN. The MVX cluster, the sensors, and the Central Management appliance can be in different physical locations. However, FireEye does not recommend transcontinental deployments due to throughput, reliability, and latency issues.
- Cloud Deployment—The MVX cluster components are hosted in the FireEye public cloud. The sensors send submissions to the cloud broker.

For details, see the MVX Smart Grid Deployment Guide and the Cloud MVX Deployment Guide.

Split DTI Traffic Deployment

By default, both management and DTI traffic use the ether1 network interface, which needs Internet access for DTI network downloads and uploads. For security, you might want to isolate the management traffic by streaming it from an out-of-band network interface with no Internet access. For details, see DTI Traffic and Management Traffic on page 212.

IMPORTANT! Splitting DTI traffic is not currently supported in Central Management HA deployments.

Management Path

CM appliances can download security content and software updates from the FireEye Dynamic Threat Intelligence (DTI) network. With a two-way content license, the appliance can also upload threat intelligence information to the DTI network.

Central Management Appliances That Receive DTI Updates

The Central Management appliance and standalone appliances use the ether1 port to communicate with the DTI network. In the default configuration, where you receive updates from the DTI network (cloud.fireeye.com), allow outbound access to all IP addresses on the following ports:

- DNS (UDP/53)
- HTTPS (TCP/443)

Management interface ether1 requires a static IP address or reserved DHCP address and subnet mask.

Environments That Restrict Outbound Access to Certain IP Addresses

If your security policy requires that you restrict outbound access to certain IP addresses, you cannot use the DTI network. Instead, point to staticcloud.fireeye.com for DTI updates, and allow access to the *incapdns.net domain.
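The port and address requirements from Single-Port Deployment and Management Path above, together with the 199.16.196.0/22 block listed in the staticcloud.fireeye.com procedure that follows, as a small Python checker. This is an added example, not FireEye tooling: the Rule model, the flow labels, the sample policy and the constructed addresses are assumptions, as is treating DNS (UDP/53) as still required in the restricted mode.

```python
"""Derive and check the firewall rules a CM deployment needs.

Added example, not FireEye code. It encodes the requirements this chapter
states: tcp/22 between the CM appliance and each managed appliance (plus
tcp/443 when the managed appliance uses the dual-port address type), and the
ether1 egress needed for DTI updates: udp/53 and tcp/443 to any address by
default, or tcp/443 to 199.16.196.0/22 when staticcloud.fireeye.com is the
DTI source. The Rule model, flow labels and sample policy are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
# Address block the chapter says to allow when using staticcloud.fireeye.com.
STATICCLOUD_BLOCK = ip_network("199.16.196.0/22")

# Constructed flow labels: which pair of hosts a rule applies to.
CM_MANAGED = "cm<->managed-appliance"
CM_EGRESS = "cm-ether1->internet"


@dataclass(frozen=True)
class Rule:
    flow: str
    proto: str              # "tcp" or "udp"
    port: int
    dst: IPv4Network = ANY  # destination addresses the rule permits

    def covers(self, needed: "Rule") -> bool:
        """True if this policy rule permits everything `needed` requires."""
        return (self.flow == needed.flow and self.proto == needed.proto
                and self.port == needed.port and needed.dst.subnet_of(self.dst))


def required_rules(dual_port: bool = False, restricted_egress: bool = False,
                   ha: bool = False, nat: bool = False) -> list:
    """Return the allow rules the chapter requires for these deployment options.

    dual_port          managed appliance uses the dual-port address type (22 + 443)
    restricted_egress  policy forbids outbound access to arbitrary addresses, so
                       DTI updates are taken from staticcloud.fireeye.com
    ha, nat            rejected in combination: NAT is not supported with CM HA
    """
    if ha and nat:
        raise ValueError("NAT is not supported in Central Management HA deployments")
    rules = [Rule(CM_MANAGED, "tcp", 22)]           # single-port management + DTI service
    if dual_port:
        rules.append(Rule(CM_MANAGED, "tcp", 443))  # DTI network service on HTTPS
    # Assumption: DNS is still needed to resolve the DTI hostname in either mode.
    rules.append(Rule(CM_EGRESS, "udp", 53))
    if restricted_egress:
        rules.append(Rule(CM_EGRESS, "tcp", 443, STATICCLOUD_BLOCK))
    else:
        rules.append(Rule(CM_EGRESS, "tcp", 443))   # cloud.fireeye.com, any address
    return rules


def missing_rules(policy, required) -> list:
    """Required rules that no rule in the existing policy covers."""
    return [r for r in required if not any(p.covers(r) for p in policy)]


def egress_permitted(policy, address: str, proto: str = "tcp", port: int = 443) -> bool:
    """Would the CM ether1 egress policy allow a connection to `address`?

    Use it to check the addresses a DTI hostname currently resolves to against
    a restricted egress policy before an update window.
    """
    ip = ip_address(address)
    return any(p.flow == CM_EGRESS and p.proto == proto and p.port == port
               and ip in p.dst for p in policy)


# Constructed sample: a restricted egress policy for a single-port deployment.
SAMPLE_POLICY = [
    Rule(CM_MANAGED, "tcp", 22),
    Rule(CM_EGRESS, "udp", 53),
    Rule(CM_EGRESS, "tcp", 443, STATICCLOUD_BLOCK),
]

if __name__ == "__main__":
    # Constructed resolved addresses, not real lookups.
    for addr in ("199.16.197.10", "203.0.113.5"):
        print(addr, "permitted" if egress_permitted(SAMPLE_POLICY, addr) else "blocked")
    for r in missing_rules(SAMPLE_POLICY, required_rules(dual_port=True)):
        print("missing:", r)
```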
For appliances that get threat intelligence from the DTI cloud, you need to enable access to the Amazon Web Services (AWS) cloud for ATI communication. The intel context service is hosted in multiple AWS regions and resolves to multiple IP addresses based on geographic location.

To configure and access staticcloud.fireeye.com:

1. Enable CLI configuration mode.
   hostname > enable
   hostname # configure terminal
2. Enter the following command from the appliance CLI:
   hostname (config) # fenet dti source default DTI
3. Save your configuration.
   hostname (config) # write mem
4. Add the following block of IP addresses to the firewall:
   - 199.16.196.0/22

To allow access to *incapdns.net:

1. Add the block of IP addresses found at https://incapsula.zendesk.com/hc/enus/articles/200627570-Restricting-direct-access-to-your-website-Incapsula-s-IPaddresses- to the firewall.
2. Allow access to the *.incapdns.net domain at the proxy device.

To allow access to the AWS cloud for threat intelligence:

1. Go to https://dnschecker.org/#A/context.fireeye.com to determine the IP addresses for your location.
2. See the AWS IP address range documentation for information about whitelisting the IP addresses.

CM Appliances with Domain-based Proxy ACL Rules

If your configuration includes domain-based proxy ACL rules, allow access to *.fireeye.com.

Integrated CM Communications Protocol and Port Configurations

Establish SSH connectivity between the Central Management appliance and each managed appliance. For details about port and protocol configuration, see the CM Hardware Administration Guide.

FIPS 140-2 and Common Criteria Compliance

Use the Compliance Settings page to configure compliance features on the CM appliance. You can instead use the following CLI commands to configure compliance features on the appliance:

- compliance apply standard
- compliance declassify zeroize
- compliance options
- show compliance
- show compliance options
- show compliance standard

For details, see the FIPS 140-2 and Common Criteria Addendum and the CLI Command Reference.

CHAPTER 2: User Interfaces

This section covers the following information:

- Overview of CM User Interfaces on the next page
- The CM Appliance Web UI on page 37
- The CM Appliance Command-Line Interface on page 56
- The CM Appliance IPMI Interface on page 60
- The CM Appliance LCD Display on page 57

Overview of CM User Interfaces

FireEye Helix enables you to access all of your FireEye on-premises and Cloud-based services from a single view. The CM appliance has the following user interfaces:

- Web UI—A Web-based UI used to configure and manage the appliance and the appliances it manages. This is described in The CM Appliance Web UI on the facing page. The appliance Web UI includes a Dashboard, described in The Central Management Appliance Dashboard on page 39.
- CLI—A command-line interface used to configure and manage the CM appliance. To access the appliance CLI, see The CM Appliance Command-Line Interface on page 56.
- LCD Display—The LCD display and associated controls (available on some appliance models) can be used to initially set up the CM appliance. It can also be used to check system status and make certain configuration changes. This is described in The CM Appliance LCD Display on page 57.
- IPMI Interface—The IPMI interface enables you to access the CM appliance over the network and perform recovery activities even if the system is powered down or otherwise unresponsive. This is described in The CM Appliance IPMI Interface on page 60.

Two user interfaces that are external to the CM appliance pertain to using the CM appliance in a FireEye Helix environment:

- FireEye Helix Web UI―An interface that provides a single view of alerts from all the Helix appliances in your network. For more information, see the Helix User Guide.
- FireEye Cloud IAM Web UI―An interface to the Cloud IAM server. It is used primarily by your IAM organization administrator (a user account that FireEye provides for you along with your IAM organization). The administrator creates FireEye Cloud accounts for users and applies role-based and rule-based access controls. This is described in "FireEye Cloud IAM User Accounts" in the System Security Guide. The owners of these user accounts can also log in to the FireEye Cloud IAM Web UI. Their access privileges in the FireEye Cloud IAM Web UI are generally limited to updating their account preferences and changing their passwords. This is described in "Your FireEye Cloud IAM User Account" in the System Security Guide.

Access to the FireEye Cloud IAM Web UI is necessary for you to configure support for single sign-on (SSO) authentication. When SSO authentication is enabled and Helix mode is enabled on FireEye appliances, users can sign in once to authenticate to their FireEye Cloud Account and then navigate among the components without having to log in locally to each appliance. This is described in "Single Sign-On Authentication" in the System Security Guide.

Do not change the password for the permanent api_analyst user account on the Endpoint Security server. Doing so could break the connection between the Endpoint Security server and Helix. If you need API connectivity between the Endpoint Security server and a third-party product, add another user account with the api_analyst role.

The CM Appliance Web UI

The CM appliance Web UI uses HTTPS to provide a secure connection for configuring the appliance. The Web UI functions you have access to depend on the privileges granted by your role.

You access the CM appliance Web UI by directing a browser to the management port's IP address or hostname using HTTPS. The IP address and hostname are set during the initial configuration of the appliance. The hostname must be resolved by a DNS server if you use it to access the Web UI.

The Helix CM appliance Web UI includes controls for logging in and out using local, appliance-specific credentials. The Web UI also indicates whether Helix mode is enabled and whether alerts are Helix alerts. For details, see the Helix User Guide.

Browser Support

Use one of the following browsers to access the CM appliance Web UI:

- Internet Explorer 11.0 or higher and Microsoft Edge on supported versions of Windows
- Firefox 15 or higher on supported versions of Windows and Mac
- Google Chrome 13.0 or higher on supported versions of Windows and Mac

Screen Resolution Requirements

The CM appliance Web UI supports the following screen resolutions (in pixels):

- 1152 x 864
- 1280 x 800
- 1280 x 1024
- 1360 x 768
- 1366 x 768
- 1440 x 900
- 1600 x 900
- 1680 x 1050
- 1920 x 1080
- 1920 x 1200

Logging In Locally to the Helix Appliance Web UI

To log in locally to the Helix CM appliance Web UI, you need the appliance IP address or hostname, and you need the local username and password that the appliance administrator created for you.
Prerequisites

- Before the default Admin user can log in to the appliance Web UI and create other user accounts, the manufacturing default password (admin) must be changed to a new password that is 8 to 32 characters long. This step is included in Initial Configuration on page 73.

To log in locally to the Helix CM appliance Web UI:

1. Open a Web browser and enter https://<appliance> in the address line, where appliance is the IP address or hostname of the appliance. For example, if the configured IP address of the appliance is 10.1.0.1, enter https://10.1.0.1.
2. In the appliance Web UI login page, enter the local user name and password for this appliance as provided by your administrator.

Notifications of Appliance Health Problems

The bell at the top right of the Web UI indicates the number of appliance health issues that need to be addressed. When you click the bell, the notifications are displayed with links to the relevant Web UI pages. The bell is not displayed when there are no notifications. The following illustration indicates that one issue needs to be addressed.

The Central Management Appliance Dashboard

The CMS Dashboard page of the Central Management Web UI provides a high-level view of the threat intelligence gathered by the appliances it manages. Within many panels on the Dashboard, you can click blue buttons and text links to drill down to critical threat information affecting your network. The following example is a partial view of the Central Management Dashboard:

If an appliance needs your attention, a notification bell is displayed at the top right corner of the Dashboard and all other Web UI pages. Click the bell to open a window that lists the messages. Some messages include a link to the relevant Central Management Web UI page. (For details, see Notifications of Appliance Health Problems above.) For example:

- This message indicates that at least one appliance needs to be updated to be compatible with this Central Management appliance version. Clicking the button opens the Sensor Updates page, where the managed appliance can be updated.
- This message indicates that at least one node in an MVX cluster needs to be updated or has some other issue that needs your attention. Clicking this link opens the Appliances > Nodes page.
- This message indicates that an appliance sent a request to be managed by this Central Management appliance. The button opens the Connection Requests dialog box, where the request can be accepted or rejected.
- This message indicates that a problem prevents at least one appliance from being managed properly. Clicking the button opens the Sensors page, where you can refresh the status, or reset the connection after the underlying problem is resolved.
- This message includes a link that opens a dialog box with options for sending additional information to FireEye for analysis to increase detection rates. For more information, see Allowing Increased Detection for Managed Appliances Using the Web UI on page 395.
- This message includes a link for enabling Advanced URL Defense on qualified Email Security — Server Edition appliances. For more information, see Enabling Advanced URL Defense on Managed CM Appliances Using the Web UI on page 396.

Only those panels that pertain to the types of appliances under management are included. Some panels of the Dashboard do not appear if the information is not relevant to the configuration of those appliances. By default, information about all managed appliances is displayed on the Dashboard. You can filter the display by selecting an appliance group or a specific appliance from the menus at the top of the page.
A label at the top of each panel identifies the appliance type to which the information pertains.

NOTE: The Dashboards of managed appliances running releases earlier than 7.5.0 may show slightly different numbers from the Central Management appliance Dashboard. Enhancements have been made to the way the Central Management appliance aggregates data from managed appliances. However, there is still a chance of discrepancies, even when the appliances are running the same release as the Central Management appliance. These discrepancies could be due to the time delay to complete full aggregation of statistics on the Central Management appliance from the managed appliances. Discrepancies could also be due to the correlation of malicious URL events from a managed Network Security appliance with malicious email events on an Email Security — Server Edition appliance managed by the same Central Management appliance.

You can control the display of the Dashboard or panels by clicking the following menus and icons (the Panel Control Icon column of the original table is an image; the Description entries follow):

- In the main view of the Dashboard, use this menu to select the appliance group for which the Dashboard displays information, or to show information about all managed groups.
- In the main view of the Dashboard, use this menu to select the appliance for which the Dashboard displays information, or to show information about all managed appliances or all appliances in a selected group. When the selected group is an MVX cluster, the VX Series appliances (nodes) are the only selections.
- In the main view of the Dashboard, click this icon to select the print-to-PDF processing time and initiate printing of the current Dashboard contents.
- In the main view of the Dashboard, click this icon to maximize the display of a panel.
- In a panel with the maximized display, click this icon to minimize the display and restore the main (full) view of the Dashboard.
- In any Dashboard panel, click this icon to reload the displayed data.
- In any Dashboard panel that displays these buttons, select the period of time for which the panel displays information. The default is Day.
- In the Top Malware By Host and Activity panel for a managed Network Security appliance, filter the displayed data:
  - Hosts—(Default) Display malware counts by host.
  - Activities—Display malware counts by threat activities that have occurred.
- In the Top Email Domains By Sender, Recipient, URL panel for a managed Email Security — Server Edition appliance, filter the displayed data:
  - Sender—Display email counts for the five domains that sent the most emails.
  - Recipient—Display email counts for the five email addresses that received the most malicious emails.
  - URL—Display email counts for the five malicious URLs that were most frequently seen in emails.
- In the What's Happening and Critical Malware Detection panels for a managed Network Security appliance, use this button to control whether the displayed data includes or excludes acknowledged alerts.
- If a table in a panel has more than five rows, click these buttons to view the other rows.
- In some panels, click icons like these to control whether the displayed data includes or excludes certain information. For example, the data for .xls files will not be shown in this Top Scanned File Types panel.
- In some panels, click icons like these to navigate to the relevant Web UI page. For example, clicking these icons on the Cloud Detection panel will open the Alerts > Alerts page.
- In some What's Happening and Summary panels, click links like this to navigate to the relevant Web UI page. For example:
  - Clicking the Files infected link will open the File Analysis page for a managed File Security appliance.
  - Clicking the Malicious Attachments link will open the Email Alerts page for a managed Email Security — Server Edition appliance.
  - Clicking the Cluster-Acme link will open the Appliances > Clusters page for a managed MVX cluster.
- In the Cluster Utilization graph, pause on a graph point to open a tooltip that shows the MVX cluster utilization at that date and time.
- In the Submission Statistics graph, pause on a graph point to open a tooltip that shows the MVX cluster submission statistics at that date and time.

What's Happening

The What's Happening panel displays the total number of alerts and events for its managed appliances in common categories (such as APT Attacks and Not Seen Before), and in categories that are specific to each type of appliance. The right side of the panel provides appliance summary information if a group, All Groups, or All Appliances is selected. In the following example, all appliances are being shown. If a group were selected, the Showing field would show the number of appliances in that group.

The right side of the panel provides appliance detail information if a specific appliance is selected. If none of the categories is represented or if no data is available for the selected appliances and time period, the left side of the panel is empty.

Central Management Service Health Statistics Trend

This panel plots the trend of the system health statistics for the Central Management appliance by day, week, or month.

MVX Cluster Dashboard Panels

This section contains examples of MVX cluster Dashboard panels. For details, see the MVX Smart Grid Administration Guide.
The following example is a partial view of the MVX cluster panels on the Dashboard:

NOTE: This section describes the Dashboard panels for the MVX cluster and individual nodes (VX Series appliances). The Dashboard panels for sensors (Network Security appliances that send submissions to an MVX cluster) are the same as the panels for integrated Network Security appliances, and are described in the Network Security User Guide.

Summary Panels

The Central Management Dashboard includes summary information for clusters, for the "VX" group, and for individual VX Series appliances (nodes).

This Summary panel example for a cluster shows information about the overall cluster health and status. It includes the total number of nodes and sensors, and the number of nodes that are brokers, ready to be brokers (because their submission and cluster interfaces are configured), and not ready to be brokers (because those interfaces are not configured).

This Summary panel example for the VX group shows the number of available nodes (VX Series appliances connected to the Central Management platform but not in a cluster), the number of nodes that are in a cluster, the number of nodes that are ready to be a broker, and the number of nodes that are not ready to be a broker.

This Summary panel example for the vx-1 node shows the connection and health status of the node, and the cluster the node belongs to.

Cluster Utilization Panel

This Cluster Utilization panel example shows utilization and submission statistics for an MVX cluster.

NX Series Dashboard Panels

This section contains examples of NX Series Dashboard panels. For details, see the NX Series User Guide or IPS Feature Guide.

What's Happening

This is an example of the What's Happening panel for a managed IPS-enabled Network Security appliance.

Callback Events, Critical Malware Detection, Threat Attacks

These panel examples show callback data ranked in order of the most infected subnets in your network, malicious infections uniquely detected by FireEye, and threat attacks most detected in your network.

IMPORTANT! The Critical Malware Detection panel displays information for the past 24 hours.

Top 25 Infected Subnets

These panel examples show the 25 subnets in your network with the most infections, the number of unique malware events, and the number of infected hosts.

Top Malware By Host and Activity

This panel example shows malware infections based on the amount of activity in your network.

Daily Monitored Traffic (Mbps)

This panel example shows the monitored traffic, measured in megabits per second, for the past 24 hours.

IPS Trend

This panel example plots the number of IPS alerts and IPS critical events.

Email Security — Server Edition Dashboard Panels

This section contains examples of Email Security — Server Edition dashboard panels. For details, see the CM User Guide.

What's Happening

This is an example of the What's Happening panel for a managed Email Security — Server Edition appliance.

Email Campaign Trend

This panel example shows the total number of infected emails that are part of a campaign based on similar characteristics, such as the attachment name, subject, or sender observed. The chart shows the total number of infected emails that are associated with each campaign that received malicious emails during the selected time period. When the Central Management appliance manages multiple Email Security — Server Edition appliances, the campaigns that contain the same name are combined in the Email Campaign Trend panel on the Central Management Dashboard. The campaigns associated with the same name might be different campaigns.

Top Email Domains By Sender, Recipient, URL

This panel example shows total email counts filtered by the five domains that sent the most emails, the five email addresses that received the most malicious emails, or the five malicious URLs that were most frequently seen in emails.

Email Infection Trend

This panel example shows the total number of infected emails, attachments, URLs, and headers that have been observed on the monitored network.

Email Statistics Trend

This panel shows the total number of scanned emails, URLs, attachments, deferred emails, and bypassed emails that have been observed on the monitored network. This panel will not display statistics for any category in which the count is zero.

FX Series Dashboard Panels

This section contains examples of File Security dashboard panels. For details, see the FX Series User Guide.

What's Happening

This is an example of the What's Happening panel for a managed File Security appliance.

Top Scanned File Types

This panel example shows the number and type of the top five file formats found and analyzed.

Top Infected File Types

This panel example shows the top five types of files found to be infected.

Files Analyzed

This panel example shows the number of analyzed files.

AX Series Dashboard Panel

This is an example of the What's Happening panel for a managed AX Series appliance. There are no other AX Series dashboard panels displayed on the Central Management dashboard. For details, see the AX Series User Guide.

HX Series Dashboard Panel

This is an example of the What's Happening information for a managed HX Series appliance. There are no other HX Series dashboard panels displayed on the Central Management dashboard.
For details, see the HX Series User Guide.

Central Management Web UI Tabs

This section describes the Central Management Web UI tabs. The following illustration shows the tabs on a Central Management appliance that manages one or more Email Security — Server Edition and Network Security appliances.

- Dashboard—Provides a high-level view of the threat intelligence gathered by the appliances the Central Management appliance manages.
- Appliances—Displays information about all currently managed appliances, and allows you to add or remove appliances, configure connection parameters, configure appliance groups, import host keys for global host-key authentication, and update managed appliances.
- Alerts—Displays aggregated alert, detection, and quarantine information.
- IPS—Displays information about Integrated Intrusion Prevention System (IPS) events and alerts, and allows IPS configuration and setting of policy exceptions and custom rules.
- Search Emails—Allows you to search for all emails the Central Management appliance processed, and to view and manage the emails that are being processed or in queue to be processed.
- Settings—Provides options for configuring system administration and policy settings for the Central Management appliance and its managed appliances.
- Reports—Allows you to generate and schedule reports in various formats on behalf of managed appliances.
- About—Provides access to the following pages:
  - Summary—Displays system information, such as software version and Security Contents version. See Viewing System Health and Performance Check Results on page 265.
  - Supported Features—Displays features available for the appliance and whether they are enabled or disabled. See Supported Features on page 293.
  - Health Check—Provides comprehensive and current system status information such as software version, patch version, content version, MVX engine version, DTI connection, and configured interfaces. This page also provides an Appliance Health link, which takes you to the page where you can view the health status of managed appliances. See System Health and Performance on page 265.
  - Log Manager—Allows you to manage system logs. See Log Management on page 233.
  - Upgrade—Allows you to update software for the Central Management appliance, and provides an Upgrade Appliances link, which takes you to the page where you can update software and guest images for managed appliances. See Upgrading the FireEye Software on page 219.

Other tabs are displayed depending on the appliances the Central Management appliance is currently managing. For example, the Alerts tab displays aggregated alert and detection statistics from managed appliances, the Search Emails tab allows you to search for processed and queued emails on a managed Email Security — Server Edition appliance, and so on.

PDF Generation

Some Web UI pages, such as those that display analysis results, have a Print PDF button at the top right side of the page that allows you to save the content of the page to PDF so it can be printed or saved. Only the content that is visible on the page is included in the PDF output. For example, if an item on the page is not expanded, the details about that item are not displayed and will not be included in the PDF output. Depending on your Web browser settings, the generated PDF opens in the Web browser or is downloaded to your computer. The amount of time needed to generate the PDF depends on the current load on the system. By default, the system will try to generate the PDF using Standard Processing Time, the fastest way possible.
If the PDF generation times out, you can try again using other options by clicking the arrow on the button and then selecting Extra Processing Time or Heavy Processing Time, where heavy processing time takes the longest.

The CM Appliance Command-Line Interface

The CM appliance includes a standard command-line interface (CLI) that can be used to configure, manage, and monitor the CM system, including its managed appliances.

To log in to the CLI using a terminal window or SSH client:

1. Using the SSH protocol, log in to the appliance using the management interface's IP address or hostname:

   $ ssh <username>@<ipAddress> | <hostName>

   where ipAddress specifies the IPv4 or IPv6 address of the management interface.

2. When prompted, enter your password:

   Password: <password>

   The hostname > prompt is displayed after you are logged in.

The CM Appliance LCD Display

An LCD panel is available on the front of some appliance models. You can perform the initial configuration of the appliance using the LCD panel, as described in Configuring Initial Settings Using the LCD Panel on page 81. You can use the LCD panel to perform other basic configuration tasks as well.

Navigating the LCD Menus

The following illustration of the LCD panel shows how to use the navigation buttons to configure settings. For details about the menus, see LCD Menu on page 60.

On some models, you need to remove the front panel to access the LCD panel navigation buttons.

To remove the front panel:

1. Unscrew the front panel to unlatch it.
2. Remove the front panel.

LCD Panel Menus

The LCD panel has four menus: Network Menu below, Config Options Menu on the facing page, LCD Menu on page 60, and Restart Options Menu on page 60. See Navigating the LCD Menus on the previous page for information about moving through the menus and selecting options.
Network Menu

The following table provides information about the Network menu.

Hostname
    Hostname for the appliance.
DHCP enabled
    Enter "yes" to use DHCP on the ether1 (management interface) port. Enter "no" to manually configure your IP address and network settings.
Static IP address
    This prompt is available if DHCP is disabled. Enter the IP address for the ether1 (management interface) port.
Netmask
    This prompt is available if DHCP is disabled. Enter the network mask.
Default gateway
    This prompt is available if DHCP is disabled. Enter the gateway IP address for the management interface.
Primary DNS
    This prompt is available if DHCP is disabled. Enter the primary DNS server IP address.
Domain name
    This prompt is available if DHCP is disabled. Enter the domain name for the management interface; for example, it.acme.com.
IPv6 enabled
    Enter "yes" to enable the IPv6 protocol, which changes the network IP routing from IPv4 to IPv6.
SLAAC enabled
    This prompt is available if IPv6 is enabled. Enter "yes" to enable IPv6 autoconfig on the ether1 (management interface) port. Enter "no" to disable IPv6 autoconfig on the ether1 (management interface) port.
Admin net login
    Enter "yes" to enable the administrator to log in to the appliance remotely. Enter "no" to disable remote access.

Config Options Menu

The following table provides information about the Config Options menu.

Save settings
    Saves changes made during a session so they will persist after a reboot.
Revert to factory defaults
    Reverts the appliance to its factory default settings, which include the user name and password, and network configuration information.
Reset admin password
    Resets the admin password for accessing the appliance itself. (This does not set the password for accessing the LCD panel.)
    The new password is randomly generated. The LCD will display the password. When you have memorized it, press a button to move to the next prompt or menu. You can change to a password of your choice using the appliance CLI or Web UI after the basic configuration is complete.

LCD Menu

The following table provides information about the LCD menu.

Password
    Sets a password for LCD panel access. (This does not set the password for accessing the appliance.)
Brightness
    Sets the LCD panel's level of brightness from 0 to 9, with 9 being the brightest.
Contrast
    Sets the LCD panel's level of contrast between the background and text from 0 to 9, with 9 being the highest contrast.

Restart Options Menu

The following table provides information about the Restart Options menu.

Reboot system
    Restarts the system.
Halt system
    Brings the system down to its lowest state while remaining on.
Next boot loc
    Specifies the disk partition (1 or 2) to boot from during the next reboot.

The CM Appliance IPMI Interface

IMPORTANT: The IPMI interface port is only enabled in CM Release 8.2.0 or later and IPMI firmware version 2.07 or earlier.

The FireEye Intelligent Platform Management Interface (IPMI) allows you to perform the following tasks remotely from a Web browser:

- Cycle the power on your appliance when it is unresponsive.

  NOTE: The IPMI is active even if the appliance was powered down from the appliance CLI or from the power button on the front panel, as long as the main power is on.

- Reset the server.
- Access the serial console when the management interface is unavailable or unresponsive.
- Check the status of server sensors.

For IPMI interface configuration details, see Configuring the IPMI Interface on page 82.

The IPMI interface uses a network connection to the IPMI port of the appliance and is accessed through a secure Web browser session.
(The standard IPMI interface allows connections using third-party tools such as Supermicro's IPMI View; however, all such external access to the IPMI interface from the appliance is disabled.)

IMPORTANT! The IPMI remote control cannot perform a graceful power down of the appliance.

IPMI Browser Support

Use one of the following Web browsers to access the Web UI:

- Internet Explorer 11.0 or higher and Microsoft Edge on supported versions of Windows
- Google Chrome 13.0 or higher on supported versions of Windows and Macintosh

IMPORTANT! Do not use Firefox to access the IPMI port. The Firefox browser interprets a regenerated HTTPS certificate as a possible attack, and it generates an Invalid Certificate Error code ("sec_error_reused_issuer_and_serial"). Instead of completing the connection, Firefox displays a "Secure Connection Failed" page.

Logging In to the IPMI Interface

This procedure describes how to log in to the CM appliance IPMI interface from a Web browser.

Prerequisites

- The 100BASE-T IPMI port on the rear of the appliance is cabled and configured as described in Configuring the IPMI Interface on page 82.
- The IP address that was configured for the IPMI port is known.
- You are using a Web browser listed in IPMI Browser Support on the previous page.

To log in to the IPMI interface:

1. Using a Web browser, access the IPMI port through a secure Web browser session. In the browser address bar, enter https:// followed by the IP address of the IPMI port.
2. Log in to the IPMI Web UI using ADMIN as the username and the password that was configured for the IPMI user.

Power Cycling and Resetting the Device

This procedure describes how to use the IPMI interface to power cycle the CM appliance.

Prerequisites

- You are logged in to the appliance IPMI.

To cycle power or reset the server:

1. Click the Remote Control tab.
2. Click Power Control in the sidebar.
3. Select the option you need:
   - Reset Server
   - Power Off Server – Immediate
   - Power Off Server – Orderly Shutdown
   - Power On Server
   - Power Cycle Server
4. Click Perform Action.

Accessing the Device Serial Console

This procedure describes how to use the IPMI interface to access the CM appliance through a serial console.

IMPORTANT! Use the IPMI Web UI to access the compute node serial console only during a power or system reset or when the system is not otherwise responding on the management interface.

Prerequisites

- You are logged in to the appliance IPMI.
- The appliance is not using its management interface.

To access the serial console:

IMPORTANT! Use the IPMI Web UI to access the serial console only during a power or system reset or when the system is not otherwise responding on the management interface.

1. Click the Remote Control tab.
2. Click Console Redirection in the sidebar.
3. Click Launch Console. You might be prompted to install a Java program to launch the console, which could require changes to your Java security settings. If your security policy does not allow this, and if your appliance uses a recent IPMI firmware version, you can instead open ports on the firewall. To view the installed and available firmware versions, click System and then System Information, or follow the instructions in IPMI Firmware Updates on page 203.

Checking the Status of Device Sensors

This procedure describes how to use the IPMI interface to check the status of the CM appliance sensors.

Prerequisites

- You are logged in to the appliance IPMI.

To check the status of server sensors:

1. Click the Server Health tab.
2. Click Sensor Readings in the sidebar.
3. Click options at the bottom of the page as needed:
   - Refresh
   - Show Thresholds
   - Intrusion Reset

Resetting the IPMI Interface Using the CLI

This procedure describes how to reset the IPMI interface.

Prerequisites

- Admin access to the CM appliance.

If the IPMI interface stops working, follow these steps to reset it. You might need to schedule a maintenance window to do this.

To reset the IPMI interface:

1. Log in to the CM CLI.
2. Go to CLI configuration mode:

   hostname > enable
   hostname # configure terminal

3. Reload the IPMI firmware:

   hostname (config) # ipmi firmware reload cold

4. Wait five minutes.
5. Check whether the IPMI interface is up:

   hostname (config) # show ipmi

6. If the IPMI interface is down:
   a. Shut down the appliance:

      hostname (config) # reload halt

   b. Unplug all power cables.
   c. Wait 90 seconds.
   d. Plug in the power cables.
   e. Push the power button to restart the appliance.

PART II: Configuration

- Initial Configuration on page 73
- Virtual Central Management Appliances on page 85
- License Keys on page 115
- The DTI Network on page 127
- System Email Settings on page 163
- Date and Time Settings on page 179

CHAPTER 3: Accessing the Physical or Serial Console

Use one of the methods in this section to establish a connection with the physical or serial console.

Physical Console Method

You can connect keyboard and video cables to the appliance and then log in to the CM CLI. See your Hardware Administration Guide to view the port locations.

To access the physical console:

- Plug in a keyboard and a VGA monitor.
Serial Console Methods

If you are not using a terminal server, you need to be physically near the CM appliance to use the serial port. The serial port is on the back of the appliance. See your Hardware Administration Guide to view the port location.

The serial port uses the following settings:

- Baud rate: 115200
- Data bits: 8
- Stop bits: 1
- Parity: None
- Flow control: XON/XOFF

NOTE: If the appliance stops responding on startup without displaying an error message, the serial port or the connection may be faulty. If this occurs, do the following:

1. Press and hold the power button on the front of the appliance for a few seconds until the appliance powers off.
2. Unplug all power cables from the server and wait for about 5 minutes to ensure shutdown is complete.
3. Connect a different serial cable.
4. Plug in the power cables.
5. If the server does not automatically restart, press the power button.

You can access the serial port as described in the following topics:

- PC or Mac below
- Linux on the facing page
- Terminal Server on the facing page

PC or Mac

Because laptops do not usually have a serial port, you need a USB-to-serial cable to connect the laptop to the DB-9 serial port of the CM appliance. FireEye uses Prolific Technology Inc. adapters.

IMPORTANT! A USB-to-serial cable is not provided with the appliance.

To access the serial console from a PC or Mac laptop:

1. Connect the USB-to-serial cable to the USB port of the laptop.
2. Connect one end of the null modem cable that is provided with the appliance to the USB-to-serial cable.
3. Connect the other end of the null modem cable to the serial port of the appliance.
4. Use a serial application (such as PuTTY) to establish a connection. Specify the COM port assigned to the USB-to-serial cable.
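The Linux topic that follows says only to establish a connection from a command prompt. As an added example (not from the guide), this Python script applies the serial settings listed above (115200 baud, 8 data bits, 1 stop bit, no parity, XON/XOFF) to a tty on a Linux or macOS host using the standard termios module, and includes a pseudo-terminal self-check so the settings can be verified before the adapter is attached. The device path /dev/ttyUSB0 is an assumption.

```python
"""Configure a host tty for the CM serial console: 115200 8N1 with XON/XOFF.

Added example, not FireEye's code. The device path is an assumption; a
Prolific USB-to-serial adapter on Linux typically appears as /dev/ttyUSB0."""
import os
import termios

# Field positions in the list returned by termios.tcgetattr()
IFLAG, OFLAG, CFLAG, LFLAG, ISPEED, OSPEED, CC = range(7)


def console_attrs(attrs):
    """Return a copy of a termios attribute list set for the CM console:
    115200 baud, 8 data bits, no parity, 1 stop bit, XON/XOFF flow control,
    and raw mode so every byte goes straight to the appliance."""
    attrs = list(attrs)
    attrs[CC] = list(attrs[CC])
    # Control flags: 8 data bits, no parity, 1 stop bit, ignore modem lines
    cflag = attrs[CFLAG]
    cflag &= ~(termios.CSIZE | termios.PARENB | termios.CSTOPB)
    cflag |= termios.CS8 | termios.CREAD | termios.CLOCAL
    attrs[CFLAG] = cflag
    # Input flags: software flow control both ways, no CR/NL translation
    iflag = attrs[IFLAG]
    iflag &= ~(termios.ICRNL | termios.INLCR | termios.IGNCR | termios.ISTRIP)
    iflag |= termios.IXON | termios.IXOFF
    attrs[IFLAG] = iflag
    # Raw output, no local echo or line editing (the appliance echoes)
    attrs[OFLAG] &= ~termios.OPOST
    attrs[LFLAG] &= ~(termios.ECHO | termios.ICANON | termios.ISIG | termios.IEXTEN)
    attrs[ISPEED] = termios.B115200
    attrs[OSPEED] = termios.B115200
    # read() returns as soon as one byte arrives
    attrs[CC][termios.VMIN] = 1
    attrs[CC][termios.VTIME] = 0
    return attrs


def describe(attrs):
    """Summarise the settings the guide specifies, for a pre-connection check."""
    cflag, iflag = attrs[CFLAG], attrs[IFLAG]
    return {
        "baud": 115200 if attrs[OSPEED] == termios.B115200 else "other",
        "data_bits": 8 if (cflag & termios.CSIZE) == termios.CS8 else "other",
        "stop_bits": 2 if cflag & termios.CSTOPB else 1,
        "parity": "enabled" if cflag & termios.PARENB else "none",
        "xon_xoff": bool(iflag & termios.IXON) and bool(iflag & termios.IXOFF),
    }


def open_console(path="/dev/ttyUSB0"):
    """Open the serial device, apply the console settings and return the fd.
    Needs read/write access to the device (on many Linux distributions,
    membership in the dialout group)."""
    fd = os.open(path, os.O_RDWR | os.O_NOCTTY)
    termios.tcsetattr(fd, termios.TCSANOW, console_attrs(termios.tcgetattr(fd)))
    return fd


def check_on_pty():
    """Apply the settings to a pseudo-terminal and read them back, so the
    configuration can be verified on a host with no serial adapter attached."""
    master, slave = os.openpty()
    try:
        termios.tcsetattr(slave, termios.TCSANOW,
                          console_attrs(termios.tcgetattr(slave)))
        return describe(termios.tcgetattr(slave))
    finally:
        os.close(master)
        os.close(slave)


if __name__ == "__main__":
    print(check_on_pty())
```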
Linux

You can use a serial cable or a USB-to-serial cable to connect the Linux machine to the serial port of the CM appliance. FireEye uses Prolific Technology Inc. adapters.

IMPORTANT! A USB-to-serial cable is not provided with the appliance.

To access the serial console from a Linux machine:

1. Connect the cable to the serial port of the appliance and to the Linux machine.
2. From a command prompt, establish a connection. If you are using a USB-to-serial cable, specify the COM port assigned to it.

Terminal Server

To access the serial console from a terminal server:

1. Set the terminal server to a baud rate of 115200.
2. Plug one end of a serial cable into the DB-9 serial port on the CM appliance and plug the other end into the terminal server.
3. In a Telnet application (such as PuTTY), enter the host name or terminal server IP address, the terminal server port number that the appliance is using, and the appliance port number.

CHAPTER 4: Initial Configuration

This section covers the following information:

- Initial Configuration Overview on the next page
- Initial Configuration Prerequisites on the next page
- Use one of the following methods to configure initial settings:
    - Configuring Initial Settings Using a Keyboard and Monitor on page 75
    - Configuring Initial Settings Using the Serial Console Port on page 76
    - Configuring Initial Settings Using the LCD Panel on page 81
  For information about responding to the configuration wizard prompts, refer to Configuration Wizard Steps on page 78.
- Configuring the IPMI Interface on page 82

Initial Configuration Overview

The management interface is the port through which the CM appliance is managed and administered.
It is also the port through which an appliance is managed by the Central Management appliance. With the single-port address type, the management interface is also the port through which a managed appliance requests and downloads software updates from the DTI network.

Initial settings need to be configured to set up the management interface, to allow access to the network, to change the default administrator password, and so on.

Use one of the following methods to log in to the CM CLI and configure initial settings:

- Keyboard and monitor—Connect a USB keyboard and VGA monitor directly to the USB 3.0 ports and a video port that are on the rear panel of the appliance. This is the easiest way to configure the initial settings, provided that you are physically near the appliance.
- Serial port—Connect a Windows laptop, a Mac laptop, a Linux system, or a terminal server to the appliance serial port. The serial port is on the rear panel.
- LCD panel—Use the navigation buttons and menus on the liquid crystal display (LCD) panel to select initial settings. The LCD panel is on the front of most appliance models.

Be sure to cable and configure the IPMI interface so that you can access the appliance should it become unresponsive to network or serial port access.

NOTE: You must access the appliance through the serial port if you want to monitor appliance boot activities. You can enter CLI commands through a direct keyboard and monitor connection only before the boot loader begins loading the kernel (for example, to see POST output) and after the boot is completed.

Initial Configuration Prerequisites

Before you configure the appliance:

- Read the Release Notes for the current release.
- Collect the following information from your network administrator:
    - Static IP address, subnet mask, and default gateway address for the appliance management interface. (You do not need this information if Dynamic Host Configuration Protocol (DHCP) will be used on the management interface.)
    - IP address for each Domain Name System (DNS) server (if DNS name resolution will be used).
    - IP address for each Network Time Protocol (NTP) server (if NTP synchronization will be used).
    - Telnet or SSH client on the remote system (if the appliance will be managed remotely).
- If you plan to configure initial settings using the serial console port and a Windows or Mac laptop, obtain a USB-to-serial cable.

Configuring Initial Settings Using a Keyboard and Monitor

You can connect keyboard and video cables to the appliance and then log in to the CM CLI to perform the initial configuration. See your Hardware Administration Guide to view the port locations.

To configure initial settings using a keyboard and monitor:

1. Plug in a keyboard and a VGA monitor.
2. When prompted, enter the default username (admin) and password (admin) for the permanent "admin" user.
3. You are asked to accept the End User License Agreement (EULA). Enter y to accept the terms of the agreement.
4. Enter y when you are prompted to use the Configuration Wizard for initial configuration. Then respond to the prompts as described in Configuration Wizard Steps on page 78.
5. After you answer the questions, the wizard summarizes your answers. To change an answer, enter the step number. Press Enter to save changes.

Configuring Initial Settings Using the Serial Console Port

If you are not using a terminal server, you need to be physically near the CM appliance to use the serial port. The serial port is on the back of the appliance. See your Hardware Administration Guide to view the port location.
The serial port uses the following settings:

- Baud rate: 115200
- Data bits: 8
- Stop bits: 1
- Parity: None
- Flow control: XON/XOFF

NOTE: If the appliance stops responding on startup without displaying an error message, the serial port or the connection may be faulty. If this occurs, do the following:

1. Press and hold the power button on the front of the appliance for a few seconds until the appliance powers off.
2. Unplug all power cables from the server and wait for about 5 minutes to ensure shutdown is complete.
3. Connect a different serial cable.
4. Plug in the power cables.
5. If the server does not automatically restart, press the power button.

Configure initial settings as described in the following topics:

- Using a Windows or Mac Laptop below
- Using a Linux System on the facing page
- Using a Terminal Server on the facing page

Using a Windows or Mac Laptop

Use the procedure in this section to configure initial settings from a Windows or Mac laptop.

To configure initial settings from a Windows or Mac laptop:

1. Establish a connection with the serial console as described in PC or Mac on page 70.
2. When prompted, enter the default username (admin) and password (admin) for the administrator.
3. You are asked to accept the End User License Agreement (EULA). Enter y to accept the terms of the agreement.
4. Enter y when you are prompted to use the Configuration Wizard for initial configuration. Then respond to the prompts as described in Configuration Wizard Steps on the next page.
5. After you answer the questions, the wizard summarizes your answers. To change an answer, enter the step number. Press Enter to save changes.

Using a Linux System

Use the procedure in this section to configure initial settings from a Linux system.

To configure initial settings from a Linux system:

1. Establish a connection with the serial console as described in Linux on page 71.
2. When prompted, enter the default username (admin) and password (admin) for the administrator.
3. You are asked to accept the End User License Agreement (EULA). Enter y to accept the terms of the agreement.
4. Enter y when you are prompted to use the Configuration Wizard for initial configuration. Then respond to the prompts as described in Configuration Wizard Steps on the next page.
5. After you answer the questions, the wizard summarizes your answers. To change an answer, enter the step number. Press Enter to save changes.

Using a Terminal Server

Use the procedure in this section to configure initial settings from a terminal server.

To configure initial settings from a terminal server:

1. Establish a connection with the serial console as described in Terminal Server on page 71.
2. When prompted, enter the default username (admin) and password (admin) for the administrator.
3. You are asked to accept the End User License Agreement (EULA). Enter y to accept the terms of the agreement.
4. Enter y when you are prompted to use the Configuration Wizard for initial configuration. Then respond to the prompts as described in Configuration Wizard Steps below.
5. After you answer the questions, the wizard summarizes your answers. To change an answer, enter the step number. Press Enter to save changes.

Configuration Wizard Steps

The configuration wizard is typically used to perform the initial configuration of the system. See Initial Configuration on page 73 for information about running the wizard before the management interface is configured. After the management interface is configured, an administrator can use the configuration jump-start CLI command to run the wizard.

The table in this section describes the questions the configuration wizard prompts you to answer as it moves through the wizard steps.
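The wizard's step-skipping rules, which the table in this section spells out entry by entry, are easier to check against a planned set of answers in code. This is an added example, not FireEye's code: it models the rules as the table states them, returns the prompts the wizard will actually show, and validates the answers the table constrains (admin password 8 to 32 characters and changed from the default, primary IP address in A.B.C.D/masklen form). The answer-key names and the "platform" and "licenses_installed" inputs are this example's own, and the "Enable Incident Response or Compromise Assessment?" and "Enable FaaS VPN" conditions the table mentions are not modelled.

```python
"""Model of the CM configuration wizard's step-skipping rules.

Added example, not FireEye's code. Answer keys, the "platform" input
("physical", "kvm" or "virtual" for other virtual models) and the
"licenses_installed" input (the outcome of the fenet license download)
are this example's own names."""
import ipaddress


def _yes(a, key):
    return a.get(key, "no") == "yes"


def _no_static_addressing(a):
    # DHCP = yes skips zeroconf and "the static IP addressing steps". Which
    # prompts those are is an assumption here: IP/masklen, gateway, DNS and
    # domain name.
    return _yes(a, "dhcp")


def _fenet_licensed(a):
    # The license key prompts are skipped only when the fenet license update
    # service was enabled AND the licenses were actually installed.
    return _yes(a, "fenet_license_update") and _yes(a, "licenses_installed")


# (prompt, answer key, skipped_if) in the order the table lists the steps.
WIZARD_STEPS = [
    ("Activation code?", "activation_code", lambda a: a["platform"] != "kvm"),
    ("Hostname?", "hostname", lambda a: False),
    ("Admin password?", "admin_password", lambda a: False),
    ("Confirm admin password?", "confirm_admin_password", lambda a: False),
    ("Enable remote access for 'admin' user?", "remote_admin", lambda a: False),
    ("Use DHCP on ether1 interface?", "dhcp", lambda a: False),
    ("Use zeroconf on ether1 interface?", "zeroconf", lambda a: _yes(a, "dhcp")),
    ("Primary IP address and masklen?", "ip_masklen",
     lambda a: _no_static_addressing(a) or _yes(a, "zeroconf")),
    ("Default gateway?", "gateway", _no_static_addressing),
    ("Primary DNS server?", "dns", _no_static_addressing),
    ("Domain name?", "domain", _no_static_addressing),
    ("Activation code", "activation_code", lambda a: a["platform"] != "virtual"),
    ("Enable fenet service?", "fenet", lambda a: False),
    # fenet = no skips the next three steps
    ("Enable fenet license update service?", "fenet_license_update",
     lambda a: not _yes(a, "fenet")),
    ("Sync appliance time with fenet?", "sync_time_fenet",
     lambda a: not _yes(a, "fenet")),
    ("Update licenses from fenet?", "update_licenses",
     lambda a: not _yes(a, "fenet")),
    ("Enable NTP?", "ntp", lambda a: _yes(a, "sync_time_fenet")),
    ("Set time (<hh>:<mm>:<ss>)?", "time",
     lambda a: _yes(a, "sync_time_fenet") or _yes(a, "ntp")),
    ("Set date (<yyyy>/<mm>/<dd>)?", "date",
     lambda a: _yes(a, "sync_time_fenet") or _yes(a, "ntp")),
    ("Enable IPv6?", "ipv6", lambda a: False),
    ("Enable IPv6 autoconfig (SLAAC) on ether1 interface?", "slaac",
     lambda a: not _yes(a, "ipv6")),
    ("Enable DHCPv6 on ether1 interface?", "dhcpv6",
     lambda a: not (_yes(a, "dhcp") and _yes(a, "ipv6"))),
    ("Product license key?", "product_key", _fenet_licensed),
    ("Security-content updates key?", "content_key", _fenet_licensed),
    # Offered on physical and selected virtual models; modelled as physical only
    ("Configure CMS HA?", "cms_ha", lambda a: a["platform"] != "physical"),
]


def wizard_prompts(answers):
    """Return the prompts shown for the planned answers. An answer to a step
    the wizard skips is ignored, because the wizard never asks for it."""
    effective = {"platform": answers.get("platform", "physical"),
                 "licenses_installed": answers.get("licenses_installed", "no")}
    shown = []
    for prompt, key, skipped_if in WIZARD_STEPS:
        if skipped_if(effective):
            continue
        shown.append(prompt)
        if key in answers:
            effective[key] = answers[key]
    return shown


def validate_answers(answers):
    """Return the problems the table lets us detect before running the wizard."""
    problems = []
    pw = answers.get("admin_password", "")
    if pw == "admin":
        problems.append("the default admin password must be changed")
    if not 8 <= len(pw) <= 32:
        problems.append("admin password must be 8-32 characters")
    if answers.get("confirm_admin_password") != pw:
        problems.append("admin password confirmation does not match")
    if "Primary IP address and masklen?" in wizard_prompts(answers):
        value = answers.get("ip_masklen", "")
        try:
            if "/" not in value:
                raise ValueError("masklen missing")
            ipaddress.IPv4Interface(value)
        except ValueError:
            problems.append("primary IP address must be in A.B.C.D/masklen form")
    return problems
```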
As noted in the table, the wizard skips some steps based on your answers to previous steps.

NOTE: To exit the configuration wizard, press CTRL+C. To restart the configuration wizard, use the configuration jump-start command.

Activation code? (Virtual KVM deployments only)
    Enter the activation code you obtained from FireEye.
Hostname?
    Enter the hostname for the appliance.
Admin password?
    Enter a new administrator password. The new password must be 8–32 characters. If you do not change the password, the administrator will be unable to log in to the appliance.
Confirm admin password?
    Re-enter the new administrator password.
Enable remote access for 'admin' user?
    Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.
Use DHCP on ether1 interface?
    Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the appliance IP address and other network parameters. Enter no to manually configure your IP address and network settings. (If you enter yes, the zeroconf and static IP addressing steps are skipped.)
Use zeroconf on ether1 interface?
    Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network mask. (If you specify yes, the next step is skipped.)
    NOTE: Do not use zeroconf on the primary interface.
Primary IP address and masklen?
    Enter the IP address for the management interface in A.B.C.D format and enter the network mask, for example: 1.1.1.2/12.
Default gateway?
    Enter the gateway IP address for the management interface.
Primary DNS server?
    Enter the IP address of the DNS server.
Domain name?
    Enter the domain for the management interface; for example: it.acme.com.
Activation code (Some virtual appliances only)
    Enter the activation code you obtained from FireEye.
Enable fenet service?
    Enter yes to enable access to the DTI network.
    (If you enter no, the next three steps are skipped.)
Enable fenet license update service?
    Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product license key and the step that prompts for the security-content updates key.)
Sync appliance time with fenet?
    Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service, synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts to perform this step before it gives up and moves to the next step.
Update licenses from fenet?
    Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before giving up and moving on to the next step.
Enable NTP?
    Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers. Enter no to manually set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync appliance time with fenet?" or "Enable Incident Response or Compromise Assessment?" step.) If you enter no, specify the time and date in Greenwich Mean Time (GMT).
Set time (<hh>:<mm>:<ss>)?
    Enter the appliance time. (This step and the next step are skipped if you entered yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)
Set date (<yyyy>/<mm>/<dd>)?
    Enter the appliance date.
Enable IPv6?
    Enter yes to enable the IPv6 protocol, which changes network IP routing from IPv4 to IPv6. (This step and the next two steps are skipped if you entered yes in the "Enable Incident Response or Compromise Assessment?" step. This step and the next two steps will be automatically performed if you entered yes in the "Enable FaaS VPN" step.)
Enable IPv6 autoconfig (SLAAC) on ether1 interface?
    Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you entered no in the "Enable IPv6?" step.)
Enable DHCPv6 on ether1 interface?
    Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the "Enable DHCP?" or "Enable IPv6?" step.)
Product license key?
    Enter the product license key you obtained from FireEye, or press Enter to install a 15-day evaluation license. (This step and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and if licenses were successfully installed as a result.)
Security-content updates key?
    Enter the security-content license key you obtained from FireEye, or press Enter to skip this step and install the license later.
Configure CMS HA? (Physical models and selected virtual models only)
    Enter yes to configure the Central Management appliance in a high availability (HA) environment. (For the remaining HA configuration steps, see the Central Management High Availability Guide.)

Configuring Initial Settings Using the LCD Panel

An LCD panel is available on the front of some appliance models.

To configure initial settings from the LCD panel:

1. Press the center button to access the Network menu and respond to the prompts:
   a. Hostname—Specify the hostname for the system.
   b. DHCP enabled—Enter yes to use Dynamic Host Configuration Protocol (DHCP). Enter no to manually configure your IP address and network settings. If you entered yes, proceed to the IPv6 enabled step.
   c. Static IP address—Enter the IP address for the Ethernet 1 (management interface) port.
   d. Netmask—Enter the network mask.
   e. Default gateway—Enter the gateway IP address for the management interface.
   f. Primary DNS—Enter the primary DNS server IP address.
   g. Domain name—Enter the domain name for the management interface; for example, it.acme.com.
   h. IPv6 enabled—Enter yes to enable the IPv6 protocol, which changes network IP routing from IPv4 to IPv6. If you enter no, proceed to the Admin net login step.
   i. SLAAC enabled—Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. Enter no to disable IPv6 autoconfig on the ether1 (management interface) port.
   j. Admin net login—Enter yes to enable the administrator to log in to the system remotely. Enter no to disable remote access.
2. Press the left or right arrow button until you reach the LCD menu. At the Password prompt, enter a password used to access the LCD panel. (This is not the password used to access the appliance Web UI or CLI.)
3. Press the left or right arrow button until you reach the Config Options menu. At the Reset admin password prompt:
   a. Press the center button to reset the password used by the permanent admin user to log in to the appliance Web UI or CLI. (This is not the password used to access the LCD panel.)
   b. A randomly generated password is displayed. After you memorize it, press the center or exit button to dismiss the display. After the initial configuration, you can change to a password of your choice using the appliance Web UI or CLI.

Configuring the IPMI Interface

Use the commands in this section to configure the IPMI interface. For information about using the IPMI interface after it is configured, see The CM Appliance IPMI Interface on page 60.

Prerequisites

- One end of an Ethernet cable is plugged in to the IPMI port, and the other end of the cable is plugged in to an administrative computer or terminal server.

Viewing the IPMI Configuration

This procedure describes how to use the CLI to view the IPMI configuration.

To view the IPMI configuration:

1. Go to CLI enable mode:

   hostname > enable

2. Display the configuration.
   For example:

   hostname (config) # show ipmi interface
   IPMI LAN Settings
   ---------------------------------------
   Admin Shut Down    : no
   Shut Down          : no
   IP Address Source  : Static Address
   IP Address         : 192.168.42.27
   Subnet Mask        : 0.0.0.0
   Default Gateway IP : 0.0.0.0

Configuring the IPMI Port

This procedure describes how to use CLI commands to configure the IPMI interface.

To configure the IPMI port:

1. If you want to configure a static IP address for the IPMI interface, do the following:
   a. Log in to the appliance CLI.
   b. Go to CLI configuration mode:

      hostname > enable
      hostname # configure terminal

   c. If DHCP was previously configured for IPMI, change to the static method:

      hostname (config) # ipmi lan ipsrc static

   d. Configure the IP address for the IPMI interface:

      hostname (config) # ipmi lan ipaddr <ipAddress>

   e. Configure the netmask for the IPMI interface:

      hostname (config) # ipmi lan netmask <netMask>

   f. Configure the default gateway for the IPMI interface:

      hostname (config) # ipmi lan defgw <ipAddress>

2. If you want to configure DHCP:
   a. Make sure that DHCP is enabled on your network:

      hostname (config) # show ip dhcp

   b. Enable DHCP:

      hostname (config) # ipmi lan ipsrc dhcp

3. The default username for logging in to the IPMI Web UI is ADMIN. Configure the password. The password must be a minimum of five characters and a maximum of 20 characters.

   hostname (config) # ipmi user set password <password>

4. Save your changes.

   hostname (config) # write memory

To revert to the default configuration:

1. Go to CLI configuration mode:

   hostname > enable
   hostname # configure terminal

2. Revert to the default configuration:

   hostname (config) # ipmi lan ipsrc static

3. Save your changes.

   hostname (config) # write memory

NOTE: It is important to use the latest IPMI firmware available for your system.
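Pulling the IPMI configuration section together, here is an added example (not FireEye's code) that parses the output of show ipmi interface as printed above, reports static settings still left at 0.0.0.0 together with the command from this section that sets each one, builds the ipmi lan command sequence from values checked with the ipaddress module, and applies the 5-to-20-character rule for ipmi user set password. The sample output is constructed from the guide's example; the findings wording and the gateway-in-subnet check are this example's own.

```python
"""Checks for the CM appliance's IPMI LAN configuration.

Added example, not FireEye's code. SAMPLE_SHOW_IPMI is constructed from the
"show ipmi interface" output printed in this section."""
import ipaddress

# Constructed from the example output in this section
SAMPLE_SHOW_IPMI = """\
IPMI LAN Settings
---------------------------------------
Admin Shut Down    : no
Shut Down          : no
IP Address Source  : Static Address
IP Address         : 192.168.42.27
Subnet Mask        : 0.0.0.0
Default Gateway IP : 0.0.0.0
"""

UNSET = "0.0.0.0"


def parse_show_ipmi(text):
    """Turn each "Key : value" line into a dict entry; the title and rule
    lines carry no colon and are dropped."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def ipmi_findings(settings):
    """Return the incomplete parts of a static IPMI configuration, each with
    the configuration-mode command from this section that sets the value."""
    findings = []
    if settings.get("IP Address Source", "").lower().startswith("static"):
        checks = [
            ("IP Address", "ipmi lan ipaddr <ipAddress>"),
            ("Subnet Mask", "ipmi lan netmask <netMask>"),
            ("Default Gateway IP", "ipmi lan defgw <ipAddress>"),
        ]
        for field, command in checks:
            if settings.get(field, UNSET) == UNSET:
                findings.append(f"{field} is unset; configure it with: {command}")
    for field in ("Admin Shut Down", "Shut Down"):
        if settings.get(field) == "yes":
            findings.append(f"{field} is yes: the IPMI LAN interface is not up")
    return findings


def static_ipmi_commands(ip, netmask, gateway):
    """Return the commands for a static IPMI address, after checking that the
    gateway is a usable address inside the IPMI interface's own subnet (a
    gateway outside it would leave IPMI reachable only from that subnet)."""
    iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    gw = ipaddress.IPv4Address(gateway)
    if gw not in iface.network or gw == iface.ip:
        raise ValueError(f"gateway {gateway} is not usable in {iface.network}")
    return [
        "ipmi lan ipsrc static",
        f"ipmi lan ipaddr {iface.ip}",
        f"ipmi lan netmask {iface.network.netmask}",
        f"ipmi lan defgw {gw}",
        "write memory",
    ]


def valid_ipmi_password(password):
    """The guide requires 5 to 20 characters for the ADMIN user's password."""
    return 5 <= len(password) <= 20


if __name__ == "__main__":
    for finding in ipmi_findings(parse_show_ipmi(SAMPLE_SHOW_IPMI)):
        print(finding)
```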
For details, see IPMI Firmware Updates on page 203.

CHAPTER 5: Virtual Central Management Appliances

A virtual Central Management appliance is a virtual instance of a physical Central Management appliance. It manages a virtual appliance the same way it manages a physical appliance, but requires no hardware. The same virtual Central Management appliance can manage both physical and virtual appliances.

Both physical and virtual appliances depend on the FireEye DTI network (cloud.fireeye.com) for automatic license updates and DTI services such as threat intelligence and software and security content updates. Virtual appliances also depend on the DTI network for the token server, which continually renews the lease on the product license, and the entropy server, which generates randomness for more secure connections.

A virtual appliance has a unique activation code, which serves the following purposes:
- Gives the appliance a unique identity (its appliance ID).
- Activates the product (FIREEYE_APPLIANCE) license.
- Allows access to the license token server.
- Provides access to the DTI network.
- Protects you from fraudulent use of the virtual appliance.
- Allows the virtual appliance to initialize—the appliance remains disabled until you apply the activation code.

The activation code is highly sensitive, because it gives the virtual appliance its identity and access credentials. FireEye takes measures to prevent fraudulent use of activation codes as described in How It Works on page 108.
This section includes the following information:
- Deploying Virtual Central Management Appliances on VMware ESXi on the next page
- Deploying Virtual Central Management Instances on Amazon Web Services (AWS) on page 96
- Understanding Virtual Appliance Licensing on page 108
- Viewing System Entropy Status on page 112

Deploying Virtual Central Management Appliances on VMware ESXi

Open Virtualization Format (OVF) is an open standard for various virtualization platforms, and is used to package and distribute the software that runs on virtual machines. A virtual appliance is packaged as an OVA image, which is a compressed file containing the contents of an OVF folder. The OVF folder contains the appliance system image as well as virtual machine files. You install a virtual appliance in a VMware ESXi server.

CAUTION! VMware ESXi host version 6.0 or later is required. Earlier ESXi versions are not supported, and virtual appliances installed using those versions will not function properly.

NOTE: This section assumes a familiarity with deploying virtual machines and administering ESXi hosts. This section provides the basic steps for creating and deploying a virtual appliance. For comprehensive information about deploying virtual machines, see the documentation provided by VMware, Inc.

VMware ESXi System Requirements

Before you deploy a virtual Central Management appliance, make sure the following requirements are met.

VMware Requirements

The following VMware resources are required:
- VMware ESXi host version 6.0 or later. Earlier ESXi versions are not supported.
- VMware vSphere Client
- VMware vCenter Server (recommended). When you use vSphere Client to add your virtual appliances to vCenter Server, the Deploy OVF Template wizard provides an easy way to enter your activation code.
  Otherwise, you must type it in the virtual appliance console, because you cannot paste into this console.
- VMXNET 3 network adapters
- Link aggregation enabled on ESXi host

Virtual Appliance Specifications

Each virtual appliance must meet the following specifications. All CPU cores are Intel Xeon E5-2630 v4, with 2.20 GHz processor (minimum).

Model     CPU Cores   RAM      Virtual NICs                                        Hard Disk Space
CM2500V   4           32 GB    4 (total): 1 (management), 1—3 (for future use)     512 GB
CM4500V   8           64 GB    4 (total): 1 (management), 1—3 (for future use)     1200 GB
CM7500V   16          128 GB   4 (total): 1 (management), 1—3 (for future use)     1200 GB

Limitations
- Central Management high availability (HA) is supported on the CM4500V and CM7500V models only.
- You cannot change the number of network interfaces on the virtual appliance. If the server that hosts your virtual appliances does not have enough physical NICs, you can use VLAN tagging, assign unused interfaces to a virtual switch that is not bound to a physical NIC, or add physical NICs to the server.
- Changing storage policy and adding partitions is not supported.
- Snapshots are not supported. Content is encoded and decoded on each virtual appliance, and will not be decoded correctly on the snapshot.
- The following VMware features are not supported:
  - Virtual SMP
  - Update Manager
  - Data Protection
  - High Availability (HA)
  - vMotion (including Storage vMotion, Enhanced vMotion Compatibility, and Cross-vSwitch vMotion)
  - Storage APIs for Data Protection
  - Memory hot add
  - Endpoint
  - Replication
  - Fault Tolerance
  - Virtual Volumes
  - Offline operational mode

Installing a Virtual Appliance in VMware ESXi

This section describes how to install a virtual appliance.

IMPORTANT!
This procedure uses VMware ESXi version 6.0.0 (build 3568940) and vSphere Client version 6.0.0 (build 3562874) on VMware vCenter Server version 6.0.0 (build 3018524). The navigation instructions and user interface may vary based on your version of these products.

NOTE: This procedure covers the required settings for a FireEye virtual appliance. You can accept the default values for the other settings, or specify values that are appropriate for your setup.

Prerequisites
- Root user account on an ESXi server.
- Requirements in VMware ESXi System Requirements on page 86 are met.

To install a virtual appliance:
1. Log in to vSphere Client.
2. From the File menu, select Deploy OVF Template to start the wizard.
3. On the Source screen, paste the URL that FireEye provided that points to the OVA file containing the Central Management system image, or click Browse and navigate to the OVA file stored in your file system, and then click Next.
4. On the OVF Template Details screen, review the information. If the information is correct, click Next. Otherwise, click Back and enter the correct URL or path.
5. On the Name and Location screen, enter a unique name that describes the virtual appliance.
6. On the Disk Format screen, select Thin Provision, and then click Next.
7. On the Network Mapping screen, click Next to accept the default settings.
8. On the Properties screen, you can complete fields to configure initial settings as described in Using the Properties Screen on page 94.
   (If you do not use this screen, you must type the values into the vSphere Client console manually, because you cannot paste into this console.)
9. On the Ready to Complete screen:
   a. Verify the information.
   b. (Optional) Select the Power on after deployment check box.
   c. Click Finish.

Performing the Initial Configuration

The management interface is the port through which the virtual appliance is managed and administered. It is also the port through which integration of the Central Management appliance and a managed appliance is managed. With the single-port address type, the management interface is also the port through which a managed appliance requests and downloads software updates from the DTI network. Initial settings need to be configured to set up the management interface, and to allow access to the network, change the default administrator password, and so on.

If your virtual appliances are managed by VMware vCenter Server, the installation wizard includes a Properties screen that allows you to enter your activation code and supply CLI commands that configure the appliance. You can also reset the password for the "admin" user on this screen. If the wizard does not include the Properties screen or if you choose not to use it, you can use the console of the vSphere client to type the activation code and commands that allow the admin to log in to the CLI or Web UI to configure the appliance. You can fully configure the appliance from the console, but it might be inconvenient because you cannot paste into the console.

Using the Properties Screen

The Properties screen is included in the Deploy OVF Template wizard if you connect to your ESXi host through VMware vCenter Server.
Installing a Virtual Appliance in VMware ESXi on page 88 shows an illustration of this screen and provides information about the other wizard screens.

FireEye recommends that you use the Properties screen to do at least the following:
- Enter the activation code for your virtual appliance. The activation code contains many characters. The vSphere Client prevents you from pasting the activation code into the vSphere Client console, and it is easy to make a typing error.
- Reset the password for the "admin" user if password authentication will be used to log in to the CLI or Web UI over the network. The password must be changed to a password of at least eight characters.

You can also use this screen to provide commands for configuration settings that the system will apply during the initial boot. This is convenient if you have a large number of virtual appliances to deploy, because you can create base sets of commands and then customize them for each deployment.

NOTE: You can use the system virtual bootstrap reset command to reset the Properties screen values after the virtual appliance is deployed and running.

The following table describes the fields in the Properties screen.

Field: Activation Code
Description: The code you received in a secure email from FireEye that gives the virtual appliance its identity and access credentials.

Field: Initial CLI commands
Description: A Base64-encoded set of commands that at a minimum allow the appliance to connect to your network. To use this field, type the commands in plain-text format, encode them to Base64, and then paste the encoded string into this field. (You can use the Linux command cat <filename>.txt | base64 | tr -d '\n' to encode the commands.) Consider using this field for network connectivity only, because the size of the string could become unwieldy. The string can be a maximum of 65,535 bytes, and cannot be line-wrapped.
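To prepare the value for the Initial CLI commands field and check it against the two limits just described (65,535 bytes, no line wrapping), here is an added Python example; it is not FireEye code, the function names are my own, and the sample command set is constructed (only "configure terminal" and "write memory" appear in this guide; the middle line is a placeholder).

```python
"""Encode a plain-text CLI command set for the "Initial CLI commands" field
and verify a value before it is pasted into the Properties screen.

Added example, not FireEye code.  The field limits come from the guide; the
sample commands below are constructed for illustration."""

from __future__ import annotations

import base64

MAX_FIELD_BYTES = 65535   # maximum length of the encoded string, per the guide

# Constructed sample: one command per line, as it would be typed in the CLI.
SAMPLE_COMMANDS = """configure terminal
<commands that give ether1 network connectivity go here>
write memory
"""


def encode_initial_cli(commands: str) -> str:
    """Return `commands` as one unwrapped Base64 line, or raise ValueError.

    The Linux `base64` tool wraps its output at 76 columns, which is why the
    guide pipes it through `tr -d '\\n'`; base64.b64encode never wraps.
    """
    encoded = base64.b64encode(commands.encode("utf-8")).decode("ascii")
    if len(encoded) > MAX_FIELD_BYTES:
        raise ValueError(
            f"encoded string is {len(encoded)} bytes; the field allows {MAX_FIELD_BYTES}"
        )
    return encoded


def check_field_value(encoded: str) -> list:
    """Validate a value produced by any tool (size, no wrapping, valid Base64)
    and return the decoded CLI lines so the round trip can be eyeballed."""
    if "\n" in encoded or "\r" in encoded:
        raise ValueError("encoded string must not be line-wrapped")
    if len(encoded.encode("ascii")) > MAX_FIELD_BYTES:
        raise ValueError("encoded string exceeds the field limit")
    # validate=True rejects stray characters instead of silently skipping them.
    text = base64.b64decode(encoded.encode("ascii"), validate=True).decode("utf-8")
    return text.splitlines()


def max_plaintext_bytes() -> int:
    """Largest plain-text command set that still fits: Base64 emits 4
    characters per 3 input bytes, so 65,535 // 4 = 16,383 full groups."""
    return (MAX_FIELD_BYTES // 4) * 3


if __name__ == "__main__":
    value = encode_initial_cli(SAMPLE_COMMANDS)
    print(value)
    print(check_field_value(value))
    print("largest plain-text command set that fits:", max_plaintext_bytes(), "bytes")
```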
Field: Initial CLI commands URL
Description: A URL that points to a file on your network (for example, http://acme.com/operations/6500V_config.txt). To use this field, enter CLI commands that configure additional settings in plain-text format, and store the file on an HTTP server in your network. The virtual appliance needs network connectivity (which the commands in the Initial CLI commands field can establish) to access the file referenced in the URL.

Field: Reset admin password
Description: A password of at least eight characters. The initial "admin" password must be reset to allow the admin user to log in to the CLI or Web UI over the network unless both of the following are true:
- The CLI commands being executed set an SSH authorized key for the admin user, which allows the admin to log in remotely without a password.
- You disable password login using the username admin disable password command.

Using the Console

FireEye recommends that you use the Properties screen to provide initial configuration settings, because you cannot copy and paste into the vSphere Client console. However, if you do not use this screen, and if the license update feature is not enabled, FireEye recommends that you accept the evaluation licenses during the initial configuration, because typing the keys is tedious and prone to error. After the activation code is entered and the admin user has access to the appliance Web UI or CLI, you can copy and paste the license keys.

To perform the initial configuration of a virtual appliance:
1. Log in to vSphere Client.
2. In the left pane, expand the ESXi IP address and then select the virtual appliance.
3. Click the Console tab.
4. If the console is not running, click the green arrow to launch it.
5. At the login prompt, enter admin.
6. At the password prompt, enter admin.
7. Start the configuration jump-start wizard:
   hostname (config) # configuration jump-start
8.
   Answer the wizard questions as described in Configuration Wizard Steps on page 78.

NOTE: To navigate away from the vSphere Client console and return to the vSphere Client user interface or your local machine, press Ctrl+Alt.

Deploying Virtual Central Management Instances on Amazon Web Services (AWS)

An AMI (Amazon Machine Image) is a template that contains the software configuration needed to deploy a virtual Central Management instance. The software configuration includes the operating system, application server, and applications that are needed to launch the instance. The following table summarizes the steps to launch a virtual Central Management instance in Amazon Web Services (AWS).

NOTE: This document provides the basic steps for launching FireEye virtual appliances, and assumes familiarity with launching virtual machines in AWS. For comprehensive information, see the AWS documentation provided by Amazon.

Task 1. Launch the instance.
Description: Some settings are defined by your system administrator. Other settings are required for the Central Management instance. For instructions, see Launching a Virtual Central Management Instance on AWS on the next page.

Task 2. Apply the activation code and configure the initial admin password for the instance.
Description: See Configuring the Activation Code and Initial Admin Password on AWS on page 99.

Task 3. Perform the initial configuration of the instance.
Description: See Performing the Initial Configuration on page 100.

CAUTION: In the "Primary IP address and masklen?" step of the configuration jump-start wizard, enter the same values you configured when you launched the instance on AWS.

Prerequisites
- FireEye AMIs in the US West region are copied to My AMIs in your region.
- Access to the AWS Management Console.
- Items from your AWS administrator, such as the network, subnet, and IP addresses for the instance, and key pairs and security groups to secure the instance.
- Items from FireEye, such as the activation code and licenses for your instance.

AWS System Requirements

Each virtual appliance launched in AWS must meet the following specifications. All AWS virtual CM models must be deployed on AWS memory optimized instances such as r4.xxx.

Instance Requirements

Model      CPU Cores   RAM      Virtual NICs   Disk Space   AWS Instance Type
CM 4500V   8           61 GB    1              1200 GB      r4.2xlarge
CM 7500V   16          122 GB   1              120 GB       r4.4xlarge

Network Requirements
- Connectivity with the DTI network (one-way or two-way sharing)
- Network access to the following ports:
  - 80 TCP
  - 22 TCP
  - 443 TCP

Launching a Virtual Central Management Instance on AWS

This topic describes how to launch a virtual Central Management instance on AWS (Amazon Web Services).

IMPORTANT: The navigation instructions and user interface may vary based on the AWS Management Console version that is running when you launch your instances.

NOTE: This procedure covers the required settings for a FireEye virtual appliance. You can accept the default values for the other settings, or specify values that are appropriate for your environment.

To launch a Central Management instance on AWS:
1. Go to the AWS login page and log in using your AWS ID.
2. On the Profile page, select your AWS role and then click AWS Console URL.
3. On the next page, click AWS Console login. The AWS Management Console opens.
4. In the navigation bar at the top of the console, select the region for the instance.
5. In the AWS services section, select EC2.
6. Click Launch Instance in the Create Instance section.
7. On the Choose an Amazon Machine Image (AMI) page, locate the AMI for the Central Management model. For example, select FireEyeCM4500Vec2 for the CM 4500V model.
   Then click Select.
8. On the Choose an Instance Type page, select Memory optimized - r4.2xlarge for the CM 4500V model or Memory optimized - r4.4xlarge for the CM 7500V model. Then click Next: Configure Instance Details.
9. On the Configure Instance Details page, select the management network and subnet from the Network and Subnet drop-down lists, and specify other settings provided by your network administrator. Click Next: Add Storage.
   NOTE: FireEye recommends that you configure a static IP address in the Primary IP field in the Network interfaces section at the bottom of the page.
10. On the Add Storage page, keep the default settings and then click Next: Add Tags.
11. (If required by your AWS administrator) On the Add Tags page, provide key and value combinations. Then click Next: Configure Security Group.
12. On the Configure Security Group page, select or add the security group that defines firewall rules that control traffic to the Central Management instance. Then click Review and Launch.
    IMPORTANT: FireEye recommends using a security group applicable to your organization instead of using the default security group, which is less secure.
13. On the Review Instance Launch page, review the details about your instance. Click the appropriate Edit link if you need to make changes. When you are satisfied with the details, click Launch.
14. In the Select an existing key pair or create a new key pair dialog box:
    a. Select an existing pair or create a new one. To use the key pair you created when you were set up to use Amazon EC2, click Choose an existing key pair, and then select that key.
       IMPORTANT: Store the name of the key pair and the private key in a secure location.
    b. Select the checkbox to confirm that you agree to the acknowledgement statement, and then click Launch Instances.
15.
    Continue to Configuring the Activation Code and Initial Admin Password on AWS below.

Configuring the Activation Code and Initial Admin Password on AWS

This topic describes how to apply the activation code for the Central Management instance and configure a temporary password for the initial admin user.

NOTE: You will use this password to log in to an SSH session using password authentication and perform the initial configuration of the appliance. During the jump-start wizard, you can configure another password. If the password you configure in this topic is not 8–32 characters long, you must change the password during the jump-start wizard to meet this password length requirement.

To apply the activation code to the instance:
1. Open the EC2 Management Console.
2. Select Instances > Instances in the left pane.
3. Select the instance, right-click, and then select Instance Settings > View/Change User Data.
4. Copy and paste the following script in the User Data field. Replace <code> with the activation code for the instance that was included in the onboarding email from FireEye and replace <password> with the new password for the initial admin user.
   {
     "va_bootstrap": {
       "activation_code": "<code>",
       "reset_admin_password": "<password>"
     }
   }
   IMPORTANT: This step is required. The syntax (including the indentation) must match what is shown in this step. Otherwise, you will be unable to establish an SSH session with the instance.
5. Click Save.
6. Right-click the instance, and select Instance State > Start.
7. Continue to Performing the Initial Configuration below.

Performing the Initial Configuration

The management interface is the port through which the Central Management instance is managed and administered. It is also the port through which integration of the Central Management instance and managed appliances is managed.
Initial settings need to be configured to set up the management interface and to allow access to the network, change the default admin password, and so on.

To perform the initial configuration of a Central Management instance:
1. Connect to the instance through an SSH client.
2. At the login prompt, enter admin.
3. At the password prompt, enter the initial password you configured in Configuring the Activation Code and Initial Admin Password on AWS on page 99.
   NOTE: Alternatively, you can use the ssh -i command to use the private key file to establish an SSH session. For example, ssh -i /path/<my-keypair>.pem admin@<instance>.
4. Accept the license agreement. The configuration jump-start wizard begins.
5. Answer the wizard questions as described in Configuration Wizard Steps on page 78.
   CAUTION: In the "Primary IP address and masklen?" step, enter the same values you configured on the Configure Instance Details page when you launched the instance (see Launching a Virtual Central Management Instance on AWS on page 98).
   NOTE: The "Admin password?" step is optional if you configured an 8–32 character password in Configuring the Activation Code and Initial Admin Password on AWS on page 99.

Deploying Virtual Central Management Appliances on KVM Servers

The following sections describe how to deploy a virtual Central Management appliance on KVM (Kernel-based Virtual Machine) servers. KVM is open-source hardware virtualization software through which you can create and run multiple Linux and Windows-based virtual machines simultaneously. Supported virtual CM models include CM 4500V and CM 7500V.
- KVM System Requirements below
- Installing a Virtual Central Management Appliance on KVM on the next page
- Performing the Initial Configuration on page 105

KVM System Requirements

The following KVM (Kernel-based Virtual Machine) resources are required:
- Ubuntu 18.04 or later, or CentOS 7.4 or later
- Standard virtual switch, connected to an external network and shared by the operating system
- Software bridge (for example, "br0") in the operating system for the management connection to the virtual Central Management appliance. The software bridge should be configured with the physical NIC mapping on the host, which is then used for management access to the virtual Central Management appliance. (For instructions, see the documentation provided by Ubuntu.)
- Ubuntu:
  - KVM version (kvm -version): QEMU emulator version 2.11.1 (Debian 1:2.11+dfsg-1ubuntu7.9)
  - libvirtd version: libvirtd (libvirt) 4.0.0
  - virt-manager version: 1.5.1
- CentOS:
  - KVM version: QEMU emulator version 1.5.3 (qemu-kvm-1.5.3-160.el7)
  - libvirtd version: libvirtd (libvirt) 4.5.0
  - virt-manager version: 1.5.0

Installing a Virtual Central Management Appliance on KVM

This section describes how to install a virtual Central Management appliance on a KVM server using the KVM Virtual Machine Manager UI.

IMPORTANT: This procedure uses KVM version libvirt 4.5 on Ubuntu 18.04. The navigation instructions and user interface may vary if you are using CentOS or a different version of Ubuntu.

NOTE: This procedure covers the required settings for a FireEye virtual appliance. You can accept the default values for the other settings, or specify values that are appropriate for your setup.

Before starting the virtual appliance installation, ensure you have the required prerequisite software installed. See KVM System Requirements on the previous page.
The following packages are required for a successful virtual Central Management appliance deployment on KVM:
- qemu-kvm
- qemu-img
- virt-manager
- libvirt
- libvirt-python
- libvirt-client
- virt-install
- virt-viewer
- librbd1-devel

In the following procedure, you will create the virtual appliance and configure its management port.

To install a virtual appliance using the KVM Virtual Machine Manager UI:
1. Download the Central Management KVM deployment .zip file from the FireEye DTI network to a KVM server and extract the files within it to the /home/admin/images directory. The .zip file name is based on your appliance model. For example, the .zip for the CM 7500V is image-cms-fireeyecm4500v.zip.
2. In KVM Virtual Machine Manager, select File > New Virtual Machine.
3. Complete the Create a new virtual machine screens:
   Step 1 of 4:
   1. Select Import existing disk image.
   2. Click Forward.
   Step 2 of 4:
   1. Browse to and select the folder to which you extracted the .zip file in the first step.
   2. Select the .qcow2 file, such as image-cms-fireeyecm4500v.qcow2, and click Choose Volume.
   3. Select OS type Linux and in the Version field, select your version of CentOS or Ubuntu.
   4. Click Forward.
   Step 3 of 4:
   1. Set Memory and CPU settings to the values for your virtual CM model.
   2. Click Forward.
   Step 4 of 4:
   1. Enter a name, such as FireEye-CM-4500V.
   2. Click Customize configuration before install and select Network selection Bridge br0. The bridge must have already been created in the host OS. This is the management (ether1) port for the virtual appliance.
   3. Click Finish. The KVM installation page opens.
4.
   In the KVM installation page, configure the basic information and disk IO for the virtual Central Management appliance.
   Overview tab:
   1. Enter a domain name, such as FireEye-CM4500V, for the virtual Central Management appliance in the Name field and optionally enter a Title and Description.
   2. Click Apply.
   VirtIO Disk 1 tab:
   1. Click Advanced options.
   2. Select SCSI in the Disk bus field.
   3. Click Apply.
5. In the KVM installation page, add the virtual hardware for the controller:
   a. At the bottom left of the KVM installation page, click Add Hardware.
   b. In the Add New Virtual Hardware page, select the Controller tab and then select the following values:
      - Type—SCSI
      - Model—VirtIO SCSI
   c. Click Finish.
6. Click Begin installation.
7. After the installation is complete, proceed to Performing the Initial Configuration below.

Performing the Initial Configuration

The management interface is the port through which the Central Management instance is managed and administered. It is also the port through which integration of the Central Management instance and managed appliances is managed. Initial settings need to be configured to set up the management interface and to allow access to the network, change the default admin password, and so on.

After the virtual Central Management appliance finishes booting for the first time, the configuration wizard starts. Answer the wizard questions as described in the following table (see also Configuration Wizard Steps on page 78).

Step: Activation code? (Virtual KVM deployments only)
Response: Enter the activation code you obtained from FireEye.

Step: Hostname?
Response: Enter the hostname for the appliance.

Step: Admin password?
Response: Enter a new administrator password. The new password must be 8–32 characters. If you do not change the password, the administrator will be unable to log in to the appliance.

Step: Confirm admin password?
Response: Re-enter the new administrator password.

Step: Enable remote access for "admin" user?
Response: Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Step: Use DHCP on ether1 interface?
Response: Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the appliance IP address and other network parameters. Enter no to manually configure your IP address and network settings. (If you enter yes, the zeroconf and static IP addressing steps are skipped.)

Step: Use zeroconf on ether1 interface?
Response: Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network mask. (If you specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary interface.

Step: Primary IP address and masklen?
Response: Enter the IP address for the management interface in A.B.C.D format followed by the network mask length (masklen), for example: 1.1.1.2/12.

Step: Default gateway?
Response: Enter the gateway IP address for the management interface.

Step: Primary DNS server?
Response: Enter the IP address of the DNS server.

Step: Domain name?
Response: Enter the domain for the management interface; for example: it.acme.com.

Step: Activation code (Some virtual appliances only)
Response: Enter the activation code you obtained from FireEye.

Step: Enable fenet service?
Response: Enter yes to enable access to the DTI network. (If you enter no, the next three steps are skipped.)

Step: Enable fenet license update service?
Response: Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product license key and the step that prompts for the security-content updates key.)

Step: Sync appliance time with fenet?
Response: Enter yes to synchronize the appliance time with the DTI server time.
If you enabled the licensing service, synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Step: Update licenses from fenet?
Response: Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before giving up and moving on to the next step.

Step: Enable NTP?
Response: Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers. Enter no to manually set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync appliance time with fenet?" or "Enable Incident Response or Compromise Assessment?" step.) If you enter no, specify the time and date in Greenwich Mean Time (GMT).

Step: Set time (<hh>:<mm>:<ss>)?
Response: Enter the appliance time. (This step and the next step are skipped if you entered yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Step: Set date (<yyyy>/<mm>/<dd>)?
Response: Enter the appliance date.

Step: Enable IPv6?
Response: Enter yes to enable the IPv6 protocol, which changes network IP routing from IPv4 to IPv6. (This step and the next two steps are skipped if you entered yes in the "Enable Incident Response or Compromise Assessment?" step. This step and the next two steps will be automatically performed if you entered yes in the "Enable FaaS VPN" step.)

Step: Enable IPv6 autoconfig (SLAAC) on ether1 interface?
Response: Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you entered no in the "Enable IPv6?" step.)

Step: Enable DHCPv6 on ether1 interface?
Response: Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the "Enable DHCP?" or "Enable IPv6?" step.)

Step: Product license key?
    Enter the product license key you obtained from FireEye, or press Enter to install a 15-day evaluation license. (This step and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and licenses were successfully installed as a result.)

Security-content updates key?
    Enter the security-content license key you obtained from FireEye, or press Enter to skip this step and install the license later.

Configure CMS HA? (Physical models and selected virtual models only)
    Enter yes to configure the Central Management appliance in a high availability (HA) environment. (For the remaining HA configuration steps, see the Central Management High Availability Guide.)

Understanding Virtual Appliance Licensing

Licenses for virtual appliances are based on a unique appliance ID. FireEye sends you two secure emails. One email contains the appliance ID, a unique activation code, and a link to download the software image for the virtual appliance. The other email contains the license keys for the virtual appliance.

The FIREEYE_APPLIANCE (product) license for a virtual appliance must be continually validated by a token server. The token server uses a time-limited token to activate the product license on the virtual appliance. The token also provides a short-term lease on the product license. The virtual appliance must continually renew this lease to keep its product license active. If the product license becomes inactive, malware detection is disabled on the appliance.

NOTE: The start and stop dates for the product license also govern whether the license remains active.

How It Works

After the virtual appliance has been activated, it connects to the token server and requests a license token for its product license.
If the DTI credentials the appliance presents are valid, the token server sends the appliance a token that allows the product license to be active for the duration of the lease. The duration of a lease is one hour, so the license token must be renewed every hour. The appliance applies for the lease renewal with enough lead time to keep the appliance functioning if an event such as a brief network outage occurs. The lead time is 15 minutes by default and can be changed with the assistance of FireEye Technical Support.

The token server grants grace periods to allow for token server failures and network outages. Initially there is no grace period. After the virtual appliance has been continually licensed for three hours, the token server grants the appliance six hours of grace time. If the current token expires and the token renewal fails, the product license remains active for up to six hours while the appliance continues to send a renewal request every minute to the token server. The grace period is extended to three days if FireEye determines that your network is down and unable to contact the DTI network. When connectivity is restored, the appliance automatically requests a new license token.

FireEye takes the following measures to guard against accidental or malicious abuse of the product license.

- Hourly validation. Authentication and authorization take place every hour, because each token request must be validated against the virtual appliance's DTI credentials.
- Duplicate detection. The token server detects duplicate virtual appliances based on the appliance ID in the activation code, the universal unique identifier (UUID) of the virtual appliance, and the last license token renewal request that was presented to the server.
  A brief period of overlap is allowed to support a legitimate migration of the virtual appliance to another ESXi server, or a database backup and restore operation.
- Time service. The token server provides a time service to prevent appliance clock manipulation.

SNMP and email event notifications warn you if the product license becomes inactive, if the token server cannot be reached, and if a duplicate virtual appliance is detected. The identity of the duplicate appliance is kept confidential for security.

Prerequisites

- Monitor, Operator, or Admin access to view licensing information

Viewing Virtual Appliance License Status Using the CLI

Use the commands in this section to view current token status and configuration information.

To view license token status:

1. Log in to the virtual appliance.
2. Enter enable CLI mode:
   hostname > enable
3. View the status:
   hostname # show licenses tokens

To view license token configuration:

1. Log in to the virtual appliance.
2. Enter enable CLI mode:
   hostname > enable
   hostname #
3. View the configuration:
   hostname # show licenses tokens configured

Examples

The following example shows license token configuration information for the vCM-04 virtual appliance.

vCM-04 # show licenses tokens configured
License token configuration:
  Query Enabled:        yes
  Query lead time:      25% (15 min)
  Query Retry interval: 1 min

The following example shows the current status of license tokens on the vCM-04 virtual appliance.
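Before that CLI output, the lease, lead-time and grace-period rules from How It Works above, modelled as an added example (not FireEye code) so the status fields in the vCM-04 output can be read against them. The class and function names are constructed, and the refill of earned grace time to 360 minutes while on a valid lease is an assumption the guide does not state.

```python
"""Model of the license token lease described under How It Works above.
Added example, not FireEye code.  It uses the figures the guide gives
(60-minute lease, 15-minute lead time, 1-minute retry, 360 minutes of
grace after 180 minutes continuously licensed).  How earned grace time is
replenished is not stated; this model refills it to 360 minutes whenever
the appliance is back on a valid lease (assumption)."""
from dataclasses import dataclass
from typing import Dict, Optional

LEASE_MIN = 60        # "The duration of a lease is one hour"
LEAD_MIN = 15         # "Query lead time: 25% (15 min)"
RETRY_MIN = 1         # "Query Retry interval: 1 min"
GRACE_EARN_MIN = 180  # continuously licensed for three hours
GRACE_MIN = 360       # "six hours of grace time"


@dataclass
class TokenServer:
    """Constructed stand-in for the DTI token server; tests toggle `reachable`."""
    reachable: bool = True
    sequence: int = 0

    def renew(self) -> Optional[int]:
        """Return the next token sequence number, or None if unreachable."""
        if not self.reachable:
            return None
        self.sequence += 1
        return self.sequence


@dataclass
class VirtualAppliance:
    server: TokenServer
    minute: int = 0                  # simulated clock, minutes since activation
    token_seq: Optional[int] = None  # sequence number of the active token
    lease_remaining: int = 0         # minutes left on the active lease
    licensed_minutes: int = 0        # continuous minutes on a valid lease
    grace_available: bool = False
    grace_remaining: int = 0
    grace_active: bool = False
    next_retry: int = 0              # earliest minute for the next request

    @property
    def token_active(self) -> bool:
        # The product license stays active on a lease or while using grace time.
        return self.lease_remaining > 0 or self.grace_active

    def request_token(self) -> bool:
        """Ask the token server for a lease; the first call is the activation."""
        seq = self.server.renew()
        if seq is None:
            self.next_retry = self.minute + RETRY_MIN
            return False
        self.token_seq = seq
        self.lease_remaining = LEASE_MIN
        return True

    def tick(self) -> None:
        """Advance the simulation by one minute."""
        self.minute += 1
        if self.lease_remaining > 0:
            self.lease_remaining -= 1
        # Renewal is requested LEAD_MIN before expiry; on failure it is retried
        # every RETRY_MIN, including while the appliance runs on grace time.
        if self.lease_remaining <= LEAD_MIN and self.minute >= self.next_retry:
            self.request_token()
        if self.lease_remaining > 0:
            self.grace_active = False
            self.licensed_minutes += 1
            if self.licensed_minutes >= GRACE_EARN_MIN:
                self.grace_available = True
                self.grace_remaining = GRACE_MIN  # refill (assumption, see above)
        elif self.grace_available and self.grace_remaining > 0:
            # Lease expired and renewal failed: still licensed, on grace time.
            self.grace_active = True
            self.grace_remaining -= 1
        else:
            # No lease and no grace left: the product license goes inactive.
            self.grace_active = False
            self.grace_available = False
            self.grace_remaining = 0
            self.licensed_minutes = 0

    def status(self) -> Dict[str, object]:
        """The same fields, in the same sense, as `show licenses tokens`."""
        return {
            "Token Active": self.token_active,
            "Lease Active": self.lease_remaining > 0,
            "Lease Time Remaining": self.lease_remaining,
            "Grace Period Active": self.grace_active,
            "Grace Period Available": self.grace_available,
            "Grace Period Remaining": self.grace_remaining,
            "Active Token": self.token_seq,
        }


def run(appliance: VirtualAppliance, minutes: int) -> Dict[str, object]:
    """Advance the appliance `minutes` and return its status afterwards."""
    for _ in range(minutes):
        appliance.tick()
    return appliance.status()
```

With the lead time, renewals happen about every 45 minutes, which matches the roughly 46-minute spacing of the token timestamps in the vCM-04 output.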
vCM-04 # show licenses tokens
Token Summary :
  Token Active   : yes
  Token Required : yes
Token Lease :
  Lease Active         : yes
  Lease Time Remaining : 12 min
Token Grace Period :
  Grace Period Active    : no
  Grace Period Available : yes
  Grace Period Remaining : 360 min
Token Server Current Time : 2016/07/25 14:49:21
Token Details :
  Next Token :
    Sequence Number : 186
    Lease Duration  : 60 min
    Timestamp       : 2016/07/25 14:47:21
  Active Token :
    Sequence Number : 185
    Lease Duration  : 60 min
    Timestamp       : 2016/07/25 14:01:21
  Previous Token :
    Sequence Number : 184
    Lease Duration  : 60 min
    Timestamp       : 2016/07/25 13:15:21

Output Fields

The following table describes the show licenses tokens configured command output fields.

Query Enabled
    Whether the virtual appliance is enabled to request license token renewals.
Query Lead time
    The percentage of the lease duration before the active lease expires at which the virtual appliance should request license token renewal. This value is 25 percent of the lease duration (15 minutes).
Query Retry interval
    How soon the license token renewal is tried again after an unsuccessful attempt. This value is one minute.

The following table describes the show licenses tokens command output fields. The output fields and values depend on the current license token status. For example, when a token has not been obtained yet, the Next Token field is (not fetched).

Token Active
    Whether the current token is active.
Token Required
    Whether a token is required to keep the product license active.
Token Lease
  Lease Active
    Whether the lease on the current token is active.
  Lease Time Remaining
    Number of minutes before the lease expires.
Token Grace Period
  Grace Period Active
    Whether the virtual appliance is currently using grace time because its license token expired.
  Grace Period Available
    Whether the appliance has available grace time to use if necessary.
  Grace Period Remaining
    The number of minutes remaining in the grace period. The maximum is 360 minutes (six hours).
Token Server Current Time
    Current date and time of the token server.
Next Token
  Sequence Number
    Number identifying the next token on the token server.
  Lease Duration
    Number of minutes the next token will last.
  Timestamp
    Date and time the next token was obtained.
Active Token
  Sequence Number
    Number identifying the license token that is currently in use.
  Lease Duration
    Number of minutes the lease on the token will last.
  Timestamp
    Date and time the current token was obtained.
Previous Token
  Sequence Number
    Number identifying the last token that was used.
  Lease Duration
    Number of minutes the lease on the token lasted.
  Timestamp
    Date and time the previous token was obtained.

Viewing System Entropy Status

Unpredictability (or randomness) plays a critical role in securing connections between entities. Entropy is the supply of randomness that the system draws on. As a rule, entities with more randomness have a more secure connection. A lack of entropy can have a negative impact on security and performance.

The Central Management appliance must have adequate entropy to generate keys for secure SSL and SSH communication. Physical appliances have a built-in source of high-quality entropy. Virtual appliances do not have a built-in source, so they continually obtain entropy information from a centralized, upstream DTI entropy server.

Prerequisites

- Monitor, Operator, or Admin access

Viewing System Entropy Status Using the CLI

Use the commands in this section to view the current status of system entropy.

To view the status of system entropy:

1. Log in to the Central Management CLI.
2.
   View the status:
   hostname > show system entropy

Example

The following example shows the status of system entropy on a virtual Central Management appliance.

vCM-03 > show system entropy
Entropy bootstrap complete:      yes
Entropy bits available:          983
Entropy refresh interval:        900
Entropy last fetch status:       success
Entropy last fetch success time: 2016/07/23 06:46:47

Output Fields

Entropy bootstrap complete
    Whether the system got sufficient initial entropy to generate keys for secure SSL and SSH communication.
Entropy bits available
    The number of random bits that are currently available for applications that need random numbers.
Entropy refresh interval
    The interval at which the virtual appliance requests entropy (every 900 seconds, or 15 minutes).
Entropy last fetch status
    The status of the last entropy request.
Entropy last fetch success time
    The date and time the last entropy request succeeded.

CHAPTER 6: License Keys

This section covers the following information:

- About FireEye License Keys below
- Automatic License Updates on page 118
- Manual License Installation on page 121
- Viewing License Notifications Using the Web UI on page 125

About FireEye License Keys

License keys are required for system operation. The CM appliance requires these license keys:

FIREEYE_APPLIANCE
    Description: Required to register your system and use the product features.
    Version:
    - Central Management
    - Central Management HA: Used in high availability deployments.

CONTENT_UPDATES
    Description: Allows your system to access the Dynamic Threat Intelligence (DTI) network, which provides the latest intelligence on advanced cyber attacks and malware callback destinations.
    This enables FireEye products to proactively recognize new threats and block attacks. You can override the one-way sharing license on your appliance to submit information to AV-Suite and the DTI cloud by using the analysis one-way-override enable command. See Overriding One-Way Sharing License below.
    Note: When using a one-way license, locally generated intel is shared across all appliances attached to the Central Management appliance.
    Version: Two license versions:
    - License type 1: The two-way sharing license provides your appliance with malware intelligence from the DTI network and shares data about malware analyzed by your appliance.
    - License type 2: The one-way sharing license provides your appliance with malware intelligence, but no information is submitted to the DTI cloud.

FIREEYE_SUPPORT
    Description: Allows your system to receive software image updates and the latest guest images.
    Version: (none)

The following licenses are optional:

NOTE: The functionality provided by optional licenses is disabled if the FIREEYE_APPLIANCE license is invalid.

MD_ACCESS
    Allows FireEye products to connect to the Managed Defense VPN. Without this license, Managed Defense cannot manage the server.
DA_HANCOM
    Allows your appliance to perform dynamic analysis of Hancom Office files.

If licenses have expired or will expire within 30 days, warnings are displayed on the Central Management License Settings page. For details, see Viewing License Notifications Using the Web UI on page 125.

Overriding One-Way Sharing License

A one-way sharing license on the appliance provides the CM appliance with malware intelligence, but no information is submitted to AV-Suite and the DTI Cloud. When you override the setting for one-way license sharing, the appliance is allowed to submit information such as an MD5 checksum to the AV-Suite and the DTI Cloud for further malware analysis.
Prerequisites

- Administrator or Operator access to the appliance
- A one-way sharing CONTENT_UPDATES license
- Verify that AV-Suite integration is enabled and that AV-Suite version 6 is configured. Use the show static-analysis config command.

Override One-Way Sharing License Using the CLI

Follow these steps to override the one-way sharing license setting and share information with AV-Suite and the DTI Cloud from the CM appliance.

To override the one-way sharing license:

1. Go to CLI configuration mode.
   hostname > enable
   hostname # configure terminal
2. Override the one-way sharing license on the appliance.
   hostname (config) # analysis one-way-override enable
3. Verify that the one-way sharing license was overridden.
   hostname (config) # show analysis one-way-override
   one_way license override :Enabled
4. Save your changes:
   hostname (config) # write memory

To return the one-way sharing license to its default setting:

1. Go to CLI configuration mode.
   hostname > enable
   hostname # configure terminal
2. Return the one-way sharing license to its default setting.
   hostname (config) # no analysis one-way-override enable
3. Verify that the one-way sharing license has returned to its default setting.
   hostname (config) # show analysis one-way-override
   one_way license override :Disabled
4. Save your changes:
   hostname (config) # write memory

Automatic License Updates

The license update feature enables a CM appliance with basic network connectivity to automatically download licenses from the DTI network and install them. This feature provides the following benefits:

- Minimal initial configuration: The license update feature is enabled with the configuration jump-start wizard during the initial system configuration. This means the feature can be fully functional after the jump-start wizard is completed.
- Simplified license management: There is no need to contact FireEye for license keys when new features are added or when licenses are renewed, because the new licenses are automatically downloaded and installed.
- Scalability: Organizations with a large number of appliances benefit from all appliances being updated automatically, instead of entering license keys manually on each appliance, one at a time.

You can enable automatic license updates on the CM appliance using the configuration wizard or the CLI.

How It Works

The license update feature, if enabled, downloads and applies licenses to which the customer is contractually entitled. If an active license for a feature is already installed and the licensing service downloads an active license for the feature, the installed license is replaced by the downloaded license only if the downloaded license offers new functionality, a later expiry date, or was part of a more recent customer order. This process is automatic; however, you can also explicitly update licenses.

The license update feature will not:

- Install a downloaded license that would cause a feature to become temporarily unlicensed.
- Remove a feature license if there is no newly ordered replacement for it.

If you experience issues with a license retrieved from an automatic update, you can use the command no fenet license update enable to disable the automatic update process, and you can use the command license install <cr> to manually install your older license key or keys.

You can synchronize the system time to the DTI server time to prevent a feature from being temporarily unlicensed due to time differences. This is a one-time synchronization, but it can be repeated.

When an appliance is managed by the Central Management appliance, the Central Management appliance acts as a proxy between the managed appliance and the licensing service.
The license update feature must still be enabled on the managed appliance. In such an integrated environment, the Central Management appliance acts as the DTI server for the managed appliances, so the licensing service uses the Central Management DTI network credentials instead of the appliance's credentials.

Enabling Automatic License Updates

This section describes two ways to enable automatic license updates on the CM appliance.

Configuration Wizard Method

The configuration wizard is typically used to initially configure a new system. The wizard steps, which include the following license activation steps, allow a customer to have a functioning system with only minimal configuration.

- Enable fenet service?
- Enable fenet license update service?
- Sync appliance time with fenet?
- Update licenses from fenet?

For details about the wizard steps, see Configuration Wizard Steps on page 78.

CLI Method

The following topic describes how to use CLI commands to enable and work with the license update feature:

- Enabling Automatic License Updates Using the CLI below

Prerequisites

- An established connection between the appliance and the Internet.
- Operator or Admin access to enable the license update feature and download and install licenses.
- DTI network access to allow the appliance to get updates directly from the DTI network.
- (Optional) Admin access to synchronize the system clock with the DTI server clock.

Enabling Automatic License Updates Using the CLI

When the license update feature is enabled, license updates are automatic. You can also explicitly update licenses.

To verify and enable automatic license updates:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2.
   Verify the license update feature status:
   hostname (config) # show fenet license
   fenet License Update Service
     Licensing service: Administratively enabled
     Last time licensing service was contacted: 2014/08/11 10:50:04
     Last time licensing service was contacted successfully: 2014/08/11 10:50:04
     Last time keys from licensing service were applied: 2014/08/07 17:50:03
3. If the license update service is disabled, enable it:
   hostname (config) # fenet license update enable
4. Save your changes:
   hostname (config) # write memory

NOTE: See Synchronizing the System Clock to DTI Server Time Using the CLI on page 192 for an option that prevents potential licensing issues if there is a time gap between the two clocks.

To explicitly update licenses:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Update licenses:
   hostname (config) # fenet license update
3. Save your changes:
   hostname (config) # write memory

To disable automatic license updates:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Disable the feature:
   hostname (config) # no fenet license update enable
3. Save your changes:
   hostname (config) # write memory

Manual License Installation

If the license update feature is not enabled, you need to install license keys manually. Licenses need to be installed when an evaluation license expires, or when a license expires or no longer meets your needs. In addition, replacement licenses need to be installed after a Return Material Authorization (RMA). You can obtain your license keys from the Assets tab in the FireEye Customer Support Portal or by sending an email that includes the MAC address of your appliance to key_request@fireeye.com.
There are two ways to manually install licenses, described in the following topics:

- Installing Licenses Using the Web UI below
- Installing Licenses Using the CLI below

Installing Licenses Using the Web UI

Use the CM License Settings page to install licenses on the Central Management appliance.

NOTE: Clicking the Enable VPN link in the Description column for an MD_ACCESS license allows you to connect the appliance to FireEye as a Service over the Internet using a secure SSL VPN connection. For details, see the FireEye as a Service Quick Start Guide.

Prerequisites

- Admin or Operator access.
- The appliance does not already have the type of license key you are installing.

To install license keys using the Web UI:

1. Click the Settings tab.
2. Click CM Licenses on the sidebar.
3. Click Add License. The Add License dialog box opens.
4. Paste the license key you obtained from FireEye in the License Key box.
5. Click Add. The page refreshes to show the license key in the table. If the key is valid, the Valid column shows a check mark and additional information is displayed about the license.

Removing Licenses Using the Web UI

Use the CMS License Settings page to remove Central Management licenses.

Prerequisites

- Admin or Operator access

To remove license keys:

1. Click the Settings tab.
2. Click CMS Licenses on the sidebar.
3. Click the icon in the Delete column in the row for the license you want to remove.
4. Click Yes in the confirmation message that appears.

Installing Licenses Using the CLI

Use the CLI commands in this topic to install licenses on the CM appliance.

Prerequisites

- Admin or Operator access

To install licenses:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2.
   Install each license:
   hostname (config) # license install <key1> <key2> <key3>

   NOTE: You can enter the license keys sequentially separated by spaces as shown above, or enter license install and then press Enter to be prompted to enter the license keys one at a time.

3. Verify the licenses:
   hostname (config) # show licenses
   License 1: LK2-FIREEYE_APPLIANCE-0000-0000-0000-0000-0000-0000-0000-0000-0000
     Feature: FIREEYE_APPLIANCE
     Description: FireEye Appliance
     Valid: yes
     Start date: 2016/11/21 (ok)
     Tied to Appl ID: 000000000000 (ok)
     Product: eMPS (ok)
     Type: PROD (ok)
     Agreement: EULA (ok)
     Active: yes
     ...
   License 2: LK2-CONTENT_UPDATES-0000-0000-0000-0000-0000-0000-0000-0000-0000
     Feature: CONTENT_UPDATES
     Description: Content updates
     Valid: yes
     Start date: 2016/11/21 (ok)
     End date: 2017/11/21 (ok)
     Tied to Appl ID: 000000000000 (ok)
     Sharing: all (ok)
     Active: yes
   License 3: LK2-FIREEYE_SUPPORT-0000-0000-0000-0000-0000-0000-0000-0000-0000
     Feature: FIREEYE_SUPPORT
     Description: FireEye Support
     Valid: yes
     Start date: 2016/11/21 (ok)
     End date: 2017/11/21 (ok)
     Tied to Appl ID: 000000000000 (ok)
     Sharing: all (ok)
     Active: yes
     ...
4. Save your changes:
   hostname (config) # write memory

Removing Licenses Using the CLI

Use the CLI commands in this topic to remove licenses.

Prerequisites

- Admin or Operator access

To remove licenses:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. List the installed licenses:
   hostname (config) # show licenses
   License 1: LK2-FIREEYE_APPLIANCE-0000-0000-0000-0000-0000-0000-0000
     Feature: FIREEYE_APPLIANCE
     Description: FireEye Appliance
     Valid: yes
     Start date: 2016/11/01 (ok)
     Tied to appl ID: 000000000000 (ok)
     Product: MPS (ok)
     Type: PROD (ok)
     Agreement: EULA (ok)
     Op Mode: inline (ok)
     Active: yes
     ...
   License 2: LK2-CONTENT_UPDATES-0000-0000-0000-0000-0000-0000-0000
     Feature: CONTENT_UPDATES
     Description: Content updates
     Valid: yes
     Start date: 2016/11/01 (ok)
     End date: 2017/11/01 (ok)
     Tied to appl ID: 000000000000 (ok)
     Sharing: all (ok)
     Active: yes
   License 3: LK2-FIREEYE_SUPPORT-0000-0000-0000-0000-0000-0000-0000
     Feature: FIREEYE_SUPPORT
     Description: FireEye Support
     Valid: yes
     Start date: 2016/11/01 (ok)
     End date: 2017/11/01 (ok)
     Tied to appl ID: 000000000000 (ok)
     Sharing: all (ok)
     Active: yes
3. Specify the license ID to remove an individual license. For example, 3 is the license ID for the Support license shown in the previous example.
   hostname (config) # license delete 3
4. Save your changes.
   hostname (config) # write memory

NOTE: The show licenses command output in this procedure shows the basic licenses installed on a Network Security appliance. The output is similar for CM appliances.

Viewing License Notifications Using the Web UI

Functionality associated with a license stops when the license expires. For example, when the FIREEYE_APPLIANCE license expires, the appliance blocks access to all pages except the CMS License Settings page, and CLI commands (except those that install licenses) are disabled or their execution fails. For example, the report generate command will not create a report. To prevent a gap in functionality, the CMS License Settings page displays notifications about expired licenses and licenses that will expire within 30 days.

NOTE: See Automatic License Updates on page 118 for information about enabling the appliance to automatically download licenses from the DTI network when it is time to renew them.
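The same expiry check, run from the CLI side, as an added example (not FireEye code) that parses the `show licenses` output layout used in this chapter and flags what the License Settings page would warn about. The sample output is constructed with the guide's all-zero placeholder keys, the function names are constructed, and a license with no End date line is assumed to be not time-limited.

```python
"""Parse `show licenses` output and flag the conditions the CMS License
Settings page warns about: expired licenses and licenses that expire within
30 days.  Added example, not FireEye code.  It assumes the key/value layout
of the `show licenses` output shown in this chapter; the sample below is
constructed with the guide's all-zero placeholder keys.  A license with no
End date line (as FIREEYE_APPLIANCE above) is treated as not time-limited
(assumption).  Function names are constructed for the example."""
import re
from datetime import date
from typing import Dict, List, Optional, Tuple

LICENSE_HDR = re.compile(r"^License (\d+): (\S+)$")
# "Name: value (ok)" -> name, value; the trailing "(ok)" check marker is dropped
FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.*?)\s*(?:\([^)]*\))?$")

# Constructed sample in the layout of the show licenses output above.
SAMPLE_OUTPUT = """\
License 1: LK2-FIREEYE_APPLIANCE-0000-0000-0000-0000-0000-0000-0000
  Feature: FIREEYE_APPLIANCE
  Description: FireEye Appliance
  Valid: yes
  Start date: 2016/11/01 (ok)
  Tied to appl ID: 000000000000 (ok)
  Product: MPS (ok)
  Type: PROD (ok)
  Agreement: EULA (ok)
  Active: yes
  ...
License 2: LK2-CONTENT_UPDATES-0000-0000-0000-0000-0000-0000-0000
  Feature: CONTENT_UPDATES
  Description: Content updates
  Valid: yes
  Start date: 2016/11/01 (ok)
  End date: 2017/11/21 (ok)
  Tied to appl ID: 000000000000 (ok)
  Sharing: all (ok)
  Active: yes
License 3: LK2-FIREEYE_SUPPORT-0000-0000-0000-0000-0000-0000-0000
  Feature: FIREEYE_SUPPORT
  Description: FireEye Support
  Valid: yes
  Start date: 2016/11/01 (ok)
  End date: 2017/11/01 (ok)
  Tied to appl ID: 000000000000 (ok)
  Sharing: all (ok)
  Active: no
"""


def parse_show_licenses(text: str) -> List[Dict[str, str]]:
    """Return one dict per 'License N:' block, keyed by field name."""
    licenses: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        hdr = LICENSE_HDR.match(line)
        if hdr:
            current = {"id": hdr.group(1), "key": hdr.group(2)}
            licenses.append(current)
            continue
        fld = FIELD.match(line)
        if current is not None and fld:
            current[fld.group(1)] = fld.group(2)
    return licenses


def parse_date(value: Optional[str]) -> Optional[date]:
    """Dates in the output use the yyyy/mm/dd form shown above."""
    if not value:
        return None
    year, month, day = (int(part) for part in value.split("/"))
    return date(year, month, day)


def license_warnings(licenses: List[Dict[str, str]], today: date,
                     warn_days: int = 30) -> List[Tuple[str, str]]:
    """(feature, message) pairs for licenses that need attention on `today`."""
    warnings: List[Tuple[str, str]] = []
    for lic in licenses:
        feature = lic.get("Feature", lic["key"])
        if lic.get("Valid", "").lower() != "yes":
            warnings.append((feature, "license key is not valid"))
            continue
        end = parse_date(lic.get("End date"))
        if end is None:
            continue  # no End date shown: treated as not time-limited
        days_left = (end - today).days
        if days_left < 0:
            warnings.append((feature, f"expired on {end:%Y/%m/%d}"))
        elif days_left <= warn_days:
            warnings.append((feature, f"expires in {days_left} days ({end:%Y/%m/%d})"))
        if lic.get("Active", "").lower() != "yes" and days_left >= 0:
            warnings.append((feature, "valid but not active"))
    return warnings
```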
CHAPTER 7: The DTI Network

This section covers the following information:

- About the DTI Network below
- About DTI Network Communication on page 130
- Changing the Active Setting for a DTI Service on page 131
- Using an HTTP Proxy for DTI Service Requests on page 136
- Understanding the DTI Cache on page 137
- Validating DTI Access on page 149
- Configuring DTI Credentials on page 152
- Automatic Validation of Security Content on page 153
- Sharing Anonymized Data on page 155

About the DTI Network

The FireEye Dynamic Threat Intelligence (DTI) network (cloud) provides subscriber platforms with the latest intelligence on advanced cyber attacks and malware callback destinations. This enables FireEye products to proactively recognize new threats and block attacks. The DTI cloud is also used to enable automatic software updates. Finally, a connection to the DTI cloud is required to use the license update feature.

Threat Intelligence

The FireEye DTI cloud interconnects FireEye platforms deployed within customer networks, technology partner networks, and service provider networks around the world. The FireEye DTI cloud serves as a global distribution hub to efficiently share automatically generated threat intelligence such as new malware profiles, vulnerability exploits, and obfuscation tactics, as well as new threat findings from the FireEye APT Discovery Center and verified third-party security feeds. By leveraging the FireEye DTI cloud, the FireEye Threat Prevention Platform is more efficient at detecting unknown zero-day, highly targeted attacks used in cybercrime, cyber espionage, and cyber reconnaissance as well as known malware.
NOTE: A subscription to the FireEye DTI cloud service is required before you can use the features described in this section.

When the DTI cloud receives threat intelligence from customers and partners from around the world, this information is analyzed and distributed to all customers with a DTI cloud subscription. The information includes:

- New malware profiles
- Vulnerability exploits
- Obfuscation tactics
- New threat findings from FireEye Labs and verified third-party security feeds

Each customer controls what information is shared with and received from the DTI cloud.

Automatic License Updates

The license update feature enables appliances to automatically download the appropriate licenses from the DTI cloud and install them. This feature provides the following benefits:

- Minimal initial configuration: The license update feature is enabled with the configuration jump-start wizard during the initial configuration. This means the feature can be fully functional after the jump-start wizard is completed.
- Simplified license management: There is never a need to contact FireEye for license keys when new features are added or when licenses are renewed, because new licenses are automatically downloaded and installed.
- Scalability: Organizations with a large number of appliances benefit from having all of them updated automatically, instead of entering license keys manually on each appliance, one at a time.

For more information on automatic license activation, see Automatic License Updates on page 118.

System Health Monitoring and Software Updates

When connected to the DTI cloud, the CM appliance regularly provides system and diagnostic information to the DTI cloud. This information is then analyzed to ensure that the appliance is operating as expected.
The system and diagnostics checks include the following:

- System Image Version
- System Processes
- Hardware State
- Network State

If problems are found, the customer is alerted. If a new system image is available, administrators can choose to download it and then update the appliance.

NOTE: No customer-specific proprietary information is included in this system and diagnostic information exchange.

About DTI Network Communication

To communicate with the DTI network, the CM appliance needs the following information:

- DTI server address
- DTI network username
- DTI network user password

This information is pre-configured on new physical appliances and on virtual appliances. For older appliances, the information was supplied in the box containing your appliance or otherwise provided by FireEye. Communication with the DTI network is enabled during the initial appliance configuration if default values are accepted, as described in Initial Configuration Overview on page 74.

The appliance sends requests to the DTI network for the services shown in the following table.

Download source
    The source for software updates (system images, guest images, and security content).
Upload destination
    The destination for anonymized data (system statistics).
MIL
    The destination for Malware Intelligence Lab (MIL) malware detection and callback intelligence.
FAUDE
    The destination for Advanced URL Detection Engine (FAUDE) malware detection and callback intelligence.
AV-Suite
    The destination to store verdicts for both malicious (blacklist) and non-malicious (whitelist) objects in the AV-Suite cloud-based detection service.
Enrollment
    The Central Management appliance that manages the MVX cluster to which sensors and hybrid appliances send submissions for inspection and analysis. This service is used by appliances that submit to or are part of an MVX cluster.
Helix
    The destination for health statistics from Helix-enabled appliances.
Virtual
    The destination for virtual appliance services, such as license token renewals and system entropy information. This service is used by virtual appliances.

Changing the Active Setting for a DTI Service

Appliances send requests for DTI services to the following servers:

- Dynamic Threat Intelligence (DTI): The FireEye DTI server. The DTI server addresses follow:
  - staticcloud.fireeye.com (Download source and Virtual service)
  - up-staticcloud.fireeye.com (Upload destination)
  - mil-staticcloud.fireeye.com (MIL service)
  - unity.fireeye.com (FAUDE and AV-Suite services)
  - Helix full URL (Helix service)
- Content Delivery Network (CDN): A content delivery network server. The server address is cloud.fireeye.com or download.fireeye.com.
- The Central Management appliance (CMS): Available only to managed appliances. The address is the Central Management address.
- A custom DTI server, if configured: A custom DTI server is used only for managed appliances in a Network Address Translation (NAT) deployment in which the appliance uses the non-default dual-port address type to communicate with the Central Management appliance, and an accessible address needs to be configured for the Central Management appliance. The address is the accessible Central Management address. For details, see the System Administration Guide or Administration Guide for the managed appliance.

Each appliance has an active setting and available options for each DTI service. By default, CMS is the active setting for all DTI services on managed appliances. This is the default global setting, which means all appliances that are managed by the Central Management appliance use this setting. You can change the global setting on the Central Management appliance, and you can override the global setting for individual managed appliances.
You can also change the active download source setting for standalone appliances and the Central Management appliance. Reasons for changing the active setting for a DTI service include: l Faster download speed. A CDN server is typically geographically closer to standalone appliances than the FireEye DTI server. The DTI or CDN server could be closer to managed appliances than the Central Management appliance. © 2019 FireEye 131 Central Management Administration Guide l l l l CHAPTER 7: The DTI Network Decentralization —You can limit the amount of traffic passing through the Central Management appliance when requests for one or more DTI services go directly to the DTI network. Security. Your security policies could require you to download the software updates directly from the FireEye DTI server. HTTP proxy. You can use an HTTP proxy as an intermediary between an appliance and the DTI network. In this scenario, managed appliances using the single-port address type must use DTI. Managed appliances using the dual-port address type can use either CMS or DTI. For details, see Using an HTTP Proxy for DTI Service Requests on page 136. Network address translation. When the Central Management appliance is behind a NAT gateway, an accessible IP address that the managed appliances can reach could need to be configured as a custom DTI source. For details, see the System Administration Guide or Administration Guide for the managed appliance. Prerequisites l Admin access. l Appliances are in "online" mode and connected to the DTI network. Changing the Active Source for a Central Management Appliance Using the Web UI Use the DTI Network Settings page to change the active DTI source setting for a Central Management appliance. To change the active source setting: 1. Select Settings > CM Settings. 2. Click DTI Network in the sidebar. 132 © 2019 FireEye Release 8.7 Changing the Active Setting for a DTI Service 3. 
In the Source list in the CM Local DTI Settings section, select the DTI the Central Management appliance will use for software updates. 4. Click Save Local DTI Settings. Changing the Active Source for a Central Management Appliance Using the CLI Use the commands in this section to change the active DTI source for a Central Management appliance. To change the active source setting: 1. Log into the standalone appliance. 2. Go to CLI configuration mode: hostname > enable hostname # configure terminal 3. View the current active and available DTI sources: hostname (config) # show fenet dti configuration 4. Change the active download source: hostname (config) # fenet dti source default {CDN | DTI} 5. Verify your change: hostname (config) # show fenet dti configuration 6. Save your change: hostname (config) # write memory Example In this example, the active download source on a Central Management appliance is changed from DTI to CDN. hostname (config) # show fenet dti configuration DTI CLIENT CONFIGURATIONS: ACTIVE SETTINGS: Mode Download source ... : : online DTI (DTIUser@staticcloud.fireeye.com) AVAILABLE OPTIONS: -------------------------------------------------------------Download User Address -------------------------------------------------------------CDN DTIUser cloud.fireeye.com DTI DTIUser staticcloud.fireeye.com ... -------------------------------------------------------------- © 2019 FireEye 133 Central Management Administration Guide CHAPTER 7: The DTI Network hostname (config) # fenet dti source default CDN hostname (config) # show fenet dti configuration DTI CLIENT CONFIGURATIONS: ACTIVE SETTINGS: Mode Download source ... : : online CDN (DTIUser@cloud.fireeye.com) Changing the Global Active Source for Managed Appliances Using the Web UI Use the DTI Network Settings page to change the DTI source from which the appliances managed by a Central Management appliance download software updates. To change the global source setting: 1. Select Settings > CM Settings. 
2. Click DTI Network in the sidebar. 3. In the Source list in the Appliance DTI Settings section, select the DTI source from which managed appliances download software updates. 4. Click Save Appliance DTI Settings. Changing Global Active DTI Settings for Managed Appliances Using the CLI Use the commands in this section to change global active DTI settings for the appliances that are managed by a Central Management appliance. To change global active DTI settings: 1. Go to CLI configuration mode: hostname > enable hostname # configure terminal 134 © 2019 FireEye Release 8.7 Changing the Active Setting for a DTI Service 2. View the current active and available DTI sources. hostname (config) # show fenet dti configuration 3. To change the active global source setting: a. Specify the active setting: hostname (config) # fenet dti source managed {DTI | CDN | CMS} b. Apply the setting to all managed appliances: hostname (config) # fenet dti source managed-sync 4. To change the active global upload destination setting: a. Specify the active setting: hostname (config) # fenet dti upload destination managed {DTI | CMS} b. Apply the setting to all managed appliances: hostname (config) # fenet dti upload destination managed-sync 5. To change the active global setting for the mil, faude, avsuite, helix, or virtual service: a. Specify the active setting: hostname (config) # fenet dti <service> service managed {DTI | CMS} b. Apply the setting to all managed appliances: hostname (config) # fenet dti <service> service managed-sync 6. Verify your changes: hostname (config) # show fenet dti configuration 7. Save your changes: hostname (config) # write memory Examples In this example, the active setting for the download source is changed to DTI for the appliances that are managed by this Central Management appliance. hostname (config) # show fenet dti configuration DTI CLIENT CONFIGURATIONS: ACTIVE SETTINGS: Mode : Download source : Upload destination : ... 
online CDN (DTIUser@cloud.fireeye.com) DTI (DTIUser@up-staticcloud.fireeye.com) ACTIVE SETTINGS FOR MANAGED APPLIANCES: Download source : CMS Upload destination : CMS ... AVAILABLE OPTIONS: © 2019 FireEye 135 Central Management Administration Guide CHAPTER 7: The DTI Network -------------------------------------------------------------Download User Address -------------------------------------------------------------CDN DTIUser cloud.fireeye.com CMS DTIUser 10.2.3.4 DTI DTIUser staticcloud.fireeye.com -------------------------------------------------------------... hostname (config) # fenet dti source managed DTI hostname (config) # fenet dti source managed-sync hostname (config) # show fenet dti configuration DTI CLIENT CONFIGURATIONS: ACTIVE SETTINGS: Mode : Download source : Upload destination : ... online CDN (DTIUser@cloud.fireeye.com) DTI (DTIUser@up-staticcloud.fireeye.com) ACTIVE SETTINGS FOR MANAGED APPLIANCES: Download source : DTI Upload destination : CMS ... Using an HTTP Proxy for DTI Service Requests An HTTP proxy server can act as an intermediary between an appliance and the DTI network. The following table describes the default behavior, and the behavior after an HTTP proxy is configured on the appliance and enabled for DTI service requests. Appliance Standalone Appliance Default Behavior The appliance connects directly to the DTI network. Central The Central Management Management Appliance appliance connects directly to the DTI network. 136 HTTP Proxy Behavior The appliance connects to the DTI network through the HTTP proxy. The Central Management appliance connects to the DTI network through the HTTP proxy. © 2019 FireEye Release 8.7 Understanding the DTI Cache Appliance Managed Appliance Default Behavior The appliance communicates with the DTI network through the Central Management appliance. 
HTTP Proxy Behavior Single-port communication with the Central Management appliance (the default, in which both management and DTI network traffic use SSH port 22)—The appliance connects to the DTI network through the HTTP proxy. Dual-port communication with the Central Management appliance (in which management traffic uses SSH port 22 and DTI network traffic uses HTTP port 443)—The appliance either connects directly to the DTI network through the HTTP proxy, or through the managing Central Management appliance to the HTTP proxy. IMPORTANT: If an HTTP proxy server is configured and enabled on a managed appliance that uses single-port communication with the Central Management appliance, the managed appliance will automatically fail over to the proxy server for all DTI services if the Central Management appliance becomes unavailable. For information about configuring an HTTP proxy server on the Central Management appliance, see Configuring HTTP Proxy Server Settings on page 207. For information about configuring managed appliances to use an HTTP proxy server for DTI services, see the System Administration Guide or Administration Guide for the managed appliance. Understanding the DTI Cache When the Central Management appliance is the default DTI source for managed appliances, it downloads software updates from the DTI network on behalf of the appliances. The software updates are temporarily stored in a DTI cache on the Central Management appliance. When the Central Management appliance receives an update request from a managed appliance or makes an update request on behalf of the appliance, the Central Management appliance first determines whether the requested software is already in the cache and whether it is the latest version. If the requested software is not in the cache, or if the software is out-of-date, the Central Management appliance downloads the latest software from the DTI network. 
After the software is in the cache, it is available to update the appliances, as described in Updating Managed Appliances on page 499. You can explicitly download system images and guest images from the DTI network and store them in the cache, even if no appliance requested it. This saves bandwidth and shortens the maintenance window for appliance updates. It also allows you to be more © 2019 FireEye 137 Central Management Administration Guide CHAPTER 7: The DTI Network flexible about scheduling appliance updates, because the software is already downloaded and ready to push to the appliances. This can be especially useful for guest images, which can take hours to download. For details, see Downloading Software Updates to the DTI Cache on the facing page. To save space on the hard disk, the Central Management appliance continuously removes out-of-date security content, and removes out-of-date system images and guest images as they are replaced. You can also manually remove security content, guest images, and system images from the cache. The Central Management appliance provides the following information about the cache contents. l Size. The size of the guest image, system image, or security content, in bytes. l Type. The type of content: l SysImage—Appliance system image. l GI—Guest image. l l l l l GI-Delta—A file containing the changes between a particular version of the guest images and the latest version. GI-Metadata—A list of the names and versions of the guest images that are available for the managed appliances. SC-Full—Security content (stored for three hours). SC-Delta—A file containing the changes between a particular version of the security content and the latest version. Security content is updated every hour (by default), and stale files are automatically removed from the cache. State. Fresh or Stale. 
If a system image or guest image has been in the cache longer than 90 days, or if security content has been in the cache longer than three hours for SC-Full or one hour for SC-Delta, it is marked stale. Otherwise, it is marked fresh. NOTE: If a system image or guest image is the latest available version, but is older than 90 days, it is still marked stale. l l l l 138 File. The name of the system image, guest image, delta, metadata, or security content file. For example, image-emps_7.7.0.img, win7-sp1.15.0826.img, sc-stable_ 114.150.img. Last Modification Time. The date and time the file finished downloading from the DTI network to the cache. Max-Age. The amount of time the content is in the cache before it is marked stale. System images and guest images become stale after 7776000 seconds (90 days). Security content becomes stale after 10800 seconds (3 hours). Etag. An internal identifier. © 2019 FireEye Release 8.7 l Understanding the DTI Cache Active Download ID. An internal identifier that is displayed when you view the status of the download. For details about viewing the cache contents, removing software from the cache and other cache management tasks, see Viewing the Cache Configuration on page 146. NOTE: This information pertains to a Central Management appliance running in online mode, in which the cache is always running. The cache is disabled on a Central Management appliance running in offline mode. For information about how the Central Management appliance handles software updates for managed appliances when it is in offline mode, see the DTI Offline Portal User's Guide. NOTE: The cache is disabled for cloud Central Management models CM 2500V and CM 4500V. Appliances managed by these models download software updates directly from the DTI network. Downloading Software Updates to the DTI Cache The following sections describe how to download software updates to the DTI cache in advance, before an appliance requests them. 
• Downloading System Images to the DTI Cache Using the CLI on the next page
• Downloading Guest Images to the DTI Cache Using the CLI on page 142

Cached guest images that were downloaded on behalf of a particular appliance type can potentially be used for other appliances. Consider the following examples.

• A Central Management administrator initiates a download of guest images for a managed Network Security 7.9.0 appliance. The latest guest images in the DTI network are version 3. The system checks which guest images version is installed on the Network Security appliance, and determines it is version 2. The DTI network has a delta file containing the changes between guest images version 2 and 3, so only the delta file is downloaded to the Central Management cache.
• A managed Email Security — Server Edition appliance (EX-01) running release 7.8.0 requests a guest images update. Guest images version 2 is installed on the Email Security — Server Edition appliance, so the delta file in the cache can be used to update the appliance. Nothing needs to be downloaded from the DTI network in this case.
• A managed Email Security — Server Edition appliance (EX-02) running release 7.7.0 requests a guest images update. Guest images version 1 is installed on the appliance. The delta file in the cache does not contain the differences between version 1 and 2 of the guest images, so a full update is needed. The complete guest images version 3 is not in the cache, so the Central Management appliance must download it from the DTI network before it can update the EX-02 appliance.

NOTE: You cannot manually download security content to the DTI cache. Security content is updated frequently, so there is no benefit to downloading it before a maintenance window. The newest security content is automatically downloaded to the cache when the new security content is released.
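The three scenarios above follow one rule: a cached delta is reusable only by an appliance whose installed version is the delta's base; otherwise a full image set is needed, from the cache if it is there and from the DTI network if it is not. The following Python model of that decision is an added example, not FireEye code. The version numbers and the set of delta bases the DTI network publishes are constructed to match the narrative, the appliance name EX-03 is a constructed follow-up request, and the order of preference (cached delta, then a delta fetched from DTI, then a cached full image, then a full image fetched) is an assumption where the text does not fix it.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed to match the scenarios in the guide: the DTI network holds
# guest-images version 3 and publishes a delta only from version 2 to 3.
LATEST_VERSION = 3
DTI_DELTA_BASES = {2}


@dataclass(frozen=True)
class CacheEntry:
    kind: str                   # "GI" (full image set) or "GI-Delta"
    version: int                # version the entry brings the appliance to
    base: Optional[int] = None  # GI-Delta only: installed version it applies to


@dataclass
class DtiCache:
    """Central Management DTI cache, reduced to the entries that matter here."""
    entries: Set[CacheEntry] = field(default_factory=set)

    def has_delta(self, base: int, target: int) -> bool:
        return CacheEntry("GI-Delta", target, base) in self.entries

    def has_full(self, version: int) -> bool:
        return CacheEntry("GI", version) in self.entries


def plan_guest_image_update(cache: DtiCache, installed: int,
                            latest: int = LATEST_VERSION,
                            dti_delta_bases=DTI_DELTA_BASES):
    """Decide how one appliance at `installed` is brought to `latest`.

    Returns (mechanism, downloaded_entry); downloaded_entry is None when the
    request is served entirely from the cache. Anything fetched from the DTI
    network is kept in the cache for later requests, as the guide describes.
    """
    if installed == latest:
        return "up-to-date", None
    if cache.has_delta(installed, latest):
        return "cached-delta", None
    if installed in dti_delta_bases:
        entry = CacheEntry("GI-Delta", latest, installed)
        cache.entries.add(entry)
        return "downloaded-delta", entry
    if cache.has_full(latest):
        return "cached-full", None
    entry = CacheEntry("GI", latest)
    cache.entries.add(entry)
    return "downloaded-full", entry


def walk_through():
    """Replay the guide's three scenarios plus one constructed follow-up."""
    cache = DtiCache()
    results = {}
    results["NX-01"] = plan_guest_image_update(cache, installed=2)  # admin-initiated download
    results["EX-01"] = plan_guest_image_update(cache, installed=2)  # served from the cached delta
    results["EX-02"] = plan_guest_image_update(cache, installed=1)  # needs the full image set
    results["EX-03"] = plan_guest_image_update(cache, installed=1)  # constructed: now served from cache
    return results


if __name__ == "__main__":
    for name, (mechanism, entry) in walk_through().items():
        print(f"{name}: {mechanism}" + (f" ({entry})" if entry else ""))
```

The fourth request shows the point the guide makes about reuse across appliance types: once EX-02 forced the full version 3 image set into the cache, any later appliance at version 1 is served without another download.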
NOTE: You can schedule the DTI cache storage operations using the job CLI commands. For details, see the CLI Command Reference.

Prerequisites

• Operator or Admin access
• The type of appliance for which you will download content is connected to the Central Management appliance.
• Minimum appliance release for downloading system images: Network Security 7.5.0, Email Security — Server Edition 7.6.0, Malware Analysis 7.7.0, File Security 7.7.0, and Endpoint Security 3.0.0.
• Minimum appliance release for downloading guest images: Network Security 7.7.0

Downloading System Images to the DTI Cache Using the CLI

Use the commands in this section to download system images from the DTI network and store them in the cache on the Central Management appliance. You can download the latest system image for all managed appliances or for a specific type of managed appliance. You can also download a specific version of a system image.

NOTE: You can perform only one download operation at a time.

To download the latest system image for all appliances:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Download the system image:
   hostname (config) # fenet dti cache populate image product all
3. Confirm that the operation succeeded:
   hostname (config) # show fenet dti cache populate images status

To download the latest system image for a specific appliance type:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Download the system image:
   hostname (config) # fenet dti cache populate image product <product>
   where <product> is the product identifier, such as wMPS. Use the fenet dti cache populate image product ? command to see a list of the product identifiers.
3. Confirm that the operation succeeded:
   hostname (config) # show fenet dti cache populate images status

To download a specific version of a system image:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Download the system image:
   hostname (config) # fenet dti cache populate image product <product> version <version>
   where:
   • <product> is the product identifier, such as wMPS. Use the fenet dti cache populate image product ? command to see a list of the product identifiers.
   • <version> is the product version. Use the fenet dti cache populate image product <product> version ? command to see a list of the available versions.
3. Confirm that the operation succeeded:
   hostname (config) # show fenet dti cache populate images status

Examples

The following example downloads the latest system image for the Network Security appliance.

hostname (config) # fenet dti cache populate image product wMPS
Operation started in the background.
Run 'show fenet dti cache populate images status' to check on status.

hostname (config) # show fenet dti cache populate images status
Active Download ID: v54n
Start Time:         2015/10/08 00:57:36.139
Elapsed Time:       12 sec
==============================================================
Download Tasks
==============================================================
Downloading the 7.7.0 image for wMPS
    Progress: 59.00 %
    Status: running

hostname (config) # show fenet dti cache populate images status
Active Download ID: v54n
Start Time:         2015/10/08 00:57:36.139
Elapsed Time:       20 sec
==============================================================
Download Tasks
==============================================================
Downloading the 7.7.0 image for wMPS
    Progress: 100 %
    Status: success

The following example downloads the Email Security — Server Edition 7.6.1 system image.

hostname (config) # fenet dti cache populate image product eMPS 7.6.1
Operation started in the background.
Run 'show fenet dti cache populate images status' to check on status.

hostname (config) # show fenet dti cache populate images status
Active Download ID: pzz2
Start Time:         2015/10/07 14:37:51.220
End Time:           2015/10/07 14:38:02.520
Elapsed Time:       11 sec
==============================================================
Download Tasks
==============================================================
Downloading the 7.6.1 image for eMPS
    Progress: 100.00 %
    Status: success

Downloading Guest Images to the DTI Cache Using the CLI

Use the commands in this section to download guest images from the DTI network and store them in the cache on the Central Management appliance. You can download guest images for all managed appliances, or guest images for a specific appliance.

NOTE: You can perform only one guest images download operation at a time.

To download guest images for all managed appliances:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Download the guest images:
   hostname (config) # fenet dti cache populate guest-images all
3. Confirm that the operation succeeded:
   hostname (config) # show fenet dti cache populate guest-images status

To download guest images for a specific appliance:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Download the guest images:
   hostname (config) # fenet dti cache populate guest-images appliance <applianceName>
   where <applianceName> is the hostname of the appliance. Use the fenet dti cache populate guest-images appliance ? command to list the hostnames.
3. Confirm that the operation succeeded:
   hostname (config) # show fenet dti cache populate guest-images status

Examples

The following example downloads guest images for the NX-01 appliance and shows the download progress.

hostname (config) # fenet dti cache populate guest-images appliance NX-01
Operation started in the background.
Run 'show fenet dti cache populate guest-images status' to check on status.

hostname (config) # show fenet dti cache populate guest-images status
Active Download ID: grgf
Start Time:         2015/10/07 20:24:17.701
Elapsed Time:       13 sec
============================================================================
Download Tasks
============================================================================
Downloading Guest-Image Profile (Full-Image) winxp-sp3 for NX-01
    Progress: 4.97%
    Status: running
Downloading Guest-Image Profile (Full-Image) win7-sp1 for NX-01
    Progress:
    Status: not started
Downloading Guest-Image Profile (Full-Image) win7x64-sp1 for NX-01
    Progress:
    Status: not started

hostname (config) # show fenet dti cache populate guest-images status
Active Download ID: grgf
Start Time:         2015/10/07 20:24:17.701
Elapsed Time:       218 sec
===========================================================================
Download Tasks
===========================================================================
Downloading Guest-Image Profile (Full-Image) winxp-sp3 for NX-01
    Progress: 100.00%
    Status: success
Downloading Guest-Image Profile (Full-Image) win7-sp1 for NX-01
    Progress: 14.62%
    Status: running
Downloading Guest-Image Profile (Full-Image) win7x64-sp1 for NX-01
    Progress:
    Status: not started

Managing the DTI Cache

DTI cache management tasks include:

• Viewing detailed information about the contents of the cache. For details, see Viewing the DTI Cache Using the CLI below.
• Viewing the cache configuration. For details, see Viewing the Cache Configuration on page 146.
• Manually removing images, if needed. For details, see Removing Images from the Cache on page 147.
• Disabling the automatic removal of stale security content. For details, see Disabling Automatic Removal of Stale Security Content on page 148.

Prerequisites

• Operator or Admin access

Viewing the DTI Cache Using the CLI

Use the commands in this section to view the contents of the DTI cache. You can view a basic list of the files in the cache, or include details such as the state, age, and version of the files.

To list the cache contents:

1. Go to CLI enable mode:
   hostname > enable
2. View the cache contents:
   hostname # show fenet dti proxy cached-content

To view the state of each file in the cache:

1. Go to CLI enable mode:
   hostname > enable
2. View the cache contents and state information:
   hostname # show fenet dti proxy cached-content show-stale

To view age details for each file in the cache:

1. Go to CLI enable mode:
   hostname > enable
2. View the cache contents and age details:
   hostname # show fenet dti proxy cached-content freshness-info

To view the version of each file in the cache:

1. Go to CLI enable mode:
   hostname > enable
2. View the cache contents and file versions:
   hostname # show fenet dti proxy cached-content version

Examples

The following example shows the cache contents.

hostname # show fenet dti proxy cached-content
Size          Type      File
=================================================
931798        SC-Full   sc-stable_114.150.img
294514420     SC-Full   sc-stable_409.198.img
12357897831   GI        win7-sp1.15.0826.img
931626        SC-Full   sc-stable_114.149.img
6314243531    GI        winxp-sp3.15.0826.img
586688050     SysImage  image-hx_3.0.0.img
294476781     SC-Full   sc-stable_409.194.img
602473341     SysImage  image-fmps_7.7.0.img
12783320704   GI        win7x64-sp1.15.0826.img
627703972     SysImage  image-emps_7.7.0.img

The following example includes state information.

hostname # show fenet dti proxy cached-content show-stale
Size          Type      State   File
==========================================================
931798        SC-Full   Fresh   sc-stable_114.150.img
294514420     SC-Full   Fresh   sc-stable_409.198.img
12357897831   GI        Fresh   win7-sp1.15.0826.img
931626        SC-Full   Fresh   sc-stable_114.149.img
294156637     SC-Full   Stale   sc-stable_409.186.img
6314243531    GI        Fresh   winxp-sp3.15.0826.img
586688050     SysImage  Fresh   image-hx_3.0.0.img
294415556     SC-Full   Stale   sc-stable_409.190.img
294476781     SC-Full   Fresh   sc-stable_409.194.img
602473341     SysImage  Fresh   image-fmps_7.7.0.img
12783320704   GI        Fresh   win7x64-sp1.15.0826.img
627703972     SysImage  Fresh   image-emps_7.7.0.img

The following example includes age information. (The values in the Etag and File columns shown in this example have been shortened.)

hostname # show fenet dti proxy cached-content freshness-info
Size          Type      Etag    Last Modification Time    Max-Age   State   File
=============================================================================
93179         SC-Full   "6xxx"  Wed Oct 7 21:53:15 2015   10800     Fresh   sc-xxx.img
29451442      SC-Full   "6xxx"  Wed Oct 7 22:22:28 2015   10800     Fresh   sc-xxx.img
12357897831   GI        "4xxx"  Wed Oct 7 20:31:20 2015   7776000   Fresh   win7xx.img
931626        SC-Full   "6xxx"  Wed Oct 7 20:57:15 2015   10800     Fresh   sc-xxx.img
6314243531    GI        "4xxx"  Wed Oct 7 20:27:22 2015   7776000   Fresh   winxp.img
586688050     SysImage  "6xxx"  Wed Oct 7 20:27:55 2015   7776000   Fresh   image-n.img
294476781     SC-Full   "6xxx"  Wed Oct 7 20:22:20 2015   10800     Fresh   sc-xxx.img
602473341     SysImage  "6xxx"  Wed Oct 7 20:24:25 2015   7760000   Fresh   image-n.img
12783320704   GI        "4xxx"  Wed Oct 7 20:34:52 2015   7776000   Fresh   win7xx.img
627703972     SysImage  "6xxx"  Wed Oct 7 20:21:02 2015   7776000   Fresh   image-n.img
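The State column in the freshness listing is derived, not stored: a file is Stale once the time since its Last Modification Time exceeds its Max-Age (7776000 seconds for system and guest images, 10800 for SC-Full, 3600 for SC-Delta, as described under Understanding the DTI Cache). The following Python parser is an added example, not FireEye code. It reads a constructed listing laid out like the `show fenet dti proxy cached-content freshness-info` output, recomputes each file's state at a chosen reference time, flags rows whose listed State or Max-Age disagrees with the documented values, and reports the stale security content that automatic removal would purge. The sample rows, the reference time and the SC-Delta file name are constructed; one row deliberately carries the odd Max-Age of 7760000 that appears in the guide's own example.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Max-Age the guide documents for each content type, in seconds.
MAX_AGE_SECONDS = {"SysImage": 7776000, "GI": 7776000,
                   "SC-Full": 10800, "SC-Delta": 3600}

# Constructed listing in the layout of
# `show fenet dti proxy cached-content freshness-info` (ETags shortened).
SAMPLE_OUTPUT = """\
Size          Type      Etag    Last Modification Time    Max-Age   State   File
=============================================================================
931626        SC-Full   "6xxx"  Wed Oct  7 20:57:15 2015   10800     Fresh   sc-stable_114.149.img
294514420     SC-Full   "6xxx"  Wed Oct  7 22:22:28 2015   10800     Fresh   sc-stable_409.198.img
93179         SC-Full   "6xxx"  Wed Oct  7 18:05:00 2015   10800     Fresh   sc-stable_114.150.img
602473341     SysImage  "6xxx"  Wed Oct  7 20:24:25 2015   7760000   Fresh   image-fmps_7.7.0.img
1024          SC-Delta  "7xxx"  Wed Oct  7 20:10:00 2015   3600      Stale   sc-delta_409.190.img
6314243531    GI        "4xxx"  Wed Oct  7 20:27:22 2015   7776000   Fresh   winxp-sp3.15.0826.img
"""

# Point in time at which the listing is evaluated (constructed).
REFERENCE_NOW = datetime(2015, 10, 7, 22, 30, 0)

# One data row: size, type, quoted etag, ctime-style timestamp, max-age, state, file.
ROW_RE = re.compile(
    r'^(?P<size>\d+)\s+(?P<type>\S+)\s+"(?P<etag>[^"]*)"\s+'
    r'(?P<mtime>[A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\s+'
    r'(?P<max_age>\d+)\s+(?P<state>Fresh|Stale)\s+(?P<file>\S+)$')


def parse_freshness_info(text: str) -> List[Dict]:
    """Turn the listing into dicts; header, ruler and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rows.append({
            "size": int(d["size"]),
            "type": d["type"],
            "etag": d["etag"],
            "mtime": datetime.strptime(d["mtime"], "%a %b %d %H:%M:%S %Y"),
            "max_age": int(d["max_age"]),
            "state": d["state"],
            "file": d["file"],
        })
    return rows


def compute_state(row: Dict, now: datetime) -> str:
    """Stale once the time since download exceeds Max-Age, otherwise Fresh."""
    age = (now - row["mtime"]).total_seconds()
    return "Stale" if age > row["max_age"] else "Fresh"


def audit_cache(text: str = SAMPLE_OUTPUT,
                now: datetime = REFERENCE_NOW) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (mismatches, purge_candidates).

    mismatches: (file, reason) where the listed Max-Age differs from the
    documented value for the type, or the listed State differs from the
    state recomputed at `now` (a listing read long after it was taken).
    purge_candidates: security content stale at `now`, which is what the
    automatic removal of stale security content deletes when enabled.
    """
    mismatches, purge = [], []
    for row in parse_freshness_info(text):
        if row["max_age"] != MAX_AGE_SECONDS.get(row["type"]):
            mismatches.append((row["file"], "unexpected Max-Age %d" % row["max_age"]))
        computed = compute_state(row, now)
        if computed != row["state"]:
            mismatches.append((row["file"], "listed %s but computed %s" % (row["state"], computed)))
        if row["type"].startswith("SC-") and computed == "Stale":
            purge.append(row["file"])
    return mismatches, purge


if __name__ == "__main__":
    found, candidates = audit_cache()
    for name, reason in found:
        print("MISMATCH", name, reason)
    print("auto-purge would remove:", candidates)
```

Images are never purge candidates here because the guide only describes automatic removal for security content; system and guest images are replaced as newer versions arrive or removed by hand.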
hostname # show fenet dti proxy cached-content version Size Type File Details ============================================= 931798 SC-Full stable: 114.150 294514420 SC-Full stable: 409.198 12357897831 GI win7-sp1: 15.0826 931626 SC-Full stable: 114:149 6314243531 GI winxp-sp3: 15.0826 586688050 SysImage hx: 3.0.0 294476781 SC-Full stable: 409.194 602473341 SysImage fmps: 7.7.0 12783320704 GI win7x64-sp1: 15.0826 627703972 SysImage emps: 7.7.0 Viewing the Cache Configuration IMPORTANT: FireEye recommends that you do not change the cache configuration settings. To view the cache configuration: 1. Go to CLI enable mode: hostname > enable 2. View the cache configuration: hostname # show fenet dti proxy configuration 146 © 2019 FireEye Release 8.7 Understanding the DTI Cache To view full cache configuration information: 1. Go to CLI enable mode: hostname > enable 2. View the full cache configuration: hostname # show fenet dti proxy configuration all Example The following example shows the full cache configuration: hostname # show fenet dti proxy configuration all Fenet Cache Proxy State: running Fenet Cache Proxy Configurations: Listening Port: 8443 Cache Size: 130000 MB Maximum Cache-able Object Size: 26843545600 bytes Additional Configurations: CDN Server: download.fireeye.com Auto-Purge Cached Security-Content Deltas: yes Terminate Connection on SSL error: yes Debug Options: ALL,1 URL Query String Logging: no Removing Images from the Cache Use the commands in this section to remove images from the DTI cache. To remove a single image: 1. Go to CLI configuration mode: hostname > enable hostname # configure terminal 2. Remove the image: hostname (config) # fenet dti proxy cache purge file <fileName> where <fileName> is a value listed in the show fenet dti proxy cached-content command output. 3. Verify your change: hostname (config) # show fenet dti proxy cached-content To remove all images of a specific type: 1. 
Go to CLI configuration mode: hostname > enable hostname # configure terminal © 2019 FireEye 147 Central Management Administration Guide CHAPTER 7: The DTI Network 2. Remove the images: hostname (config) # fenet dti proxy cache purge file-type <fileType> where <fileType> can be SysImage, GI, GI-Delta, GI-Metadata, SC-Full, or SCDelta. See Understanding the DTI Cache on page 137 for a description of the file types. 3. Verify your change: hostname (config) # show fenet dti proxy cached-content To remove all images in the cache: 1. Go to CLI configuration mode: hostname > enable hostname # configure terminal 2. Remove the images: hostname (config) # fenet dti proxy cache purge 3. Verify your change: hostname (config) # show fenet dti proxy cached-content Examples The following example removes all guest image delta files from the cache. hostname (config) # fenet dti proxy cache purge file-type GI-Delta The following example removes the File Security 7.7.0 system image from the cache. hostname (config) # fenet dti proxy cache purge file image-fmps_7.7.0.img The following example removes all images from the cache, and then verifies the change. hostname (config) # fenet dti proxy cache purge Operation started in the background. Run 'show fenet dti proxy cached-content' to check on progress. hostname (config) # show fenet dti proxy cached-content The cache is empty. Disabling Automatic Removal of Stale Security Content Security content is updated every hour, so stale files are automatically removed from the cache by default. Use the commands in this section to stop stale files from being removed automatically. To disable the automatic removal of stale security content: 1. Go to CLI configuration mode: hostname > enable hostname # configure terminal 148 © 2019 FireEye Release 8.7 Validating DTI Access 2. Disable the automatic removal feature: hostname (config) # no fenet dti proxy cache purge auto enable 3. 
Verify your change: hostname (config) # show fenet dti proxy configuration all The value of the Auto-Purge Cached Security-Content Deltas line should be no. 4. Save your change: hostname (config) # write memory NOTE: Use the fenet dti proxy cache purge auto enable command to reenable the feature. Example The following example disables automatic removal of stale security content delta files. hostname (config) # no fenet dti proxy cache purge auto enable hostname (config) # show fenet dti proxy configuration all Fenet Cache Proxy State: running Fenet Cache Proxy Configurations: Listening Port: 8443 Cache Size: 130000 MB Maximum Cache-able Object Size: 26843545600 bytes Additional Configurations: CDN Server: download.fireeye.com Auto-Purge Cached Security-Content Deltas: no Terminate Connection on SSL error: yes Debug Options: ALL,1 URL Query String Logging: no Validating DTI Access Before using the features associated with the DTI network, you must establish communication between the appliance and the DTI network. Use the following procedures to verify this communication. Prerequisites l Operator or Admin access l Access to the DTI network © 2019 FireEye 149 Central Management Administration Guide CHAPTER 7: The DTI Network Validating DTI Access Using the Web UI Use the FireEye CMS System Information page to validate DTI cloud communication. To validate DTI access: 1. Click the About tab. 2. Click Health Check on the upper left side. 3. Locate the DTI Cloud section. 4. Verify that the DTI Client field is Enabled. Validating DTI Access Using the CLI Use the commands in this topic to verify DTI communication. To validate DTI access: 1. Go to CLI configuration mode. hostname > enable hostname # configure terminal 150 © 2019 FireEye Release 8.7 Validating DTI Access 2. Check the status of the DTI service. (This example is from a managed appliance.) 
    hostname (config) # show fenet status
    Dynamic Threat Intelligence Service:
      Update source : <online>
      Enabled       : yes
      Download      : DTIUser@10.11.121.13 : singleport
      Upload        : DTIUser@10.11.121.13 : singleport
      Mil           : DTIUser@10.11.121.13 : singleport
    HTTP Proxy:
      Address    :
      Username   :
      User-agent :
    Request Session:
      Timeout     : 30
      Retries     : 0
      Speed Time  : 60
      Max Time    : 14400
      Rate Limit  :
      Speed Limit : 1
    Dynamic Threat Intelligence Lockdown:
      Enabled    : no
      Locked     : no
      Lock After : 5 failed attempts
    UPDATES              Enabled  Notify  Scheduled  Last Updated At
                         -------  ------  ---------  ---------------
    Security contents:   yes      no      every      2016/07/20 05:43:00
    Stats contents   :   yes              none       2016/07/20 18:55:00
3. Confirm the following information:
• Update source is online.
• DTI service is enabled.
• DTI service username is the name provided with the DTI subscription license.
• DTI service address is cloud.fireeye.com.

Configuring DTI Credentials
Virtual appliances have appliance-specific DTI credentials that are generated from the appliance's activation code and that cannot be changed. Physical appliances have factory-configured DTI credentials that should not be changed. You should never change DTI credentials, except when you need to configure a custom DTI source in a Network Address Translation (NAT) deployment in which both of the following are true:
• The Central Management appliance is behind a NAT gateway.
• The managed appliance uses the non-default dual-port address type for communication with the Central Management appliance.

Prerequisites
• Admin access

Configuring DTI Credentials Using the CLI
Use the commands in this topic to configure DTI credentials (username and password).

To configure DTI credentials:
1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2.
Specify the user and password:
    hostname (config) # fenet dti source type <name> username <user> password <password>
   The variables have the following values:
   • <name>—The name of the custom DTI source.
   • <user> and <password>—The new credentials.
3. Verify your changes:
    hostname (config) # show fenet dti configuration
4. Save your changes:
    hostname (config) # write memory

Automatic Validation of Security Content
To prevent the installation of incompatible security content, security content packages are validated automatically when they are downloaded from the FireEye Dynamic Threat Intelligence (DTI) cloud or from the FireEye DTI Offline Update Portal. This feature is supported for the following appliances:
• Central Management release 8.1.0 and later.
• Network Security release 8.0.0 and later.
• Email Security — Server Edition release 8.1.4 and later.

About Automatic Validation of Security Content
When a security content package is downloaded, the appliance queries the package to obtain its attributes. Some of the attributes are compared to attributes of the installed security content and to values configured on the target appliance. The criteria that determine whether a downloaded package is compatible are listed in Conditions That Indicate a Compatible Security Content Package below. If the package passes all applicable compatibility checks, the new security content is installed on the target appliance. If the package fails a compatibility check, the appliance does the following:
• Sends an error code in log messages.
• Displays an error message at the CLI or the Web UI.
• Performs no further checking on the downloaded package.
• Discards the downloaded package without installing it.
• Requires that the next security content update use a full update package and not a delta update package.
Conditions That Indicate a Compatible Security Content Package
Downloaded security content packages are automatically evaluated against the following conditions, in the order listed:
1. If the appliance is connected to the Internet: Was the package downloaded from the correct update channel of the DTI download server?
2. If the appliance is not connected to the Internet: Was the package downloaded from the correct content channel of the DTI Offline Portal?
3. Is the package version number compatible with the target appliance release?
4. Does the package acceptance level match the level configured on the target appliance?
5. If the downloaded package is a delta package: Is the version of the content delta package compatible with the version of the security content installed on the target appliance?
6. Is the version of the downloaded package the same as or newer than the version of the installed content?

Error Codes for Incompatible Security Content Packages
The appliance writes a log message when a downloaded security content package is determined to be incompatible with the target appliance settings or with the security content installed on the appliance. The following paragraphs describe the error codes for these events.

81 ― Incompatible DTI download server update channel
The package was built for an update channel other than stable (such as beta), but the appliance is not configured to use the same update channel.

82 ― Incompatible DTI Offline Portal content channel
The package was built for and downloaded from a content channel other than the one configured on the target appliance. Examples of DTI Offline Portal content channels are SCNET-5.0, SCNET-4.0, SCNET-3.0, SCNET-2.0, and SCEP-1.0.

83 ― Package version is incompatible with the appliance release
The package acceptance level configured on the appliance must be compatible with the appliance software release.
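The six conditions above, evaluated in order and mapped to the error codes 81 to 86 that this section assigns to them, as an added Python example. This is not FireEye code: the Package and Appliance data classes, their field names, and the min_release field that stands in for "package version compatible with the appliance release" are assumptions, and all package and appliance values are constructed. Condition 6 is applied as listed (a package older than the installed content fails unless the operation is a rollback), and the first failed check stops evaluation, as the text describes.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Error codes as listed under "Error Codes for Incompatible Security Content Packages".
ERR_UPDATE_CHANNEL = 81    # wrong DTI download server update channel (online appliance)
ERR_CONTENT_CHANNEL = 82   # wrong DTI Offline Portal content channel (offline appliance)
ERR_RELEASE = 83           # package version incompatible with the appliance release
ERR_ACCEPTANCE = 84        # acceptance level differs from the appliance setting
ERR_DELTA_BASE = 85        # delta does not apply to the installed content version
ERR_OLDER = 86             # package older than installed content and not a rollback

Version = Tuple[int, ...]   # compared lexicographically, e.g. (3, 5, 1) < (3, 6, 0)


@dataclass
class Package:
    """Attributes queried from a downloaded package (constructed; field names are assumptions)."""
    version: Version
    channel: str                          # update channel (online) or content channel (offline)
    acceptance_level: str                 # stable, beta or long_beta
    is_delta: bool = False
    delta_base: Optional[Version] = None  # installed version a delta package expects
    min_release: Version = (0,)           # lowest appliance release the package supports (assumed)


@dataclass
class Appliance:
    online: bool
    channel: str
    acceptance_level: str
    release: Version
    installed_version: Version


def check_package(pkg: Package, app: Appliance, rollback: bool = False) -> Optional[int]:
    """Evaluate the documented conditions in order. Return None if the package is
    compatible, otherwise the error code of the first failed check (no further checks run)."""
    if app.online:                                                  # condition 1
        if pkg.channel != app.channel:
            return ERR_UPDATE_CHANNEL
    elif pkg.channel != app.channel:                                # condition 2
        return ERR_CONTENT_CHANNEL
    if pkg.min_release > app.release:                               # condition 3
        return ERR_RELEASE
    if pkg.acceptance_level != app.acceptance_level:                # condition 4
        return ERR_ACCEPTANCE
    if pkg.is_delta and pkg.delta_base != app.installed_version:    # condition 5
        return ERR_DELTA_BASE
    if pkg.version < app.installed_version and not rollback:        # condition 6
        return ERR_OLDER
    return None


def next_update_must_be_full(result: Optional[int]) -> bool:
    """After any failed check the next update must be a full package, not a delta."""
    return result is not None


# Constructed sample appliance: online, stable channel, release 8.7.0, content 3.5.1 installed.
CM = Appliance(online=True, channel="stable", acceptance_level="stable",
               release=(8, 7, 0), installed_version=(3, 5, 1))

# Constructed sample packages covering the compatible case and each failure.
SAMPLES = {
    "full-ok":   Package(version=(3, 6, 0), channel="stable", acceptance_level="stable"),
    "delta-ok":  Package(version=(3, 5, 2), channel="stable", acceptance_level="stable",
                         is_delta=True, delta_base=(3, 5, 1)),
    "delta-bad": Package(version=(3, 5, 2), channel="stable", acceptance_level="stable",
                         is_delta=True, delta_base=(3, 5, 0)),
    "beta":      Package(version=(3, 6, 0), channel="stable", acceptance_level="beta"),
    "channel":   Package(version=(3, 6, 0), channel="beta", acceptance_level="beta"),
    "too-new":   Package(version=(3, 6, 0), channel="stable", acceptance_level="stable",
                         min_release=(9, 0, 0)),
    "older":     Package(version=(3, 4, 0), channel="stable", acceptance_level="stable"),
}


def evaluate_samples(rollback: bool = False) -> dict:
    """Run every sample package against the sample appliance."""
    return {name: check_package(pkg, CM, rollback) for name, pkg in SAMPLES.items()}


if __name__ == "__main__":
    for name, code in evaluate_samples().items():
        print(f"{name:10s} -> {'compatible' if code is None else f'error {code}'}")
```

Because the checks stop at the first failure, a package that is wrong in several ways reports only the earliest code in the list; when troubleshooting, fix that condition and re-download rather than expecting the remaining codes to appear.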
By default, the package acceptance level configured on the appliance is stable. Other package acceptance levels are beta and long_beta.

84 ― Package acceptance level does not match the target appliance configuration
The package acceptance level (such as beta or long_beta) does not match the acceptance level configured on the appliance.

85 ― Delta content package version is incompatible with the installed security content
The package is a delta (incremental) content package, and its version number is incompatible with the security content version installed on the target appliance.

86 ― Package version is newer than the installed security content version
The package version is newer than the installed security content version, and this is not a content rollback operation.

Sharing Anonymized Data
The CM appliance can share anonymous data with the DTI cloud. No customer-specific proprietary information is exchanged. This section covers the following information:
• About Sharing Anonymized Data With the DTI Cloud below
• Uploading Anonymized Data Automatically Using the CLI on page 157
• Uploading Anonymized Data Manually Using the CLI on page 158

Prerequisites
• Admin access
• Two-way CONTENT_UPDATES license

About Sharing Anonymized Data With the DTI Cloud
FireEye appliances automatically push anonymous data to and pull security information from the Dynamic Threat Intelligence (DTI) cloud. This feature requires a two-way sharing CONTENT_UPDATES license.

NOTE: All FireEye devices upload information using a secure (HTTPS) connection to cloud.fireeye.com. By default, managed appliances communicate with the DTI cloud through the managing Central Management appliance.

No customer-specific or proprietary information is exchanged. Two types of data are shared: real-time system statistics and threat intelligence information.
Real-Time Statistics
The following real-time statistics are anonymized and uploaded to the DTI cloud:
• License information―Status of the FireEye licenses on the device.
• Appliance health―Environmental information relating to all components, such as fans and hard disk drives, with System Activity Report data.
• Traffic measurements―Traffic throughput statistics and capacity monitoring.
• Statistics of critical sub-system capacity―Interface status, packet counts, number of flows, broken or asymmetric flows, binaries, packet loss, protocol-based statistics, memory usage, and kernel-level information.

Threat Intelligence Information
The following threat intelligence information is shared with the DTI cloud:
• Timestamp―The timestamp can be used as a reference for other events and can provide additional information about the attack and the methods used.
• URL―List of malicious URLs contacted during traffic analysis in the Virtual Execution (VX) engine.
• MD5―An MD5 hash is generated for information such as IP addresses or MAC addresses. The MD5 hash enables FireEye to maintain the data for analysis without the data being traceable or recognizable in its original form. The information is important for correlation of multiple threats on a common host.
• File types―File types used in the course of an attack. FireEye determines the entry point, the payload, and the methods used.

Information That Is Not Uploaded to the DTI Cloud
The following information is NOT uploaded to the DTI cloud:
• No customer-specific information
• No proprietary information
• No packet captures

Benefits of Sharing Data With the DTI Cloud
Uploading data to the DTI cloud provides the following benefits:
• Participating FireEye appliances share malware intelligence in real time.
• The FireEye Customer Support team can provide you with proactive operational monitoring and support.
  This monitoring and support includes the identification of targeted attacks.
• The FireEye Research Labs team processes the collection of shared data to extract the malicious content. Updated security content, some of which is developed using anonymous customer data, is included in the security content delivered to the DTI cloud for distribution to licensed FireEye appliances and compute nodes.
• The FireEye DTI cloud itself employs technology to detect zero-day callbacks.

NOTE: You are not required to upload data in order to receive any benefits of the DTI cloud. A managed appliance can download and install updated security content even if it does not upload data.

Uploading Anonymized Data Automatically Using the CLI
Use the CLI commands in this topic to specify how often the CM appliance uploads anonymized system information to the DTI cloud. No customer-specific or proprietary information is exchanged.

To configure automatic system information updates:
1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Set the automatic update schedule:
   • To update hourly, enter the following command, where <mm> is the number of minutes within the hour when the update is triggered:
       fenet stats-content upload auto hourly at <mm>
   • To update daily, enter the following command, where <hh>:<mm> specifies the time to start the update based on a 24-hour clock:
       fenet stats-content upload auto daily at <hh>:<mm>
   • To update weekly, enter the following command, where <day> is the day of the week on which the update should occur (sun, mon, tue, wed, thu, fri, or sat):
       fenet stats-content upload auto weekly on <day>
   • To update monthly, enter the following command, where <dd> is the day of the month on which the update should occur:
       fenet stats-content upload auto monthly on <dd>
   • To disable automatic updates, enter the following command:
       fenet stats-content upload auto none
3.
Validate the update configuration:
    hostname (config) # show fenet stats-content status
    DTI Stats Content Status Information:
    Dynamic Threat Intelligence Service:
      Enabled  : yes
      Address  : fenet1.fireeye.com
      Username : engtest
    Stats Content Uploads
      Enabled              : yes
      Auto Upload Schedule : none (only rt-stats upload every 3 hours)
      Last Uploaded At     : 2014/07/16 21:36:00
      Status               : Uploads done successfully: rt-stats
    Stats-content aggregators enabled (schedule):
      db-aggr        no (default)
      dmesg-aggr     no (default)
      pcaps-aggr     no (default)
      rt-stats-aggr  yes (default)
    Stats Aggregators Version: AGVR_00052
    Run 'show fenet stats-content aggregator <aggr-name>' for further details.
4. Save your changes:
    hostname (config) # write memory

Uploading Anonymized Data Manually Using the CLI
Use the CLI commands in this topic to push aggregated system statistics from the CM appliance to the DTI cloud.

To manually push statistics to the DTI cloud:
1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Upload the statistics:
    hostname (config) # fenet stats-content upload now

CHAPTER 8: System Security
This section lists methods you can use to secure your FireEye appliances. For detailed information about implementing the methods, see the FireEye System Security Guide.

AAA
Authentication, authorization and accounting (AAA) methods control users' access to network resources and monitor users' activities. AAA information in the System Security Guide includes:
• Authentication—Configuring authentication methods and order, local authentication (user accounts and password policies), remote authentication, Common Access Card (CAC) authentication, Secure Shell (SSH) authentication, and Single Sign-On (SSO) authentication.
• Authorization—Defining roles for local user accounts.
• Accounting—Managing audit logs.
• FireEye Cloud IAM—Using Identity Access Management (IAM), a Web service that provides user authentication and authorization.
The guide also provides reference information about FireEye appliance roles and capabilities and FireEye Cloud IAM entitlements.

Certificates
FireEye appliances use X.509 (TLS/SSL) certificates to allow secure connections between the appliance and the Web browser running the Web UI, and to verify remote servers for various client applications. They also use the certificates to encrypt the emails they forward to a downstream MTA on the Email Security — Server Edition appliance, and to secure the connection to a WebDAV server on the File Security appliance. Certificate information in the System Security Guide includes:
• Regenerating the system self-signed server certificate
• Managing HTTPS and MTA server certificates
• Configuring Web server and SharePoint CA certificate chains
• Adding supplemental CA client certificates
• Importing and downloading public and private keys, and exporting public keys
• Defining common attributes of X.509 certificates
• Obtaining a CA certificate from a trusted public Certificate Authority (CA)
• Specifying the minimum version requirement for Transport Layer Security (TLS)
• Improving certificate security

CHAPTER 9: System Email Settings
The appliance can send email notifications about system health events, such as low disk space, a power supply failure, or a split-brain condition in a High Availability (HA) deployment. It can also send scheduled reports containing malware analysis data, and email notifications triggered by malware alerts.

Health Check Notifications
The system email server can send notifications about system events and Central Management HA events to configured recipients.
You configure the email server and recipients for these events on the Email Settings page of the Web UI or by using the email notify CLI commands. You can also:
• Specify whether each recipient should receive notifications for "fail" events, "info" events, or both "fail" and "info" events.
• Specify whether each recipient should receive detailed or summarized notifications.
• Enable or disable specific events from triggering notifications (except for Central Management HA events).
For details, see:
• Configuring the Mail Server on the next page
• Configuring Email Recipients on page 169
• Configuring System Events on page 172

Scheduled Reports
Scheduled reports use the same email server and recipient list as the system events. If you use the CLI, you configure them using the report email commands instead of the email notify commands, as described in Configuring the Mail Server for Scheduled Reports Using the CLI on page 168. You configure the report data and schedule on the Reports > Schedule page of the Web UI or by using the report schedule CLI commands. See Scheduling Reports for Managed Appliances Using the Web UI on page 486 for details.

Malware Alert Notifications
You configure email settings for malware alert notifications on the Notification Settings page of the Web UI or by using the fenotify email CLI commands. See Event Notifications on page 295 for details.

Configuring the Mail Server
Health check event notifications and scheduled reports can use the same mail server. If you use the CLI to configure the server, you must use two separate sets of CLI commands. The mail server settings are described in the following table.

System Mail Server Settings
Each entry gives the Web UI field, followed by the health check CLI parameter and the report CLI parameter in parentheses, and then the description.

Enable email (health check: —; report: —)
    Enables the email delivery of health check notifications and scheduled reports.
Mail hub (health check: mailhub; report: server)
    The hostname or IP address of the mail server.
Port (health check: mailhub-port; report: port)
    The SMTP port used to send the emails. The default is 25.
Domain (health check: domain; report: domain)
    The domain name from which emails will appear to come. The default is the active domain for the appliance.
Return Addr (health check: return-addr; report: return-addr)
    Health check parameter: The username or fully qualified return address from which emails are sent. If the string contains the @ character, it is considered fully qualified. Otherwise, it is considered a username, and by default takes the form <username>@<hostname>.<domain>. The default username is do-not-reply.
    Report parameter: The fully qualified return address from which emails are sent.
Incl. hostname (health check: return-host; report: —)
    Whether the appliance hostname is included in the return address. If it is excluded, the return address takes the form <username>@<domain>. This setting is ignored if the provided return address is fully qualified.

Prerequisites
• Operator or Admin access

Configuring the Mail Server Using the Web UI
Use the Email Settings page to configure settings for the mail server.

To configure the mail server:
1. Click the Settings tab.
2. Click Email on the sidebar.
3. Specify settings as described in System Mail Server Settings on the previous page.
4. Click Update to save your changes.

Configuring the Mail Server for Health Check Notifications Using the CLI
Use the CLI commands in this topic to configure the mail server that sends health check notifications. See System Mail Server Settings on page 164 for a description of each parameter.

NOTE: See Configuring Email Recipients Using the CLI on page 171 for information about configuring the notification recipients.
See Configuring System Event Notifications Using the CLI on page 174 for information about configuring the events that trigger notifications.

To configure the mail server for system notifications:
1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Specify the hostname or IP address of the mail server:
    hostname (config) # email mailhub {<hostname> | <IPv4 or IPv6 address>}
3. Specify the SMTP port used by the mail server to send notifications:
    hostname (config) # email mailhub-port <port>
4. Specify the domain name from which emails will appear to come:
    hostname (config) # email domain <domainName>
5. Specify the username or fully qualified return address from which emails are sent:
    hostname (config) # email return-addr {<username> | <returnAddress>}
6. (Optional) Include the hostname of the appliance in the return address:
    hostname (config) # email return-host
7. Verify your changes:
    hostname (config) # show email
8. Save your changes:
    hostname (config) # write memory

NOTE: To remove a configuration or restore a default setting, prepend no to the command. For example, to exclude the hostname from the return address, use the no email return-host command, and to restore the default domain name, use the no email domain command.

Examples
In this example, the return address is not fully qualified, so the hostname ("hostname") and domain are appended to it.
    hostname (config) # email mailhub 10.1.0.0
    hostname (config) # email domain mail.acme.com
    hostname (config) # email return-addr admin
    hostname (config) # show email
    Mail hub: 10.1.0.0
    Mail hub port: 25
    Domain override: mail.acme.com
    Return address: admin
    Include hostname in return address: yes
    Current reply address: admin@hostname.mail.acme.com
    ...
In this example, the return address is fully qualified, so the hostname and domain are not included.
    hostname (config) # email mailhub 10.1.0.0
    hostname (config) # email domain mail.acme.com
    hostname (config) # email return-addr notify@acme.com
    hostname (config) # show email
    Mail hub: 10.2.0.0
    Mail hub port: 25
    Domain override: mail.acme.com
    Return address: notify@acme.com
    Include hostname in return address: yes
    Current reply address: notify@acme.com
    ...
In this example, all settings are restored to their default values.
    hostname (config) # show email
    Mail hub: 10.3.0.0
    Mail hub port: 26
    Domain override: mailhost.acme.com
    Return address: admin
    Include hostname in return address: no
    Current reply address: admin@hostname.mailhost.acme.com
    ...
    hostname (config) # no email mailhub
    hostname (config) # no email mailhub-port
    hostname (config) # no email return-addr
    hostname (config) # email return-host
    hostname (config) # show email
    Mail hub:
    Mail hub port: 25
    Domain override:
    Return address: do-not-reply
    Include hostname in return address: yes
    Current reply address: do-not-reply@hostname.acme.com
    ...

Configuring the Mail Server for Scheduled Reports Using the CLI
Use the CLI commands in this topic to configure the mail server that sends scheduled reports. See System Mail Server Settings on page 164 for a description of each parameter.

IMPORTANT! If you use the CLI to configure the mail server, the changes will not appear on the Email Settings page in the Web UI.

NOTE: See Adding and Removing Scheduled Report Recipients on page 171 for information about configuring the report recipients using the CLI.

To configure the mail server for scheduled reports:
1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Specify the hostname or IP address of the mail server:
    hostname (config) # report email smtp server {<hostname> | <ipAddress>}
3. Specify the SMTP port used by the mail server to send reports:
    hostname (config) # report email smtp port <port>
4.
Specify the domain name from which emails will appear to come:
    hostname (config) # report email smtp domain <domainName>
5. Specify the fully qualified return address from which emails are sent:
    hostname (config) # report email smtp return-addr <returnAddress>
6. Verify your changes:
    hostname (config) # show report email
7. Save the configuration:
    hostname (config) # write memory

NOTE: To remove a configuration or restore the default setting, prepend no to the command. For example, to restore the default return address, use the no report email smtp return-addr command, and to remove the configured domain name, use the no report email smtp domain command.

Examples
In this example, the email server is configured to send scheduled reports.
    hostname (config) # report email smtp server 10.4.0.0
    hostname (config) # report email smtp domain mailer.acme.com
    hostname (config) # report email smtp return-addr reports@acme.com
    hostname (config) # show report email
    Report email configurations:
      SMTP server: 10.4.0.0
      SMTP server port: 25
      SMTP Domain: mailer.acme.com
      SMTP Return addr: reports@acme.com
    ...
In this example, all configuration settings are restored to their default values.
    hostname (config) # show report email
    Report email configurations:
      SMTP server: 10.4.0.0
      SMTP server port: 26
      SMTP Domain: acme.com
      SMTP Return addr: admin@acme.com
    ...
    hostname (config) # no report email smtp server
    hostname (config) # no report email smtp port
    hostname (config) # no report email smtp domain
    hostname (config) # no report email smtp return-addr
    hostname (config) # show report email
    Report email configurations:
      SMTP server:
      SMTP server port: 25
      SMTP Domain:
      SMTP Return addr: do-not-reply
    ...

Configuring Email Recipients
The same users can receive both system event notifications and scheduled reports. If you use the CLI to configure them, you must use two separate sets of CLI commands.
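Before moving on to recipients, the return-address rules from System Mail Server Settings, applied to the show email output shown in the health check examples above, as an added Python example (not FireEye code). It derives the reply address the way the table describes (an address containing @ is used as is; otherwise <username>@<hostname>.<domain>, or <username>@<domain> when the hostname is excluded; default username do-not-reply), parses a show email listing, and checks that the Current reply address line agrees with the rule. The sample output is constructed from the first example above, and the helper names are this example's own.

```python
DEFAULT_RETURN_USER = "do-not-reply"   # default username from the settings table


def is_fully_qualified(addr: str) -> bool:
    """The guide's rule: a return address containing '@' is fully qualified."""
    return "@" in addr


def health_check_reply_address(return_addr: str, hostname: str, domain: str,
                               include_hostname: bool = True) -> str:
    """Derive the reply address used for health check notifications."""
    if is_fully_qualified(return_addr):
        return return_addr                      # hostname and domain are not appended
    user = return_addr or DEFAULT_RETURN_USER   # empty setting falls back to the default
    if include_hostname:
        return f"{user}@{hostname}.{domain}"
    return f"{user}@{domain}"


def validate_report_return_addr(addr: str) -> bool:
    """The scheduled-report mail server takes only a fully qualified return address."""
    return is_fully_qualified(addr)


def parse_show_email(output: str) -> dict:
    """Parse the 'key: value' lines of 'show email' into a dict with lower-cased keys.
    Splits on the first ':' only, so an IPv6 mail hub would need a smarter split."""
    cfg = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip().lower()] = value.strip()
    return cfg


def expected_reply_address(cfg: dict, hostname: str) -> str:
    """Compute what 'Current reply address' should be from the other show email fields."""
    return health_check_reply_address(
        cfg.get("return address", ""),
        hostname,
        cfg.get("domain override", ""),
        include_hostname=cfg.get("include hostname in return address", "yes") == "yes",
    )


def reply_address_matches(output: str, hostname: str) -> bool:
    """True when the appliance's reported reply address follows the documented rule."""
    cfg = parse_show_email(output)
    return cfg.get("current reply address") == expected_reply_address(cfg, hostname)


# Constructed from the first health check example above.
SAMPLE_SHOW_EMAIL = """\
Mail hub: 10.1.0.0
Mail hub port: 25
Domain override: mail.acme.com
Return address: admin
Include hostname in return address: yes
Current reply address: admin@hostname.mail.acme.com
...
"""

if __name__ == "__main__":
    print(parse_show_email(SAMPLE_SHOW_EMAIL))
    print("reply address consistent:", reply_address_matches(SAMPLE_SHOW_EMAIL, "hostname"))
```

A check like reply_address_matches is useful after a change to the domain or hostname, because a reply address that no longer resolves is one of the quieter reasons health check mail starts bouncing.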
Each new recipient will receive detailed notifications for all enabled system health check events. You can customize the notifications for individual users, and configure which specific events trigger notifications. (See Configuring System Events on page 172 for details.)

IMPORTANT! If you use the CLI to configure a scheduled report recipient, the change will not be reflected in the Web UI. For example:
• You add analyst@acme.com using the report email recipient analyst@acme.com CLI command. That recipient will be listed in the show report email command output, but will not be added to the recipient list on the Email Settings page in the Web UI.
• The recipient list on the Email Settings page includes admin@acme.com, but the Report checkbox is not selected. You then add that recipient using the report email recipient admin@acme.com CLI command. The Report checkbox will still not be selected on the Email Settings page.

IMPORTANT! If you use the Web UI to add an email recipient, the recipient will be enabled to receive both system event notifications and scheduled reports. However, if you use the email notify recipient CLI command to add this recipient, the recipient will receive only system event notifications, not scheduled reports (the Report checkbox will be cleared on the Email Settings page).

Prerequisites
• Operator or Admin access

Configuring Email Recipients Using the Web UI
Use the Email Settings page to add or remove the email recipients for system event notifications and for scheduled reports.

To add a system event notification recipient:
1. Click the Settings tab.
2. Click Email in the sidebar.
3. Locate the Email Recipients section.
4. Click Add Email Recipient.
5. Enter the email address of the user in the Add Email Recipient box and then click Add Recipient.
6. (Optional) Clear the Info, Fail, and Detail checkboxes as needed to customize the notifications the user will receive.
   (See Configuring System Event Notifications Using the Web UI on page 173 for details.)

To add a scheduled report recipient:
1. Click Add Email Recipient.
2. Enter the email address of the user in the Add Email Recipient box and then click Add Recipient.
3. Make sure the Report checkbox remains selected.
4. (Optional) Clear the Info, Fail, and Detail checkboxes to prevent the user from receiving system event notifications as well as scheduled reports.

To remove an email recipient:
1. Click the icon in the Delete column.
2. When prompted, click OK to confirm the action.

Configuring Email Recipients Using the CLI
Use the commands in this section to add or remove email recipients for system event notifications and scheduled reports.

IMPORTANT! If you use the CLI to add or remove a scheduled report recipient, the changes will not appear on the Email Settings page in the Web UI.

Adding and Removing System Event Notification Recipients
To add or remove system event notification recipients:
1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. To add a recipient:
    hostname (config) # email notify recipient <emailAddress>
3. To remove a recipient:
    hostname (config) # no email notify recipient <emailAddress>
4. Verify your changes:
    hostname (config) # show email
5. Save your changes:
    hostname (config) # write memory

Adding and Removing Scheduled Report Recipients
To configure scheduled report recipients:
1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. To add a recipient:
    hostname (config) # report email recipient <emailAddress>
3. To remove a recipient:
    hostname (config) # no report email recipient <emailAddress>
4. Verify your changes:
    hostname (config) # show report email
5.
Save your changes:
    hostname (config) # write memory

Examples
This example adds analyst@acme.com as a system event notification recipient and removes user3@acme.com.
    hostname (config) # show email
    ...
    Email notification recipients:
      admin@acme.com (all events, in detail)
      exec@acme.com (failure events only, in detail)
      user3@acme.com (all events, summarized)
    ...
    hostname (config) # email notify recipient analyst@acme.com
    hostname (config) # no email notify recipient user3@acme.com
    hostname (config) # show email
    ...
    Email notification recipients:
      admin@acme.com (all events, in detail)
      analyst@acme.com (all events, in detail)
      exec@acme.com (failure events only, in detail)
This example adds analyst@acme.com as a scheduled report recipient and removes admin@acme.com.
    hostname (config) # show report email
    Report email configurations:
    ...
    Email recipients:
      admin@acme.com
      exec@acme.com
    hostname (config) # report email recipient analyst@acme.com
    hostname (config) # no report email recipient admin@acme.com
    hostname (config) # show report email
    Report email configurations:
    ...
    Email recipients:
      analyst@acme.com
      exec@acme.com

Configuring System Events
By default, configured users receive detailed notifications about all enabled system events. Informational events are logged when there is a change in the system. Failure events are logged when there is a failure in the system. You can use the CLI to change which events are enabled. For example, you could stop informational events, such as system log file rotations, from triggering notifications. For each recipient, you can specify whether failure notifications, informational notifications, or both are sent. For example, a user might want to know that a disk failed, but not that an excessive temperature condition returned to normal. You can also specify whether a user receives summarized or detailed notifications.
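The routing rules just described (an event must be enabled; each recipient receives the "info" class, the "failure" class, or both; each recipient gets detailed or summarized messages), modelled as an added Python example that is not FireEye code. It parses the recipient lines in the format that the show email examples above print and decides who is notified of a given event. The recipient list is constructed from those examples; "info events only" is an assumed wording for a recipient subscribed to the info class alone, and the event name disk-failure is constructed (the real event names come from email notify event ? on the appliance).

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed from the recipient lines shown in the 'show email' examples above.
SAMPLE_RECIPIENTS = """\
Email notification recipients:
  admin@acme.com (all events, in detail)
  exec@acme.com (failure events only, in detail)
  user3@acme.com (all events, summarized)
"""

# One recipient line: address, event classes, message format.
RECIPIENT_RE = re.compile(
    r"^(?P<addr>\S+) \((?P<classes>all events|failure events only|info events only), "
    r"(?P<fmt>in detail|summarized)\)$"
)

CLASS_SETS = {
    "all events": {"info", "failure"},
    "failure events only": {"failure"},
    "info events only": {"info"},       # assumed wording for 'class info' alone
}


def parse_recipients(text: str) -> Dict[str, Tuple[Set[str], str]]:
    """Map address -> (set of event classes received, 'detail' or 'summary')."""
    recipients = {}
    for line in text.splitlines():
        m = RECIPIENT_RE.match(line.strip())
        if not m:
            continue                    # header lines and '...' are skipped
        fmt = "detail" if m["fmt"] == "in detail" else "summary"
        recipients[m["addr"]] = (CLASS_SETS[m["classes"]], fmt)
    return recipients


def route_event(event: str, severity: str, enabled_events: Set[str],
                recipients: Dict[str, Tuple[Set[str], str]]) -> List[Tuple[str, str]]:
    """Return (address, format) for everyone who is notified of one system event.
    A disabled event notifies nobody; otherwise a recipient is notified only when
    subscribed to the event's class ('info' or 'failure')."""
    if event not in enabled_events:
        return []
    return [(addr, fmt) for addr, (classes, fmt) in recipients.items() if severity in classes]


# syslog-rotation is the event named in this chapter's examples; disk-failure is constructed.
ENABLED = {"syslog-rotation", "disk-failure"}


def demo() -> dict:
    """Route three cases: a failure event, an info event, and the same info event disabled."""
    recips = parse_recipients(SAMPLE_RECIPIENTS)
    return {
        "disk-failure": route_event("disk-failure", "failure", ENABLED, recips),
        "syslog-rotation": route_event("syslog-rotation", "info", ENABLED, recips),
        "syslog-rotation-disabled": route_event(
            "syslog-rotation", "info", ENABLED - {"syslog-rotation"}, recips),
    }


if __name__ == "__main__":
    for case, targets in demo().items():
        print(f"{case:26s} -> {targets}")
```

The two knobs act at different levels: no email notify event <event> silences an event for everyone, while the per-recipient class and detail settings only shape what each person sees, which is why the example evaluates the enabled set before looking at any recipient.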
Prerequisites
• Operator or Admin access

Configuring System Event Notifications Using the Web UI
Use the Email Settings page to configure the severity of system email event notifications to be sent to each configured recipient. To enable or disable specific system notifications, you must use the CLI. See Configuring System Event Notifications Using the CLI on the next page.

To configure the severity of system event notifications to be sent to recipients:
1. Click the Settings tab.
2. Click Email in the sidebar.
3. Locate the Email Recipients section.
4. Select or clear the Info and Fail checkboxes to specify the severity of events for which the user receives notifications.
5. Select or clear the Detail checkbox to specify whether the user receives detailed or summarized notifications.
6. Click Update to save your changes.

Configuring System Event Notifications Using the CLI
Use the commands in this topic to customize system event notifications for each user and to configure which events trigger notifications.

IMPORTANT: You cannot view most Central Management high availability (HA) events as described in this topic, and cannot configure which of those events trigger notifications. For a list of the HA events and their severity, see the Central Management High Availability Guide.

Viewing System Events
You can view all system events, or the system events that are currently enabled to trigger notifications, ordered by their severity.

To view all system events:
1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. View the events:
    hostname (config) # email notify event ?

To view enabled system events and their severity:
• View the events by severity:
    hostname > show email events

Configuring System Event Notifications for Each User
To configure system event notifications for each user:
1.
Go to CLI configuration mode: hostname > enable hostname # configure terminal 2. View the current configuration: hostname (config) # show email 174 © 2019 FireEye Release 8.7 Configuring System Events 3. Specify the severity of events for which each user should receive notifications. l To receive "info" events: hostname (config) # email notify recipient <emailAddress> class info l To stop receiving "info" events: hostname (config) # no email notify recipient <emailAddress> class info l To receive "failure" events: hostname (config) # email notify recipient <emailAddress> class failure l To stop receiving "failure" events: hostname (config) # no email notify recipient <emailAddress> class failure 4. Specify the notification format. l To receive detailed notifications: hostname (config) # email notify recipient <emailAddress> detail l To receive summarized notifications: hostname (config) # no email notify recipient <emailAddress> detail Configuring Which Events Trigger Notifications To configure which events trigger notifications: 1. Go to CLI configuration mode: hostname > enable hostname # configure terminal 2. View the current configuration as described in Viewing System Events on the previous page. 3. To enable an event: hostname (config) # email notify event <event> 4. To disable an event: hostname (config) # no email notify event <event> 5. Verify your changes: hostname (config) # show email events 6. Save your changes: hostname (config) # write memory © 2019 FireEye 175 Central Management Administration Guide CHAPTER 9: System Email Settings Examples This example stops admin@acme.com from receiving "info" notifications and changes the message format to a summary. hostname (config) # show email ... Email notification recipients: admin@acme.com (all events, in detail) operator@acme.com (failure events only, in detail) user3@acme.com (all events, in detail) ... 
hostname (config) # no email notify recipient admin@acme.com info hostname (config) # no email notify recipient admin@acme.com detail hostname (config) # show email ... Email notification recipients: admin@acme.com (failure events only, summarized) operator@acme.com (failure events only, in detail) user3@acme.com (all events, in detail) This example disables log file rotations from triggering event notifications: hostname (config) # no email notify event syslog-rotation Configuring Auto Support for System Event Notifications You can configure the appliance to send emails to autosupport@fireeye.com when specific system events occur. This includes configuring settings to ensure the emails are sent securely. You can specify one of the following security types: l l l none—Do not use TLS to secure the autosupport emails. tls—Use TLS over the default server port to secure autosupport emails. Do not send the emails if TLS fails. tls-none—Use TLS over the default server port to secure autosupport email. The email is sent in plain text if TLS fails. Prerequisites l 176 Operator or Admin access © 2019 FireEye Release 8.7 Configuring Auto Support for System Event Notifications Configuring Auto Support for System Event Notifications Using the CLI Use the commands in this section to configure autosupport for system event notifications. (See Viewing System Events on page 174 for information about viewing a full list of events.) To configure autosupport: 1. Go to CLI configuration mode: hostname > enable hostname # configure terminal 2. Enable autosupport email notifications (disabled by default): hostname (config) # email autosupport enable 3. Display the current configuration for generating autosupport emails for system events: hostname (config) # show email 4. Specify each event for which autosupport email notifications should be sent: hostname (config) # email autosupport event <event> 5. 
Configure the supplemental Certificate Authority (CA) certificates that are used to verify the server certificates. l To use only the built-in list: hostname (config) # email autosupport ssl ca-list none l To use the default supplemental CA certificate list: hostname (config) # email autosupport ssl ca-list default-ca-list 6. Configure a security type to use for autosupport email. l No TLS: hostname (config) # email autosupport ssl mode none l TLS: hostname (config) # email autosupport ssl mode TLS l TLS none: hostname (config) # email autosupport ssl mode tls-none 7. Verify the server certificates: hostname (config) # email autosupport cert-verify 8. Save your changes: hostname (config) # write memory © 2019 FireEye 177 Central Management Administration Guide 178 CHAPTER 9: System Email Settings © 2019 FireEye Central Management Administration Guide Manual Time Configuration CHAPTER 10: Date and Time Settings You can set the CM appliance date and time manually, or configure one or more Network Time Protocol (NTP) servers that synchronize the time automatically. You can also perform a one-time synchronization of the system clock to the DTI server clock. This section covers the following information: l Manual Time Configuration below l NTP Server Configuration on page 181 l Time Zone Configuration on page 190 l Synchronizing the System Clock to DTI Server Time Using the CLI on page 192 NOTE: The date and time are stored as Coordinated Universal Time (UTC) in the database. The Z character in syslog output indicates that the time displayed is in the UTC time zone; for example, Oct 19 2016 16:10:10 Z. By default, the display time zone is UTC. Manual Time Configuration You can manually set the date and time on your CM appliance. 
- Setting the Date and Time Using the Web UI below
- Setting the Date and Time Using the CLI on the next page

Setting the Date and Time Using the Web UI

Use the top section of the Date and Time Settings page to set the date and time for your CM appliance.

IMPORTANT! NTP synchronization is set by default and must be disabled before you can manually configure the date and time. For instructions about disabling NTP, see NTP Server Configuration on the facing page.

Prerequisites
- Admin access

To set the date and time:
1. Click the Settings tab.
2. Click Date and Time on the sidebar.
3. Select the date and time from the drop-down lists.
4. Click Update Time.
5. Set the time zone as described in Time Zone Configuration on page 190.

Setting the Date and Time Using the CLI

Use the CLI commands in this topic to set the date and time on your CM appliance.

IMPORTANT! NTP synchronization is set by default and must be disabled before you can manually configure the date and time. For information about disabling NTP, see NTP Server Configuration on the facing page.

Prerequisites
- Admin access

To set the date and time:
1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. (Optional) Use the clock set <HH>:<MM> <YYYY>/<MM>/<DD> command to specify the time and date. For example, the following command sets the time and date to 2:00 p.m. on July 21, 2014:
    hostname (config) # clock set 14:00 2014/07/21
3. Use the clock timezone <timezone> command to specify the time zone. For example, both of the following commands set the time zone to Pacific Standard Time:
    hostname (config) # clock timezone UTC-offset UTC+8
    hostname (config) # clock timezone America North United_States Pacific
   NOTE: The time zone is for display purposes and should match other security device settings.
4. To restore the default time zone:
    hostname (config) # no clock timezone
5. View the configured time and date settings:
    hostname (config) # show clock
6. Save your changes.
    hostname (config) # write memory

Examples
- Time and date using the North America Central Daylight time zone:
    hostname > show clock
    Time: 16:39:35
    Date: 2014/06/25
    Time zone: America North United_States Central (US/Central)
    UTC offset: -0500 (UTC minus 5 hours)
- Time and date settings using the default time zone:
    hostname > show clock
    Time: 21:40:37
    Date: 2014/06/25
    Time zone: UTC (Etc/UTC)
    UTC offset: same as UTC

NTP Server Configuration

Instead of manually setting the system date and time, you can specify one or more Network Time Protocol (NTP) servers and peers to synchronize the time automatically. By default, NTP version 4 is used, but you can specify version 3 instead. You can perform a one-time action that synchronizes the system clock with a specific NTP server. NTP is enabled by default. The appliance is pre-configured with four NTP servers your appliance can use if it can reach them.

The appliance can authenticate that the time it obtains from an NTP server is from a known and trusted source. The system clock is updated only if a key ID in the incoming NTP packet matches a key ID configured on the appliance, and if that key ID is mapped to the same MD5 or SHA1 hash value stored on both the NTP server and the appliance. If the key ID/value pair on the NTP server and appliance do not match, the clock is not updated. NTP authentication is enabled by default, but the NTP server must already have the key ID/value pair, and the same key ID/value pair must be configured on the appliance and then associated with the NTP server. A total of 16 keys can be configured on a single appliance.
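The accept/reject decision described above (key ID must be configured on the appliance, and the packet's MAC must verify under the value mapped to that key ID) is shown below as an added example. It is not FireEye code and does not describe the appliance's implementation; it applies the symmetric-key NTP MAC of RFC 5905 (digest over key || packet header, preceded by a 4-byte key ID) to a constructed 48-byte client packet. The key table is parsed from lines in the form of the `ntp authentication key <number> hash <type> <value>` command shown later in this chapter, using that section's sample values, and it assumes that <value> is the shared key material written as hex. The names below (parse_key_config, verify_packet, demo) are the example's own.

```python
import hashlib
import hmac
import struct

# Key table in the form the appliance's `ntp authentication key <number> hash
# <type> <value>` command takes. The two entries are the sample values used in
# this chapter's examples. Assumption (not stated by the guide): <value> is the
# shared key material itself, written as hex.
APPLIANCE_KEY_CONFIG = """
ntp authentication key 1 hash md5 153ffa51cc765fb257e384e8e6aec8fe
ntp authentication key 2 hash sha1 27a048b642be47d50a9c38427495945429597d91
"""

MAX_KEYS = 16                          # the appliance holds at most 16 keys
DIGEST_LEN = {"md5": 16, "sha1": 20}   # digest bytes in the NTP MAC
NTP_HEADER_LEN = 48                    # fixed NTPv4 header, no extension fields


def parse_key_config(text):
    """Turn `ntp authentication key N hash TYPE VALUE` lines into {N: (TYPE, key)}."""
    keys = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[:3] != ["ntp", "authentication", "key"] or parts[4] != "hash":
            raise ValueError("unrecognised key line: %r" % line)
        key_id, htype, value = int(parts[3]), parts[5], parts[6]
        if not 1 <= key_id <= MAX_KEYS:
            raise ValueError("key id %d outside 1-%d" % (key_id, MAX_KEYS))
        if htype not in DIGEST_LEN:
            raise ValueError("unsupported hash type %r" % htype)
        keys[key_id] = (htype, bytes.fromhex(value))
    return keys


def ntp_mac(htype, key, header):
    # Symmetric-key NTP MAC (RFC 5905): digest over key || packet header.
    return hashlib.new(htype, key + header).digest()


def client_header():
    # LI=0, VN=4, Mode=3 (client); the remaining fields are zero in this demo.
    return bytes([0x23]) + bytes(NTP_HEADER_LEN - 1)


def sign_packet(header, key_id, keys):
    """Append the 4-byte key ID and digest, as a server holding this key would."""
    htype, key = keys[key_id]
    return header + struct.pack(">I", key_id) + ntp_mac(htype, key, header)


def verify_packet(data, keys):
    """Accept only if the packet's key ID is configured and its MAC matches.

    Returns (accepted, reason). An unknown key ID or a key/value mismatch
    means the time in the packet must not be used to adjust the clock.
    """
    if len(data) < NTP_HEADER_LEN:
        return False, "truncated packet"
    if len(data) == NTP_HEADER_LEN:
        return False, "no MAC present"
    header, trailer = data[:NTP_HEADER_LEN], data[NTP_HEADER_LEN:]
    key_id = struct.unpack(">I", trailer[:4])[0]
    mac = trailer[4:]
    if key_id not in keys:
        return False, "key id %d not configured on appliance" % key_id
    htype, key = keys[key_id]
    if len(mac) != DIGEST_LEN[htype]:
        return False, "MAC length %d does not match %s" % (len(mac), htype)
    if not hmac.compare_digest(mac, ntp_mac(htype, key, header)):
        return False, "MAC mismatch for key id %d" % key_id
    return True, "authenticated with key id %d (%s)" % (key_id, htype)


def demo():
    """Exercise the accept and reject paths; returns the outcomes for inspection."""
    appliance_keys = parse_key_config(APPLIANCE_KEY_CONFIG)
    header = client_header()
    good = sign_packet(header, 1, appliance_keys)
    # Constructed: a server whose value for key id 2 differs from the appliance's.
    server_keys = dict(appliance_keys)
    server_keys[2] = ("sha1", bytes.fromhex("00" * 20))
    mismatched = sign_packet(header, 2, server_keys)
    # Constructed: a server using key id 7, which was never defined on the appliance.
    unknown = sign_packet(header, 7, {7: ("md5", b"\x01" * 16)})
    return {
        "signed_ok": verify_packet(good, appliance_keys),
        "value_mismatch": verify_packet(mismatched, appliance_keys),
        "unknown_key_id": verify_packet(unknown, appliance_keys),
        "unauthenticated": verify_packet(header, appliance_keys),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-16s %s: %s" % (name, "ACCEPT" if ok else "REJECT", why))
```

Running the block prints one line per case; only the packet signed with a key ID and value that both sides share is accepted. The comparison uses a constant-time check, and the MAC length is validated against the configured digest type before comparing, so a packet carrying an MD5-length MAC for a SHA1 key is rejected without being interpreted.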
- Configuring NTP Servers Using the Web UI below
- Configuring NTP Servers Using the CLI on the facing page
- Configuring NTP Authentication Using the CLI on page 186

Prerequisites
- Admin access to configure NTP
- Monitor, Operator, or Admin access to view NTP configuration and status information
- Connectivity to at least one NTP server
- For NTP authentication: Authentication key ID/value pairs on the NTP servers for which authentication will be configured

Configuring NTP Servers Using the Web UI

Use the Enable NTP section of the Date and Time Settings page to configure NTP servers.

To configure NTP servers:
1. Click the Settings tab.
2. Click Date and Time on the sidebar.
3. Click Add NTP Server.
4. Enter the IP address or hostname of the NTP server that you want to use in the Add NTP Server box.
5. Click Add.
6. Repeat the previous three steps to add additional servers.
7. To synchronize the system time once with a selected NTP server, click Update next to the server entry. The time is updated, and the needed adjustment is displayed in a message on the page.
8. To delete an NTP server, select the checkbox next to the server and then click Remove NTP Server.
9. Click Yes to confirm the action.

Configuring NTP Servers Using the CLI

Use the commands in this topic to configure NTP servers.

NOTE: See Configuring NTP Authentication Using the CLI on page 186 for information about ensuring that the system clocks are only updated if the time is obtained from a trusted source.

To enable and configure NTP servers:
1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Enable NTP synchronization:
    hostname (config) # ntp enable
3. Specify the primary NTP server:
    hostname (config) # ntp server <server>
   where <server> is the IPv4 or IPv6 address, or hostname of the NTP server.
4. Repeat the previous step for the secondary NTP server and any additional NTP servers.
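Once NTP is configured, the runtime state reported by `show ntp` (the examples later in this topic show its format) is what tells you whether the appliance's clock can be trusted for log correlation and license checks. The following added example, not FireEye code, parses output in that format and returns findings when NTP is disabled, authentication is off, the clock is unsynchronized, no system peer is selected, or the offset exceeds a threshold. Both sample outputs are constructed from the formats shown in this chapter; the regular expression, the 100 ms threshold, and the function names are the example's own assumptions, and how the output is collected from the appliance is left to the reader.

```python
import re

# Constructed sample in the format of this chapter's `show ntp` examples
# (a healthy appliance with one selected system peer).
SAMPLE_HEALTHY = """\
NTP is administratively enabled.
NTP Authentication is administratively enabled.
Clock is synchronized.
Reference: 10.255.34.6
Offset: 1.713 ms.
Active servers and peers:
                                                 Poll   Last
                                       Conf  Offset   Ref     Interv Resp
Address       Type  Status       Stratum (msec)   Clock   (sec)  (sec)
===========================================================================
192.168.1.1   n/a   candidat (+) 2       -0.233   10.2.3.4    64   60
10.2.3.4      n/a   outlyer  (-) 2       12.069   192.168.2.2 64   50
172.16.4.5    n/a   candidat (+) 2       -0.958   10.5.6.7    64   50
10.255.34.6   n/a   sys.peer (*) 2        1.713   172.16.3.4  64   45
"""

# Constructed sample of the output after `no ntp enable`.
SAMPLE_DISABLED = """\
NTP is administratively disabled.
NTP Authentication is administratively enabled.
Clock is unsynchronized.
No NTP associations present.
"""

# One association row: address, type, status, tally character in parentheses,
# stratum, offset (msec), reference clock, poll interval, last response.
PEER_RE = re.compile(
    r"^(?P<addr>\S+)\s+(?P<type>\S+)\s+(?P<status>\S+)\s+\((?P<tally>.)\)\s+"
    r"(?P<stratum>\d+)\s+(?P<offset>-?\d+(?:\.\d+)?)\s+(?P<ref>\S+)\s+"
    r"(?P<poll>\d+)\s+(?P<last>\d+)\s*$"
)


def parse_show_ntp(text):
    """Parse `show ntp` output into the fields a health check cares about."""
    state = {"enabled": None, "auth_enabled": None, "synchronized": None,
             "offset_ms": None, "peers": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("NTP is administratively"):
            state["enabled"] = line.endswith("enabled.")
        elif line.startswith("NTP Authentication is administratively"):
            state["auth_enabled"] = line.endswith("enabled.")
        elif line.startswith("Clock is"):
            state["synchronized"] = line == "Clock is synchronized."
        elif line.startswith("Offset:"):
            m = re.search(r"Offset:\s*(-?\d+(?:\.\d+)?)\s*ms", line)
            if m:
                state["offset_ms"] = float(m.group(1))
        else:
            m = PEER_RE.match(line)
            if m:  # header and separator lines do not match the row pattern
                peer = m.groupdict()
                peer["stratum"] = int(peer["stratum"])
                peer["offset"] = float(peer["offset"])
                state["peers"].append(peer)
    return state


def assess_ntp(text, max_offset_ms=100.0):
    """Return (state, findings); an empty findings list means the clock is trustworthy."""
    state = parse_show_ntp(text)
    findings = []
    if state["enabled"] is False:
        findings.append("NTP is administratively disabled")
    if state["auth_enabled"] is False:
        findings.append("NTP authentication is disabled; time source is unauthenticated")
    if not state["synchronized"]:
        findings.append("clock is not synchronized")
    sys_peers = [p["addr"] for p in state["peers"] if p["tally"] == "*"]
    if state["synchronized"] and not sys_peers:
        findings.append("no system peer (*) selected")
    if state["offset_ms"] is not None and abs(state["offset_ms"]) > max_offset_ms:
        findings.append("offset %.3f ms exceeds %.0f ms" % (state["offset_ms"], max_offset_ms))
    state["sys_peer"] = sys_peers[0] if sys_peers else None
    state["outliers"] = [p["addr"] for p in state["peers"] if p["tally"] == "-"]
    return state, findings


if __name__ == "__main__":
    for label, sample in (("healthy", SAMPLE_HEALTHY), ("disabled", SAMPLE_DISABLED)):
        state, findings = assess_ntp(sample)
        print(label, "sys.peer:", state["sys_peer"], "findings:", findings or "none")
```

The outlier ("-") peers are reported separately rather than as findings, since a single outlier among several candidates is normal; a missing system peer or an unsynchronized clock is the condition worth alerting on.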
To change the NTP version:
1. Specify the version:
    hostname (config) # ntp
2. To change the version on an NTP server:
    hostname (config) # ntp server <server> version <version>
   where <server> is the IPv4 or IPv6 address, or hostname of the NTP server, and <version> is either 3 or 4.
3. To change the version on an NTP peer:
    hostname (config) # ntp peer <peer> version <version>
   where <peer> is the IPv4 or IPv6 address, or hostname of the NTP peer, and <version> is either 3 or 4.
4. Save your changes:
    hostname (config) # write memory

To disable NTP:
1. Disable NTP synchronization:
    hostname (config) # ntp disable
   or
    hostname (config) # no ntp enable
2. Save your changes:
    hostname (config) # write memory

To synchronize the system time with a specific NTP server one time:
1. Synchronize the system time:
    hostname (config) # ntpdate <server>
   where <server> is the IPv4 or IPv6 address, or hostname of the NTP server to synchronize with.
2. Save your changes:
    hostname (config) # write memory

To view the current NTP runtime state and configuration:
1. Go to CLI standard mode.
2. View the information:
    hostname > show ntp

To view the configured NTP servers and their settings:
1. Go to CLI standard mode.
2. View the information:
    hostname > show ntp configured

Examples

The following example configures two NTP servers and an NTP peer.

    hostname (config) # ntp server 0.acme.pool.ntp.org
    hostname (config) # ntp server 1.acme.pool.ntp.org
    hostname (config) # ntp peer 5.acme.pool.ntp.org
    hostname (config) # show ntp configured
    NTP enabled: yes
    NTP Authentication enabled: yes
    NTP peer 5.acme.pool.ntp.org
      Enabled: yes
      NTP version: 4
      Key: none
    NTP server 0.acme.pool.ntp.org
      Enabled: yes
      NTP version: 4
      Key: none
    NTP server 1.acme.pool.ntp.org
      Enabled: yes
      NTP version: 4
      Key: none

The following example disables NTP synchronization on the system.
    hostname (config) # no ntp enable
    hostname (config) # show ntp configured
    NTP enabled: no
    NTP Authentication enabled: yes
    No NTP peers configured.
    NTP server 0.acme.pool.ntp.org
      Enabled: yes
    ...
    hostname (config) # show ntp
    NTP is administratively disabled.
    NTP Authentication is administratively enabled.
    Clock is unsynchronized.
    No NTP associations present.

The following example temporarily disables NTP on the "3.acme.pool.ntp.org" server.

    hostname (config) # ntp server 3.acme.pool.ntp.org disable
    hostname (config) # show ntp configured
    NTP enabled: yes
    NTP Authentication enabled: yes
    No NTP peers configured.
    NTP server 0.acme.pool.ntp.org
      Enabled: yes
    ...
    NTP server 3.acme.pool.ntp.org
      Enabled: no
    ...

The following example removes the "2.acme.pool.ntp.org" NTP server.

    hostname (config) # no ntp server 2.acme.pool.ntp.org

The following example synchronizes the system clock with the NTP server.

    hostname (config) # ntpdate 0.acme.pool.ntp.org
    adjust time server 192.168.120.23 offset -0.023716 sec

The following example changes the NTP version on the "3.acme.pool.ntp.org" server to version 3.

    hostname (config) # ntp server 3.acme.pool.ntp.org version 3
    hostname (config) # show ntp configured
    NTP enabled: yes
    NTP Authentication enabled: yes
    No NTP peers configured.
    ...
    NTP server 3.acme.pool.ntp.org
      Enabled: yes
      NTP version: 3
      Key: none

The following example shows the current NTP runtime state and configuration.

    hostname > show ntp
    NTP is administratively enabled.
    NTP Authentication is administratively enabled.
    Clock is synchronized.
    Reference: 10.255.34.6
    Offset: 1.713 ms.
    Active servers and peers:
                                                     Poll    Last
                                           Conf  Offset    Ref      Interv  Resp
    Address       Type  Status        Stratum (msec)    Clock    (sec)   (sec)
    ===========================================================================
    192.168.1.1   n/a   candidat (+)  2       -0.233    10.2.3.4    64     60
    10.2.3.4      n/a   outlyer  (-)  2       12.069    192.168.2.2 64     50
    172.16.4.5    n/a   candidat (+)  2       -0.958    10.5.6.7    64     50
    10.255.34.6   n/a   sys.peer (*)  2        1.713    172.16.3.4  64     45

The following example shows the configured NTP servers and their settings:

    hostname > show ntp configured
    NTP enabled: yes
    NTP Authentication enabled: yes
    No NTP peers configured.
    NTP server 0.acme.pool.ntp.org
      Enabled: yes
      NTP version: 4
    NTP server 1.acme.pool.ntp.org
      Enabled: yes
      NTP version: 4
    NTP server 2.acme.pool.ntp.org
      Enabled: yes
      NTP version: 4
    NTP server 3.acme.pool.ntp.org
      Enabled: yes
      NTP version: 4

Configuring NTP Authentication Using the CLI

This topic describes how to configure NTP authentication using the CLI.

Enabling NTP Authentication and Configuring Keys

Perform the tasks in this section in the order shown to configure NTP authentication.

Obtain the authentication keys from the NTP server:
1. On the NTP server, map a key ID from 1–16 to an MD5 or SHA1 hash value.
2. Repeat the previous step for additional key ID/value pairs.
3. Copy and paste the key ID/value pairs so they can be configured on the appliance later in this procedure.

Enable NTP and NTP authentication:
1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. View the current status.
    hostname (config) # show ntp configured
3. If NTP enabled: no appears in the command output, enable NTP.
    hostname (config) # ntp enable
4. If NTP Authentication enabled: no appears in the command output, enable NTP authentication.
    hostname (config) # ntp authentication enable

Define the authentication keys:
1. Use the following command to configure the key ID and hash value you obtained from the NTP server:
    hostname (config) # ntp authentication key <number> hash <type> <value>
   where:
   - <number> is an integer from 1–16
   - <type> is md5 or sha1
   - <value> is the hash value
2. Repeat the previous step for each key you want to define.
3. View the configured keys.
    hostname (config) # show ntp authentication configured
4. Save your changes.
    hostname (config) # write memory

Assign the keys to the NTP servers:
1. To assign a key to an NTP server, use the ntp server <server> authentication key <number> command, where <server> is the IP address or hostname of the NTP server, and <number> is the integer that you assigned to the key in the previous task. The following example assigns hash key 1 to the NTP server 0.acme.pool.ntp.org:
    hostname (config) # ntp server 0.acme.pool.ntp.org authentication key 1
2. Repeat the previous step for each key you want to assign.
3. View the assigned keys:
    hostname (config) # show ntp configured
4. Verify that the keys are valid:
    hostname (config) # show ntp authentication
5. Save your changes:
    hostname (config) # write memory

Disabling NTP Authentication and Removing Keys

You cannot delete an authentication key from the system if it is mapped to an NTP server. If a key is mapped to an NTP server, you must disable NTP authentication on that server before you delete the key.

To disable NTP authentication on the system:
1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Disable NTP authentication:
    hostname (config) # no ntp authentication
3. Save your changes:
    hostname (config) # write memory

To disable NTP authentication on a specific server:
1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. To disable NTP authentication with a specified NTP server, use the no ntp server <server> authentication command, where <server> is the hostname or IP address of the NTP server. The following example disables NTP authentication with the NTP server with hostname 1.acme.pool.ntp.org:
    hostname (config) # no ntp server 1.acme.pool.ntp.org authentication
3. Save your changes:
    hostname (config) # write memory

To delete an NTP authentication key:
1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. To delete a key, use the no ntp authentication key <number> command, where <number> is the key ID.
    hostname (config) # no ntp authentication key 1
3. Save your changes:
    hostname (config) # write memory

Examples

The following example shows the current configuration.

    hostname (config) # show ntp configured
    NTP enabled: yes
    NTP Authentication enabled: yes
    No NTP peers configured.
    NTP server 0.acme.pool.ntp.org
      Enabled: yes
      NTP version: 4
      Key: none
    NTP server 1.acme.pool.ntp.org
      Enabled: yes
      NTP version: 4
      Key: none
    NTP server 2.acme.pool.ntp.org
      Enabled: yes
      NTP version: 4
      Key: none

The following example defines two authentication keys and assigns each one to an NTP server.

    hostname (config) # ntp authentication key 1 hash md5 153ffa51cc765fb257e384e8e6aec8fe
    hostname (config) # ntp server 0.acme.pool.ntp.org key 1
    hostname (config) # ntp authentication key 2 hash sha1 27a048b642be47d50a9c38427495945429597d91
    hostname (config) # ntp server 1.acme.pool.ntp.org key 2
    hostname (config) # show ntp configured
    NTP enabled: yes
    NTP Authentication enabled: yes
    No NTP peers configured.
    NTP server 0.acme.pool.ntp.org
      Enabled: yes
      NTP version: 4
      Key: 1
    NTP server 1.acme.pool.ntp.org
      Enabled: yes
      NTP version: 4
      Key: 2
    NTP server 2.acme.pool.ntp.org
      Enabled: yes
      NTP version: 4
      Key: none
    hostname (config) # show ntp authentication configured
    NTP enabled: yes
    NTP Authentication enabled: yes
    NTP Key Number 1
      Type: md5
      Key: 153ffa51cc765fb257e384e8e6aec8fe
    NTP Key Number 2
      Type: sha1
      Key: 27a048b642be47d50a9c38427495945429597d91
    hostname (config) # show ntp authentication
    NTP is administratively enabled.
    NTP authentication is administratively enabled.
    Active servers and peers:
    Address          auth    keyid
    =====================================
    172.16.2.3       ok      1
    10.30.4.3        ok      2
    192.168.10.12    none    none

The following example disables NTP authentication on the 1.acme.pool.ntp.org server and then deletes the key it was using from the system.

    hostname (config) # no ntp server 1.acme.pool.ntp.org authentication
    hostname (config) # no ntp authentication key 2

Time Zone Configuration

You must set the time zone on your CM appliance whether you configure the date and time manually or synchronize with an NTP server.
- Setting the Date and Time Using the Web UI on page 179
- Setting the Date and Time Using the CLI on page 180

Setting the Time Zone Using the Web UI

Use the bottom section of the Date and Time Settings page to set the time zone for your appliance.

Prerequisites
- Admin access

To set the time zone:
1. Click the Settings tab.
2. Click Date and Time on the sidebar.
3. Select the time zone from the drop-down list.
4. Select options from other drop-down lists, if present.
5. Click Set Time Zone.

Setting the Time Zone Using the CLI

Use the CLI commands in this topic to set the time zone on your CM appliance.

Prerequisites
- Admin access

To set the time zone:
1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. To specify the time zone, use the clock timezone <timezone> command.
   For example, both of the following commands set the time zone to Pacific Standard Time:
    hostname (config) # clock timezone UTC-offset UTC+8
    hostname (config) # clock timezone America North United_States Pacific
   NOTE: The time zone is for display purposes and should match other security device settings.
3. Restore the default time zone:
    hostname (config) # no clock timezone
4. View the configured time and date settings:
    hostname (config) # show clock
5. Save your changes:
    hostname (config) # write memory

Examples

Time and Date Using the North America Central Daylight Timezone

    hostname # show clock
    Time: 16:39:35
    Date: 2014/06/25
    Time zone: America North United_States Central (US/Central)
    UTC offset: -0500 (UTC minus 5 hours)

Time and Date Settings Using the Default Timezone

    hostname # show clock
    Time: 21:40:37
    Date: 2014/06/25
    Time zone: UTC (Etc/UTC)
    UTC offset: same as UTC

Synchronizing the System Clock to DTI Server Time Using the CLI

The system time should match the DTI server time as closely as possible. This is necessary for features such as the license update service, in which licenses are downloaded from the DTI server and installed on the CM appliance.

IMPORTANT! To prevent time gaps that could affect the validity of your licenses, FireEye recommends that you perform this synchronization before you enable the feature.

The fenet time sync CLI command retrieves the time (in UTC) from the DTI server and then synchronizes the system clock to it. This command is especially useful if you do not use NTP servers to synchronize your system clock.

IMPORTANT! This action synchronizes the system clock to the DTI server a single time. It does not change the system time zone.

Prerequisites
- Admin access

To synchronize the system clock to the DTI server clock:
1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Synchronize the clocks:
    hostname (config) # fenet time sync
3. Save your changes:
    hostname (config) # write memory

PART III: Administration
- Network Administration on page 197
- Upgrading the FireEye Software on page 219
- Log Management on page 233
- Database Backup and Restore on page 245
- System Health and Performance on page 265
- SNMP Data on page 279
- Login Banners and Messages on page 287
- Event Notifications on page 295
- Disk Space Management on page 345

CHAPTER 11: Network Administration

This section covers the following information:
- Basic Network Configuration below
- IPMI Firmware Updates on page 203
- IP Filtering on page 204
- Configuring HTTP Proxy Server Settings on page 207
- Defining Another Management Interface on page 209

For additional information about configuring interfaces, see the CLI Command Reference.

IMPORTANT: You must use the same link settings on both ends of a network connection. For example, you cannot change the interface speed on one end to "auto" if the other end has a manual speed configured.

NOTE: For information about connecting to, configuring, and troubleshooting FireEye as a Service, see the FireEye as a Service Quick Start Guide.

Basic Network Configuration

The following sections describe basic management interface and global network configuration settings.

Management Interface Settings

The following list describes the management interface configuration settings.
- IP Version—The appliance has dual-stack support for Internet Protocol version 4 (IPv4) and version 6 (IPv6) on the management interface.
- DHCP—Dynamic Host Configuration Protocol (DHCP) dynamically distributes network configuration parameters. If DHCP is disabled on the management interface, you must manually configure the IP address, subnet mask, and default gateway or next-hop device.
- IP Address—The IPv4 or IPv6 address of the management interface. Both types of addresses can be configured. The IPv4 address is enabled by default. You must explicitly enable the IPv6 address.
- Subnet Mask—The network portion of the IP address. For example, 255.255.255.0 indicates that the first 24 bits of an IPv4 address are used for the network portion of the address.
- Default Gateway—For an IPv4 address, the IPv4 address of the default router. For an IPv6 address, the IPv6 address of the default router or next-hop device.
- Autoconf Enabled—When Stateless Address Autoconfiguration (SLAAC) is enabled, an IPv6 address is automatically assigned for the interface. The address is based on an IPv6 prefix learned from router advertisements, combined with an interface identifier based on the MAC address of the interface.
- Autoconf Route—When this feature is enabled, the system learns a default route from the automatically assigned IPv6 address.
- Autoconf Privacy—When this feature is enabled, the system generates random host identifiers (known as privacy extensions) to construct the IPv6 address. This provides more security when communicating with remote hosts.

Global Network Settings

The following list describes global network configuration settings.
- DNS Servers—Domain Name System (DNS) servers translate domain names to IP addresses for routing. At least one DNS server is required. You can optionally configure a secondary DNS server that is used when the primary server is unavailable or cannot resolve a domain name.
  You can view a list of DNS servers that will be traversed for DNS resolution, in order, from top to bottom. Only active DNS servers are listed. If neither DNS server can resolve the domain name, an error is displayed.
- Domain Names—The domain names the DNS servers resolve to IP addresses. You can view a list of domain names in order, from top to bottom.
- Hostname—The hostname of the appliance (for example, dc-01). You can include the domain (for example, dc-01.acme.com).
- IPv6—You can enable or disable IPv6 routing on the system, on the management interface, or both. IPv6 must be enabled on the Network Security appliances that are members of a Network Security High Availability (HA) pair. It is enabled automatically by the Central Management appliance that manages the HA pair.
- VPN—You can enable or disable virtual private networking (VPN) on the system. When VPN is enabled, the appliance can connect to FireEye as a Service over the Internet using a secure SSL VPN connection. VPN requires a valid MD_ACCESS license on the appliance. VPN requires IPv6 routing, so IPv6 must be enabled on the system before you can enable VPN. For more information, see the FireEye as a Service Quick Start Guide.

Prerequisites
- Operator or Admin access

Configuring Basic Network Settings Using the Web UI

Use the Network Settings page to configure basic network settings for the CM appliance. For a description of the information and settings on this page, see Basic Network Configuration on page 197.

Viewing Management Interface Detail Settings

Use the Interface Details section to view the configuration of the management interface. This is a read-only section. The management interface is configured during the initial configuration, and can be modified later using the CLI. For details, see Initial Configuration on page 73 or the CLI Command Reference.

To view the management interface configuration:
1. Click the Settings tab.
2. Select Network on the sidebar.
3. Locate the Interface Details section at the top of the page.

Configuring DNS Servers

Use the Configure DNS Server Addresses section to configure DNS server addresses.

To configure DNS servers:
1. Click the Settings tab.
2. Select Network on the sidebar.
3. In the Configure DNS Server Addresses section, enter the IP address of the primary DNS server.
4. (Optional) Enter the IP address of a secondary DNS server.
5. Click Apply. The order in which the DNS servers are traversed is displayed in the DNS Resolution order list. An error message is displayed if no server is active.

Configuring Domain Names

Use the Configure Domain Names section to add or remove domain names.

To add domain names:
1. Click the Settings tab.
2. Select Network on the sidebar.
3. In the Configure Domain Names section, click Add Domain Name.
4. Enter a domain name, then click Add.
5. Repeat the previous steps to configure additional domain names. The order in which the domain names are traversed is displayed in the Domain Names Resolution order list.

To remove domain names:
1. Locate the domain name you want to delete.
2. Click the Delete (trash can) icon in the Delete column for each domain name you want to remove.
3. Click YES. The domain name is deleted from the configuration. The following message appears:
4. Close the message.

Enabling IPv6

Use the Configure IPv6 section to enable or disable IPv6 routing. You can also use this section to enable or disable IPv6 on the SMTP interface.

To enable IPv6 routing:
1. Click the Settings tab.
2. Select Network on the sidebar.
3. Enable IPv6:
   - To enable IPv6 routing on the system, select the Global IPv6 checkbox, and then click Apply.
   - To enable IPv6 on the management interface, select the Management Interface IPv6 checkbox, and then click Apply.
To disable IPv6 routing:
1. Click the Settings tab.
2. Select Network on the sidebar.
3. Disable IPv6:
   - To disable IPv6 routing on the system, clear the Global IPv6 checkbox, and then click Apply.
   - To disable IPv6 on the management interface, clear the Management Interface IPv6 checkbox, and then click Apply.

Enabling VPN
The VPN Settings section appears at the bottom of the page if a valid MD_ACCESS license is installed. You can enable VPN only when IPv6 is enabled on the system. For details, see the FireEye as a Service Quick Start Guide.

Configuring Basic Network Settings Using the CLI
Use the commands in this topic to configure the network settings manually.

To configure basic network settings:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. To disable DHCP for the interface:
   hostname (config) # no interface ether1 dhcp
   NOTE: If you use DHCP and there is no network connection for the management interface, do the following:
   1. Restore the network connection.
   2. Disable DHCP.
   3. Enable DHCP.
3. Set the interface IP address and network mask. For example:
   hostname (config) # interface ether1 ip address 1.1.1.1 255.240.0.0
4. Specify the default gateway. For example:
   hostname (config) # ip default-gateway 1.1.1.2 ether1
5. Specify a DNS server. For example:
   hostname (config) # ip name-server 10.10.20.5
6. Save your changes.
   hostname (config) # write memory

IPMI Firmware Updates
New Intelligent Platform Management Interface (IPMI) firmware is packaged with the appliance software image, but is not automatically installed when you upgrade to a new appliance release. It is important to update the IPMI firmware to ensure that you are using the latest, most secure version.

By default, if the IPMI interface has been configured with an IP address, you are notified when a newer version is available. The notice is displayed when you log in to the CLI and when you view the Version Information section on the About > FireEye CMS System Information page in the Web UI. If you prefer, you can disable the notification from appearing again. For details, see Enabling and Disabling IPMI Firmware Notifications Using the CLI on the next page. You can use the show ipmi version include-firmware-update-notice command to view the notice, even if your firmware is up to date.

IMPORTANT! Updating the IPMI firmware reverts all settings to factory defaults, including the IPMI username and password, network configuration, and event logs. Before starting the update, gather all information you will need to reconfigure IPMI.

NOTE: The IPMI Web UI will be unavailable during the IPMI firmware update.

NOTE: The IPMI firmware type is specific to the appliance model, so it is possible that not all models will get an IPMI firmware update in the same CM software release.

Prerequisites
- Admin access

Enabling and Disabling IPMI Firmware Notifications Using the CLI
This procedure describes how to use CLI commands to disable and re-enable notifications about out-of-date IPMI firmware on the CM appliance. This notification is enabled by default.

To disable notifications about out-of-date firmware:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Disable notifications:
   hostname (config) # no ipmi firmware update notice enable
3. Save your changes.
   hostname (config) # write memory

To re-enable notifications about out-of-date firmware:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Enable notifications:
   hostname (config) # ipmi firmware update notice enable
3. Save your changes.
   hostname (config) # write memory

IP Filtering
IP filtering allows you to manage rules for filtering IP packets entering and leaving the appliance through its management interfaces. IP filtering supports IPv4 and IPv6 through separate but largely identical sets of CLI commands. For more information, see the CLI Command Reference.

IP filtering is disabled by default for both IPv4 and IPv6. However, on some appliances existing system components may have enabled IP filtering; the rules they add are still visible in the show ip filter command output.

NOTE: Enabling IPv6 filtering has no effect unless IPv6 is enabled.

Interfaces Supported by IP Filtering Rules
When you use IP filtering, interfaces can be grouped into three sets:
1. Management interfaces: ether*. IP filtering rules apply to these interfaces. Some appliances, such as the Network Security appliance, have one management interface, ether1. On the Central Management platform and Endpoint Security appliance, there are multiple management interfaces, named ether1, ether2, and so on. If an interface is not specified for a rule, the default is "ether+", which in IP filtering matches any interface whose name begins with "ether".
2. Data ports: pether*. These interfaces cannot have IP filtering rules.
3. Other interfaces: lo, and tun0 (if a VPN is enabled). These interfaces may have IP filtering rules installed automatically by the system. You cannot configure the rules for these interfaces.

Viewing IP Filtering Rules
When you view a list of IP filtering rules using the show ip filter or show ipv6 filter command, rules added for management interfaces as described above and rules added automatically by the system are listed together, in the order in which they are applied.

If you are on the VPN, you should use the show ipv6 filter command, which displays detailed information about the firewall rules. The show ipv6 filter configured command, described below, does not include this information.
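Because configured rules and system-added rules are applied in the listed order, a new rule can shadow everything that follows it. The following added example (not FireEye code) models that evaluation so a candidate rule set can be checked against the services the appliance needs before it is committed; it assumes iptables-style semantics (a per-chain rule list, first match wins, chain policy as fallback), uses a constructed list of required flows, and its Rule objects are a model rather than the appliance's CLI syntax.

```python
"""Pre-flight check for IP filter rule changes. This is an added model
(not FireEye code) of how the combined rule list that 'show ip filter'
prints is applied: rules are tried in the listed order, the first match
decides, and the chain policy applies when nothing matches. These are
iptables-style semantics assumed for the model. An interface pattern ending
in '+' is a prefix wildcard, so 'ether+' matches ether1, ether2, and so on."""
import copy
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    chain: str                   # "INPUT" or "OUTPUT"; FORWARD carries no rules
    target: str                  # "ACCEPT" or "DROP"
    interface: str = "ether+"    # default interface pattern per the guide
    proto: Optional[str] = None  # None matches any protocol
    port: Optional[int] = None   # None matches any port
    origin: str = "configured"   # "configured" (numbered) or "system" (unnumbered)


@dataclass
class Chain:
    policy: str
    rules: List[Rule] = field(default_factory=list)

    def ordered(self) -> List[Rule]:
        """Configured rules in their configured order, then system-added ones."""
        conf = [r for r in self.rules if r.origin == "configured"]
        auto = [r for r in self.rules if r.origin == "system"]
        return conf + auto


def iface_matches(pattern: str, name: str) -> bool:
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


def decide(chain: Chain, iface: str, proto: str, port: int):
    """Return (verdict, matching rule or None) for one packet on a chain."""
    for rule in chain.ordered():
        if not iface_matches(rule.interface, iface):
            continue
        if rule.proto is not None and rule.proto != proto:
            continue
        if rule.port is not None and rule.port != port:
            continue
        return rule.target, rule
    return chain.policy, None


def default_filter():
    """Modelled default state: INPUT and OUTPUT have a DROP policy with one
    ACCEPT rule for ether+, plus the loopback ACCEPT the system appends after
    all configured rules; FORWARD is a bare DROP policy."""
    chains = {
        "INPUT": Chain("DROP", [Rule("INPUT", "ACCEPT", "ether+")]),
        "OUTPUT": Chain("DROP", [Rule("OUTPUT", "ACCEPT", "ether+")]),
        "FORWARD": Chain("DROP"),
    }
    for name in ("INPUT", "OUTPUT"):
        chains[name].rules.append(Rule(name, "ACCEPT", "lo", origin="system"))
    return chains


# Constructed inventory of flows the appliance must keep: remote syslog out,
# SNMP polling in, and operator access to the Web UI and CLI.
REQUIRED_FLOWS = [
    ("remote syslog",  "OUTPUT", "ether1", "udp", 514),
    ("SNMP polling",   "INPUT",  "ether1", "udp", 161),
    ("Web UI (HTTPS)", "INPUT",  "ether1", "tcp", 443),
    ("CLI (SSH)",      "INPUT",  "ether1", "tcp", 22),
]


def blocked_flows(chains, flows=REQUIRED_FLOWS):
    """Names of required flows that this rule set would DROP."""
    return [name for name, chain, iface, proto, port in flows
            if decide(chains[chain], iface, proto, port)[0] == "DROP"]


def with_rule_first(chains, rule: Rule):
    """Copy of the filter with 'rule' placed ahead of the configured rules,
    which is where a broad rule does the most damage."""
    new = copy.deepcopy(chains)
    new[rule.chain].rules.insert(0, rule)
    return new


if __name__ == "__main__":
    base = default_filter()
    print("default filter blocks:", blocked_flows(base))
    broad = with_rule_first(base, Rule("OUTPUT", "DROP", "ether+"))
    print("DROP on OUTPUT ether+ blocks:", blocked_flows(broad))
    narrow = with_rule_first(base, Rule("INPUT", "DROP", "ether+", "udp", 161))
    print("DROP on INPUT udp/161 blocks:", blocked_flows(narrow))
```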
Rules that are manually configured are shown with numbers in the left column, which correspond to the rule numbers visible in show ip filter configured and show ipv6 filter configured command output. Rules that are added automatically by the system do not have numbers.

The default filter configuration for the INPUT and OUTPUT chains is an ACCEPT rule with a DROP policy for all traffic on all interfaces whose names begin with "ether". The default configuration for the FORWARD chain is simply a DROP policy with no rules, since CM appliances do not forward packets. Enabling IP filtering has no effect on your network's function until you create new IP filter rules.

When IP filtering is enabled, one additional rule is added automatically by the system after all configured rules. This rule ACCEPTs all inbound and outbound traffic on the loopback (lo) interface. The system requires the loopback interface to work for internal purposes.

NOTE: When you enable FireEye as a Service, IP filters are automatically enabled. See the FireEye as a Service Quick Start Guide for details.

CAUTION: This feature will affect integration with third-party services. Exercise caution and common sense when adding IP filtering rules. If rules are set improperly, they may cause problems such as dropping all traffic. For example, adding DROP rules on the OUTPUT chain for ether1 or ether+ could interfere with remote syslog, and adding DROP rules on the INPUT chain could interfere with external access to system services such as SNMP.

Prerequisites
- Operator or Admin access to configure IP filtering
- Monitor, Operator, or Admin access to view IP filtering

Enabling IP Filtering Using the CLI
Use the commands in this section to enable IP filtering.

NOTES:
- The default rules do not place any restrictions on incoming and outgoing packets on ether* interfaces. You may add rules using the CLI.
  Use caution not to block access to needed network services.
- IP filtering is automatically enabled when you connect to FireEye as a Service, described in the FireEye as a Service Quick Start Guide.

To view the active rules:
1. Go to CLI enable mode:
   hostname > enable
2. View the rules:
   hostname # show ip filter
   hostname # show ipv6 filter

To enable IP filtering:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Enable IP filtering:
   hostname (config) # ip filter enable
   hostname (config) # ipv6 filter enable
3. Save your changes:
   hostname (config) # write memory

Configuring HTTP Proxy Server Settings
Configuring an HTTP proxy server on your appliance involves the following tasks:
- Configuring the hostname or IP address of the proxy server.
- Configuring the port for client communication, if you do not want to accept the default port (port 8080).
- (Optional) Enabling basic authentication on the proxy server.
- (Optional) Specifying a user-agent string that is included in HTTP requests.
- Enabling the proxy server.

Prerequisites
- Admin access.
- The HTTP proxy server is deployed in your network.

Configuring HTTP Proxy Server Settings Using the CLI
Use the commands in this section to configure and enable an HTTP proxy server on an appliance.

To configure and enable an HTTP proxy server:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Configure the proxy server hostname or IP address, and the port (if you do not want to use the default, port 8080):
   hostname (config) # fenet proxy host <hostname or IP address>[:<port>]
3. Optional: Specify the credentials for basic authentication:
   - Specify the user:
     hostname (config) # fenet proxy auth basic user <username>
   - Specify the password:
     hostname (config) # fenet proxy auth basic password <password>
4. Optional: Specify a user-agent string:
   hostname (config) # fenet proxy user-agent <string>
5. Enable the proxy server:
   hostname (config) # fenet proxy enable
6. Verify your changes:
   hostname (config) # show fenet
7. Save your changes:
   hostname (config) # write memory

NOTE: The show fenet status command also displays HTTP proxy settings, but does not show whether the proxy server is enabled or disabled. The show fenet command output includes or excludes "disabled" to indicate the status.

Example
The following example configures an HTTP proxy server with basic authentication credentials.

hostname (config) # fenet proxy host 192.168.2.3
hostname (config) # fenet proxy auth basic user bsmith
hostname (config) # fenet proxy auth basic password abcd6789
hostname (config) # fenet proxy enable
hostname (config) # show fenet
DTI CLIENT CONFIGURATION:
...
Http proxy : bsmith@192.168.2.3:8080 (user agent:)
...
hostname (config) # show fenet status
...
HTTP Proxy:
  Address    : 192.168.2.3:8080
  Username   : bsmith
  User-agent :
...

Disabling HTTP Proxy Server Settings Using the CLI
Use the commands in this section to disable an HTTP proxy server or to remove its configuration settings.

To disable an HTTP proxy server or remove its configuration settings:
- To disable the HTTP proxy server:
  hostname (config) # no fenet proxy enable
- To remove the HTTP proxy server:
  hostname (config) # no fenet proxy
- To remove the basic authentication user:
  hostname (config) # no fenet proxy auth basic user
- To remove the basic authentication password:
  hostname (config) # no fenet proxy auth basic password
- To remove the user-agent string:
  hostname (config) # no fenet proxy user-agent

Example
The following example disables an HTTP proxy server.
hostname (config) # no fenet proxy enable
hostname (config) # show fenet
DTI CLIENT CONFIGURATION:
...
Http proxy : bsmith@192.168.2.3:8080 (user agent:) Disabled
...

Defining Another Management Interface
The management interface is used for remote access to the Web UI and CLI, and for other management traffic (such as NTP, SNMP, and syslog). The default management interface is ether1. You can define a different interface (such as ether2) for remote access to the Web UI and CLI. Reasons for doing so include:
- A private IP address is defined for ether1, so remote users cannot reach it. You could use ether1 for the connection between a Central Management appliance and its managed appliances, and define an accessible IP address for the ether2 interface.
- You want to use one network for Web UI and CLI traffic, and another network for other management traffic.

By default, listen interface constraints are enabled on the appliance. This means only interfaces that meet the following criteria can accept HTTP/HTTPS requests (for Web UI access) and SSH connections (for CLI access):
- The interface must be in the listen interface list. By default, only ether1 is in this list.
- The interface must meet the eligibility requirements listed in Prerequisites on the next page.

The system prevents remote users from being locked out of the system when the criteria are not met by at least one interface. If no interface meets the criteria, listen interface constraints are not enforced, and all viable interfaces are open and can accept HTTP/HTTPS requests and SSH connections.

Examples
- The appliance uses the default configuration (listen interface constraints are enabled and ether1 is in the listen interface list). You configure a static IPv4 or IPv6 address for the ether1 and ether2 interfaces and bring them up. Remote users do not have access to the system over ether2, because it was not added to the listen interface list. You then shut down the ether1 interface, and ether2 (the only viable interface) immediately becomes accessible, because the listen interface constraints are no longer enforced.
- You add ether2 to the listen interface list, but both ether1 and ether2 use DHCP to obtain IPv4 addresses or DHCPv6 to obtain IPv6 addresses. Because neither interface meets the IPv4 or IPv6 static IP address requirement listed in Prerequisites below, the listen interface constraints are no longer enforced. All viable interfaces, including ether1 and ether2, become accessible.

Prerequisites
- Operator or Admin access.
- The appropriate management port is connected to the network switch or router.
- Eligibility requirements:
  - The interface exists and is running.
  - DHCP and zeroconf are disabled on the interface (for IPv4), or IPv6 is enabled on both the interface and the system (for IPv6).
  - The interface has an IPv4 or IPv6 address:
    - IPv4: At least one static nonzero IPv4 address is available to be assigned to the interface.
    - IPv6: A static IPv6 address is available to assign to the interface, or the address can be obtained dynamically through Stateless Address Autoconfiguration (SLAAC) or DHCPv6.

Defining Another Management Interface Using the CLI
Use the commands in this section on an appliance that enforces listen interface constraints to define a management interface other than ether1, and add it to the listen interface list so it can accept HTTP/HTTPS requests and SSH connections.

To define another management interface:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Assign an IP address to the other interface:
   hostname (config) # interface <interfaceName> ip address <ipAddress> <mask>
   where:
   - <ipAddress> is the IPv4 or IPv6 address of the interface.
   - <mask> is the IPv4 mask length prefixed by a slash (for example, /24) or an IPv4 netmask (for example, 255.255.255.0), or the IPv6 mask length prefixed by a slash (for example, /48).
3. (For IP routing) Set the static route for the interface:
   hostname (config) # ip route <networkPrefix> <mask> <gatewayIP> <interfaceName>
   where:
   - <networkPrefix> is the IPv4 or IPv6 network prefix specifying the network.
   - <mask> is the IPv4 mask length prefixed by a slash (for example, /24) or a netmask (for example, 255.255.255.0), or the IPv6 mask length prefixed by a slash (for example, /48).
   - <gatewayIP> is the IPv4 or IPv6 address of the gateway or next-hop device.
   - <interfaceName> is the name of the management interface.
4. (For Web UI access) Add the interface to the listen interface list for HTTP/HTTPS requests:
   hostname (config) # web server listen interface <interfaceName>
5. (For CLI access) Add the interface to the listen interface list for SSH connections:
   hostname (config) # ssh server listen interface <interfaceName>
6. Verify your changes:
   hostname (config) # show web
   hostname (config) # show ssh server
7. Save your changes:
   hostname (config) # write memory

NOTE: This procedure assigns a static IPv4 or IPv6 address to the interface. SLAAC or DHCPv6 can instead automatically assign the IPv6 address.

Example
The following example configures ether2 as the management interface on the acme-1 appliance. It then adds ether2 to the listen interface list.

acme-1 (config) # interface ether2 ip address 10.1.2.3 /24
acme-1 (config) # web server listen interface ether2
acme-1 (config) # ssh server listen interface ether2
acme-1 (config) # show web
Web User Interface server:
  Web interface enabled: yes
  HTTP enabled: yes
  HTTP port: 80
  HTTP redirect to HTTPS: yes
  HTTPS enabled: yes
  HTTPS port: 443
  HTTPS protocols: TLSv1
  HTTPS minimum protocol version: TLSv1
  HTTPS cipher list: compatible
  HTTPS certificate name: system-self-signed
  HTTPS CA chain name:
  Listen enabled: yes
  Listen Interfaces:
    Interface: ether1
    Interface: ether2
    Interface: lo
...
acme-1 (config) # show ssh server
SSH server configuration:
  SSH server enabled: yes
  Minimum protocol version: 2
  TCP forwarding enabled: yes
  X11 forwarding enabled: no
  Audit log file transfers: yes
  Cipher list: compatible
  Minimum key length: 1024 bits
  Client Alive Interval: 0
  Client Alive Count Max: 3
  SSH server ports: 22
  Interface listen enabled: yes
  Listen Interfaces:
    Interface: ether1
    Interface: ether2
...

IMPORTANT: Listen interface constraints are enabled on the system by default. However, if the Listen enabled line in the show web command output is no, use the web server listen enable command to enable constraints for HTTP/HTTPS requests. If the Interface listen enabled line in the show ssh server command output is no, use the ssh server listen enable command to enable constraints for SSH connections.

DTI Traffic and Management Traffic
By default, both management and DTI traffic use the ether1 network interface, which needs Internet access for DTI network downloads and uploads. For security, you might want to isolate the management traffic by streaming it from an out-of-band network interface with no Internet access.
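Before splitting traffic, it is worth re-checking the listen interface constraints described in the previous section: an Internet-facing DTI interface that is up with an address is exactly the kind of "viable" interface that opens up for Web UI and SSH access if no listed interface is eligible. The following added example (not FireEye code) models those rules over constructed interface state, reproduces the two scenarios given above, and reports interfaces that would accept management connections without ever being added to the listen list; the Iface fields and the addresses other than those from this chapter are constructed for the model.

```python
"""Added example (not FireEye code): a model of the listen interface
constraints described in "Defining Another Management Interface". It decides
whether the constraints are enforced and which interfaces then accept Web UI
(HTTP/HTTPS) and CLI (SSH) connections, so an intended change can be checked
for the fallback case in which every viable interface opens up. Interface
state is a constructed model, not the output of any appliance command."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Iface:
    name: str
    up: bool = True
    ipv4: Optional[str] = None     # IPv4 address, None if none
    dhcp: bool = False             # IPv4 obtained via DHCP
    zeroconf: bool = False         # IPv4 zeroconf enabled
    ipv6: Optional[str] = None     # IPv6 address (static, SLAAC or DHCPv6)
    ipv6_enabled: bool = False     # IPv6 enabled on this interface


def eligible(i: Iface, system_ipv6: bool) -> bool:
    """Eligibility per the Prerequisites: the interface is running and has
    either a static nonzero IPv4 address with DHCP and zeroconf off, or IPv6
    enabled on both interface and system with an address (static, SLAAC or
    DHCPv6 all qualify for IPv6)."""
    if not i.up:
        return False
    v4_ok = (not i.dhcp and not i.zeroconf
             and i.ipv4 not in (None, "0.0.0.0"))
    v6_ok = system_ipv6 and i.ipv6_enabled and i.ipv6 is not None
    return v4_ok or v6_ok


def viable(i: Iface) -> bool:
    """A viable interface is running with some address, DHCP ones included."""
    return i.up and (i.ipv4 is not None or i.ipv6 is not None)


def reachable(ifaces, listen_list, constraints_enabled=True, system_ipv6=False):
    """Return (constraints_enforced, names of interfaces accepting HTTP/HTTPS
    and SSH). When no listed interface is eligible, the constraints are not
    enforced and every viable interface is open."""
    by_name = {i.name: i for i in ifaces}
    listed_ok = {n for n in listen_list
                 if n in by_name and eligible(by_name[n], system_ipv6)}
    if constraints_enabled and listed_ok:
        return True, listed_ok
    return False, {i.name for i in ifaces if viable(i)}


def unintended_exposure(ifaces, listen_list, **kw):
    """Interfaces that would accept management connections although they were
    never added to the listen list: the set to review before a change."""
    _, open_ifaces = reachable(ifaces, listen_list, **kw)
    return sorted(open_ifaces - set(listen_list))


# Constructed scenarios mirroring the two examples in the guide.
def scenario_default_then_ether1_down():
    ether1 = Iface("ether1", ipv4="192.0.2.10")   # constructed static address
    ether2 = Iface("ether2", ipv4="10.1.2.3")     # static, not in listen list
    before = reachable([ether1, ether2], ["ether1"])
    ether1.up = False                             # shut down ether1
    after = reachable([ether1, ether2], ["ether1"])
    return before, after


def scenario_both_dhcp():
    ifaces = [Iface("ether1", ipv4="192.0.2.20", dhcp=True),
              Iface("ether2", ipv4="10.1.2.4", dhcp=True)]
    return reachable(ifaces, ["ether1", "ether2"])


if __name__ == "__main__":
    print(scenario_default_then_ether1_down())
    print(scenario_both_dhcp())
    # A DTI interface that is up with an address becomes reachable too when
    # the constraints collapse, which is the case worth catching beforehand.
    dti = Iface("ether4", ipv4="10.13.66.12")
    mgmt = Iface("ether1", ipv4="192.0.2.10", dhcp=True)
    print(unintended_exposure([mgmt, dti], ["ether1"]))
```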
To split the DTI traffic from the ether1 interface, you need a dedicated network interface on the Central Management appliance that is connected to the Internet, as shown in the following illustration. The default gateway of the managed appliance must be reconfigured to this interface. If the managed appliance and the Central Management appliance are in different subnets, a static route must be configured to stream the management traffic from the ether1 interface.

IMPORTANT! After traffic is split, accessing the management interface through the Web UI or the CLI must be done from clients in the same subnet as the management interface.

Prerequisites
- Admin access
- Dedicated port for Internet access. For example, in a standard Central Management deployment, the ether2, ether3, and ether4 ports are unused and can be used for this purpose. (On some appliances, ports are labeled pether.) For details, see the Central Management Hardware Administration Guide for your Central Management model.

Splitting DTI and Management Traffic Using the CLI
Use the commands in this section to split DTI and management traffic. The following topologies are supported:
- Central Management Appliance and Managed Appliance in Same Subnet below
- Central Management Appliance and Managed Appliance in Different Subnets on the facing page

Central Management Appliance and Managed Appliance in Same Subnet
To configure split traffic when the devices are in the same subnet:
1. Go to CLI configuration mode:
   cm-hostname > enable
   cm-hostname # configure terminal
2. Enable the interface that should have Internet access for DTI traffic:
   cm-hostname (config) # no interface <interface> shutdown
   where <interface> is the name of the interface (for example, ether4).
3. Configure the interface for DTI traffic:
   cm-hostname (config) # interface <interface> ip address <ipAddress> <mask>
   where <interface> is the interface name, <ipAddress> is the interface IP address, and <mask> is the network mask. The network mask can be specified in dotted decimal format (such as 255.255.255.0) or in mask length format (such as /24).
4. Remove the existing default gateway route:
   cm-hostname (config) # no ip default-gateway
5. Configure the default gateway to the interface for DTI traffic:
   cm-hostname (config) # ip default-gateway <ipAddress> <interface>
   where <ipAddress> is the IP address and <interface> is the name of the interface for DTI traffic.
6. Verify the default gateway configuration:
   cm-hostname (config) # show ip default-gateway
7. Verify the IP route:
   cm-hostname (config) # show ip route
8. Save your changes:
   cm-hostname (config) # write memory

Example
In this example, the current settings are shown, DTI traffic is configured to go through the ether4 interface, and the configuration is verified.
cm-hostname (config) # show ip default-gateway
Active default gateways:
  172.16.1.1 (interface: ether1)
cm-hostname (config) # show ip route
Destination   Mask           Gateway      Interface  Source
default       0.0.0.0        172.16.1.1   ether1     static
172.16.0.0    255.240.0.0    0.0.0.0      ether1     interface
cm-hostname (config) # no interface ether4 shutdown
cm-hostname (config) # interface ether4 ip address 10.13.66.12 255.255.255.0
cm-hostname (config) # no ip default-gateway
cm-hostname (config) # ip default-gateway 10.13.66.1 ether4
cm-hostname (config) # show ip default-gateway
Active default gateways:
  10.13.66.1 (interface: ether4)
cm-hostname (config) # show ip route
Destination   Mask             Gateway      Interface  Source
default       0.0.0.0          10.13.66.1   ether4     static
10.13.66.1    255.255.255.0    0.0.0.0      ether4     interface
172.16.0.0    255.240.0.0      0.0.0.0      ether1     interface

Central Management Appliance and Managed Appliance in Different Subnets
When the Central Management appliance and the managed appliance are in different subnets, there is an additional step to configure a static route for the managed appliance to connect to the Central Management appliance.

To configure split traffic when the devices are in different subnets:
1. Go to CLI configuration mode:
   cm-hostname > enable
   cm-hostname # configure terminal
2. Enable the interface that should have Internet access for DTI traffic:
   cm-hostname (config) # no interface <interface> shutdown
   where <interface> is the name of the interface (for example, ether4).
3. Configure the IP address and netmask of the interface for DTI traffic:
   cm-hostname (config) # interface <interface> ip address <ipAddress> <mask>
   where <interface> is the name of the interface, <ipAddress> is the IP address of that interface, and <mask> is the network mask. The network mask can be specified in dotted decimal format (such as 255.255.255.0) or in mask length format (such as /24).
4. Remove the static default gateway:
   cm-hostname (config) # no ip default-gateway
5. Reconfigure the default gateway to the interface for DTI traffic:
   cm-hostname (config) # ip default-gateway <ipAddress> <interface>
   where <ipAddress> is the IP address and <interface> is the name of the interface for DTI traffic.
6. Add a static route for the Central Management platform to send management traffic to the managed appliance over the ether1 interface:
   cm-hostname (config) # ip route <ipAddress> <mask> ether1
   where <ipAddress> is an IP address in the same subnet as the managed appliance and <mask> is the network mask.
7. Verify the default gateway configuration:
   cm-hostname (config) # show ip default-gateway
8. Verify the IP route:
   cm-hostname (config) # show ip route
9. Save your changes:
   cm-hostname (config) # write memory

Example
In this example, the current settings are shown, DTI traffic is configured to go through the ether4 interface, a new static route is configured for management traffic, and then the configuration is verified.
cm-hostname (config) # show ip default-gateway
Active default gateways:
  172.16.1.1 (interface: ether1)
cm-hostname (config) # show ip route
Destination   Mask           Gateway      Interface  Source
default       0.0.0.0        172.16.1.1   ether1     static
172.16.0.0    255.240.0.0    0.0.0.0      ether1     interface
cm-hostname (config) # no interface ether4 shutdown
cm-hostname (config) # interface ether4 ip address 10.13.66.12 255.255.255.0
cm-hostname (config) # no ip default-gateway
cm-hostname (config) # ip default-gateway 10.13.66.1 ether4
cm-hostname (config) # ip route 172.17.74.0 255.255.255.0 ether1
cm-hostname (config) # show ip default-gateway
Active default gateways:
  10.13.66.1 (interface: ether4)
cm-hostname (config) # show ip route
Destination   Mask             Gateway      Interface  Source
default       0.0.0.0          10.13.66.1   ether4     static
10.13.66.1    255.255.255.0    0.0.0.0      ether4     interface
172.16.0.0    255.240.0.0      0.0.0.0      ether1     interface
172.17.74.0   255.255.255.0    0.0.0.0      ether1     static

CHAPTER 12: Upgrading the FireEye Software
The CM appliance automatically checks for new system images. Updates are made on an ongoing basis and are easy to download and install. This section describes how to update the Central Management system image. For information about updating managed appliances from the Central Management appliance, see Updating Managed Appliances on page 499.

NOTES:
- Refer to the FireEye DTI Offline Update Portal Guide for upgrade instructions if your server is offline and cannot download updates from the DTI network.
- Upgrade times vary, based on the operating environment at your site and the size of the server database.
- Do not reboot your server during an upgrade, unless prompted to do so.

Before You Begin the Upgrade
Review the items in this section before you begin your upgrade.
- User Role—You must have admin access to upgrade the CM appliance.
- Back Up the Appliance—Before performing the upgrade, back up your appliance. See Database Backup and Restore on page 245 for more information.
- Licenses—Before performing upgrades, confirm that the following licenses are installed and valid:
  - CONTENT_UPDATES license (needed for security content updates)
  - FIREEYE_SUPPORT license (needed for software updates)
  NOTE: See License Keys on page 115 for more information. If you need to obtain the licenses, send an email to key_request@fireeye.com.
- End-User License Agreement (EULA)—The upgrade could require acceptance of the End User License Agreement (EULA). If it is required, the appliance will not function until the EULA is accepted. To review the EULA before the upgrade, download a copy from the FireEye Customer Support Portal at http://csportal.fireeye.com.
- Minimum Version to Upgrade—Refer to the Release Notes to determine whether you can upgrade directly from the current release to the new release.
- IPMI and BIOS Versions—The CM 4500 model requires IPMI 3.11 and BIOS 1.9. Check the versions installed on the appliance with the show system bios command and the show system bios include-firmware-update-notice command. If they are earlier than IPMI 3.11 and BIOS 1.9, see Upgrading Firmware to IPMI 3.11 and BIOS 1.9 on page 230 for upgrade instructions.
- Download Time—Downloading the operating system software requires about 45 minutes when upgrading from the CLI. Downloading the guest images typically requires 2½ to 9 hours from the CLI, depending on connection speed and whether the full set of guest images is downloaded. A complete set can require 24 hours or more.
Network Proxy Configuration—If you have an intelligent proxy appliance that is required for access to the Internet, ensure that it does not perform secure sockets layer (SSL) terminations with certificate replacement. An example of such a proxy is the Blue Coat ProxySG appliance. If the proxy does perform SSL terminations, then you must whitelist the FireEye Dynamic Threat Intelligence (DTI) network server (staticcloud.fireeye.com), or the Content Distribution Network (CDN) server (cloud.fireeye.com or download.fireeye.com) in the proxy configuration. For integration with third-party products, such as ArcSight, Juniper STRM, Blue Coat ProxySG, or Q1 Lab QRadar, contact FireEye Technical Support. Refer to the vendor documentation for proxy configuration information. 220 © 2019 FireEye Release 8.7 Upgrading the Appliance Using the Web UI Upgrading the Appliance Using the Web UI Use the Upgrade page to upgrade the CM appliance. To open the Upgrade page, click the About tab and then click Upgrade. The following is an example of the Update page for a Central Management appliance. Task List for Upgrades Perform the following steps (detailed in the sections that follow) to upgrade the CM appliance. NOTE: If your appliance is offline and cannot download updates from the DTI network, perform Select an Upgrade Source below and then refer to the FireEye DTI Offline Update Portal User Guide for additional instructions. 1. Select an Upgrade Source below. 2. Check for Available Update Software on the next page. 3. Download the Software on the next page. 4. Install the Software Update on the next page. 5. Upgrading the Appliance Using the Web UI above. 6. Validate the Software Updates on page 223. Select an Upgrade Source The upgrade source is the location from which the software updates will be downloaded. Online Option l DTI—The software is downloaded from the Dynamic Threat Intelligence (DTI) server or a Content Delivery Network (CDN) server. 
The server address is © 2019 FireEye 221 Central Management Administration Guide CHAPTER 12: Upgrading the FireEye Software displayed at the top right of the page. See Changing the Active Setting for a DTI Service on page 131 for details about these options. Offline Options The following options can be used if your appliance cannot download updates from a DTI source server. For details and upgrade instructions, see the FireEye DTI Offline Update Portal User Guide. l l Local—Upload a local file that was obtained from the FireEye DTI Update Portal for offline appliances. Click Local to specify a path to the locally stored update software, and then click Save. URL—Upload a local file that was obtained from FireEye via the DTI Update Portal for offline appliances and hosted on a local site identified by a URL. Click URL to specify a URL to the update software, and then click Save. NOTE: For offline guest image updates, downloads are more efficient if Source is set to URL, not Local. If neither offline option is feasible, contact FireEye Technical Support. Check for Available Update Software Click the action icon ( ) in the Action column, and then click Check for a resource row to determine if update software is available. The status is displayed in the expanded Status area. NOTE: If the Check option does not appear in the Action column, then the software is already available for download or an update has recently taken place. The Check option also does not appear during software downloads. Download the Software If a software update is available, the Download option in the Action column is displayed. Click the action icon ( ) in the Action column, and then click Download to begin the software download. The download status is displayed in the expanded Status area. Install the Software Update Installation status is displayed in the expanded Status area. 
After you download a software update, click the action icon in the Action column, and then click Install to install it. Installation status is displayed in the expanded Status area. If prompted, read the End User License Agreement (EULA), and then accept it if you agree to its terms. If you do not accept it, the appliance will not function.

NOTE: If an upgrade process is interrupted or fails, the appliance software automatically falls back to the currently installed image.

When installation of the software image is complete, click the action icon in the Action column, and then click Reboot to complete the update process.

NOTE: You must access the appliance through the serial port if you want to monitor appliance boot activities. Through a direct keyboard and monitor connection you can enter CLI commands only before the boot loader begins loading the kernel (for example, to view POST output) and after the boot has completed.

Validate the Software Updates

After software updates are installed, verify the installations:

• Click the About tab. The current software image version is displayed on the FireEye CMS System Information page.
• Click the Settings tab, and then click CMS Licenses on the sidebar to view the installed licenses. Valid and active licenses display the attribute "True." If the licenses are not valid and active, the updates are not functional.

Upgrading the Appliance Using the CLI

Use the commands in the following sections to upgrade the CM appliance.

Task List for Upgrades

Perform the following steps (detailed in the sections that follow) to upgrade the appliance.

1. Download and Install the Appliance Software Image on the next page.
2. Restart the Appliance and Accept the EULA on the next page.
3. Verify the Upgrade on page 225.

IMPORTANT: Be sure to download the software image files from the configured DTI source server before beginning any installations.
Download and Install the Appliance Software Image

To download and install the software image:

1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Check for downloads:
    hostname (config) # fenet image check
    hostname (config) # show fenet image status
3. Download the software image:
    hostname (config) # fenet image fetch
4. View the download progress:
    hostname (config) # show fenet image status
    Progress of latest action taken:
    action fetch initiated Tue Nov 22 13:04:44 2016
    applying fetch for image lms
    fetching checksum of the requested image done
    fetching requested image 7.9.0 initiated
    fetching requested image 7.9.0 done
    action fetch completed Tue Nov 22 13:06:03 2016
    fetch-done: OS image downloaded successfully: image-lms_7.9.0.img
   (The example output shows a 7.9.0 image; substitute the image name reported for your release.) If you have already downloaded the latest software, you may see the error "Latest image already downloaded and ready to install (error)." To check which images are downloaded, use the following command:
    hostname (config) # show fenet image list
5. Install the downloaded software image and select it as the next boot image:
    hostname (config) # image install image-lms_7.9.0.img
    hostname (config) # image boot next
   NOTE: If an upgrade process is interrupted or fails, the appliance software automatically falls back to the currently installed image.
6. Save your changes:
    hostname (config) # write memory

Restart the Appliance and Accept the EULA

To restart the appliance and accept the EULA:

1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Restart the appliance:
    hostname (config) # reload
3. After the appliance restarts, the system may display the FireEye End User License Agreement (EULA). Read the EULA. Click Yes if you agree to its terms, and then click Submit. If you do not accept the EULA, the appliance will not function.
After accepting the EULA, the login page is displayed. Wait a few minutes before logging in, because database records are being updated as part of the upgrade.

NOTE: You must access the appliance through the serial port if you want to monitor appliance boot activities. Through a direct keyboard and monitor connection you can enter CLI commands only before the boot loader begins loading the kernel (for example, to view POST output) and after the boot has completed.

Verify the Upgrade

To verify the upgrade:

1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Display the version information for the current system image:
    hostname (config) # show version

Configuring Auto-Mounting on a USB Device

You can configure auto-mounting for a USB device attached to the CM appliance. Only one USB device can be mounted at a time. You can configure HTTP access to install system images from the USB device onto the appliance.

NOTE: You can configure auto-mounting on a USB device only using the CLI.

Prerequisites
• Admin access

Enabling or Disabling Auto-Mounting on a USB Device Using the CLI

Use the commands in this topic to enable or disable auto-mounting for a USB device attached to the CM appliance. By default, auto-mounting is disabled. Enable auto-mounting before you attach the USB device: a device that is already attached when you enable auto-mounting is not mounted automatically.

Prerequisites
• Admin access

To enable auto-mounting on a USB device:

1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Enable auto-mounting for a USB device attached to the appliance:
    hostname (config) # media usb auto-mount enable
3. Plug the USB device into the appliance immediately.
4. Verify the USB device auto-mount configuration:
    hostname (config) # show media usb
    USB auto-mount configuration:
      Enabled: yes
      Local web access: yes
      Top-level directory: fireeye

To disable auto-mounting on the USB device:

1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Disable auto-mounting on the USB device:
    hostname (config) # no media usb auto-mount enable
3. Verify the USB device auto-mount configuration:
    hostname (config) # show media usb
    USB auto-mount configuration:
      Enabled: no
      Local web access: yes
      Top-level directory: fireeye

Configuring HTTP Access to Install Software Updates Using the CLI

Use the commands in this topic to configure HTTP access so that software updates can be installed from a USB device onto the appliance. By default, only the contents of the fireeye directory on the first partition of the USB device can be reached, and only locally on the appliance, from the specified URL.

NOTE: The Central Management appliance does not host guest images when it is operating in "inline" mode.

Prerequisites
• Admin access
• Auto-mounting enabled for the USB device attached to the appliance. For details about how to enable auto-mounting, see Enabling or Disabling Auto-Mounting on a USB Device Using the CLI on the previous page.

To configure HTTP access to install software updates from a USB device:

1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Enable HTTP access on the loopback interface of the appliance:
    hostname (config) # media usb web-access enable local
   Local web access is enabled by default. Because the access is on the loopback interface, the USB contents are reachable only from the appliance itself, not from the network.
3. Specify the top-level directory on the USB device from which software updates are served:
    hostname (config) # media usb web-access top-dir fireeye
   This directory forms the path of the URL from which the appliance fetches the software on the USB device.
4. Verify that the USB device is mounted:
    hostname (config) # show media usb
    USB auto-mount configuration:
      Enabled: yes
      Local web access: yes
      Top-level directory: fireeye
    USB auto-mount status:
      Device mounted: yes
      Access URL: N/A
5. Download the software updates, using the specified URL as the source. See Installing Guest Images from a USB Device Using the CLI below for a representative procedure.

Installing Guest Images from a USB Device Using the CLI

Use the commands in this topic to install guest images from a USB device onto the appliance. By default, only the contents of the fireeye directory on the first partition of the USB device can be reached, and only locally on the appliance, from the specified URL.

NOTE: The Central Management appliance does not host guest images when it is operating in "inline" mode.

Prerequisites
• Admin access
• Auto-mounting enabled for the USB device attached to the appliance. For details about how to enable auto-mounting, see Enabling or Disabling Auto-Mounting on a USB Device Using the CLI on page 226.
• HTTP access configured. For details, see Configuring HTTP Access to Install Software Updates Using the CLI on the previous page.

Complete the following steps, in order, so that the files are laid out correctly for installing guest images from a USB device:

1. Download the guest images tar file from the FireEye network.
2. Extract its contents onto the USB device.
3. Remove the version numbers from the manifest file names by copying each file to its versionless name:
   • server-manifest.VERSION to server-manifest
   • server-manifest.VERSION.md5 to server-manifest.md5
   • server-manifest.VERSION.v2 to server-manifest.v2
   • server-manifest.VERSION.v2.md5 to server-manifest.v2.md5
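The rename step above is easy to get wrong by hand, and because the .md5 sidecars travel with the manifests it is also the natural place to confirm that the files extracted onto the USB device are intact before the appliance fetches them. The following Python script is an added example, not FireEye code or a FireEye tool: it verifies each versioned manifest against its sidecar and only then copies the four files to their versionless names. It assumes the sidecar holds the hex digest as its first whitespace-separated token (md5sum style) and uses 8.7.0 as the VERSION string; the guide states neither. The files it builds are constructed for the demonstration. MD5 here detects corruption and mismatched file sets, not deliberate tampering by someone who can also rewrite the sidecar.

```python
"""Prepare FireEye guest-image manifest files on a USB device for offline install.

Added example (not FireEye code): verifies server-manifest.VERSION{,.v2} against
their .md5 sidecars, then copies all four files to their versionless names.
Sidecar format (hex digest as first token) is an assumption.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Payload suffixes that follow the version number; each has a ".md5" sidecar.
MANIFEST_SUFFIXES = ("", ".v2")


def md5_hex(path: Path) -> str:
    """Stream the file through MD5 (manifests may be large)."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sidecar_digest(path: Path) -> str:
    """First whitespace-separated token of the .md5 file, lower-cased (assumed format)."""
    return path.read_text(encoding="ascii").split()[0].lower()


def prepare_manifests(usb_dir: Path, version: str) -> dict:
    """Verify every versioned manifest, then copy to versionless names.

    Returns {written_name: md5_hex}. Raises FileNotFoundError if a file is
    missing and ValueError on a digest mismatch; in both cases nothing is
    copied, so a half-prepared USB directory is never left behind.
    """
    plan = []
    for suffix in MANIFEST_SUFFIXES:
        src = usb_dir / f"server-manifest.{version}{suffix}"
        src_md5 = usb_dir / f"server-manifest.{version}{suffix}.md5"
        for required in (src, src_md5):
            if not required.is_file():
                raise FileNotFoundError(f"missing {required.name} on USB device")
        actual, expected = md5_hex(src), sidecar_digest(src_md5)
        if actual != expected:
            raise ValueError(f"{src.name}: MD5 {actual} != sidecar {expected}")
        plan.append((src, src_md5, suffix, actual))

    written = {}
    for src, src_md5, suffix, digest in plan:       # all checks passed: now copy
        dst = usb_dir / f"server-manifest{suffix}"
        dst_md5 = usb_dir / f"server-manifest{suffix}.md5"
        shutil.copy2(src, dst)
        shutil.copy2(src_md5, dst_md5)
        written[dst.name] = digest
        written[dst_md5.name] = sidecar_digest(dst_md5)
    return written


def build_sample_usb(version: str = "8.7.0", corrupt_v2: bool = False) -> Path:
    """Constructed sample: a temp dir standing in for the USB 'fireeye' directory."""
    usb = Path(tempfile.mkdtemp()) / "fireeye"
    usb.mkdir()
    for suffix, body in (("", b"sample-manifest-v1\n"), (".v2", b"sample-manifest-v2\n")):
        payload = usb / f"server-manifest.{version}{suffix}"
        payload.write_bytes(body)
        (usb / f"{payload.name}.md5").write_text(
            f"{hashlib.md5(body).hexdigest()}  {payload.name}\n")
    if corrupt_v2:  # payload changed after the sidecar was written
        (usb / f"server-manifest.{version}.v2").write_bytes(b"tampered\n")
    return usb


if __name__ == "__main__":
    usb = build_sample_usb()
    for name, digest in prepare_manifests(usb, "8.7.0").items():
        print(f"{digest}  {name}")
```

Run it against the mounted device's fireeye directory after extracting the tar; if it reports a mismatch, re-extract the tar rather than installing from the device.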
To download guest images from a USB device:

1. Download the guest images, using the specified URL as the source:
    hostname (config) # guest-images download url <URL>
   where <URL> is the location you specified as the top-level directory for the installation. Wait for the appliance to fully download the guest images before beginning any installation.
2. Verify the download progress:
    hostname (config) # show guest-images download
3. After the download is complete, install the guest images:
    hostname (config) # guest-images install
4. Verify that the guest images are properly installed:
    hostname (config) # show guest-images

Mounting or Unmounting a USB Device Using the CLI

Use the commands in this topic to manually mount or unmount a USB device attached to the appliance. Attach the drive and then run the media usb mount command; run the media usb eject command before you physically remove the drive from the port, so that the device is unmounted cleanly.

NOTE: The media usb eject command has no effect if the USB device is not mounted.

Prerequisites
• Admin access

To mount a USB device:

1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Mount the USB device attached to the appliance:
    hostname (config) # media usb mount

To unmount a USB device:

1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Unmount the USB device from the appliance:
    hostname (config) # media usb eject

Upgrading Firmware to IPMI 3.11 and BIOS 1.9

Upgrading IPMI 3.11 and BIOS 1.9 Firmware for Specific Platforms

The CM 4500 model requires an upgrade to IPMI 3.11 and BIOS 1.9. You must install the IPMI upgrade before you upgrade the BIOS.
To upgrade IPMI to version 3.11:

CAUTION: IPMI network and password settings revert to factory defaults after this upgrade, and IPMI logs are deleted. Record your settings and back up your IPMI logs before you begin; re-apply your network settings and replace the factory-default password as soon as the upgrade completes.

WARNING: Do not shut down or remove power from the appliance during the upgrade.

1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Begin the upgrade:
    hostname (config) # ipmi firmware update latest
3. Confirm the upgrade:
    hostname (config) # show ipmi

If the upgrade fails, repeat the steps. If IPMI functions are not fully restored, perform a full power cycle (cold shutdown) of the appliance:

1. Halt the appliance:
    hostname (config) # reload halt
2. Disconnect all power cables for 2 minutes.
3. After 2 minutes, reconnect the power cables and restart the appliance.

To upgrade the BIOS to version 1.9:

1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Begin the upgrade:
    hostname (config) # system bios firmware update latest
   WARNING: Do not shut down or remove power from the appliance during the upgrade.
3. Confirm the upgrade:
    hostname (config) # show system bios
4. Halt the appliance:
    hostname (config) # reload halt
5. Disconnect all power cables for 2 minutes.
6. After 2 minutes, reconnect the power cables and restart the appliance.

CHAPTER 13: Log Management

This section covers the following information:

• Managing Logs Using the Web UI below
• Viewing the Current Log Configuration on page 236
• Configuring a Syslog Server Using the CLI on page 237
• Configuring the Minimum Severity of Messages Sent to Syslog Servers Using the CLI on page 238
• Configuring the Minimum Severity of Messages Stored on the Local Drive Using the CLI on page 240
• Configuring the Timestamp Format Using the CLI on page 242
• Uploading the Active Log File to a Network Location Using the CLI on page 244

For a full list of commands and details about command usage and parameters, see the CLI Command Reference.

NOTE: You may need to download logs and provide them to FireEye Technical Support for troubleshooting.

Managing Logs Using the Web UI

Use the About > Log Manager page to manage appliance logs. This page lets you generate log archives that cover selected log categories and time periods.

NOTE: FireEye Technical Support may also ask you to upload the logs to FireEye.

To manage logs:

1. Click the About tab.
2. Click Log Manager.
3. Select which log categories to include by clicking Selected Logs or All logs and outputs.
4. Select or clear checkboxes to specify the categories you want to include in the logs.
5. If a drop-down list is present, select the time period the log should cover. The default is today; the other options are past week, past 2 weeks, and past month.
6. If you want to view the log files you download, clear the Password-protect generated log archive checkbox in the Password area.
   IMPORTANT: If this checkbox is selected, you cannot open the archive yourself; a password-protected archive is intended for upload to FireEye Technical Support.
7. Click Create. The log archive is added to the Log Archives area.
8. To download a log archive, click the action icon in the Action column and then click Download. The archive is downloaded to your local file system. Its name begins with the hostname of the appliance.
9. To delete an archive, click the action icon in the Action column and then click Delete.
10. If FireEye requests that you upload an archive, click the action icon in the Action column and then click Upload. The file is uploaded to FireEye automatically.

Viewing the Current Log Configuration

This topic describes how to use CLI commands to view the current log configuration on the CM appliance. For a full list of logging commands and their usage and parameters, see the CLI Command Reference.

Prerequisites
• Admin access

To view the current log configuration:

1. Go to CLI enable mode:
    hostname > enable
2. View the current logging configuration:
    hostname # show logging
    Local logging level: notice
      Override for class mgmt-back: notice
      Override for class mgmt-front: notice
    Remote syslog default level: notice
    No remote syslog servers configured.
    Receive remote messages via UDP: no
    Receive remote messages via TCP: no
    Receive remote messages via TLS: no
    Log file rotation:
      Log rotation size threshold: 256 megabytes
      Archived log files to keep: 40
    Log format:
      Timestamp format: rfc-3164
      Subsecond timestamp field: disabled
    Secure channel logs: yes

Configuring a Syslog Server Using the CLI

This topic describes how to use CLI commands to specify a syslog server for log messages on the CM appliance. For a full list of logging commands and their usage and parameters, see the CLI Command Reference.
Prerequisites
• Admin access

To specify a syslog server:

1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Specify the syslog server to which log messages are sent with the logging <serverAddress> command, where <serverAddress> is the server IP address. For example:
    hostname (config) # logging 10.10.20.62
3. Verify your changes:
    hostname (config) # show logging
    Local logging level: notice
      Override for class mgmt-back: notice
      Override for class mgmt-front: notice
    Remote syslog default level: notice
    Remote syslog servers:
      10.10.20.62  notice
        protocol: udp
        port: 514
    [ . . . ]
4. Save your changes:
    hostname (config) # write memory

The server is added with the default transport, UDP port 514, which delivers messages without encryption, integrity protection, or delivery confirmation. Keep the path between the appliance and the syslog server on a trusted management network, and see the CLI Command Reference for the protocol options the logging command accepts.

Configuring the Minimum Severity of Messages Sent to Syslog Servers Using the CLI

This topic describes how to use CLI commands to specify the minimum severity level of log messages sent to syslog servers. For a full list of logging commands and their usage and parameters, see the CLI Command Reference.

Prerequisites
• Admin access

To configure the minimum severity of log messages sent to syslog servers:

1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Specify the minimum severity with the logging trap <severity> command, where <severity> is one of the following (listed from most to least severe):
   • none—Disables logging to syslog servers.
   • emerg—System failure.
   • alert—Immediate action required.
   • crit—Critical condition.
   • err—Error condition.
   • warning—Warning condition.
   • notice—Normal but significant condition.
   • info—Informational message.
   • debug—Debug-level message.
   Messages at the specified severity and at every more severe level are sent. The following example sends all log messages of error level or higher severity to the syslog server:
    hostname (config) # logging trap err
3. Verify your changes:
    hostname (config) # show logging
    Local logging level: notice
      Override for class mgmt-back: notice
      Override for class mgmt-front: notice
    Remote syslog default level: err
    Remote syslog servers:
      10.10.20.62  err
        protocol: udp
        port: 514
    [ . . . ]
4. Save your changes:
    hostname (config) # write memory

Configuring the Minimum Severity of Messages Stored on the Local Drive Using the CLI

This topic describes how to use CLI commands to specify the minimum severity level of log messages stored on the local drive. For a full list of logging commands and their usage and parameters, see the CLI Command Reference.

Prerequisites
• Admin access

To configure the minimum severity of log messages stored on the local drive:

1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Specify the minimum severity with the logging local <severity> command, where <severity> is one of the following (listed from most to least severe):
   • none—Disables local logging.
   • emerg—System failure.
   • alert—Immediate action required.
   • crit—Critical condition.
   • err—Error condition.
   • warning—Warning condition.
   • notice—Normal but significant condition.
   • info—Informational message.
   • debug—Debug-level message.
   • override—Override the log level for a specific log class (the show logging output lists the mgmt-back and mgmt-front class overrides).
   The following example saves all log messages of error level or higher severity in the log files on the local disk:
    hostname (config) # logging local err
   Raising the local threshold discards lower-severity records, such as the notice-level entries that record normal operation; if you rely on the appliance's local logs during an investigation, keep the local level at notice or lower and filter at the syslog server instead.
3. Verify your changes:
    hostname (config) # show logging
    Local logging level: err
      Override for class mgmt-back: notice
      Override for class mgmt-front: notice
4. Save your changes:
    hostname (config) # write memory

Configuring the Timestamp Format Using the CLI

This topic describes how to use CLI commands to specify the syslog timestamp format. For a full list of logging commands and their usage and parameters, see the CLI Command Reference.

Prerequisites
• Admin access

To configure the timestamp format used in log messages:

1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Enter the logging fields timestamp format <format> command, where <format> is one of the following:
   • rfc-3164—Use the timestamp format specified in RFC 3164 (for example, May 13 15:12:01). This format carries neither the year nor the time zone, so a collector has to infer both.
   • rfc-3339—Use the timestamp format specified in RFC 3339 (for example, 2017-05-15T15:22:33), which is unambiguous when logs from several appliances are correlated.
   The following example specifies that all log messages use RFC 3339 format:
    hostname (config) # logging fields timestamp format rfc-3339
3. Verify your changes:
    hostname (config) # show logging
    Local logging level: err
    Remote syslog default level: notice
    No remote syslog servers configured.
    Receive remote messages via UDP: no
    Receive remote messages via TCP: no
    Receive remote messages via TLS: no
    Log file rotation:
      Log rotation size threshold: 256 megabytes
      Archived log files to keep: 40
    Log format:
      Timestamp format: rfc-3339
      Subsecond timestamp field: disabled
    Secure channel logs: no
4. Save your changes:
    hostname (config) # write memory

Uploading the Active Log File to a Network Location Using the CLI

This topic describes how to use CLI commands to upload the active log file to a network location. For a full list of logging commands and their usage and parameters, see the CLI Command Reference.

Prerequisites
• Admin access
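The severity thresholds (logging trap, logging local) and the timestamp format set above determine what a collector receives and how much of it can be parsed without guesswork. The following Python parser is an added example, not part of this guide or of the appliance: it reads syslog lines in either timestamp format, recovers the facility and severity from the PRI field, and applies a severity threshold with the same meaning the appliance gives it (the named level and everything more severe; "none" passes nothing). The sample lines are constructed for the demonstration (hostname cm-01, process names, and messages are invented), and the layout <PRI>TIMESTAMP HOST TAG: MESSAGE is the parser's assumption about the wire format, not something the guide states.

```python
"""Parse syslog lines with rfc-3164 or rfc-3339 timestamps and apply a
severity threshold the way `logging trap`/`logging local <severity>` do.
Added example, not FireEye code; line layout is an assumption.
"""
import re
from datetime import datetime
from typing import Optional

# Severity keywords in numeric order: index 0 = emerg ... 7 = debug.
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

_TS3164 = r"(?P<ts3164>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)"
_TS3339 = r"(?P<ts3339>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{3}|\.\d{6})?(?:Z|[+-]\d\d:\d\d)?)"
# <PRI>TIMESTAMP HOST rest-of-line   (assumed layout)
_LINE = re.compile(rf"^<(?P<pri>\d{{1,3}})>(?:{_TS3164}|{_TS3339}) (?P<host>\S+) (?P<rest>.*)$")


def parse_syslog(line: str, assumed_year: Optional[int] = None) -> dict:
    """Split one line into facility, severity, timestamp, host and message."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:                      # 24 facilities x 8 severities
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    if m["ts3164"]:
        # RFC 3164 carries no year and no zone: the receiver must assume both.
        year = assumed_year or datetime.now().year
        stamp = datetime.strptime(f"{year} {m['ts3164']}", "%Y %b %d %H:%M:%S")
        fmt = "rfc-3164"
    else:
        stamp = datetime.fromisoformat(m["ts3339"].replace("Z", "+00:00"))
        fmt = "rfc-3339"
    return {
        "facility": facility,
        "severity": SEVERITIES[severity],
        "severity_num": severity,
        "timestamp": stamp,
        "timestamp_format": fmt,
        "host": m["host"],
        "message": m["rest"],
    }


def meets_threshold(record: dict, threshold: str) -> bool:
    """True if the record is at least as severe as `threshold`; "none" passes nothing."""
    if threshold == "none":
        return False
    if threshold not in SEVERITIES:
        raise ValueError(f"unknown severity keyword: {threshold}")
    return record["severity_num"] <= SEVERITIES.index(threshold)


def select(lines, threshold: str, assumed_year: Optional[int] = None) -> list:
    """Records that `logging trap <threshold>` would forward (or `logging local` would keep)."""
    records = (parse_syslog(line, assumed_year) for line in lines)
    return [r for r in records if meets_threshold(r, threshold)]


# Constructed sample traffic: two rfc-3164 lines, two rfc-3339 lines.
SAMPLE_LINES = [
    "<34>May 13 15:12:01 cm-01 sshd[1204]: authentication failure for admin from 10.10.20.7",
    "<85>May 13 15:12:05 cm-01 login: session opened for user admin",
    "<11>2017-05-15T15:22:33 cm-01 mgmtd[301]: backup to remote destination failed",
    "<15>2017-05-15T15:22:34 cm-01 mgmtd[301]: progress tracker tick",
]

if __name__ == "__main__":
    for rec in select(SAMPLE_LINES, "err", assumed_year=2017):
        print(rec["timestamp"].isoformat(), rec["severity"], rec["message"])
```

With the threshold at err only the crit and err lines survive, exactly what logging trap err would forward; the rfc-3164 lines parse only because the year is supplied from outside, which is the practical argument for rfc-3339 on appliances whose logs are retained across year boundaries.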
To upload the active log file to a network location:

1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Upload the active log file to a network location using file transfer protocol (FTP), trivial file transfer protocol (TFTP), secure copy (SCP), or SSH file transfer protocol (SFTP):
    hostname (config) # logging files upload current <uploadURL>
   The <uploadURL> parameter specifies the protocol and the destination:
   • ftp://<domain>/<path>/<fileName>
   • tftp://<domain>/<path>/<fileName>
   • scp://<username>[:<password>]@<hostname>/<path>/<fileName>
   • sftp://<domain>/<path>/<fileName>
   NOTE: For SCP, you also specify the credentials. You can include the password in the command line, or omit it and enter it when the CLI prompts you. FTP and TFTP transfer the file (and any FTP credentials) in cleartext; prefer SCP or SFTP, because log files carry hostnames, user names, and addresses from your network.
   The following example uses SCP to upload the active log file to logs/FireEye_log.gz on example.com:
    hostname (config) # logging files upload current scp://it123@example.com/logs/FireEye_log.gz
    Password (if required): ***********
3. List the log files:
    hostname (config) # show log files
4. Save your changes:
    hostname (config) # write memory

CHAPTER 14: Database Backup and Restore

This section describes how to back up and restore the appliance database and how to manage backup files on the appliance.
It includes the following topics:

• Database Backup and Restore Introduction below
• Task List for Database Backup and Restore on the next page
• Viewing the Last Backup and Restore Results on the next page
• Estimating the Space Needed for the Backup File on page 248
• Backing Up the Database on page 249
• Scheduling Automatic Backups on page 253
• Downloading Backup Files on page 256
• Uploading Backup Files on page 257
• Restoring the Database from a Backup File on page 258
• Deleting Previous Backup Files on page 262

Database Backup and Restore Introduction

You can back up, restore, upload, download, and delete the configuration database, which stores Central Management configuration settings. You can restore the database from a previous backup, and you can delete backup files to free space for new backups.

NOTE: License keys and guest images (applicable to offline Central Management appliances only) are not included in the backup. You must reinstall the license keys and guest images separately. Network settings can be restored.

Task List for Database Backup and Restore

Complete the steps for backing up and restoring the database in the following order:

1. Log in to the Web UI or CLI.
2. Verify the status of the last backup and restore operations. For details, see Viewing the Last Backup and Restore Results below.
3. Estimate the space needed for the config backup file. For details, see Estimating the Space Needed for the Backup File on page 248.
4. Specify a config backup profile and a location for the backup file. Decide whether to include public and private key encryption. Start the backup. For details about how to specify a backup profile, include encryption, and start or cancel the backup, see Backing Up the Database on page 249.
   To schedule how often the backup job runs automatically, see Scheduling Automatic Backups on page 253.
5. To restore the database, select the backup file. For details, see Restoring the Database from a Backup File on page 258.
6. Monitor the status of the backup or restore operation.

Viewing the Last Backup and Restore Results

You can view the details of the last backup and restore operations. They include the following:

• Status of the backup or restore (such as "running")
• Destination of the backup file or source of the restore file
• Start time of the operation
• End time of the operation
• Result of the operation (such as "success")

After a backup or restore operation, the appliance marks the result as "success" or "failure." While an operation is in progress, the appliance displays the status as "running."

Prerequisites
• Admin access

Viewing the Last Backup and Restore Results Using the Web UI

The Backup and Restore page displays the status details of the last backup and restore operation. The guide shows example status details in a figure at this point (not reproduced).

Viewing the Last Backup and Restore Status Using the CLI

Use the commands in this section to view the status of the last backup and restore operations.

To view the details of the last backup operation:

1. Go to CLI enable mode:
    hostname > enable
2. View the details of the last backup operation. For example:
    hostname # show backup status
    Backup status: not-running
    Last backup profile: config
    Last backup destination: local
    Last backup start time: 2016/12/08 18:32:58.112
    Last backup end time: 2016/12/08 18:34:26.301
    Last Backup result: success

To view the details of the last restore operation:

1. Go to CLI enable mode:
    hostname > enable
2. View the details of the last restore operation. For example:
    hostname # show restore status
    Restore status: not-running
    Last restore profile: config
    Last restore source: usb
    Last restore start time: 2016/12/08 21:13:53.151
    Last restore end time: 2016/12/08 21:13:53.151
    Last restore result: success

Estimating the Space Needed for the Backup File

The appliance estimates the size of the backup file and the amount of space it needs. The available space must be greater than the estimated space required before the backup operation can run. The size depends on the profile you select (described in Database Backup and Restore Introduction on page 245).

The backup estimate for the configuration database includes the following:

• Estimated size of the backup file for the selected profile
• Available space for the selected profile
• Whether the backup can be performed

Prerequisites
• Admin access to run the estimate
• Monitor, Operator, or Admin access to view the backup estimate using the CLI. (In the Web UI, these roles can view only existing backup files, not the backup estimate.)

Estimating the Space Needed for the Backup File Using the Web UI

Use the Backup and Restore page to estimate the space needed for the backup file.

To estimate the space needed for the backup file:

1. Click the Settings tab.
2. Click CM Backup & Restore on the sidebar.
3. Select the configuration backup profile you want to estimate. (See Database Backup and Restore Introduction on page 245 for descriptions.)
4. Click Estimate in the Estimate Backup column. The backup estimate for the configuration database is displayed.

Estimating the Space Needed for the Backup File Using the CLI

Use the commands in this section to estimate the space needed for the backup file.
To estimate the space needed for the backup file:

1. Go to CLI enable mode:
    hostname > enable
2. View the estimate for the configuration database:
    hostname # show backup estimate profile config

Example

The following example shows the estimated space for a backup of the configuration database:
    hostname # show backup estimate profile config
    -----------------------------------------------
    # Estimates for config backup
    -----------------------------------------------
    Local space available               : 599097 MB
    Space reserved for other purposes   : 356220 MB
    Space available for backups         : 242877 MB
    Estimated space required for backup : 8 MB
    Can perform local or remote backup  : yes
    USB space available                 : 12808 MB
    Can perform USB backup              : yes

Backing Up the Database

You can save the backup file in three ways:

• To a local destination on the appliance
• To a remote server (this first creates a local backup and then transfers it to the remote server)
• To a USB device attached to the appliance

Use the media usb mount command to mount a USB device attached to the appliance, and the media usb eject command to unmount it. For details about how to mount or unmount a USB device, see Mounting or Unmounting a USB Device Using the CLI on page 229.

The appliance must have sufficient space to save one backup. You cannot proceed with a backup operation if there is not enough space at the requested backup destination. For information about estimating the amount of space, see Estimating the Space Needed for the Backup File on page 248.

NOTE: The appliance remains fully functional while the backup operation is in progress.

Prerequisites
• Admin access

Backing Up the Database Using the Web UI

Use the Backup and Restore page to back up the database.

To back up the database:

1. Click the Settings tab.
2. Click CM Backup & Restore on the sidebar.
3. Select the backup location from the drop-down list:
   • Local—Saves the backup file to a local destination on the appliance.
   • USB—Saves the backup file to a USB device attached to the appliance.
   • Remote—Saves the backup file to a remote server. This first creates a local backup and then transfers it to the remote server.
4. If you selected Remote, enter the location of the remote backup file in the Remote URL or Server Location column:
    scp://<username>:<password>@<hostname>/<directory>
   where <username> and <password> are the remote server admin credentials, <hostname> is the remote server, and <directory> is the directory in which to save the backup file.
5. Enter a custom prefix for the backup file name in the File Name Prefix column. You can use the prefix to sort the list of backup files.
6. (Optional) Clear the Encrypt checkbox to disable public and private key encryption for the backup operation. By default, every backup file is encrypted and signed using the public and private key pairs.
   NOTE: Encryption delays the backup operation. Backups are encrypted only with static keys, so the encryption is not a substitute for access control: the file contains the appliance configuration and should be handled as sensitive wherever it is stored or transferred.
7. Click Backup in the Action column. A progress bar indicates the status of the backup operation.
   NOTE: To cancel a database backup that is in progress, click the red X in the progress bar.

Backing Up the Database Using the CLI

Use the commands in this section to back up the configuration database.

To back up the database:

1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Specify the configuration database for backup:
    hostname (config) # backup profile config
3. Specify the location for the backup file.
   • To save the configuration backup file to a local destination on the Central Management appliance:
     hostname (config) # backup profile config to local
   • To save the backup file on a remote server:
     hostname (config) # backup profile config to <url>
     where <url> specifies the remote server admin credentials (<username> and <password>), the remote server (<hostname>), and the directory in which to save the backup file (<directory>) in the following format:
     scp://<username>[:<password>]@<hostname>/<directory>
     NOTE: If you do not specify the remote host administrator password in the backup profile command (where the password would be visible as clear text), the CLI prompts for the password and obfuscates the keyboard input as you type it.
     A remote backup first creates a local backup and then transfers it to the remote server.
   • To save the backup file to a USB drive on your local machine:
     hostname (config) # backup profile config to usb
4. Specify a custom prefix for the backup file name:
   hostname (config) # backup profile config to <backupLocation> prefix <prefix>
5. (Optional) Monitor the progress of the backup operation.
   • To disable progress tracking for the backup operation:
     hostname (config) # backup profile config to <backupLocation> progress no-track
   • To enable progress tracking for the backup operation:
     hostname (config) # backup profile config to <backupLocation> progress track
   By default, progress tracking is enabled.
6. (Optional) Disable public and private key encryption for the backup operation:
   hostname (config) # backup profile config to <backupLocation> no-encryption
   The following example backs up the configuration database to a local destination on the Central Management appliance without encryption:
   hostname (config) # backup profile config to local no-encryption
   NOTE: Encryption is enabled by default. Encryption delays the backup operation. Backups are encrypted only using static keys.
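The space estimate from show backup estimate profile config earlier in this section is the check that decides whether any of the destinations above can be used. The following is an added example, not code from the guide or from FireEye: it parses that output (the sample string is constructed from the guide's own figures with a placeholder prompt), recomputes the per-destination go/no-go from the numbers rather than trusting only the appliance's yes/no, and builds a remote target without a password so the CLI prompts for it instead of echoing it. The headroom_mb margin and the remote_backup_url helper are this example's own assumptions, not appliance settings.

```python
import re

# Constructed sample: the "show backup estimate profile config" output shown
# in the guide, with the guide's figures and a placeholder prompt.
SAMPLE_ESTIMATE = """\
hostname # show backup estimate profile config
-----------------------------------------------
# Estimates for config backup
-----------------------------------------------
Local space available : 599097 MB
Space reserved for other purposes : 356220 MB
Space available for backups : 242877 MB
Estimated space required for backup : 8 MB
Can perform local or remote backup : yes
USB space available : 12808 MB
Can perform USB backup : yes
"""

# "<label> : <value>" lines; the prompt, rules and "# ..." comment carry no field.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.+?)\s*$")
SIZE_RE = re.compile(r"^(\d+)\s*MB$")


def parse_estimate(text):
    """Map each estimate field to an int (MB), a bool (yes/no) or the raw string."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        label, raw = m.group(1), m.group(2)
        size = SIZE_RE.match(raw)
        if size:
            fields[label] = int(size.group(1))
        elif raw.lower() in ("yes", "no"):
            fields[label] = raw.lower() == "yes"
        else:
            fields[label] = raw
    return fields


def backup_feasibility(fields, headroom_mb=0):
    """Recompute whether each destination has room for one backup.

    headroom_mb is an extra margin (this example's own knob, not an appliance
    setting) for when scheduled backups will accumulate on the same volume.
    The appliance's own yes/no answers are AND-ed in, so a stale or
    contradictory estimate is surfaced rather than hidden.
    """
    required = fields["Estimated space required for backup"] + headroom_mb
    local_ok = fields["Space available for backups"] >= required
    usb_ok = fields.get("USB space available", 0) >= required
    return {
        "required_mb": required,
        "local_or_remote": local_ok and fields.get("Can perform local or remote backup", False),
        "usb": usb_ok and fields.get("Can perform USB backup", False),
    }


def remote_backup_url(username, hostname, directory):
    """Target for "backup profile config to <url>" with the password left out,
    so the CLI prompts for it instead of taking it in clear text on the command line."""
    return f"scp://{username}@{hostname}/{directory.strip('/')}"


if __name__ == "__main__":
    est = parse_estimate(SAMPLE_ESTIMATE)
    print(backup_feasibility(est))
    print(backup_feasibility(est, headroom_mb=20000))
    print(remote_backup_url("admin123", "bkpFeb", "IE-CM4400"))
```

With the guide's figures every destination has room; a 20000 MB headroom still fits the local volume but not the 12808 MB USB device, which is the kind of result that tells you where a scheduled job should not be pointed.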
NOTE: To cancel a backup that is in progress, enter the backup cancel command. When you cancel a backup operation that is in progress, the system finishes the current step before canceling the entire operation.

Examples

The following example backs up the configuration database to a local destination on the Central Management appliance:

hostname (config) # backup profile config to local
Step 1 of 3: Performing Sanity checks
100.0% [#################################################################]
Step 2 of 3: Backing up config db
100.0% [#################################################################]
Step 3 of 3: Generating Backup package
100.0% [#################################################################]

The following example backs up the configuration database to a remote location:

hostname (config) # backup profile config to scp://admin123@bkpFeb/IE-CM4400
Password (if required): ********
Step 1 of 4: Performing Sanity checks
100.0% [#################################################################]
Step 2 of 4: Backing up config db
100.0% [#################################################################]
Step 3 of 4: Generating Backup package
100.0% [#################################################################]
Step 4 of 4: Transferring backup to remote loc
100.0% [#################################################################]

Scheduling Automatic Backups

You can configure and enable automatic backup jobs, and specify how often a backup job runs.

NOTE: You can schedule automatic backup jobs only using the CLI.

Prerequisites
• Admin access
• Sufficient storage for automatic backups

IMPORTANT! Additional space is required when you schedule automatic backups to run frequently. You must monitor the generated backups and delete the unnecessary ones.
Scheduling Automatic Backups Using the CLI

Use the commands in this section to schedule automatic backups for the database.

To configure the scheduled backup job:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Create the job by specifying the job ID:
   hostname (config) # job <jobID>
3. Schedule the backup job for the configuration database:
   hostname (config) # job <jobID> command <sequenceNumber> "backup profile config"
4. Use the backup profile command to specify the location for the backup file:
   hostname (config) # job <jobID> command <sequenceNumber> "backup profile config to <backupLocation>"
   • To schedule the backup job to a local destination on the Central Management platform:
     hostname (config) # job <jobID> command <sequenceNumber> "backup profile config to local"
   • To schedule the backup job on a remote server:
     hostname (config) # job <jobID> command <sequenceNumber> "backup profile config to <url>"
     where <url> is the remote location in the following format:
     scp://<username>:<password>@<hostname>/<remotePath>
   • To schedule the backup job to a USB drive on your local machine:
     hostname (config) # job <jobID> command <sequenceNumber> "backup profile config to usb"
5. Save your changes:
   hostname (config) # write memory

To schedule automatic backups for the database:
1. Specify how often you want the backup job to run automatically.
   • To schedule daily, enter the end date, start date, or time:
     hostname (config) # job <jobID> schedule daily end date <yyyy/mm/dd>
     hostname (config) # job <jobID> schedule daily start date <yyyy/mm/dd>
     hostname (config) # job <jobID> schedule daily time <hh:mm:ss>
     The parameter values are as follows:
     o <yyyy/mm/dd> specifies the end or start date for the backup job.
     o <hh:mm:ss> specifies the time to start the backup job, based on a 24-hour clock.
   • To schedule monthly, enter:
     hostname (config) # job <jobID> schedule monthly day-of-month <day>
     where <day> is the day of the month on which the backup should occur.
   • To schedule once, enter:
     hostname (config) # job <jobID> schedule once time <hh:mm:ss> date <yyyy/mm/dd>
     The parameter values are as follows:
     o <hh:mm:ss> specifies the time to start the backup job, based on a 24-hour clock.
     o <yyyy/mm/dd> specifies the date to start the backup job.
   • To schedule a backup that runs periodically on a schedule you define, enter the end and start date or time interval:
     hostname (config) # job <jobID> schedule periodic end date <yyyy/mm/dd> time <hh:mm:ss>
     hostname (config) # job <jobID> schedule periodic start date <yyyy/mm/dd> time <hh:mm:ss>
     hostname (config) # job <jobID> schedule periodic interval <timeInterval>
     The parameter values are as follows:
     o <yyyy/mm/dd> specifies the end or start date for the backup job.
     o <hh:mm:ss> specifies the end or start time for the backup job, based on a 24-hour clock.
     o <timeInterval> is specified in the format "2h3m4s".
   • To schedule weekly:
     hostname (config) # job <jobID> schedule <frequency> weekly day-of-week <day>
     The <day> parameter is the day of the week on which the backup job is scheduled to occur. Valid values are sun (Sunday), mon (Monday), tue (Tuesday), wed (Wednesday), thu (Thursday), fri (Friday), and sat (Saturday).
   • To specify a type of schedule, enter:
     hostname (config) # job <jobID> schedule <type>
     where <type> is the type of schedule for the backup job. Valid values are:
     Value      Description
     once       The backup runs only once
     daily      The backup runs daily
     weekly     The backup runs weekly
     monthly    The backup runs monthly
     periodic   The backup runs automatically on a schedule you define
2. Enable the configuration for the scheduled backup job:
   hostname (config) # job <jobID> enable
3. Save your changes:
   hostname (config) # write memory
4. 
Verify the status of the scheduled backup job. For example:
   hostname (config) # show job
   Job 333:
     Status:              pending
     Enabled:             yes
     Continue on failure: no
     Schedule type:       daily
     Time and date:       2016/08/16 00:00:00 +0000
     Last exec time:      N/A
     Next exec time:      Sun 2016/08/17 00:00:00 +0000
     Commands:
       Command 1: backup profile config to local

Downloading Backup Files

You can download backup files from the appliance to your local machine.

NOTE: A backup file can be downloaded only using the Web UI.

Prerequisites
• Admin access

Downloading Backup Files Using the Web UI

Use the Backup and Restore page to download a backup file from the appliance to your local machine.

To download a database backup file:
1. Click the Settings tab.
2. Click CM Backup & Restore on the sidebar.
3. In the Restore Available Backups section, locate the backup FEBKP file in the Backup name (Profile) column.
4. Click the green arrow in the Download column to download the backup.

Uploading Backup Files

You can upload backup files from your local machine to the appliance. One backup file can be used to restore the database on multiple appliances. The uploaded backup files are stored in the same location as locally saved backup files.

NOTE: A backup file can be uploaded only using the Web UI.

Prerequisites
• Admin access

Uploading Backup Files Using the Web UI

Use the Backup and Restore page to upload a backup file from your local machine to the appliance.

To upload a backup file from your local machine:
1. Click the Settings tab.
2. Click CMS Backup & Restore on the sidebar.
3. In the Upload Backup File area, click Choose File, and then navigate to the backup file you want to upload.
4. Click Submit to upload the backup file from your local machine. An error occurs if an invalid backup file is uploaded.
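As an added example, not part of the guide and not FireEye code, the show job output from the last step of the scheduling procedure above can be parsed to verify a job the way that step asks: it is enabled, it has a next execution time, and it carries a backup profile config command. It also flags a scheduled remote backup whose scp:// URL embeds a password, because that string is stored in the saved configuration and printed by show job, and provides a redaction helper for logging such output. Job 333 is the guide's own example; job 334, its host name and its credentials are constructed for this example.

```python
import re

# Constructed sample of "show job" output. Job 333 is the guide's example;
# job 334, its host name and credentials are made up for this example.
SAMPLE_SHOW_JOB = """\
hostname (config) # show job
Job 333:
  Status:              pending
  Enabled:             yes
  Continue on failure: no
  Schedule type:       daily
  Time and date:       2016/08/16 00:00:00 +0000
  Last exec time:      N/A
  Next exec time:      Sun 2016/08/17 00:00:00 +0000
  Commands:
    Command 1: backup profile config to local

Job 334:
  Status:              pending
  Enabled:             no
  Continue on failure: no
  Schedule type:       weekly
  Time and date:       2016/08/20 02:00:00 +0000
  Last exec time:      N/A
  Next exec time:      N/A
  Commands:
    Command 1: backup profile config to scp://backup:Hunter2@bkphost.example/cm-backups
"""

JOB_RE = re.compile(r"^Job (\d+):$")
COMMAND_RE = re.compile(r"^\s*Command \d+:\s*(.+?)\s*$")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")
# user:password@ inside an scp:// or sftp:// URL
CRED_RE = re.compile(r"(?i)\b(scp|sftp)://([^:/@\s]+):([^@\s]*)@")


def parse_show_job(text):
    """Return {job_id: {"fields": {...}, "commands": [...]}}."""
    jobs, current = {}, None
    for line in text.splitlines():
        header = JOB_RE.match(line.strip())
        if header:
            current = jobs.setdefault(int(header.group(1)), {"fields": {}, "commands": []})
            continue
        if current is None:
            continue  # prompt line before the first job
        cmd = COMMAND_RE.match(line)
        if cmd:
            current["commands"].append(cmd.group(1))
            continue
        field = FIELD_RE.match(line)
        if field and field.group(2):
            current["fields"][field.group(1)] = field.group(2)
    return jobs


def check_backup_job(job):
    """Findings for one scheduled backup job; an empty list means it looks right."""
    findings = []
    f = job["fields"]
    if f.get("Enabled", "no").lower() != "yes":
        findings.append("job is not enabled; run 'job <jobID> enable' and 'write memory'")
    if not f.get("Schedule type"):
        findings.append("no schedule type set")
    if f.get("Next exec time", "N/A") == "N/A":
        findings.append("no next execution time; the job will not fire")
    if not any(c.startswith("backup profile config") for c in job["commands"]):
        findings.append("no 'backup profile config' command in the job")
    if any(CRED_RE.search(c) for c in job["commands"]):
        findings.append("remote URL embeds a clear-text password; it is kept in the "
                        "saved configuration and shown by 'show job'")
    return findings


def redact_command(command):
    """Mask the password in an scp:// or sftp:// URL before logging or sharing."""
    return CRED_RE.sub(r"\1://\2:***@", command)


if __name__ == "__main__":
    for job_id, job in sorted(parse_show_job(SAMPLE_SHOW_JOB).items()):
        print(job_id, [redact_command(c) for c in job["commands"]], check_backup_job(job))
```

The parser treats any "Label: value" line as a field and only "Command N:" lines as commands, so it copes with the order and spacing of the fields changing between releases as long as the labels stay the same.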
Restoring the Database from a Backup File

You can restore the backup from three locations:
• From your local appliance.
• From a remote server. Do not restore the current network settings while the appliance is performing a restore operation from a remote server.
• From a USB device connected to your local machine.

Usage Guidelines

Follow these usage guidelines when you are restoring the database from a backup file:
• The appliance will not be fully operational during the restore operation. For example, the alert detection process stops during the restore operation.
• You cannot cancel the restore operation while it is in process.
• If the restore process fails, the Central Management platform automatically reverts to the original configuration.
• The config backup profile can be restored across a software upgrade. You cannot restore the backup across a software downgrade.
• You cannot restore a backup from another product family.
• You cannot restore a backup from a release earlier than Central Management 7.5.0. You can restore a backup from Central Management 7.5.0 on a Central Management platform running release 7.6.0.

Prerequisites
• Admin access
• Verify that you have a backup FEBKP file of the current database before you begin the restore operation.
• Locate the previous backup you want to restore.
• Verify the details for the appliance, backup profile, version, hostname, and date stamp. These details are validated while the restore operation is in process.

Restoring the Database from a Backup File Using the Web UI

Use the Backup and Restore page to restore the database from a backup file.

NOTE: This illustration is from an Email Security — Server Edition appliance, but it is representative of CM appliances as well.

To restore the database from a backup file:
1. Click the Settings tab.
2. Click CM Backup & Restore on the sidebar.
3. 
Locate the backup FEBKP file you want to restore in the Backup Name (Profile) column. You can restore everything using the full profile or restore portions using one of the other profiles.
4. If you selected Remote Server, scroll down to enter the location of the remote backup file in the Remote URL or SCP box:
   {scp|sftp}://<username>:<password>@<hostname>/<filePath>
   where <username> and <password> are remote server Administrator credentials, <hostname> is the remote host, and <filePath> is the full path of the backup file. Then select the profile you want to restore from the drop-down list.
5. (Optional) Clear the Exclude Network Settings checkbox to include the network settings from the backup file. By default, the network settings are not included in the restore operation.
   CAUTION! Do not restore the current network settings while the appliance is performing a restore operation from a remote server.
6. Click Restore to restore the backup.
7. In the confirmation dialog box, click Yes.
   NOTE: The appliance will not be fully operational during the restore operation. You cannot cancel the restore operation while it is in process. You must reinstall the license keys separately.

Restoring the Database from a Backup File Using the CLI

Use the commands in this section to restore the database from a backup file.

To restore the database from a backup file:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Locate the backup FEBKP file you want to restore.
   • To display a list of the backup files on the USB drive:
     hostname (config) # show backup available on-usb
   • To display a list of the local backup files:
     hostname (config) # show backup available local
3. Specify the configuration database profile:
   hostname (config) # restore profile config
4. Specify the location of the backup file.
   • To restore the backup from the local destination on the Central Management appliance:
     hostname (config) # restore profile config from local
   • To restore the backup from a remote server:
     hostname (config) # restore profile config from <url>
     where <url> specifies the remote server Administrator credentials (<username> and <password>), the remote server (<hostname>), and the full path of the backup file (<filepath>) in the following format:
     {scp|sftp}://<username>[:<password>]@<hostname>/<filepath>
     NOTE: If you do not specify the remote host administrator password in the restore profile command (where the password would be visible as clear text), the CLI prompts for the password and obfuscates the keyboard input as you type it.
   • To restore the backup from a USB drive on your local machine:
     hostname (config) # restore profile config from usb
5. Enter the name of the backup file:
   hostname (config) # restore profile config from <backupLocation> backup <name>
6. (Optional) Restore the network settings from the backup:
   hostname (config) # restore profile config from <backupLocation> backup <name> include-network-config
   CAUTION! Do not restore the current network settings while the CM appliance is performing a restore operation from a remote server.
7. (Optional) Monitor the progress of the restore operation. Progress tracking is enabled by default.
   • To disable progress tracking for the restore operation:
     hostname (config) # restore profile config from <backupLocation> backup <name> progress no-track
   • To enable progress tracking for the restore operation:
     hostname (config) # restore profile config from <backupLocation> backup <name> progress track
   You can stop progress tracking with Ctrl+C. The restore operation continues in the background. Use the show restore status command to find the status of the restore operation.
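The prerequisites and usage guidelines above ask you to verify the appliance, profile, version, hostname and date stamp of a backup before restoring it, and they rule out restores from another product family, from a release earlier than 7.5.0, or across a downgrade; the appliance validates these during the restore, when the system is already partly unavailable. The following added example, not code from the guide or from FireEye, performs that pre-check from the FEBKP file name. The name layout it assumes (product, profile, version, hostname, date, time, inferred from the example names in this chapter) and the product token "cms" are this example's assumptions; the guide does not document the fields.

```python
import re

# Assumed FEBKP name layout (this example's assumption, inferred from the
# names shown in the guide; the guide does not document the fields):
#   <product>-<profile>-<version>-<hostname>-<yyyymmdd>-<hhmmss>.febkp
# The host name may itself contain hyphens, so the date and time are anchored
# from the right and the hostname takes whatever is left in the middle.
FEBKP_RE = re.compile(
    r"^(?P<product>[^-]+)-(?P<profile>[^-]+)-(?P<version>\d+(?:\.\d+)+)-"
    r"(?P<hostname>.+)-(?P<date>\d{8})-(?P<time>\d{6})\.febkp$"
)

# Oldest release whose backups the guide says can be restored.
MIN_RESTORABLE = "7.5.0"


def version_tuple(version):
    """'7.10.2' -> (7, 10, 2), so releases compare numerically, not as strings."""
    return tuple(int(p) for p in version.split("."))


def parse_febkp_name(name):
    """Split a backup file name into its fields; raise ValueError if it does not fit."""
    m = FEBKP_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised FEBKP name: {name!r}")
    return m.groupdict()


def restore_findings(backup_name, running_product, running_version, profile="Config"):
    """Return the guide's restore rules that this backup would break (empty list = go)."""
    b = parse_febkp_name(backup_name)
    findings = []
    if b["product"].lower() != running_product.lower():
        findings.append(f"backup is from product family {b['product']!r}, not {running_product!r}")
    if b["profile"].lower() != profile.lower():
        findings.append(f"backup profile is {b['profile']!r}, not {profile!r}")
    bv, rv = version_tuple(b["version"]), version_tuple(running_version)
    if bv < version_tuple(MIN_RESTORABLE):
        findings.append(f"backup release {b['version']} is earlier than {MIN_RESTORABLE}")
    if bv > rv:
        findings.append(f"backup release {b['version']} is newer than running {running_version}; "
                        "restore across a downgrade is not supported")
    return findings


if __name__ == "__main__":
    # Constructed names; "cms" stands in for the CM product token.
    for name in ("cms-Config-7.5.0-cm-lab1-20160802-239500.febkp",
                 "nx-Config-7.9.0-nx-lab2-20160807-220207.febkp"):
        print(name, restore_findings(name, "cms", "7.6.0"))
```

Run it against the name and the output of show version before issuing restore profile config; a non-empty list is the restore the guide says will be rejected, found while the appliance is still fully operational.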
Example

The following example shows how to restore a configuration database backup from the local destination on an appliance:

hostname (config) # restore profile config from local backup vx-Config-7.9.0vx-2-20160802-239500.febkp
Password (if required): ********
Step 1 of 4: Performing Sanity checks
100.0% [##################################################################]
Step 2 of 4: Extracting backup package
100.0% [##################################################################]
Step 3 of 4: Restoring config db
100.0% [##################################################################]
Step 4 of 4: Restart system services
100.0% [##################################################################]

NOTE: This example is from a VX Series appliance, but it is representative of CM appliances as well.

Deleting Previous Backup Files

You can delete previous backup files to free space for new backup files.

Prerequisites
• Admin access

Deleting Previous Backup Files Using the Web UI

Use the Backup and Restore page to delete a backup file.

NOTE: This illustration is from an Email Security — Server Edition appliance, but it is representative of CM appliances as well.

To delete a backup:
1. Click the Settings tab.
2. Click CMS Backup & Restore on the sidebar.
3. In the Restore Available Backups area, locate the backup FEBKP file you want to delete in the Backup Name (Profile) column.
4. Click the icon in the Delete column.
5. Click Yes to confirm the action.

Deleting Previous Backup Files Using the CLI

Use the commands in this section to delete previous backup files.

IMPORTANT! If you delete a backup file from a USB drive by using the backup delete from usb command, the deletion might take a few minutes.

To delete a backup file:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. 
Specify the location of the backup file.
   • To delete a file from the appliance, enter:
     hostname (config) # backup delete from local
   • To delete a file from a USB drive on your local machine, enter:
     hostname (config) # backup delete from usb
   NOTE: To delete a remote backup file, you must log in to the remote server and delete the file manually.
3. Specify the name of the backup file to delete from the backup location:
   hostname (config) # backup delete from <backupLocation> name <backupName>
   where <backupName> is the backup FEBKP file you want to delete.

Example

The following example shows how to delete a database backup that resides locally on an appliance:

hostname (config) # backup delete from local name wMPS-Config-7.9.0-IE-NX90020160807-220207.febkp

NOTE: This example is from a Network Security appliance, but it is representative of CM appliances as well.

CHAPTER 15: System Health and Performance

The Central Management platform provides health and status information about itself and its managed appliances.
• Checking Status and Health of Managed Appliances on page 489

For information about checking the status of an MVX cluster, see the FireEye Network Security Deployment Guide for MVX Smart Grid.

Prerequisites
• Monitor, Operator, Analyst, or Admin access

Viewing System Health and Performance Check Results

You can view overall status information about system health and appliance performance check results.

Prerequisites
• Admin, Operator, Monitor, or Analyst access

Viewing System Health and Performance Check Results Using the Web UI

Use the About > Summary page to view overall status information about the appliance components.
The Summary page panels display a summary view of appliance health, appliance performance, and status. This example is from a SmartVision Edition sensor (an NX Series appliance with a SmartVision Edition FIREEYE_APPLIANCE license), but it is representative of CM appliances as well.

The color of a display panel indicates the status of each appliance component:

Color    Description
Gray     A gray panel indicates the appliance component is in good condition.
Yellow   A yellow panel indicates the appliance component is in warning condition.
Red      A red panel indicates the appliance component is in critical condition.

The following table describes each display panel on the Summary page.

Panel               Description
Software Version    Compares the software version running on the system to the available software on the DTI network. A red panel indicates that your appliance is not running the current software version. To upgrade the software image, click Upgrade. The Web UI displays the About > Upgrade page, where you can upgrade to the latest software image.
Licenses            Displays the number of installed licenses that are valid and active. A red panel indicates that licenses have expired. A yellow panel indicates that licenses will expire within 30 days.
DTI                 Displays whether the appliance can receive security content updates from and upload analysis statistics to the DTI network. A red panel indicates that services are not reachable.
Backups             Displays the status of the last backup operation. A red panel indicates that the last backup operation failed or data has never been backed up on the appliance. To back up the database, click Create Backup. The Web UI displays the Settings > Appliance Backup & Restore page, where you can back up the database.
Global Cache        Displays whether the global cache is enabled on the system.
RAID                Displays the overall status of RAID.
                    An error message appears if a RAID error has occurred. A yellow panel indicates that a non-RAID disk was detected.
Power Supply        Displays the overall status of the power supply. A red panel indicates that the power supply is in critical condition.
System Temperature  Displays the current temperature and unit of measurement on the system. A red panel indicates that the temperature is below or above a system-defined threshold.
Paging              Displays whether the system has started paging. A yellow panel indicates that paging activity is in progress.
IPMI                Compares the IPMI firmware version running on the system to the available version on the DTI network. A red panel indicates that a newer version exists.
IP                  Displays IPv4, IPv6, or both.
Network Deployment  Displays the status of network information that might indicate appliance deployment problems. A red panel indicates that a network deployment problem was found.
Filesystem          Displays the status of the number of partitions that have free space. A yellow panel indicates that the amount of free space in one of the partitions dropped below 10 percent.
USB                 Displays whether a USB device is connected to the appliance.
Timezone            Displays the time zone for your appliance. The Timezone panel also displays the number of seconds since the appliance was synchronized with the DTI server.
CMS Management      Displays whether the appliance is managed by a Central Management appliance.

To display system health and performance check results:
1. Click the About tab.
2. Click Summary.

Checking System Health and Status

You can use the Web UI or CLI to view health and status information.
Prerequisites
• Monitor, Operator, Analyst, or Admin access

Checking System Health Using the Web UI

Use the Health Check page to check appliance health and status.

To view health and status:
1. Click the About tab.
2. Click Health Check. The results of the last check are displayed.
3. Review the system information.
4. To update the results, click Refresh Health Check.

The following sections describe the information in each area of the page.

Version Information

The About > Health Check > Version Information section provides an up-to-date view of the software running on your appliance and compares it with the software available on the FireEye DTI network.

Information about the IPMI version is not displayed for a user that is assigned the Analyst role.

Information          Description
Software Version     Compares the software version running on the system to the available software on the DTI network. If a newer version exists, administrators are prompted to upgrade the software.
  Installed Version  Displays the current software version running on the system.
  Available Version  Displays the current software version available on the DTI network.
Content Version      When the Central Management appliance is in "online" mode, it sends the request for security content updates to the DTI network on behalf of its managed appliances. The security content is downloaded to the managed appliances; it is not hosted on the Central Management appliance. When the Central Management appliance is in "offline" or "local" mode, it downloads and hosts the security content for the managed appliances to download.
IPMI Version         Compares the IPMI firmware version running on the system to the available version on the DTI network. If a newer version exists, administrators are prompted to upgrade the firmware.
  Installed Version  Displays the current IPMI firmware version.
  Available Version  Displays the latest available IPMI firmware version.

System Info

The System Info status section provides an up-to-date status of your appliance hardware and alerts administrators when problems are found.

Information       Description
Processing Load   Provides an analysis of the overall load the system is carrying. If it is nearing capacity, the administrator is alerted.
  Average Load    The average processing load handled by the system.
  Elapsed         The current uptime of the system in days, hours, minutes, and seconds.

Services Health

The About > Health Check > Services Health section provides an up-to-date status of your appliance's system services and analysis engine services and alerts administrators when problems are found.

Information      Description
Service Name     Displays the name of the system service or analysis engine service.
Status           Displays the health state of the system service or analysis engine service. Services can be healthy, disabled, degraded, or failed.
Recovery Steps   Displays instructions for how to resolve the problem.

Hardware

The About > Health Check > Hardware section provides status on the appliance's hardware components. Information about the disk, RAID, and chassis is not displayed for a user that is assigned the Analyst role.

Information         Description
Disk                Displays whether the hard disk is online. If a problem is found, the administrator is alerted.
  Device State      Displays the current state of the hard disk.
  Device Support    Displays the type of device available on the system.
  Self Assessment   Indicates whether the disk passed its internal self-tests.
  User Capacity     Shows the capacity of the disk.
Chassis             Displays the status of the hardware chassis. If a problem is found, the administrator is alerted.
  Lock              Provides the state of the chassis lock.
  Boot Up State       Provides the boot-up status.
  Power Supply State  Provides the state of the power supply.
RAID                  Provides the status of RAID.

DTI Cloud

The About > Health Check > DTI Cloud section displays the status of the connection between the appliance and the DTI network. This example is from a Network Security appliance, but it is representative of other FireEye appliances as well.

Information                Description
DTI Client                 Shows whether the DTI client is running on the system.
  Username                 Displays the current user of the system.
Support Updates            Displays the status of the support license.
Security Content Sharing   Displays whether security content sharing is enabled on the system. Displays the type of content update license purchased.
Content Updates            Displays the status of the content update license.
Download                   Compares the source for software updates (system images, guest images, and security content) to the available download source on the DTI network and displays the status.
Upload                     Compares the destination used for software uploads to the available upload destination on the DTI network and displays the status.
Last Communication Time    Shows the last time software updates were downloaded and uploaded.

Interfaces

The About > Health Check > Interfaces section displays information about each available Ethernet port on the CM appliance. This section is not displayed for a user that is assigned the Analyst role.

Information         Description
Interface           Whether the Ethernet port is up or down.
Auto Negotiation    Whether auto negotiation is enabled.
Duplex              The type of duplex communication used by the Ethernet port.
Link Detected       Whether the Ethernet port is currently linked to another port.
Link Transceiver    The location of the link transceiver used to generate Ethernet traffic.
Link Speed          The maximum data speed available on the Ethernet port.
MAC Address         The MAC address of the Ethernet port.
RX Packet           The number of packets received by the Ethernet port during the life of this connection.
TX Packet           The number of packets transmitted by the Ethernet port during the life of this connection.
TX Packets Dropped  The number of packets that were dropped from Ethernet traffic.

Checking System Health Using the CLI

Use the CLI commands in this topic to view health and status information about CM appliance components. This topic describes selected commands that return system, hardware status, DTI network, and interface information. For a full list of commands and details about their usage and parameters, see the CLI Command Reference.

Prerequisites
• Monitor, Operator, or Admin access
• Admin access for the show ipmi command

NOTE: The examples in this section are from a Network Security appliance, but they are representative of CM appliances as well.

To check appliance health:
1. Go to CLI enable mode:
   hostname > enable
2. Display detailed information about the system and the software running on it:
   hostname # show version
   Product name:       Web MPS [licensed]
   Product model:      FireEyeNX9450
   Product edition:    Classic
   Bandwidth:          2000 Mb
   Product release:    wMPS (wMPS) 7.7.0.433916
   Build ID:           #433916
   Build date:         2015-12-29 17:21:57
   Build arch:         x86_64
   Built by:           root@vta114
   Version summary:    wmps wMPS (wMPS) 7.7.0.433916 #433916 2015-12-29 17:21:57 x86_64 build@vta108:FireEye (xxx)
   Content Version:    385.314
   Appliance ID:       XXXXXXXXXXXX
   Product model:      FireEyeNX9450
   Host ID:            XXXXXXXXXXX
   System serial num:  XXXXXXXXXX
   System UUID:        XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
   Uptime:             3d 6h 34m 34.205s
   CPU load averages:  0.36 / 0.40 / .38
   Number of CPUs:     32
   System memory:      9210 MB used / 119984 MB free / 129194 MB total
   Swap:               0 MB used / 65536 MB free / 65536 MB total
3. 
Display the IPMI configuration:
   hostname # show ipmi
   IPMI LAN Settings
   ---------------------------------------
   Admin Shut Down    : no
   Shut Down          : no
   IP Address Source  : Static Address
   IP Address         : 192.168.42.27
   Subnet Mask        : 0
   Default Gateway IP : 0

   IPMI Firmware Installed
   ------------------------------
   Firmware Version: 2.67
   Device: 1
   IPMI Version: 2.0

   IPMI Firmware Available For Update
   ----------------------------------
   New Firmware Version: 2.67
   New Firmware Filename: FireEye_V267.bin
   Firmware Update Notice: Firmware is up to date for this release
   IPMI Firmware Availability Notice is enabled
4. Display overall system status:
   hostname # show system health
   Overall system feature status: Good
5. Display information about the Dynamic Threat Intelligence (DTI) network:
   hostname # show fenet status
   Dynamic Threat Intelligence Service:
     Update source : <online>
     Enabled       : yes
     Download      : DTIUser@cloud.fireeye.com
     Upload        : DTIUser@up-cloud.fireeye.com
     Mil           : DTIUser@mil-cloud.fireeye.com

   HTTP Proxy:
     Address    :
     Username   :
     User-agent :

   Request Session:
     Timeout     : 30
     Retries     : 3
     Speed Time  : 60
     Max Time    : 14400
     Rate Limit  :
     Speed Limit : 1

   Dynamic Threat Intelligence Lockdown:
     Enabled    : no
     Locked     : no
     Lock After : 5 failed attempts

   UPDATES              Enabled   Notify   Scheduled    Last Updated At
   -------              -------   ------   ---------    -------------------
   Security contents:   yes       no       every none   2016/07/18 19:28:00
   Stats contents:      yes                             2016/07/18 15:55:00
6. 
Display status and traffic statistics for all interfaces. The values worth watching are a non-zero RX errors or discards count on a port that carries management or monitored traffic, and a port that is Admin up but has no link:
   hostname # show interfaces
   Interface ether1 status:
     Comment:
     Admin up: yes
     Link up: yes
     DHCP running: no
     IP address: 172.00.00.00
     Netmask: 255.000.0.0
     IPV6 enabled: no
     Speed: 1000Mb/s (auto)
     Duplex: full (auto)
     Interface type: ethernet
     Interface ifindex: 12
     Interface source: physical
     MTU: 1500
     HW address: 00:25:90:D0:A3:76
     RX bytes: 3114981133
     RX packets: 31934013
     RX mcast packets: 31564
     RX discards: 296
     RX errors: 1
     RX overruns: 0
     RX frame: 0
     TX bytes: 227921679
     TX packets: 367951
     TX discards: 0
     TX errors: 0
     TX overruns: 0
     TX carrier: 0
     TX collisions: 0
     TX queue len: 1000
   Interface ether2 status:
     Comment:
     Admin up: yes
     Link up: no
     DHCP running: no
     IP address:
     Netmask:
     IPV6 enabled: no
     Speed: UNKNOWN
     Duplex: UNKNOWN
     Interface type: ethernet
     MTU: 1500
     HW address: 00:25:90:D0:A3:77
     RX bytes: 0
     RX packets: 0
     RX mcast packets: 0
     RX discards: 0
     RX errors: 0
     RX overruns: 0
     RX frame: 0
     TX bytes: 0
     TX packets: 0
     TX discards: 0
     TX errors: 0
     TX overruns: 0
     TX carrier: 0
     TX collisions: 0
     TX queue len: 0
   Interface pether2 status:
     Comment:
     Admin up: yes
     Link up: no
     DHCP running: no
     IP address:
     Netmask:
     IPV6 enabled: no
     Speed: UNKNOWN
     Duplex: UNKNOWN
     Interface type: ethernet
     Interface ifindex: 9
     Interface source: physical
     Bridge group: ether2
     MTU: 1500
     HW address: 00:25:90:D0:A3:77
     RX bytes: 0
     RX packets: 0
     RX mcast packets: 0
     RX discards: 0
     RX errors: 0
     RX overruns: 0
     RX frame: 0
     TX bytes: 0
     TX packets: 0
     TX discards: 0
     TX errors: 0
     TX overruns: 0
     TX carrier: 0
     TX collisions: 0
     TX queue len: 1000
   Interface pether3 status:
     Comment:
     Admin up: yes
     Link up: yes
     DHCP running: no
     IP address: 127.0.0.10
     Netmask: 255.255.255.0
     IPV6 enabled: no
     Speed: 1000Mb/s (auto)
     Duplex: full (auto)
     Interface type: ethernet
     Interface ifindex: 6
     Interface source: physical
     MTU: 1500
     HW address: 00:25:90:D0:A3:67
     RX bytes: 31628620500
     RX packets: 46795
     RX mcast packets: 367056
     RX discards: 212322
     RX errors: 0
     RX overruns: 0
     RX frame: 0
     TX bytes: 0
     TX packets: 0
     TX discards: 0
     TX errors: 0
     TX overruns: 0
     TX carrier: 0
     TX collisions: 0
     TX queue len: 1000

CHAPTER 16: SNMP Data

FireEye appliances send Simple Network Management Protocol (SNMP) data to convey abnormal conditions to the administrative computers that monitor and control them. The administrative computers are called SNMP managers. SNMP data includes the following:

- Information that is retrieved (pulled) by the SNMP manager. This information is sent in response to requests the SNMP manager sends to the appliance. See Retrieving SNMP Data below.
- Events (known as traps) that are sent (pushed) by the appliance to the SNMP manager. Traps typically report alarm conditions such as a disk failure or excessive temperature. They are unsolicited; that is, they are not sent in response to requests from the SNMP manager. See Sending Traps on page 283.

Retrieving SNMP Data

This section describes how to retrieve SNMP information from the CM appliance.

A Management Information Base (MIB) is a text file, written in a specific format, in which all of the manageable features of a device are arranged in a tree. Each branch of the tree has a number and a name, and the complete path from the top of the tree down to the point of interest forms the Object Identifier, or OID. The OID is a string of values separated by periods, such as .1.3.6.1.2.1.1.3.0. You can send requests for data on an object using the OID, but it is usually simpler to use the symbolic name for the object instead. A MIB lets SNMP tools translate the symbolic names into OIDs before sending the requests to the managed device. Symbolic names for objects in the FireEye MIB include feSerialNumber.0, feHardwareModel.0, feProductLicenseActive.0, feFanIsHealthy.1, and so on.
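Returning to the show interfaces output in the health check above: when this check is automated (the command run over SSH on a schedule), the text has to be parsed and the interesting conditions turned into findings. The following is an added example, not FireEye code. It assumes only the layout shown in the chapter (an "Interface <name> status:" header followed by "Key: value" lines) and uses a sample constructed from the values printed above. The expected_down set is an assumption for ports that are intentionally unused.

```python
"""Parse FireEye CLI `show interfaces` output and flag unhealthy ports.

Added example for this guide, not FireEye code. It assumes the output
layout shown in the chapter: an "Interface <name> status:" header line
followed by "Key: value" lines, with RX/TX counters prefixed "RX "/"TX ".
SAMPLE is constructed from the values printed in the chapter.
"""
import re

SAMPLE = """\
Interface ether1 status:
  Comment:
  Admin up: yes
  Link up: yes
  DHCP running: no
  IP address: 172.00.00.00
  Netmask: 255.000.0.0
  Speed: 1000Mb/s (auto)
  HW address: 00:25:90:D0:A3:76
  RX bytes: 3114981133
  RX packets: 31934013
  RX discards: 296
  RX errors: 1
  TX bytes: 227921679
  TX packets: 367951
  TX discards: 0
  TX errors: 0
Interface ether2 status:
  Comment:
  Admin up: yes
  Link up: no
  IP address:
  Speed: UNKNOWN
  HW address: 00:25:90:D0:A3:77
  RX packets: 0
  RX errors: 0
  TX packets: 0
  TX errors: 0
"""

HEADER = re.compile(r"^Interface (\S+) status:$")
COUNTERS = ("RX errors", "RX discards", "TX errors", "TX discards")


def parse_show_interfaces(text):
    """Return {ifname: {field: value}}; numeric counters become ints."""
    ifaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = ifaces.setdefault(m.group(1), {})
            continue
        if current is None or ":" not in line:
            continue                       # preamble or non "Key: value" line
        key, _, value = line.partition(":")
        value = value.strip()
        current[key.strip()] = int(value) if value.isdigit() else value
    return ifaces


def interface_findings(ifaces, expected_down=(), error_threshold=0):
    """List of (ifname, issue) pairs worth alerting on.

    expected_down: names of ports that are intentionally unused (assumed
    inventory data); a missing link on them is not reported.
    """
    findings = []
    for name, fields in ifaces.items():
        if (fields.get("Admin up") == "yes" and fields.get("Link up") == "no"
                and name not in expected_down):
            findings.append((name, "admin up but no link"))
        for counter in COUNTERS:
            if fields.get(counter, 0) > error_threshold:
                findings.append((name, f"{counter}={fields[counter]}"))
    return findings


if __name__ == "__main__":
    for name, issue in interface_findings(parse_show_interfaces(SAMPLE)):
        print(f"{name}: {issue}")
```

In practice the SAMPLE text would be replaced by the captured command output, and the findings fed to whatever the SOC uses for alerting; counters are cumulative since boot, so a real monitor should compare successive samples rather than absolute values.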
The FireEye MIB, named FE-FIREEYE-MIB, must be downloaded from the CM appliance to the SNMP manager so it can be loaded into an SNMP browser or other tool. A typical SNMP browser can retrieve the values the appliance supports and display them in a hierarchy, so you can navigate to the value you need to include in the request.

This section contains the following topics:
- Providing Access to SNMP Data below
- Downloading the MIB below
- Sending Requests for SNMP Information on page 282

Providing Access to SNMP Data

To allow access to SNMP v3 data, configure a username and password. The commands below configure authentication only (the authNoPriv security level): requests are authenticated with an SHA keyed hash but not encrypted, so the SNMP manager must use the same authentication protocol and should reach the appliance over a management network.

Prerequisites
- Operator or Admin access

To enable access to SNMP data:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal

2. Verify that SNMP is enabled:
   hostname (config) # show snmp
   If the output shows SNMP enabled: no, enter the snmp-server enable command.

3. SNMP v3: Specify the SNMP user and password:
   hostname (config) # snmp-server user <username> v3 enable
   hostname (config) # snmp-server user <username> v3 auth sha <password>

4. Save your changes:
   hostname (config) # write memory

Downloading the MIB

You can download the MIB from the Web UI or from the command prompt.

Prerequisites
- Analyst, Operator, or Admin access

Downloading the MIB Using the Web UI

Use the Notification Settings page to download the MIB.

To download the MIB:
1. Click the Settings tab.
2. Click Notifications on the sidebar.
3. Click the SNMP tab.
4. In the Define protocol settings section, click Download.

Downloading the MIB Using the Command Prompt

This section describes how to download the FE-FIREEYE-MIB to SNMP managers that run on Microsoft Windows, Linux, and Apple devices. The MIB file is retrieved with an SCP client (pscp.exe on Windows, scp on Linux and macOS); SCP runs over SSH, so the connection uses TCP port 22.
Because file-level access is denied by policy, the direct path to the MIB directory, /usr/share/snmp/mibs, must be specified. The examples log in as the admin account; enter that account's current password when prompted (the procedures below assume the default, admin, which should have been changed during initial configuration).

To download the FireEye MIB to Windows devices:

1. Download the pscp.exe tool (available from the PuTTY download page).
2. Open a command prompt window.
3. Change to the directory in which you downloaded the pscp.exe tool:
   cd Downloads
4. Copy the MIB directory from the appliance:
   pscp.exe -r -scp admin@<applianceIPAddress>:/usr/share/snmp/mibs C:\Temp\
5. When prompted for the password, enter the admin password (admin in this example). The files are copied to the C:\Temp\mibs directory on the Windows device.
6. Change to the mibs directory:
   cd C:\Temp\mibs
7. Load the MIB into an SNMP browser or tool, or open the MIB file:
   vi FE-FIREEYE-MIB.txt

To download the FireEye MIB to Linux devices:

1. Copy the MIB directory from the appliance using the OpenSSH client:
   scp -r admin@<applianceIPAddress>:/usr/share/snmp/mibs /usr/<userDirectoryName>
2. When prompted for the password, type the admin password (admin in this example). The files are copied to the mibs directory inside /usr/<userDirectoryName>.
3. Change to the mibs directory:
   cd mibs
4. Load the MIB into an SNMP browser or tool, or open the MIB file:
   vi FE-FIREEYE-MIB.txt

To download the FireEye MIB to Apple devices:

1. Open the terminal emulator.
2. Copy the MIB directory from the appliance:
   scp -r admin@<applianceIPAddress>:/usr/share/snmp/mibs ~/
3. When prompted for the password, type the admin password (admin in this example). The files are copied to the mibs directory inside your home directory.
4. Load the MIB into an SNMP browser or tool, or open the MIB file:
   vi FE-FIREEYE-MIB.txt

Sending Requests for SNMP Information

This topic describes two ways to retrieve SNMP information.

- The snmpget command retrieves the value of a specific object.
- The snmpwalk command walks through the object hierarchy, automatically retrieving the values of all objects under the subtree or node that you specify.

Examples of basic commands that retrieve SNMP data follow. The commands are entered on the SNMP manager. The IP address in the commands (172.0.0.0) is a placeholder for the appliance IP address. The -a option must name the authentication protocol configured with snmp-server user ... v3 auth (SHA in the procedure above); -l authNoPriv authenticates the request but sends it unencrypted.

SNMP v3 commands:
   snmpmgr # snmpget -m +FE-FIREEYE-MIB -v 3 -u myname -a SHA -A mypassword -l authNoPriv 172.0.0.0 feTemperatureValue.0
   snmpmgr # snmpwalk -m +FE-FIREEYE-MIB -v 3 -u myname -a SHA -A mypassword -l authNoPriv 172.0.0.0 enterprises.25597

SNMP v2c commands (the community string is sent in cleartext and acts as the only credential, so replace the default public with a site-specific value and restrict which managers may query the appliance):
   snmpmgr # snmpget -m +FE-FIREEYE-MIB -v 2c -c public 172.0.0.0 feSupportLicenseActive.0
   snmpmgr # snmpwalk -m +FE-FIREEYE-MIB -v 2c -c public 172.0.0.0 fireeye
   snmpmgr # snmpwalk -v 2c -c public 172.0.0.0 enterprises.25597

To retrieve license expiration dates formatted as a table, use a command similar to the following (different SNMP manager applications require different commands):
   snmpmgr # snmptable -m +FE-FIREEYE-MIB -v 2c -c public -Of 172.0.0.0 feLicenseFeatureTable

Check the number of days in the rightmost column. If the value is less than 30, contact your system administrator to arrange renewal before the feature stops working.

Sending Traps

This section describes how to configure basic SNMP support on the CM appliance, enable and configure traps, and set up trap logging. For detailed information about SNMP commands and options for more advanced configurations, see the CLI Command Reference.

Enabling and Configuring Traps

Various events can trigger the appliance to send traps to the SNMP manager. Most of the events are enabled by default. This topic describes how to enable the appliance to send traps, configure the IP address of the SNMP manager that receives the traps, and disable and enable individual events.

Prerequisites
- Operator or Admin access

To enable traps and events:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal

2.
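The snmptable license check in Sending Requests for SNMP Information above is a natural candidate for a scheduled monitoring job. The following added example (not FireEye code) parses the text that net-snmp's snmptable prints and applies the rule from this chapter: the rightmost column is days remaining, and anything below 30 needs attention. The guide does not list the other columns of feLicenseFeatureTable, so the column names and values in SAMPLE are constructed placeholders, not MIB object names.

```python
"""Turn `snmptable ... feLicenseFeatureTable` output into a license check.

Added example for this guide, not FireEye code. It parses the layout
net-snmp's snmptable prints: a "SNMP table:" title line, a blank line, a
whitespace-separated header row, then one row per table entry. The only
column the guide documents is the rightmost one (days remaining); the
other headers and all values in SAMPLE are constructed placeholders.
"""

SAMPLE = """\
SNMP table: FE-FIREEYE-MIB::feLicenseFeatureTable

 index  feature  active  expiry      days
     1  CONTENT  true    2019-10-01  22
     2  SUPPORT  true    2020-03-15  188
     3  PRODUCT  false   2019-09-12  3
"""

OK, WARNING, CRITICAL = 0, 1, 2   # monitoring-plugin style exit codes


def parse_snmptable(text):
    """Return a list of row dicts keyed by the header row's column names."""
    lines = [line for line in text.splitlines() if line.strip()]
    if lines and lines[0].startswith("SNMP table:"):
        lines = lines[1:]                    # drop the title snmptable prints
    if not lines:
        raise ValueError("no table header found")
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        cells = line.split()
        if len(cells) != len(header):
            raise ValueError(f"column count mismatch: {line!r}")
        rows.append(dict(zip(header, cells)))
    return rows


def days_remaining(row):
    """Rightmost column of the row (the guide's rule), as an int."""
    return int(list(row.values())[-1])


def expiring_features(rows, warn_days=30):
    """(row, days) pairs with fewer than warn_days left, soonest first."""
    hits = [(row, days_remaining(row)) for row in rows]
    return sorted((h for h in hits if h[1] < warn_days), key=lambda h: h[1])


def license_status(rows, warn_days=30, crit_days=7):
    """(exit code, message) for a scheduled check; CRITICAL under crit_days."""
    exp = expiring_features(rows, warn_days)
    if not exp:
        return OK, f"all {len(rows)} licensed features have >= {warn_days} days left"
    row, days = exp[0]                       # soonest to expire
    first_col = next(iter(row))              # leftmost column identifies the row
    code = CRITICAL if days < crit_days else WARNING
    return code, (f"{len(exp)} feature(s) expire within {warn_days} days; "
                  f"row {row[first_col]} has {days} days left")


if __name__ == "__main__":
    code, message = license_status(parse_snmptable(SAMPLE))
    print(message)
    raise SystemExit(code)
```

To use it against a live appliance, capture the snmptable output (run with -m +FE-FIREEYE-MIB so the table name resolves) and pass it to parse_snmptable; the exit code follows the 0/1/2 convention most schedulers and monitoring systems understand.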
SNMP is enabled by default. Verify that it is enabled:
   hostname (config) # show snmp
   If the output shows SNMP enabled: no, enter the snmp-server enable command.

3. Enable the appliance to send notifications to the SNMP manager:
   hostname (config) # snmp-server enable notify

4. Specify the IPv4 or IPv6 address of the SNMP manager. The last argument is the trap community string; use the value your manager expects rather than the default public:
   hostname (config) # snmp-server host <IPv4 or IPv6 address> traps public

5. Save your changes:
   hostname (config) # write memory

To view the events that can be enabled or are currently enabled:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal

2. View a list of all events that can be enabled:
   hostname (config) # snmp-server notify event ?

3. View the events that are currently enabled:
   hostname (config) # show snmp events

To disable or enable specific events:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal

2. Disable an event:
   hostname (config) # no snmp-server notify event <event>
   For example, the following command stops a trap from being sent when the temperature of the appliance returns to normal:
   hostname (config) # no snmp-server notify event normal-temperature

3. Enable an event:
   hostname (config) # snmp-server notify event <event>
   For example, the following command enables the appliance to send a trap when an interface link changes state:
   hostname (config) # snmp-server notify event if-link-change

4. Save your changes:
   hostname (config) # write memory

Logging Trap Messages

The snmptrapd service (part of net-snmp) receives and logs trap messages on the SNMP manager.

To set up trap logging:

1. Log in to the SNMP manager host.
2. Start the snmptrapd service, directing its log to a file (net-snmp's -Lf option). snmptrapd discards traps from communities it has not been told to accept, so its configuration file must also authorize the community configured in step 4 above, for example with an authCommunity log public line in snmptrapd.conf:
   snmptrapd -Lf /var/log/snmptrapd.log
3.
Confirm that traps are being written to the log location, /var/log/snmptrapd.log, for example by disabling and re-enabling a test event on the appliance and checking for the corresponding entry.

CHAPTER 17: Login Banners and Messages

This section covers the following information:
- About Login Banners and Messages below
- Customizing Login Banners and Messages Using the Web UI on page 289
- Customizing Login Banners and Messages Using the CLI on page 290

About Login Banners and Messages

You can customize or remove the messages that appear when users log in to the CM appliance. You can configure three messages:

- Remote Banner: shown on the Web UI login page and the SSH login page.
- Local Banner: shown after the username is entered in a CLI session.
- Message of the Day: shown after the user is authenticated and logged in to the appliance CLI.

The default remote banner is shown in the following illustration.

The default local banner and message of the day are shown in the following illustration.

Customizing Login Banners and Messages Using the Web UI

Use the Login Banner page to configure the messages users see when they log in to the CM appliance.

Prerequisites
- Operator or Admin access

To configure login messages:

1. Click the Settings tab.
2. Click Login Banner on the sidebar.
3. In the Remote Banner Text box, clear any existing text, and then enter the message to be displayed on the Web UI and SSH login pages. You can enter up to 2000 characters.
   IMPORTANT! If you later change the banner text with the banner login CLI command, the new text also appears on the Web UI login page and SSH login page, overwriting the text you specify here.
4.
In the Local Banner Text box, clear any existing text, and then enter the message to be displayed in the CLI after the username is entered. You can enter up to 2000 characters.
5. In the Message of the Day Text box, clear any existing text, and then enter the message to be displayed in the CLI after the user is authenticated. You can enter up to 2000 characters.
6. Click Update. The messages appear the next time a user logs in.

Customizing Login Banners and Messages Using the CLI

Use the CLI commands in this topic to configure the messages users see when they log in to the appliance.

- The login message (banner login) sets the local login message and the remote login message together.
- The local login message is shown in the CLI after the username is entered.
- The remote login message is shown on the Web UI login page and the SSH login page.
- The message of the day is shown after the password is entered and the user is authenticated.

NOTE: Messages can be longer than one line. To start a new line, type >. Each message can contain up to 2000 characters.

Prerequisites
- Operator or Admin access

To customize the messages:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal

2. Display the current banner text:
   hostname (config) # show banner

3. Perform the following tasks as needed.
   - To configure the same message for the local login message (shown in the CLI login) and the remote login message (shown on the Web UI login page and SSH login page), use the following command:
     hostname (config) # banner login "<text>"
     IMPORTANT! The login message you configure using the banner login "<text>" command also overwrites the remote message that is displayed on the Web UI login page and SSH login page.
     To specify a separate Web UI and SSH login message, use the Web UI procedure (Customizing Login Banners and Messages Using the Web UI on page 289) or the banner login-remote command below.
   - To change the local login message only, use the following command:
     hostname (config) # banner login-local "<text>"
   - To change the remote login message only, use the following command:
     hostname (config) # banner login-remote "<text>"
   - To change the message of the day, use the following command:
     hostname (config) # banner motd "<text>"
   - To clear both login messages, the local login message only, or the remote login message only:
     hostname (config) # banner login ""
     hostname (config) # banner login-local ""
     hostname (config) # banner login-remote ""
   - To clear the message of the day:
     hostname (config) # banner motd ""
   - To restore the default messages:
     hostname (config) # no banner login
     hostname (config) # no banner motd

4. Save your changes:
   hostname (config) # write memory

Examples

The following example changes the message of the day:
   hostname (config) # banner motd "There are no maintenance activities scheduled for this week."

The following example changes the local and remote login messages:
   hostname (config) # banner login "This FireEye appliance is the property of Acme, Inc.
   > >Unauthorized access is prohibited and is punishable by law."

The following example shows the current messages:
   hostname # show banner
   Banners:
   Message of the Day (MOTD): There are no maintenance activities scheduled for this week.
   Login: This FireEye appliance is the property of Acme, Inc.
   Unauthorized access is prohibited and is punishable by law.

The following example shows the default messages:
   hostname # show banner
   Banners:
   Message of the Day (MOTD): FireEye Command Line Interface
   Local login: This system is for the use of authorized users only.
   > >Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.
   Network login: This system is for the use of authorized users only.
   > >Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.

CHAPTER 18: Supported Features

The Web UI Features page shows tiles for the features available for this appliance. Tiles for enabled features are marked with a checkmark and are outlined in green. Features introduced in the release of Central Management that you are viewing are labeled New.

Prerequisites
- Admin, Operator, Monitor, or Analyst access

Viewing Supported Features Using the Web UI

Use the Supported Features page to view the features available for an appliance.

To view the supported features:

1. Click the Features tab, or click About > Supported Features.
2. To filter by category, select one of the following from the selection box at the top left of the page:
   - Detection
   - Integration
   - Management
3. Click Enabled or Disabled to filter by enabled or disabled features.
4. Click New Features Only to view only new features.
5. Click i in a tile to view information about the feature, including the version in which it was released, the category of security it provides, and any additional requirements.
CHAPTER 19: Event Notifications

As described in Managing the Distribution of Alert Notifications on page 421, you can configure alert notifications for the Central Management appliance, for managed appliances, or both. You can send a test-fire notification from the Central Management appliance or from managed appliances. There are the following differences:

- A test-fire notification sent from a managed appliance contains more information than one sent from the Central Management appliance.
- Notifications sent from the Central Management appliance do not appear in the Central Management database or Web UI.
- Notifications sent from a managed appliance do appear in that appliance's database and Web UI; if they are aggregated up to the Central Management appliance, they also appear in the Central Management database and Web UI.
- After notifications are aggregated up to the Central Management appliance, another notification is sent from the Central Management appliance.

NOTE: This section describes how to configure event (alert) notifications. See System Email Settings on page 163 for information about system email notifications.

Configuring Event Notifications Using the Web UI

Prerequisites
- The appliance must have an established connection to the Internet.
- Operator or Admin access.

Configuring Event Notifications

Use the Notification Settings page to configure event notifications.

To configure event notifications:

1. Click the Settings tab.
2. Click Notifications on the sidebar. The Summary tab opens.
3. In the Global column of the matrix, select the event types for which you want notifications. Selections in this column ensure that notifications are sent for these event types.
   This selection does not affect the display of events in the Web UI.
4. In the Global row of the matrix, select the appropriate protocol for all events. Alternatively, select the appropriate protocol for each event type in that event type's row.
5. To configure a protocol, click the applicable column heading:
   - Configuring Email Notifications Using the Web UI on page 299
   - Configuring HTTP Notifications Using the Web UI on page 301
   - Configuring Rsyslog Notifications Using the Web UI on page 305
   - Configuring SNMP Notifications Using the Web UI on page 309
6. Click Send Test Message to send a test notification that verifies your settings for all enabled protocols. Recipients are specified on the Email Settings page; see Configuring Email Recipients on page 169.
   NOTE: Test-fire events generated for malware object event notifications disappear from the Alerts tab within five minutes.
7. To turn off daily digest notifications for all enabled protocols, clear the Daily digest at checkbox. To turn on daily digest notifications, select the checkbox.
   NOTE: FireEye recommends using Per Event notifications instead of Daily Digest notifications.
8. To change the time of the daily notification, specify the hour and minutes in the drop-down list boxes.
9. To apply your notification settings, click Update Digest.

CSV Fields for Daily Digest Notifications

The following table describes the fields included in the daily digest notifications for all protocols.

Field          Description
alertType      Type of alert.
alertid        FireEye internal alert ID (which is external for ArcSight).
product        Name of the FireEye product.
release        FireEye software release.
fileHash       Checksum of the malware object from a managed FireEye appliance MVX engine.
dvchost        Hostname of the FireEye appliance performing the detection and sending the notification.
sname          FireEye-assigned signature name.
dvc            Device address of the detecting FireEye appliance MVX engine.
locations      Geographical location of the botnet CnC server, if known.
malware_type   Type of malware.
sev            Severity level of the event. Range: 0 through 10; 10 is the highest severity.
occurred       Time that the malware event occurred, as detected by a managed FireEye appliance MVX engine.
mwurl          URL that triggered the malware event.
link           URL of the infection or alert that is local to the detecting appliance.
src            IP address of the infected host.
action         Type of action (notified or blocked) that was taken by the managed FireEye appliance MVX engine.
objurl         Detailed information about the detected malware URL.
sid            FireEye internal alert signature ID that is assigned for malware detection.
stype          FireEye-assigned signature type that is used for malware detection.
profile        Guest image profile and version that is used for malware detection.
malwarenote    Notes about the malware.
application    Name of the target application that is running on the MVX engine during malware detection.
original_name  Original file name of the malware.
header         Protocol header.
anomaly        Attributes of operating system (OS) changes made by the malware, data theft, or miscellaneous anomaly.
osinfo         Information about the OS name and version.
cnchost        Hostname of the command and control (CnC) server, if known. This field contains the IP address if the managed appliance cannot determine the hostname.
channel        CnC channel.
cncport        Port number of the CnC listening server.
os             Name of the target OS.
app            Name of the target application that is running on the MVX engine during malware detection.
shost          Hostname of the infected machine as detected by a managed FireEye appliance MVX engine, if available.
spt            Source port number of the infected host as detected by a managed FireEye appliance MVX engine.
smac           Source MAC address of the infected host.
dst            IP address of the destination when any communication to an external host is observed within the MVX engine.
dmac           MAC address of the destination when any communication to an external host is observed within the MVX engine.
dpt            Port number of the destination when any communication to an external host is observed within the MVX engine.

Configuring Email Notifications Using the Web UI

Use the Notification Settings page to select who is sent email notifications when the specified events are detected.

Prerequisites
- The appliance must have an established connection to the Internet.
- Operator or Admin access

Configuring SMTP Settings

Use the Define protocol settings section on the SMTP tab of the Notification Settings page to configure SMTP settings.

To configure the SMTP server:

1. Click the Settings tab.
2. Click Notifications on the sidebar.
3. Click the SMTP tab.
4. Locate the Define protocol settings section.
5. Enter the domain that is used for email in the Domain field.
6. Enter the SMTP server that is used for mail delivery in the SMTP Server field.
7. Enter the SMTP server port that is used for mail delivery in the SMTP Server Port field.
8. (Optional) Select the Return hostname checkbox to use the local domain name. Clear this checkbox to use the value in the Return username box and the value in the Domain box.
9. Enter the user who is specified as the "from" user in the Return username box.
10. Verify that the value in the Return address box is correct. If it is not, change the values in the Domain and Return username boxes.
11.
Select XML, JSON, or Text as the default format, and select the level of detail, in the Default format drop-down list box:
   - Normal: detailed information and abstracts, such as alert type, ID, source IP, malware name, hostname, and alert URL, without redundant information.
   - Concise: basic information, such as alert type, ID, source IP, malware name, hostname, and alert URL.
   - Extended: detailed information and abstracts, including data-theft information (if any) and static-analysis details. This format provides all details about files and objects modified during analysis.
12. Select whether to send the notification as an inline message or as an attachment in the Default send as drop-down list box.
13. Select the delivery frequency in the Default delivery drop-down list box:
   - Per Event (Recommended): send a notification each time an event of this type occurs.
   - Daily Digest: send one daily notification of the specified events detected in the past 24 hours.
14. Click Apply Settings.
   NOTE: If you do not click Apply Settings, your changes are lost.

Setting Up the SMTP Recipients

Use the View and add SMTP Recipients section of the Notification Settings page to add and configure SMTP recipients for email notifications.

To add an SMTP recipient:

1. Select Notifications on the sidebar.
2. Enter the email address that is to receive the notification in the Email Address box, for example name@company.com.
3. Select the Enabled checkbox to enable the recipient to receive email notifications.

To update the SMTP recipient listing:

1. Select Notifications on the sidebar.
2. Click the SMTP tab.
3. Click the recipient in the Name column.
4. Click the icon in the Edit column.
5. Make changes as needed.
6. Click Update Recipient.
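The Daily Digest delivery option above produces a CSV with the columns listed in CSV Fields for Daily Digest Notifications. The following added example (not FireEye code) shows how a SOC script would triage such a digest: it reads the CSV with the documented field names, picks out high-severity events the sensor only notified on rather than blocked, counts alerts per infected host, and extracts CnC indicators for blocklisting. The rows in SAMPLE_CSV are constructed test data; hostnames, addresses, and signature names are made up.

```python
"""Triage a FireEye daily-digest CSV notification.

Added example for this guide, not FireEye code. The column names are the
fields documented in "CSV Fields for Daily Digest Notifications"; only a
subset is used here, and the rows are constructed sample data.
"""
import csv
import io

# Constructed sample digest (not real appliance output).
SAMPLE_CSV = """\
alertType,alertid,product,release,dvchost,sname,dvc,sev,occurred,src,action,cnchost,cncport,mwurl
malware-callback,1001,Web MPS,8.7.0,nx-edge-01,Trojan.Generic.CnC,10.0.0.5,8,2019-07-18T19:28:00Z,10.20.30.40,notified,evil.example.test,443,
malware-object,1002,Web MPS,8.7.0,nx-edge-01,Malware.Binary.exe,10.0.0.5,4,2019-07-18T19:30:00Z,10.20.30.41,blocked,,,
web-infection,1003,Web MPS,8.7.0,nx-edge-02,Exploit.Kit.Landing,10.0.0.6,9,2019-07-18T20:01:00Z,10.20.30.40,notified,,,http://bad.example.test/landing
"""


def parse_digest(text):
    """Rows as dicts keyed by column name; sev (documented as 0-10) becomes int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        sev = int(row["sev"])
        if not 0 <= sev <= 10:
            raise ValueError(f"severity out of range in alert {row['alertid']}: {sev}")
        row["sev"] = sev
    return rows


def needs_followup(rows, min_sev=7):
    """High-severity events the MVX engine only notified on (not blocked)."""
    return [r for r in rows if r["sev"] >= min_sev and r["action"] == "notified"]


def hosts_by_alert_count(rows):
    """(src, count) pairs, busiest infected host first."""
    counts = {}
    for row in rows:
        counts[row["src"]] = counts.get(row["src"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def cnc_indicators(rows):
    """Distinct (cnchost, cncport) pairs for callback events with a known CnC."""
    return {(r["cnchost"], r["cncport"]) for r in rows if r["cnchost"]}


if __name__ == "__main__":
    digest = parse_digest(SAMPLE_CSV)
    for row in needs_followup(digest):
        print(f"follow up: {row['alertid']} {row['sname']} sev={row['sev']} src={row['src']}")
    print("hosts:", hosts_by_alert_count(digest))
    print("cnc:", cnc_indicators(digest))
```

The same field names appear in the per-event formats, so the selection logic carries over; only the csv reader would change.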
Configuring HTTP Notifications Using the Web UI

Use the Notification Settings page to post HTTP notifications to one or more Web servers.

Prerequisites
- The appliance must have an established connection to the Internet.
- Operator or Admin access.

Configuring HTTP Settings

Use the Define protocol settings section on the HTTP tab of the Notification Settings page to configure default settings for HTTP notifications.

To configure HTTP settings:

1. Click the Settings tab.
2. Select Notifications on the sidebar.
3. Click the HTTP tab.
4. Select the delivery frequency in the Default delivery drop-down list box:
   - Daily Digest: send one daily notification of the specified events detected in the past 24 hours, in the selected format and level of detail (default is Concise).
   - Per Event (recommended): send a notification each time an event of this type occurs.
5. Select a service provider in the Default provider drop-down list box. The default service provider is Generic.
   NOTE: FireEye recommends using the Generic service provider.
6. Select XML, JSON, or Text as the default format, and select the level of detail, in the Default format drop-down list box:
   - Normal: detailed information and abstracts, such as alert type, ID, source IP, malware name, hostname, and alert URL, without redundant information.
   - Concise: basic information, such as alert type, ID, source IP, malware name, hostname, and alert URL.
   - Extended: detailed information and abstracts, including data-theft information (if any) and static-analysis details. This format provides all details about files and objects modified during analysis.
7. To apply the HTTP settings, click Apply Settings.
   NOTE: If you do not click Apply Settings, your changes are lost.
Setting Up HTTP Servers

Use the View and add HTTP Servers section on the HTTP tab of the Notification Settings page to add and configure the HTTP servers that receive notifications.

To add an HTTP server:

1. Click the Settings tab.
2. Click Notifications on the sidebar.
3. Click the HTTP tab and locate the View and add HTTP Servers section.
4. Click Add HTTP Server. The Add New HTTP Server dialog box opens.
5. Enter a name for the HTTP server to which the notification is posted (for example, NX7400 or HX4500) in the Server name box.
   NOTE: Do not enter URLs or email addresses in the Server name box.
6. Select the Enabled checkbox so that HTTP notifications are posted to this server.
7. Enter the URL to which the HTTP notification is posted in the Server Url box.
8. Leave the User box blank. This option will be deprecated.
9. Select the Alerts Update Notification checkbox to post HTTP notifications to this server when ATI alert updates are detected.
10. (Optional) If the server requires authentication, select the Auth checkbox. If you select the Auth checkbox, you must also enter a username and password:
    - Enter the user name for HTTP authentication in the Username box.
    - Enter the password for HTTP authentication in the Password box.
11. (Optional) To send notifications over SSL, select the SSL Enable checkbox and the SSL Verify checkbox. Select both: without SSL Verify the appliance does not validate the server certificate, so the connection is encrypted but not authenticated, and any HTTP authentication credentials and alert data could be delivered to an impostor.
12. Select the event type, or All Events, in the Events Notification drop-down list box to post HTTP notifications when the specified events are detected.
    NOTE: Selections on the Summary tab take precedence over your selection here. For example, if you globally disable an event type on the Summary tab, no alert notifications are sent for that event type, regardless of your selection in this drop-down list box.
13.
Select the delivery frequency in the Delivery drop-down list box: o Per Event (recommended)—Send a notification each time an event of this type occurs. o Default—Use the delivery frequency specified in the Default delivery box in the HTTP Settings area. o Daily Digest—Send a daily notification of specified events detected in the past 24 hours in the selected format and level of details (default is Concise). 14. Select a service provider in the Default provider drop-down list box. The default service provider is Generic. NOTE: FireEye recommends using the generic service provider. 15. Select XML, JSON, or Text as the notification format and select which level of detail is provided in the Message Format drop-down list box. Select Default to use the format specified in the Default format box in the HTTP Settings area. o Normal—This format contains detailed information and abstracts, such as alert type, ID, source IP, malware name, hostname, and alert URL without redundant information. o Concise—This format contains basic information, such as alert type, ID, source IP, malware name, hostname, and alert URL. o Extended—This format contains detailed information and abstracts, including data-theft information (if any) and static-analysis details. This format provides all details about files and objects modified during analysis. 16. Click Add New HTTP Server. To modify the HTTP server listing: 1. Click the Settings tab. 2. Click Notifications on the side bar. 3. Click the HTTP tab and locate the View and add HTTP Servers section. 4. Click the server in the Name column in the View and add HTTP Servers section. 5. Click the icon in the Edit column. 304 © 2019 FireEye Release 8.7 Configuring Event Notifications Using the Web UI 6. Update the settings as needed. 7. Click Update HTTP Server. To enable or disable an HTTP server: 1. Click the Settings tab. 2. Click Notifications on the side bar. 3. Click the HTTP tab and locate the View and add HTTP Servers section. 4. 
Select the checkbox next to the server. 5. Click Enable or Disable. 6. Click Yes to confirm the action. To remove an HTTP server: 1. Click the Settings tab. 2. Click Notifications on the side bar. 3. Click the HTTP tab and locate the View and add HTTP Servers section. 4. Select the checkbox next to the server. 5. Click Remove. 6. Click Yes to confirm the action. Configuring Rsyslog Notifications Using the Web UI Use the Notification Settings page to send notifications to one or more remote syslog servers. Prerequisites l l The Central Management appliance must have an established connection to the Internet. Operator or Admin access Configuring Rsyslog Settings Use the Define protocol settings section on the RSYSLOG tab of the Notification Settings page to configure default settings for rsyslog notifications. © 2019 FireEye 305 Central Management Administration Guide CHAPTER 19: Event Notifications To configure rsyslog settings: 1. Click the Settings tab. 2. Select Notifications on the side bar. 3. Click the RSYSLOG tab. 4. Select Common Event Format (CEF), Log Event Enhanced Format (LEEF), CommaSeparated Values (CSV), XML, JSON, or Text as the default format and select which level of detail (only for XML, JSON, or text) is provided in the Default format drop-down list box: o Normal—This format contains detailed information and abstracts, such as alert type, ID, source IP, malware name, hostname, and alert URL without redundant information. o Concise—This format contains basic information, such as alert type, ID, source IP, malware name, hostname, and alert URL. o Extended—This format contains detailed information and abstracts, including data-theft information (if any) and static-analysis details. This format provides all details about files and objects modified during analysis. 5. Per event is selected in the Default delivery drop-down list box. This sends a notification each time an event of this type occurs. 6. 
Select the severity classification for the rsyslog notification in the Default send as box. The numbers are the standard syslog severity values (RFC 5424); lower means more urgent:
   - Emergency: System is unusable (severity 0).
   - Alert: Action must be taken immediately (severity 1).
   - Critical: Critical conditions (severity 2).
   - Error: Error conditions (severity 3).
   - Warning: Warning conditions (severity 4).
   - Notice: Normal but significant conditions (severity 5).
   - Informational: Informational messages (severity 6).
   - Debug: Debug-level messages (severity 7).
7. Click Apply Settings.
   NOTE: If you do not click Apply Settings, your changes are lost.

Setting Up Rsyslog Servers

Use the View and add Rsyslog Servers section on the RSYSLOG tab of the Notification Settings page to add and configure rsyslog servers.

To add an rsyslog server:
1. Click the Settings tab.
2. Click Notifications on the side bar.
3. Click the RSYSLOG tab.
4. Click Add Rsyslog Server. The Add New Rsyslog Server dialog box opens.
5. Enter a name for the rsyslog server that will receive the notifications (for example, NX7400) in the Server Name box.
6. Enter the IP address of the rsyslog server in the IP Address box.
7. Select the Enabled checkbox if this server should receive rsyslog notifications.
8. Select the delivery frequency in the Delivery drop-down list box:
   - Default: Use the delivery frequency specified in the Default delivery box in the Rsyslog Settings area.
   - Per Event: Send a notification each time a malware object is detected.
9. Select the event type or All Events in the Notification drop-down list box to send rsyslog notifications when the specified events are detected.
10. Select CEF, LEEF, CSV, XML, JSON, or Text as the format, and (for XML, JSON, or Text only) the level of detail, in the Format drop-down list box. Select Default to use the format specified in the Default format box in the Rsyslog Settings section.
   - Normal: Detailed information and abstracts, such as alert type, ID, source IP, malware name, hostname, and alert URL, without redundant information.
   - Concise: Basic information, such as alert type, ID, source IP, malware name, hostname, and alert URL.
   - Extended: Detailed information and abstracts, including data-theft information (if any) and static-analysis details. This format provides all details about files and objects modified during analysis.
11. Select the severity classification for the rsyslog notification in the Send as box:
   - Default: Use the value specified in the Default send as field in the Rsyslog Settings area.
   - Emergency: System is unusable (severity 0).
   - Alert: Action must be taken immediately (severity 1).
   - Critical: Critical conditions (severity 2).
   - Error: Error conditions (severity 3).
   - Warning: Warning conditions (severity 4).
   - Notice: Normal but significant conditions (severity 5).
   - Informational: Informational messages (severity 6).
   - Debug: Debug-level messages (severity 7).
12. Select UDP or TCP in the Protocol drop-down list box. UDP syslog is fire-and-forget: a dropped datagram is a lost alert with no error reported on either side, so prefer TCP when the collector supports it. Neither option authenticates the sender at the syslog layer, so configure the collector to accept messages only from the appliance's management IP address.
13. Click Add new Rsyslog Server.

To update the rsyslog servers:
1. Click the Settings tab.
2. Select Notifications on the side bar.
3. Click the RSYSLOG tab.
4. Click the server in the Name column of the View and add Rsyslog Servers section.
5. Click the icon in the Edit column.
6. Update settings as needed.
7. Click Update Rsyslog Server.

To enable or disable an rsyslog server:
1. Click the Settings tab.
2. Select Notifications on the side bar.
3. Click the RSYSLOG tab.
4. Select the checkbox for the server.
5. Click Enable or Disable.
6. Click Yes to confirm the action.

To remove an rsyslog server:
1. Click the Settings tab.
2.
Select Notifications on the side bar.
3. Click the RSYSLOG tab.
4. Select the checkbox for the server.
5. Click Remove.
6. Click Yes to confirm the action.

Configuring SNMP Notifications Using the Web UI

NOTE: The following topics pertain to malware alert events. For information about SNMP notifications that pertain to system events such as low disk space, see SNMP Data on page 279.

Use the Notification Settings page to send notifications to one or more Simple Network Management Protocol (SNMP) servers.

Prerequisites
- The Central Management appliance must have an established connection to the Internet.
- Operator or Admin access.

Configuring SNMP Settings

Use the Define protocols section on the SNMP tab of the Notification Settings page to configure default SNMP settings.

To configure SNMP notifications:
1. Click Settings > CM Settings.
2. Click Notifications on the side bar.
3. Click the SNMP tab.
4. Locate the Define protocols settings section.
5. Per event is selected in the Default delivery drop-down list box. This sends a notification each time an event of this type occurs.
6. Select the SNMP version (1 or 2c) to use for the notification in the Version drop-down list box.
   NOTE: With SNMP v1 and v2c the community string is the only credential, and it is carried in cleartext in every trap. Treat it as a secret (not public or private) and restrict the trap receiver to accepting traps from the appliance's management IP address.
7. If you need the MIB file, click Download.
8. Click Apply Settings.
   NOTE: If you do not click Apply Settings, your changes are lost.

Setting Up SNMP Servers

Use the SNMP Trap Sink Listing section on the SNMP tab of the Notification Settings page to add and configure SNMP servers.

To add an SNMP server:
1. Click Settings.
2. Click Notifications on the side bar.
3. Click the SNMP tab.
4. Click Add SNMP Trap Sink. The Add new SNMP trap sink dialog box opens.
5. Enter a name for the SNMP server that will receive the notifications in the Trap sink name box.
6.
Configure the protocols that you want to use:
   - Configuring Email Notifications Using the CLI on the facing page
   - Configuring HTTP Notifications Using the CLI on page 321
   - Configuring Rsyslog Notifications Using the CLI on page 328
   - Configuring SNMP Notifications Using the CLI on page 335
4. Confirm that the protocols are configured correctly:
   hostname (config) # show fenotify email
   hostname (config) # show fenotify http
   hostname (config) # show fenotify rsyslog
   hostname (config) # show fenotify snmp
5. Enable the notifications. By default, notifications are enabled. This command only affects notifications for enabled protocols; if a protocol has been disabled, you must enable the protocol before enabling notifications.
   hostname (config) # fenotify enable
6. Select the event types:
   hostname (config) # fenotify alert domain-match
   hostname (config) # fenotify alert infection-match
   hostname (config) # fenotify alert ips-event
   hostname (config) # fenotify alert malware-callback
   hostname (config) # fenotify alert malware-object
   hostname (config) # fenotify alert web-infection
7. Send a test email message to all enabled recipients:
   hostname (config) # fenotify email send-test
   NOTE: Test-fire events generated for event notifications disappear from the Alerts tab within five minutes.
8. Save the configuration:
   hostname (config) # write memory

Configuring Email Notifications Using the CLI

Use the CLI commands in this section to select who is notified by email when malware objects are detected.

Prerequisites
- The appliance must have an established connection to the Internet.
- Operator or Admin access to the Central Management platform.
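The SMTP procedures in this section expose four security-relevant choices: auth-method (LOGIN or CRAM-MD5), ssl-min-version, tls-cert-verify and tls-ca-file. The Python below is an added example, not FireEye code, showing what each choice means to the client that connects to the relay: it builds the TLS policy the appliance keywords describe, refuses the deprecated floors unless explicitly allowed, and computes the exact bytes each authentication method puts on the wire. The mapping of use-tls to implicit TLS and use-start_tls to STARTTLS is an assumption about the appliance, the relay host, port and credentials are placeholders, and the CRAM-MD5 check uses the published RFC 2195 test vector.

```python
"""What the SMTP relay settings mean on the wire (added example, not FireEye code).

tls_context()       - client TLS policy behind ssl-min-version, tls-cert-verify
                      and tls-ca-file.
cram_md5_response() - the bytes AUTH CRAM-MD5 sends (RFC 2195).
login_tokens()      - the bytes AUTH LOGIN sends (base64, i.e. reversible).
open_relay()        - how the pieces combine; needs a live relay, so it is not
                      exercised by the offline checks.
"""
import base64
import hashlib
import hmac
import smtplib
import ssl

# Guide keyword -> TLS floor.  'ssl3' is listed by the guide but cannot be
# honoured here: current OpenSSL builds do not ship SSLv3 at all.
_FLOORS = {
    "tls1": ssl.TLSVersion.TLSv1,
    "tls1.1": ssl.TLSVersion.TLSv1_1,
    "tls1.2": ssl.TLSVersion.TLSv1_2,
}
# Floors below TLS 1.2 are deprecated (RFC 7568 for SSLv3, RFC 8996 for 1.0/1.1).
DEPRECATED_FLOORS = frozenset({"ssl3", "tls1", "tls1.1"})


def tls_context(ssl_min_version="tls1.2", cert_verify=True, ca_file=None,
                allow_deprecated=False):
    """Build the client-side policy for the relay connection.

    ssl_min_version: one of the guide's keywords (ssl3, tls1, tls1.1, tls1.2).
    cert_verify:     tls-cert-verify enable (True) / disable (False).
    ca_file:         tls-ca-file path; None means the platform trust store.
    Raises ValueError for a deprecated floor unless allow_deprecated is set.
    """
    if ssl_min_version in DEPRECATED_FLOORS and not allow_deprecated:
        raise ValueError(f"{ssl_min_version} is deprecated; use tls1.2")
    if ssl_min_version not in _FLOORS:
        raise ValueError(f"unsupported floor: {ssl_min_version}")
    # create_default_context() turns on certificate and hostname verification.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = _FLOORS[ssl_min_version]
    if not cert_verify:
        # tls-cert-verify disabled: any certificate, including an attacker's,
        # is accepted, so TLS then only defeats passive eavesdropping.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def policy_summary(ctx):
    """Plain-data view of a context so the policy can be asserted on."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_check": ctx.check_hostname,
    }


def cram_md5_response(user, password, challenge_b64):
    """Client reply to 'AUTH CRAM-MD5' (RFC 2195).

    The password is the HMAC key; only HMAC-MD5 over the relay's challenge
    leaves the client.  The relay must hold the password (or an MD5-keyed
    equivalent) to verify it, and the alert mail itself is still not protected.
    """
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode("ascii")).decode("ascii")


def login_tokens(user, password):
    """The two tokens 'AUTH LOGIN' sends.  base64 is encoding, not encryption,
    which is why LOGIN must only be used under TLS with the relay verified."""
    def b64(s):
        return base64.b64encode(s.encode("utf-8")).decode("ascii")
    return b64(user), b64(password)


def decode_login_tokens(tokens):
    """What a passive observer recovers from an AUTH LOGIN exchange sent in clear."""
    return tuple(base64.b64decode(t).decode("utf-8") for t in tokens)


def open_relay(host, port, ctx, user=None, password=None, use_starttls=True):
    """Connect the way the guide's preferences describe (assumed mapping:
    use-tls -> implicit TLS on connect, use-start_tls -> STARTTLS upgrade).
    host/port/credentials are placeholders; not run by the offline checks."""
    if use_starttls:
        relay = smtplib.SMTP(host, port, timeout=10)
        relay.starttls(context=ctx)      # relay certificate checked per ctx
    else:
        relay = smtplib.SMTP_SSL(host, port, context=ctx, timeout=10)
    if user is not None:
        relay.login(user, password)      # smtplib offers CRAM-MD5 before LOGIN
    return relay
```

The practical reading: set ssl-min-version to tls1.2, keep tls-cert-verify enabled, and point tls-ca-file at a bundle that contains the relay's issuing CA; with those three in place the choice between LOGIN and CRAM-MD5 matters far less than it does on a cleartext session.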
NOTE: If email notifications are not being received, check that the following items are specified:
- Mail port used to send the email notifications (fenotify email mailhub port <port-number>)
- Mail relay address used to send the email notifications (fenotify email mailhub address <ip_address>)
- Email notification recipient (fenotify email recipient <rname>)
- Recipient address used to send the email notifications (fenotify email recipient <rname> email-address <email_address>)

Configuring SMTP Settings

To configure the SMTP settings, perform the following subtasks:
- Specify the SMTP server.
- Set the default SMTP notification settings.
- (Optional) Set authentication for SMTP notification settings.
- (Optional) Set preferences for SMTP notifications.

To specify which SMTP server to use:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Enable email notifications:
   hostname (config) # fenotify email enable
3. Set the mail relay address used to send the email notifications:
   hostname (config) # fenotify email mailhub address <ip_address>
4. Set the mail port used to send the email notifications:
   hostname (config) # fenotify email mailhub port <port-number>
5. Save the configuration:
   hostname (config) # write memory

To configure the default settings for SMTP notifications:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Enable email notifications:
   hostname (config) # fenotify email enable
3. Set the domain from which emails appear to come:
   hostname (config) # fenotify email domain <email-domain>
4. (Optional) To include the hostname in the return address for email notifications:
   hostname (config) # fenotify email return host-name <host_name>
5. Set the user name in the return address for email notifications (the default is do-not-reply):
   hostname (config) # fenotify email return user-name <user_name>
6. Select one of the XML, JavaScript Object Notation (JSON), or Text options for the default format of the notification. The json_legacy-concise, json_legacy-extended, and json_legacy-normal formats are deprecated. The three levels of detail are the same for every encoding:
   - Concise: basic information such as alert type, ID, source IP, malware name, hostname, and alert URL.
   - Normal: detailed information and abstracts such as alert type, ID, source IP, malware name, hostname, and alert URL, without any redundant information.
   - Extended: detailed information and abstracts including data-theft information (if any) and static-analysis details; this level provides all details about files and objects modified during analysis.
   Enter the one you want:
   hostname (config) # fenotify email default format xml-concise
   hostname (config) # fenotify email default format xml-normal
   hostname (config) # fenotify email default format xml-extended
   hostname (config) # fenotify email default format json-concise
   hostname (config) # fenotify email default format json-normal
   hostname (config) # fenotify email default format json-extended
   hostname (config) # fenotify email default format text-concise
   hostname (config) # fenotify email default format text-normal
   hostname (config) # fenotify email default format text-extended
7. Specify how the notification is delivered by default:
   - As an email attachment:
     hostname (config) # fenotify email default send-as attachment
   - In the email body (the default):
     hostname (config) # fenotify email default send-as in-line
8. Specify the default delivery schedule for email notifications. FireEye recommends using per-event notifications.
   - One daily notification covering all events detected in the past 24 hours:
     hostname (config) # fenotify email default delivery daily-digest
   - One daily notification for each entity that was the source of the event:
     hostname (config) # fenotify email default delivery daily-per-source
   - One hourly notification for each entity that was the source of the event:
     hostname (config) # fenotify email default delivery hourly-per-source
   - One notification every minute for each entity that was the source of the event:
     hostname (config) # fenotify email default delivery per-1min-per-source
   - One notification every 5 minutes for each entity that was the source of the event:
     hostname (config) # fenotify email default delivery per-5min-per-source
   - One notification for each event, sent when the event is triggered:
     hostname (config) # fenotify email default delivery per-event
9. Save the configuration:
   hostname (config) # write memory

To configure authentication for SMTP notifications:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Enable email notifications:
   hostname (config) # fenotify email enable
3. Enable authentication for event mail notifications:
   hostname (config) # fenotify email mailhub auth enable
4. Set the authentication method used to send event mail notifications. The available methods are LOGIN and CRAM-MD5:
   hostname (config) # fenotify email mailhub auth auth-method <auth-method>
   NOTE: LOGIN sends the user name and password base64-encoded, which any observer on the path can decode, so use it only with TLS enabled and the relay certificate verified (see the preferences procedure below). CRAM-MD5 sends an HMAC-MD5 of a relay-issued challenge instead of the password itself, so the password does not cross the wire, but the alert contents are still unprotected; enable TLS in either case.
5. Set the user name required to authenticate to the relay:
   hostname (config) # fenotify email mailhub username <username>
6. Set the password required to authenticate to the relay:
   hostname (config) # fenotify email mailhub password <password>
7. Save the configuration:
   hostname (config) # write memory

To configure preferences for SMTP notifications:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Enable email notifications:
   hostname (config) # fenotify email enable
3. Enable the From: line override for event mail notifications:
   hostname (config) # fenotify email mailhub preferences from-line-override enable
4. Set the minimum SSL/TLS protocol version required to send event mail notifications through SMTP. The following values are supported:
   - ssl3: SSLv3 or higher is required.
   - tls1: TLSv1 or higher is required.
   - tls1.1: TLSv1.1 or higher is required.
   - tls1.2: TLSv1.2 or higher is required.
   hostname (config) # fenotify email mailhub preferences ssl-min-version <ssl-min-version>
   NOTE: SSLv3, TLS 1.0, and TLS 1.1 are deprecated (RFC 7568 and RFC 8996). Set tls1.2 unless the relay cannot negotiate it; a lower floor permits those versions, with their known weaknesses, to be negotiated.
5. (Optional) Set the TLS certificate authority file for event mail notifications going through SMTP. You can choose file names under the /etc/pki/tls/certs/ directory:
   hostname (config) # fenotify email mailhub preferences tls-ca-file <tls-ca-file>
   The following example sets the TLS certificate authority file to ca-bundle.crt:
   hostname (config) # fenotify email mailhub preferences tls-ca-file ca-bundle.crt
6. (Optional) Set the TLS certificate file for event email notifications going through SMTP. You can choose file names under the /etc/pki/tls/ directory:
   hostname (config) # fenotify email mailhub preferences tls-cert-file <tls-cert-file>
   The following example sets the TLS certificate file to cert.pem:
   hostname (config) # fenotify email mailhub preferences tls-cert-file cert.pem
7. Enable TLS certificate verification for the SMTP relay used for event email notifications:
   hostname (config) # fenotify email mailhub preferences tls-cert-verify enable
   NOTE: Without verification, TLS protects only against passive eavesdropping: a relay presenting any certificate is accepted, including one controlled by an attacker on the path, who then receives the alert mail and, if authentication is enabled, the SMTP credentials.
8. Enable the TLS security protocol for the SMTP relay used for event email notifications:
   hostname (config) # fenotify email mailhub preferences use-tls enable
9.
Enable the STARTTLS security protocol for the SMTP relay used for event email notifications:
   hostname (config) # fenotify email mailhub preferences use-start_tls enable
10. Save the configuration:
   hostname (config) # write memory

Setting Up the SMTP Recipients

To set up the SMTP recipients, perform the following subtasks:
- Add the SMTP recipients.
- Configure the SMTP recipient listing for email notifications.

To add an SMTP recipient:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Enable email notifications:
   hostname (config) # fenotify email enable
3. Add a recipient for email notifications:
   hostname (config) # fenotify email recipient <rname>
4. Enable the recipient (one recipient per command):
   hostname (config) # fenotify email recipient <rname> enable
5. Specify the email address of the recipient:
   hostname (config) # fenotify email recipient <rname> email-address <email_address>
6. Save the configuration:
   hostname (config) # write memory

To configure the SMTP recipient listing for email notifications:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Enable email notifications:
   hostname (config) # fenotify email enable
3. Select one of the XML, JavaScript Object Notation (JSON), or Text options for the format of the notifications received by the specified recipient. The levels of detail are the same as for the default format: Concise (basic information such as alert type, ID, source IP, malware name, hostname, and alert URL), Normal (detailed information and abstracts without any redundant information), and Extended (detailed information and abstracts including data-theft information, if any, and static-analysis details, with all details about files and objects modified during analysis).
   NOTE: The json_legacy-concise, json_legacy-extended, and json_legacy-normal formats are deprecated.
   hostname (config) # fenotify email recipient <rname> prefer message format xml-concise
   hostname (config) # fenotify email recipient <rname> prefer message format xml-normal
   hostname (config) # fenotify email recipient <rname> prefer message format xml-extended
   hostname (config) # fenotify email recipient <rname> prefer message format json-concise
   hostname (config) # fenotify email recipient <rname> prefer message format json-normal
   hostname (config) # fenotify email recipient <rname> prefer message format json-extended
   hostname (config) # fenotify email recipient <rname> prefer message format text-concise
   hostname (config) # fenotify email recipient <rname> prefer message format text-normal
   hostname (config) # fenotify email recipient <rname> prefer message format text-extended
4. Specify how email notifications are delivered to the specified recipient:
   - As an email attachment:
     hostname (config) # fenotify email recipient <rname> prefer message send-as attachment
   - In the email body (the default):
     hostname (config) # fenotify email recipient <rname> prefer message send-as in-line
5. Select the event types:
   hostname (config) # fenotify email alert domain-match
   hostname (config) # fenotify email alert infection-match
   hostname (config) # fenotify email alert ips-event
   hostname (config) # fenotify email alert malware-callback
   hostname (config) # fenotify email alert malware-object
   hostname (config) # fenotify email alert web-infection
6. Enable email notifications for the specified recipient when ATI alert updates are detected:
   hostname (config) # fenotify email recipient <rname> alerts-update enable
7. Specify the delivery frequency for email notifications:
   NOTE: FireEye recommends using per-event notifications.
   - One daily notification covering all events detected in the past 24 hours:
     hostname (config) # fenotify email delivery daily-digest
   - One daily notification for each entity that was the source of the event:
     hostname (config) # fenotify email delivery daily-per-source
   - One hourly notification for each entity that was the source of the event:
     hostname (config) # fenotify email delivery hourly-per-source
   - One notification every minute for each entity that was the source of the event:
     hostname (config) # fenotify email delivery per-1min-per-source
   - One notification every 5 minutes for each entity that was the source of the event:
     hostname (config) # fenotify email delivery per-5min-per-source
   - One notification for each event, sent when the event is triggered:
     hostname (config) # fenotify email delivery per-event
8. Save the configuration:
   hostname (config) # write memory

Configuring HTTP Notifications Using the CLI

Use the CLI commands in this section to post HTTP notifications to one or more Web servers.

Prerequisites
- The Central Management appliance must have an established connection to the Internet.
- Operator or Admin access.

Configuring HTTP Settings

Use the CLI commands in this topic to set up the default configuration for HTTP notifications.

To configure HTTP settings:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Enable HTTP notifications:
   hostname (config) # fenotify http enable
3. Specify the default delivery schedule for HTTP notifications:
   NOTE: FireEye recommends using per-event notifications.
   - One daily notification covering all events detected in the past 24 hours:
     hostname (config) # fenotify http default delivery daily-digest
   - One daily notification for each entity that was the source of the event:
     hostname (config) # fenotify http default delivery daily-per-source
   - One hourly notification for each entity that was the source of the event:
     hostname (config) # fenotify http default delivery hourly-per-source
   - One notification every minute for each entity that was the source of the event:
     hostname (config) # fenotify http default delivery per-1min-per-source
   - One notification every 5 minutes for each entity that was the source of the event:
     hostname (config) # fenotify http default delivery per-5min-per-source
   - One notification for each event, sent when the event is triggered:
     hostname (config) # fenotify http default delivery per-event
4. Specify the default service provider. The default service provider is generic.
   NOTE: FireEye recommends using the generic service provider.
   - To select Aruba as the provider:
     hostname (config) # fenotify http default provider aruba
   - To select the generic provider:
     hostname (config) # fenotify http default provider generic
5. Select one of the XML, JavaScript Object Notation (JSON), or Text options for the format of the notification, where <service_name> is the name of the HTTP server that receives the posted notification:
   NOTE: The json_legacy-concise, json_legacy-extended, and json_legacy-normal formats are deprecated.
   The levels of detail are the same as for email: Concise (basic information such as alert type, ID, source IP, malware name, hostname, and alert URL), Normal (detailed information and abstracts without any redundant information), and Extended (detailed information and abstracts including data-theft information, if any, and static-analysis details, with all details about files and objects modified during analysis).
   hostname (config) # fenotify http service <service_name> provider generic message format json-concise
   hostname (config) # fenotify http service <service_name> provider generic message format json-normal
   hostname (config) # fenotify http service <service_name> provider generic message format json-extended
   hostname (config) # fenotify http service <service_name> provider generic message format text-concise
   hostname (config) # fenotify http service <service_name> provider generic message format text-normal
   hostname (config) # fenotify http service <service_name> provider generic message format text-extended
   hostname (config) # fenotify http service <service_name> provider generic message format xml-concise
   hostname (config) # fenotify http service <service_name> provider generic message format xml-normal
   hostname (config) # fenotify http service <service_name> provider generic message format xml-extended
6. Save the configuration:
   hostname (config) # write memory

Setting Up HTTP Servers

To set up HTTP servers, perform the following subtasks:
- Add the HTTP servers.
- Configure the HTTP server listing.

To add an HTTP server:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Enable HTTP notifications:
   hostname (config) # fenotify http enable
3. Specify a name for the HTTP server (for example, NX7400) that will receive the notification. URLs and email addresses are not allowed as the name:
   hostname (config) # fenotify http service <service_name>
4. Enable the servers that should receive HTTP notifications (one server per command):
   hostname (config) # fenotify http service <service_name> enable
5. Specify the URL to which each HTTP server receives the notification:
   hostname (config) # fenotify http service <service_name> server-url <url>
   NOTE: The URL scheme matters: with an http:// URL the notification body, and any credentials set in the next procedure, cross the network in cleartext.
6. Save the configuration:
   hostname (config) # write memory

To configure the HTTP server listing:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Enable HTTP notifications:
   hostname (config) # fenotify http enable
3. (Optional) If the server requires authentication, enable authentication and then specify the user name and password for HTTP authentication:
   hostname (config) # fenotify http service <service_name> auth enable
   hostname (config) # fenotify http service <service_name> auth username <user_name>
   hostname (config) # fenotify http service <service_name> auth password <password>
4. Select the event types:
   hostname (config) # fenotify http alert domain-match enable
   hostname (config) # fenotify http alert infection-match enable
   hostname (config) # fenotify http alert ips-event enable
   hostname (config) # fenotify http alert malware-callback enable
   hostname (config) # fenotify http alert malware-object enable
   hostname (config) # fenotify http alert web-infection enable
5. Enable the specified servers to receive HTTP notifications when ATI alert updates are detected (one server per command):
   hostname (config) # fenotify http service <service_name> alerts-update enable
6. Specify the delivery frequency for HTTP notifications:
   NOTE: FireEye recommends using per-event notifications.
o To receive information about all events detected in the past 24 hours, enter: hostname (config) # fenotify http service <service_name> prefer message delivery daily-digest o To receive a daily notification for each entity that was the source of the event, enter: hostname (config) # fenotify http service service_name prefer message delivery daily-per-source o To receive an hourly notification for each entity that was the source of the event, enter: hostname (config) # fenotify http service <service_name> prefer message delivery hourly-per-source o To receive a notification every minute for each entity that was the source of the event, enter: hostname (config) # fenotify http service <service_name> prefer message delivery per-1min-per-source o To receive a notification every 5 minutes for each entity that was the source of the event, enter: hostname (config) # fenotify http service <service_name> prefer message delivery per-5min-per-source o To receive information about each event, sent when the event is triggered, enter: hostname (config) # fenotify http service <service_name> prefer message delivery per-event 7. (Optional) If you want to use SSL for notifications: hostname (config) # fenotify http service <service_name> ssl enable hostname (config) # fenotify http service <service_name> ssl verify © 2019 FireEye 325 Central Management Administration Guide CHAPTER 19: Event Notifications 8. Specify the service provider. The default service provider is generic. NOTE: FireEye recommends using the generic service provider. o To select the currently active service provider, enter: hostname (config) # fenotify http service <service_name> provider default o To select the generic provider, enter: hostname (config) # fenotify http service <service_name> provider generic o To select Aruba as the provider, enter: hostname (config) # fenotify http service <service_name> provider aruba 326 © 2019 FireEye Release 8.7 Configuring Event Notifications Using the CLI 9. 
Select one of the XML, JavaScript Object Notation (JSON), or Text options for the format of the HTTP notifications: NOTE: The json_legacy-concise, json_legacy-extended, and json_legacynormal formats are deprecated. o To post notifications in XML Concise format containing basic information such as alert type, ID, source IP, malware name, hostname, and alert URL, enter: hostname (config) # fenotify http service <service_name> provider generic message format xml-concise o To post notifications in XML Extended format containing detailed information and abstracts including data-theft information (if any) and staticanalysis details (XML Extended provides all details about files and objects modified during analysis.), enter: hostname (config) # fenotify http service <service_name> provider generic message format xml-extended o To post notifications in XML Normal format containing detailed information and abstracts such as alert type, ID, source IP, malware name, hostname, and alert URL without any redundant information, enter: hostname (config) # fenotify http service <service_name> provider generic message format xml-normal o To post notifications in JSON Concise format containing basic information such as alert type, ID, source IP, malware name, hostname, and alert URL, enter: hostname (config) # fenotify http service <service_name> provider generic message format json-concise o To post notifications in JSON Extended format containing detailed information and abstracts including data-theft information (if any) and staticanalysis details (JSON Extended provides all details about files and objects modified during analysis.), enter: hostname (config) # fenotify http service <service_name> provider generic message format json-extended o To post notifications in JSON Normal format containing detailed information and abstracts such as alert type, ID, source IP, malware name, hostname, and alert URL without any redundant information, enter: hostname (config) # fenotify http 
service <service_name> provider generic message format json-normal o To post notifications in Text Concise format containing basic information such as alert type, ID, source IP, malware name, hostname, and alert URL, enter: hostname (config) # fenotify http service <service_name> provider generic message format text-concise © 2019 FireEye 327 Central Management Administration Guide o CHAPTER 19: Event Notifications To post notifications in Text Extended format containing detailed information and abstracts including data-theft information (if any) and static-analysis details (Text Extended provides all details about files and objects modified during analysis.), enter: hostname (config) # fenotify http service <service_name> provider generic message format text-extended o To post notifications in Text Normal format containing detailed information and abstracts such as alert type, ID, source IP, malware name, hostname, and alert URL without any redundant information, enter: hostname (config) # fenotify http service <service_name> provider generic message format text-normal 10. Save the configuration: hostname (config) # write memory Configuring Rsyslog Notifications Using the CLI Use the CLI commands in this section to send notifications to a remote syslog server. NOTE: You must use the CLI to configure whether there should be line breaks between notifications. Prerequisites l l The Central Management appliance must have an established connection to the Internet. Operator or Admin access. Configuring Rsyslog Settings Use the CLI commands in this topic to set up the default configuration for rsyslog notifications. To configure rsyslog settings: 1. Go to CLI configuration mode: hostname > enable hostname # configure terminal 2. Enable rsyslog notifications: hostname (config) # fenotify rsyslog enable 328 © 2019 FireEye Release 8.7 Configuring Event Notifications Using the CLI 3. 
Specify the default format for rsyslog notifications: NOTE: The json_legacy-concise, json_legacy-extended, and json_legacynormal formats are deprecated. o To send notifications in the Common Export Format (CEF), enter: hostname (config) # fenotify rsyslog default format cef o To send notifications in the comma-separated values (CSV) format, enter: hostname (config) # fenotify rsyslog default format csv o To send notifications in the Log Extended Event Format (LEEF) (default), enter: hostname (config) # fenotify rsyslog default format leef o To send notifications in XML Concise format containing basic information such as alert type, ID, source IP, malware name, hostname, and alert URL, enter: hostname (config) # fenotify rsyslog default format xml-concise o To send notifications in XML Extended format containing detailed information and abstracts including data-theft information (if any) and staticanalysis details (XML Extended provides all details about files and objects modified during analysis.), enter: hostname (config) # fenotify rsyslog default format xml-extended o To send notifications in XML Normal format containing detailed information and abstracts such as alert type, ID, source IP, malware name, hostname, and alert URL without any redundant information, enter: hostname (config) # fenotify rsyslog default format xml-normal o To send notifications in JSON Concise format containing basic information such as alert type, ID, source IP, malware name, hostname, and alert URL, enter: hostname (config) # fenotify rsyslog default format json-concise o To send notifications in JSON Extended format containing detailed information and abstracts including data-theft information (if any) and staticanalysis details (JSON Extended provides all details about files and objects modified during analysis.), enter: hostname (config) # fenotify rsyslog default format json-extended o To send notifications in JSON Normal format containing detailed information and abstracts such 
as alert type, ID, source IP, malware name, hostname, and alert URL without any redundant information, enter: hostname (config) # fenotify rsyslog default format json-normal o To send notifications in Text Concise format containing basic information such as alert type, ID, source IP, malware name, hostname, and alert URL, enter: hostname (config) # fenotify rsyslog default format text-concise © 2019 FireEye 329 Central Management Administration Guide o CHAPTER 19: Event Notifications To send notifications in Text Extended format containing detailed information and abstracts including data-theft information (if any) and staticanalysis details (Text Extended provides all details about files and objects modified during analysis.), enter: hostname (config) # fenotify rsyslog default format text-extended o To send notifications in Text Normal format containing detailed information and abstracts such as alert type, ID, source IP, malware name, hostname, and alert URL without any redundant information, enter: hostname (config) # fenotify rsyslog default format text-normal 4. Specify the default delivery schedule for email notifications: NOTE: FireEye recommends using per-event notifications. 
o To receive a daily notification for each entity that was the source of the event, enter: hostname (config) # fenotify rsyslog default delivery daily-persource o To receive an hourly notification for each entity that was the source of the event, enter: hostname (config) # fenotify rsyslog default delivery hourly-persource o To receive a notification every minute for each entity that was the source of the event, enter: hostname (config) # fenotify rsyslog default delivery per-1minper-source o To receive a notification every 5 minutes for each entity that was the source of the event, enter: hostname (config) # fenotify rsyslog default delivery per-5minper-source o To receive information about each event, sent when the event is triggered, enter: hostname (config) # fenotify rsyslog default delivery per-event 5. Specify the default severity classification for the rsyslog notification: NOTE: FireEye recommends setting the severity classification to alert. o To indicate that action must be taken immediately (severity 1), enter: hostname (config) # fenotify rsyslog default send-as alert o To indicate that the notification contains critical conditions (severity 2), enter: hostname (config) # fenotify rsyslog default send-as crit o To indicate that the notification contains debug-level messages (severity 7), enter: hostname (config) # fenotify rsyslog default send-as debug o To indicate an emergency (the system is unusable) (severity 0), enter: hostname (config) # fenotify rsyslog default send-as emerg 330 © 2019 FireEye Release 8.7 Configuring Event Notifications Using the CLI o To indicate that the notification contains error conditions (severity 3), enter: hostname (config) # fenotify rsyslog default send-as error o To indicate that the notification contains informational messages (severity 6), enter: hostname (config) # fenotify rsyslog default send-as info o To indicate normal but significant conditions (severity 5), enter: hostname (config) # fenotify rsyslog default 
send-as notice o To indicate that the notification contains warning conditions (severity 4), enter: hostname (config) # fenotify rsyslog default send-as warning 6. Save the configuration: hostname (config) # write memory Configuring Line Feedback for Rsyslog Notifications Use the CLI commands in this topic to configure whether to send notifications to a remote syslog server in a single line or with line breaks between each notification. The default is to send rsyslog notifications in a single line. To send rsyslog notifications in a single line: 1. Go to CLI configuration mode: hostname > enable hostname # configure terminal 2. Configure the single line option: hostname (config) # fenotify preferences rsyslog-strip-lnfb enable 3. Save the configuration: hostname (config) # write memory 4. Verify that rsyslog notifications will be sent in a single line: hostname (config) # show fenotify preferences IPS delivery mode: instant HTTP(s) notification using fenet proxy: yes Rsyslog notification Stripping off line feedback: yes To send rsyslog notifications with line breaks: 1. Go to CLI configuration mode: hostname > enable hostname # configure terminal 2. Configure the line break option: hostname (config) # no fenotify preferences rsyslog-strip-lnfb enable 3. Save the configuration: © 2019 FireEye 331 Central Management Administration Guide CHAPTER 19: Event Notifications hostname (config) # write memory 4. Verify that rsyslog notifications will be sent with line breaks: hostname (config) # show fenotify preferences IPS delivery mode: instant HTTP(s) notification using fenet proxy: yes Rsyslog notification Stripping off line feedback: no Setting Up Rsyslog Servers To set up rsyslog servers, perform the following subtasks: l Add the rsyslog servers l Configure the rsyslog servers To add an rsyslog server: 1. Go to CLI configuration mode: hostname > enable hostname # configure terminal 2. Enable rsyslog notifications: hostname (config) # fenotify rsyslog enable 3. 
Specify the name of the rsyslog server to receive the notification: hostname (config) # fenotify rsyslog trap-sink <sink_name> 4. Specify which servers will receive rsyslog notifications (one server per command): hostname (config) # fenotify rsyslog trap-sink <sink_name> enable 5. Specify the IP address or DNS address of the rsyslog server to send event logs to: hostname (config) # fenotify rsyslog trap-sink <sink_name> address <ip address> 6. Save the configuration: hostname (config) # write memory To configure the rsyslog servers: 1. Go to CLI configuration mode: hostname > enable hostname # configure terminal 2. Enable rsyslog notifications: hostname (config) # fenotify rsyslog enable 3. Specify the delivery frequency for rsyslog notifications: NOTE: FireEye recommends using per-event notifications. o To receive a daily notification for each entity that was the source of the event, enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer 332 © 2019 FireEye Release 8.7 Configuring Event Notifications Using the CLI message delivery daily-per-source o To receive an hourly notification for each entity that was the source of the event, enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message delivery hourly-per-source o To receive a notification every minute for each entity that was the source of the event, enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message delivery per-1min-per-source o To receive a notification every 5 minutes for each entity that was the source of the event, enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message delivery per-5min-per-source o To receive information about each event, sent when the event is triggered, enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message delivery per-event 4. 
Select the event type: hostname hostname hostname hostname hostname hostname (config) (config) (config) (config) (config) (config) # # # # # # fenotify fenotify fenotify fenotify fenotify fenotify rsyslog rsyslog rsyslog rsyslog rsyslog rsyslog alert alert alert alert alert alert domain-match infection-match ips-event malware-callback malware-object web-infection 5. Specify the format for rsyslog notifications: NOTE: The json_legacy-concise, json_legacy-extended, and json_legacynormal formats are deprecated. o To send notifications in the Common Export Format (CEF), enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message format cef o To send notifications in the comma-separated values (CSV) format, enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message format csv o To send notifications in the Log Extended Event Format (LEEF) (default), enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message format leef o To send notifications in XML Concise format containing basic information such as alert type, ID, source IP, malware name, hostname, and alert URL, enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message format xml-concise © 2019 FireEye 333 Central Management Administration Guide o CHAPTER 19: Event Notifications To send notifications in XML Extended format containing detailed information and abstracts including data-theft information (if any) and staticanalysis details (XML Extended provides all details about files and objects modified during analysis.), enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message format xml-extended o To send notifications in XML Normal format containing detailed information and abstracts such as alert type, ID, source IP, malware name, hostname, and alert URL without any redundant information, enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message format xml-normal o To send 
notifications in JSON Concise format containing basic information such as alert type, ID, source IP, malware name, hostname, and alert URL, enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message format json-concise o To send notifications in JSON Extended format containing detailed information and abstracts including data-theft information (if any) and staticanalysis details (JSON Extended provides all details about files and objects modified during analysis.), enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message format json-extended o To send notifications in JSON Normal format containing detailed information and abstracts such as alert type, ID, source IP, malware name, hostname, and alert URL without any redundant information, enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message format json-normal o To send notifications in Text Concise format containing basic information such as alert type, ID, source IP, malware name, hostname, and alert URL, enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message format text-concise o To send notifications in Text Extended format containing detailed information and abstracts including data-theft information (if any) and staticanalysis details (Text Extended provides all details about files and objects modified during analysis.), enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message format text-extended o To send notifications in Text Normal format containing detailed information and abstracts such as alert type, ID, source IP, malware name, hostname, and alert URL without any redundant information, enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message format text-normal 334 © 2019 FireEye Release 8.7 Configuring Event Notifications Using the CLI 6. 
Specify the severity classification for the rsyslog notification: NOTE: FireEye recommends setting the severity classification to alert. o To indicate that action must be taken immediately (severity 1), enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message send-as alert o To indicate that the notification contains critical conditions (severity 2), enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message send-as crit o To indicate that the notification contains debug-level messages (severity 7), enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message send-as debug o To indicate an emergency (the system is unusable) (severity 0), enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message send-as emerg o To indicate that the notification contains error conditions (severity 3), enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message send-as error o To indicate that the notification contains informational messages (severity 6), enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message send-as info o To indicate normal but significant conditions (severity 5), enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message send-as notice o To indicate that the notification contains warning conditions (severity 4), enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> prefer message send-as warning 7. Specify the protocol used to send rsyslog notifications (UDP is the default): l To select UDP, enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> protocol UDP l To select TCP, enter: hostname (config) # fenotify rsyslog trap-sink <sink_name> protocol TCP 8. Save the configuration: hostname (config) # write memory Configuring SNMP Notifications Using the CLI NOTE: The following topics pertain to malware alert event notifications. 
For information about SNMP notifications that pertain to system events such as low disk space, see SNMP Data on page 279.

Use the CLI commands in this section to send notifications to one or more Simple Network Management Protocol (SNMP) servers.

Prerequisites
- The Central Management appliance must have an established connection to the Internet.
- Operator or Admin access.

Configuring SNMP Settings

Use the CLI commands in this topic to set up the default configuration for SNMP notifications.

To configure SNMP settings:
1. Go to CLI configuration mode:
  hostname > enable
  hostname # configure terminal
2. Enable SNMP notifications:
  hostname (config) # fenotify snmp enable
3. Specify the default delivery schedule for SNMP notifications:
NOTE: FireEye recommends using per-event notifications.
- To receive a daily notification for each entity that was the source of the event, enter:
  hostname (config) # fenotify snmp default delivery daily-per-source
- To receive an hourly notification for each entity that was the source of the event, enter:
  hostname (config) # fenotify snmp default delivery hourly-per-source
- To receive a notification every minute for each entity that was the source of the event, enter:
  hostname (config) # fenotify snmp default delivery per-1min-per-source
- To receive a notification every 5 minutes for each entity that was the source of the event, enter:
  hostname (config) # fenotify snmp default delivery per-5min-per-source
- To receive information about each event, sent when the event is triggered, enter:
  hostname (config) # fenotify snmp default delivery per-event
4. Specify the SNMP version used for notifications:
- To use SNMP version 1, enter:
  hostname (config) # fenotify snmp default version 1
- To use SNMP version 2c, enter:
  hostname (config) # fenotify snmp default version 2c
5. If you are going to download the MIB file, see the procedure that follows for Microsoft Windows, Linux, or Mac devices. The MIB file is retrieved using a program that connects using port 22, which is normally used for tools like SSH, SCP, and PSCP. Because file-level access is denied by policy, the direct path to the MIB file needs to be specified.
6. Save the configuration:
  hostname (config) # write memory

To download the FireEye MIB for SNMP on Windows:
1. Download the pscp.exe tool (available from the PuTTY download page).
2. Navigate to a command prompt window.
3. Change to the directory in which you downloaded the pscp.exe tool:
  cd Downloads
4. Copy the MIB file from the Central Management appliance:
  pscp.exe -r -scp admin@<CMSeriesIPaddress>:/usr/share/snmp/mibs \Temp\mibs\
5. When prompted for the password, enter admin. The file is copied to the \Temp\mibs directory that resides on your desktop.
6. Change to the “mibs” directory:
  cd C:\Temp\mibs
7. Load the MIB file into an SNMP browser or tool, or open the MIB file with the following command:
  FE-FIREEYE-MIB.txt

To download the FireEye MIB for SNMP on Linux:
1. Using the OpenSSH client, copy the MIB file from the Central Management appliance:
  scp -r admin@<CMSeriesIPaddress>:/usr/share/snmp/mibs /usr/<userDirectoryName>/
2. When prompted for the password, enter admin. The files are copied to the “mibs” directory that resides in the /usr/<userDirectoryName> directory.
3. Change to the “mibs” directory:
  cd mibs
4. Load the MIB file into an SNMP browser or tool, or open the MIB file with the following command:
  vi FE-FIREEYE-MIB.txt

To download the FireEye MIB for SNMP on Mac OS X:
1. Navigate to the terminal emulator.
2. Copy the MIB file from the Central Management appliance:
  scp -r admin@<CMSeriesIPaddress>:/usr/share/snmp/mibs ~/
3. When prompted for the password, enter admin. The files are copied to the “mibs” directory that resides in the user directory.
4. Load the MIB file into an SNMP browser or tool, or open the MIB file with the following command:
  vi ~/mibs/FE-FIREEYE-MIB.txt

Setting Up SNMP Servers

To set up the SNMP servers, perform the following subtasks:
- Add the SNMP servers
- Configure the SNMP servers

To add an SNMP server:
1. Go to CLI configuration mode:
  hostname > enable
  hostname # configure terminal
2. Enable SNMP notifications:
  hostname (config) # fenotify snmp enable
3. Specify the name of the SNMP server (for example, NX7400) for SNMP notifications:
  hostname (config) # fenotify snmp trap-sink <sink_name>
4. Specify which servers will receive SNMP notifications (one server per command):
  hostname (config) # fenotify snmp trap-sink <sink_name> enable
5. Specify the IP address or DNS address of the SNMP server to receive the notifications:
  hostname (config) # fenotify snmp trap-sink <sink_name> address <ip_address>
6. Save the configuration:
  hostname (config) # write memory

To configure the SNMP servers:
1. Go to CLI configuration mode:
  hostname > enable
  hostname # configure terminal
2. Enable SNMP notifications:
  hostname (config) # fenotify snmp enable
3. Specify the SNMP community string:
  hostname (config) # fenotify snmp trap-sink <sink_name> community <community_name>
4. Specify the SNMP version used for notifications:
- To use SNMP version 1, enter:
  hostname (config) # fenotify snmp trap-sink <sink_name> version 1
- To use SNMP version 2c, enter:
  hostname (config) # fenotify snmp trap-sink <sink_name> version 2c
5. Specify the delivery frequency for SNMP notifications:
NOTE: FireEye recommends using per-event notifications.
- To receive a daily notification for each entity that was the source of the event, enter:
  hostname (config) # fenotify snmp trap-sink <sink_name> prefer message delivery daily-per-source
- To receive an hourly notification for each entity that was the source of the event, enter:
  hostname (config) # fenotify snmp trap-sink <sink_name> prefer message delivery hourly-per-source
- To receive a notification every minute for each entity that was the source of the event, enter:
  hostname (config) # fenotify snmp trap-sink <sink_name> prefer message delivery per-1min-per-source
- To receive a notification every 5 minutes for each entity that was the source of the event, enter:
  hostname (config) # fenotify snmp trap-sink <sink_name> prefer message delivery per-5min-per-source
- To receive information about each event, sent when the event is triggered, enter:
  hostname (config) # fenotify snmp trap-sink <sink_name> prefer message delivery per-event
6. Select the event type:
  hostname (config) # fenotify snmp trap-sink <sink_name> prefer notification all-events
  hostname (config) # fenotify snmp trap-sink <sink_name> prefer notification domain-match
  hostname (config) # fenotify snmp trap-sink <sink_name> prefer notification infection-match
  hostname (config) # fenotify snmp trap-sink <sink_name> prefer notification ips-event
  hostname (config) # fenotify snmp trap-sink <sink_name> prefer notification malware-callback
  hostname (config) # fenotify snmp trap-sink <sink_name> prefer notification malware-object
  hostname (config) # fenotify snmp trap-sink <sink_name> prefer notification web-infection
7. Save the configuration:
  hostname (config) # write memory

Configuring the Proxy Server for Notifications

You can enable or disable the proxy server for notifications. The proxy server is referred to as the FireEye network proxy server.
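The HTTP server and rsyslog trap-sink procedures earlier in this chapter cover only the sending side of the appliance. The Python module below is an added example, not FireEye code and not from this guide, showing the receiving side a practitioner would put behind the `server-url` and the rsyslog trap-sink: it verifies the HTTP Basic credentials that `auth username` and `auth password` configure, comparing them in constant time and rejecting a body that is not a JSON object, and it frames incoming syslog records on their `<PRI>` header rather than on newlines, so a record stays whole whether `rsyslog-strip-lnfb` is enabled or not, then maps the PRI to the `send-as` severity names (alert = 1, info = 6, and so on) and parses the CEF header. Everything it assumes is an assumption rather than something the page states: that the appliance sends HTTP Basic credentials and the json-* formats as a JSON object, and that CEF records arrive as `<PRI>`-prefixed syslog lines. The sample stream, vendor/product values and extension fields are constructed placeholders for the example.

```python
"""Receiver-side checks for CM event notifications.

Added example, not FireEye code.  Assumptions (not stated on the page):
  * the HTTP service posts the json-* formats as a JSON object and, with
    'auth enable', sends HTTP Basic credentials;
  * the rsyslog trap-sink sends '<PRI>...' records carrying a CEF payload.
Vendor/product/field values in SAMPLE_STREAM are constructed placeholders.
"""
import base64
import hmac
import json
import re

# ---------------------------------------------------------------- HTTP side

def basic_auth_header(user, password):
    """Build the 'Authorization' value a sender would put on the POST."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _basic_credentials(header):
    """Return (user, password) from a Basic header, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def accept_http_notification(headers, body, expected_user, expected_password):
    """Validate one posted notification; return (http_status, payload_or_None).

    401: missing/malformed credentials, 403: wrong credentials (compared in
    constant time), 400: body is not a JSON object, 200: parsed payload.
    """
    creds = _basic_credentials(headers.get("Authorization"))
    if creds is None:
        return 401, None
    user_ok = hmac.compare_digest(creds[0].encode(), expected_user.encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), expected_password.encode())
    if not (user_ok and pass_ok):
        return 403, None
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return 400, None
    return (200, payload) if isinstance(payload, dict) else (400, None)

# ------------------------------------------------------------- rsyslog side

# A record starts with '<PRI>' at the start of the stream or right after a
# newline.  Framing on this instead of on '\n' keeps a multi-line record whole
# when line feeds are not stripped (rsyslog-strip-lnfb disabled).
PRI_START = re.compile(r"(?:^|(?<=\n))<(\d{1,3})>")
SEVERITY_NAMES = ["emerg", "alert", "crit", "error",
                  "warning", "notice", "info", "debug"]  # syslog 0..7


def split_syslog_records(stream):
    """Split received text into records with facility/severity decoded from PRI."""
    starts = list(PRI_START.finditer(stream))
    records = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(stream)
        pri = int(m.group(1))
        if pri > 191:  # 24 facilities x 8 severities; anything larger is noise
            continue
        records.append({"facility": pri // 8, "severity": pri % 8,
                        "severity_name": SEVERITY_NAMES[pri % 8],
                        "message": stream[m.end():end].strip("\n")})
    return records


_CEF_KEYS = ["cef_version", "vendor", "product", "device_version",
             "signature_id", "name", "severity", "extension"]
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)", re.DOTALL)  # values may hold spaces/newlines


def parse_cef(message):
    """Parse 'CEF:Version|Vendor|Product|DevVersion|SigID|Name|Severity|ext'.

    Header fields split on unescaped '|' only ('\\|' is unescaped back to '|');
    extension key=value pairs become a dict.  Returns None if no full header.
    """
    idx = message.find("CEF:")
    if idx < 0:
        return None
    fields = _UNESCAPED_PIPE.split(message[idx + 4:], maxsplit=7)
    if len(fields) != 8:
        return None
    cef = {k: v.replace("\\|", "|") for k, v in zip(_CEF_KEYS, fields)}
    cef["extension"] = dict(_EXT_PAIR.findall(fields[7]))
    return cef


# Constructed sample: two records; the first carries a line break inside its
# msg= value, which is what a receiver sees when line feeds are not stripped.
SAMPLE_STREAM = (
    "<9>Jan 01 00:00:00 cm-example CEF:0|ExampleVendor|ExampleProduct|1.0|"
    "100|Constructed callback alert|7|src=10.0.0.5 dst=198.51.100.7 "
    "msg=line one\nline two act=notify\n"
    "<14>Jan 01 00:00:01 cm-example CEF:0|ExampleVendor|ExampleProduct|1.0|"
    "101|Pipe \\| in name|3|src=10.0.0.6\n"
)


def parse_sample():
    """Frame SAMPLE_STREAM and attach the parsed CEF payload to each record."""
    out = []
    for rec in split_syslog_records(SAMPLE_STREAM):
        rec["cef"] = parse_cef(rec["message"])
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in parse_sample():
        print(rec["severity_name"], rec["cef"]["signature_id"], rec["cef"]["extension"])
```

The HTTP check returns distinct statuses so that a missing header, a wrong secret and a malformed body are distinguishable in the receiver's own logs; the syslog framer deliberately ignores newlines, which is the behaviour that matters when the line-feedback preference is switched off, and the PRI upper bound of 191 discards anything that only looks like a syslog header.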
HTTP notifications are currently sent through the FireEye network proxy server. This is the default setting. You can disable the proxy server for outgoing HTTP notifications, such as email reports or Splunk notifications. NOTE: Proxy server for notifications is configured only using the CLI. Prerequisites l The Central Management appliance must have an established connection to the Internet. l Operator or Admin access. l The proxy server must be explicitly disabled for outgoing HTTP notifications. Configuring the Proxy Server for Notifications Using the CLI Use the CLI commands in this topic to configure the proxy server for notifications using the CLI. To enable the proxy server for notifications: 1. Go to CLI configuration mode. hostname > enable hostname # configure terminal 2. Enable the proxy server for notifications. hostname (config) # fenotify preferences use-fenet-proxy enable 3. Verify that HTTP notifications are enabled for the proxy server. hostname (config) # show fenotify preferences Notification customized settings: IPS delivery mode: instant HTTP(s) notification using fenet proxy: yes 340 © 2019 FireEye Release 8.7 Configuring ATI Alert Updates for Notifications To disable the proxy server for notifications: 1. Go to CLI configuration mode. hostname > enable hostname # configure terminal 2. Disable the proxy server for notifications. hostname (config) # no fenotify preferences use-fenet-proxy enable 3. Verify that HTTP notifications are disabled for the proxy server. hostname (config) # show fenotify preferences Notification customized settings: IPS delivery mode: instant HTTP(s) notification using fenet proxy: no Configuring ATI Alert Updates for Notifications You can enable or disable Advanced Threat Intelligence (ATI) alert updates for notifications through HTTP and email protocols. NOTE: Rsyslog and SNMP protocols are not supported. 
When you enable ATI alert updates for notifications, notifications are sent for events with threat intelligence on managed Network Security appliances running Release 7.7.0 or later. When you disable ATI alert updates for notifications, no notifications are sent for events with threat intelligence on managed appliances.

Even when ATI alert updates are enabled, notifications are not sent for alerts with threat intelligence that were detected more than 90 days ago. If multiple alerts match the same ATI event triggered on the appliance, notifications are sent only for the first three alerts per day. For detailed information about ATI, see the NX Series User Guide.

NOTE: ATI alert updates for notifications are configured only using the CLI. This feature is disabled by default.

Prerequisites
- The Central Management appliance must have an established connection to the Internet.
- Operator or Admin access to the Central Management appliance.

Configuring ATI Alert Updates for Notifications Using the CLI

Follow these steps to configure ATI alert updates for notifications using the CLI.

To enable ATI alert updates for notifications:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Enable ATI alert update settings for notifications:
   hostname (config) # fenotify preferences alerts-update ati enable
3. Save your changes:
   hostname (config) # write memory
4. Verify the status of the ATI alert update settings:
   hostname (config) # show fenotify preferences
   Notification customized settings:
   IPS delivery mode: instant
   HTTP(s) notification using fenet proxy: yes
   Rsyslog notification Stripping off line feedback: yes
   Notification timeout: 600 seconds
   SSL cipher list: compatible
   SSL minimum protocol version: tls1
   Alert ATI Updates: yes
   CEF Compliance: yes

To disable ATI alert updates for notifications:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Disable ATI alert update settings for notifications:
   hostname (config) # no fenotify preferences alerts-update ati enable
3. Save your changes:
   hostname (config) # write memory
4. Verify the status of the ATI alert update settings:
   hostname (config) # show fenotify preferences
   Notification customized settings:
   IPS delivery mode: instant
   HTTP(s) notification using fenet proxy: yes
   Rsyslog notification Stripping off line feedback: yes
   Notification timeout: 600 seconds
   SSL cipher list: compatible
   SSL minimum protocol version: tls1
   Alert ATI Updates: no
   CEF Compliance: yes

CHAPTER 20: Disk Space Management

Some appliance processes require a specific amount of disk space to complete. If that disk space is not available, the process does not start and an error message describes the problem. For example, you may need to delete files and artifacts to free disk space if there is not enough room to perform a database backup, to retrieve SNMP data, or to send system notifications. It may also be necessary to free disk space before upgrading the appliance.

On-Demand Cleanup Using Profiles

You can analyze the disk space used by system files, such as backups, dumps, reports, log files, and some types of artifacts.
Disk management profiles are defined for groups of system file types, and you can delete data using these profiles to free disk space. Some data, such as configuration data, cannot be deleted. The following profiles are available for disk management:

Profile                 Description
backups                 Backup files created during user-initiated backup and restore procedures
fedb-backups            Database backup files created during system image updates
logs                    Log files
malicious-artifacts     Malicious artifact files generated on the appliance
nonmalicious-artifacts  Nonmalicious artifact files generated on the appliance
reports                 Report files
snapshots               System snapshots
sysdumps                System dumps
tcpdumps                TCP capture files

For more information, see:
- Viewing a Summary of Disk Space Use Using the CLI below
- Viewing Disk Space Use By Profile Using the CLI on the facing page
- Deleting Data to Free Disk Space Using the CLI on the facing page

Viewing a Summary of Disk Space Use Using the CLI

You can view a summary of disk space use for the /config, /var, and /data file systems and the associated profiles. Run this command first to analyze disk space use.

NOTE: You cannot delete files from the /config file system. Space information for this file system is for information purposes only.

To view a summary of disk space use:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2.
   Show the current disk space use summary:
   hostname (config) # show system cleanup summary
   Statistics for /config filesystem:
   Space Total              182 MB
   Space Used                 7 MB
   Space Free               175 MB
   Space Available          166 MB
   Space Percent Free       96%
   Inodes Percent Free      99%
   Statistics for /var filesystem:
   Space Total            20031 MB
   Space Used              2682 MB
   Space Free             17348 MB
   Space Available        16324 MB
   Space Percent Free       86%
   Inodes Percent Free      99%
   Statistics for /data filesystem:
   Space Total          1068532 MB
   Space Used            126189 MB
   Space Free            942343 MB
   Space Available       888058 MB
   Space Percent Free       88%
   Inodes Percent Free      99%

   Profile Name           | Description                     | Occupied Space | Cleanable Space | Filesystems
   =======================|=================================|================|=================|============
   backups                | Unified Backups                 | 0 MB           | 0 MB            | /data
   fedb-backups           | FEDB Backups                    | 6446 MB        | 6446 MB         | /data
   logs                   | Application log files           | 427 MB         | 411 MB          | /var
   malicious-artifacts    | Malicious Malware Artifacts     | 0 MB           | 0 MB            | /data
   nonmalicious-artifacts | Non-malicious Malware Artifacts | 0 MB           | 0 MB            | /data
   reports                | Reports                         | 1 MB           | 1 MB            | /data
   snapshots              | System snapshots                | 8 MB           | 5 MB            | /data
   sysdumps               | System dumps                    | 0 MB           | 0 MB            | /data
   tcpdumps               | TCP capture files               | 0 MB           | 0 MB            | /var

Viewing Disk Space Use By Profile Using the CLI

You can view disk space use by profile. Run this command to determine the best data to delete for a specific profile.

To view a summary of disk space use by profile:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Show the current disk space use for a profile:
   hostname (config) # show system cleanup profile [backups | fedb-backups | logs | malicious-artifacts | nonmalicious-artifacts | reports | snapshots | sysdumps | tcpdumps]

For profile descriptions, see On-Demand Cleanup Using Profiles on page 345.
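The two tables that the cleanup commands print (the per-profile table of show system cleanup summary, and the age table of show system cleanup profile <profile> such as the one shown for the logs profile) are what an operator reads before deciding how much to delete. The following is an added example, not FireEye code: it parses both outputs, totals the cleanable space per file system, and picks the largest older-than threshold that still frees a required amount, so that the most recent logs and artifacts (the ones an investigation is most likely to need) are kept. The sample outputs are constructed to match the tables in this chapter; nothing here talks to the appliance.

```python
"""Plan an on-demand disk cleanup from 'show system cleanup' output.

Added example; this is not FireEye code and does not contact the appliance.
The two CLI outputs below are constructed to match the tables shown in
this chapter (the summary profile table and the 'logs' profile age table).
"""
import re
from dataclasses import dataclass

# Constructed sample: the profile table printed by 'show system cleanup summary'.
SUMMARY_OUTPUT = """\
Profile Name           | Description                     | Occupied Space | Cleanable Space | Filesystems
=======================|=================================|================|=================|============
backups                | Unified Backups                 | 0 MB           | 0 MB            | /data
fedb-backups           | FEDB Backups                    | 6446 MB        | 6446 MB         | /data
logs                   | Application log files           | 427 MB         | 411 MB          | /var
malicious-artifacts    | Malicious Malware Artifacts     | 0 MB           | 0 MB            | /data
nonmalicious-artifacts | Non-malicious Malware Artifacts | 0 MB           | 0 MB            | /data
reports                | Reports                         | 1 MB           | 1 MB            | /data
snapshots              | System snapshots                | 8 MB           | 5 MB            | /data
sysdumps               | System dumps                    | 0 MB           | 0 MB            | /data
tcpdumps               | TCP capture files               | 0 MB           | 0 MB            | /var
"""

# Constructed sample: 'show system cleanup profile logs'.
LOGS_PROFILE_OUTPUT = """\
Older than | Size
===========|=============
365 days   | 0 MB
180 days   | 25 MB
90 days    | 212 MB
30 days    | 342 MB
7 days     | 382 MB
1 day      | 405 MB
All        | 411 MB
"""

_MB = re.compile(r"(\d+)\s*MB")


@dataclass
class ProfileUsage:
    name: str
    description: str
    occupied_mb: int
    cleanable_mb: int
    filesystem: str


def _cells(line):
    return [c.strip() for c in line.split("|")]


def parse_summary(text):
    """Return one ProfileUsage per data row of the summary's profile table."""
    rows = []
    for line in text.splitlines():
        cells = _cells(line)
        if len(cells) != 5 or cells[0] == "Profile Name" or cells[0].startswith("="):
            continue  # header and separator rows carry no data
        name, desc, occupied, cleanable, fs = cells
        rows.append(ProfileUsage(name, desc,
                                 int(_MB.match(occupied).group(1)),
                                 int(_MB.match(cleanable).group(1)), fs))
    return rows


def cleanable_by_filesystem(profiles):
    """Total cleanable MB per file system, e.g. how much /var can recover."""
    totals = {}
    for p in profiles:
        totals[p.filesystem] = totals.get(p.filesystem, 0) + p.cleanable_mb
    return totals


def parse_profile_ages(text):
    """Return [(days, mb)] from a per-profile age table; days is None for 'All'.
    Sizes are cumulative: the 90-day row includes everything older than 180 days."""
    ages = []
    for line in text.splitlines():
        cells = _cells(line)
        if len(cells) != 2 or cells[0] == "Older than" or cells[0].startswith("="):
            continue
        m = re.match(r"(\d+)\s+days?$", cells[0])
        ages.append((int(m.group(1)) if m else None,
                     int(_MB.match(cells[1]).group(1))))
    return ages


def oldest_threshold_freeing(ages, needed_mb):
    """Largest older-than value (days) that frees at least needed_mb, so the
    most recent data is kept. Returns None when only 'all' is enough and
    raises ValueError when even 'all' cannot free needed_mb."""
    for days, mb in sorted((a for a in ages if a[0] is not None), reverse=True):
        if mb >= needed_mb:
            return days
    all_mb = max((mb for days, mb in ages if days is None), default=0)
    if all_mb >= needed_mb:
        return None
    raise ValueError(f"profile can free at most {all_mb} MB, {needed_mb} MB needed")


def cleanup_command(profile, threshold_days):
    """The CLI command for the chosen threshold (None means 'all')."""
    scope = "all" if threshold_days is None else f"older-than {threshold_days}"
    return f"system cleanup profile {profile} {scope}"


if __name__ == "__main__":
    profiles = parse_summary(SUMMARY_OUTPUT)
    print(cleanable_by_filesystem(profiles))
    days = oldest_threshold_freeing(parse_profile_ages(LOGS_PROFILE_OUTPUT), 200)
    print(cleanup_command("logs", days))
```

With the sample tables, freeing 200 MB from the logs profile resolves to older-than 90 (the 180-day row frees only 25 MB), and /data can recover 6452 MB, almost all of it from fedb-backups. The command the helper returns is still run by hand and still prompts for confirmation unless force is given, which is the right place for a human check before data is removed.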
For example, the following shows the disk space use for the logs profile:
   hostname (config) # show system cleanup profile logs
   Older than | Size
   ===========|=============
   365 days   | 0 MB
   180 days   | 25 MB
   90 days    | 212 MB
   30 days    | 342 MB
   7 days     | 382 MB
   1 day      | 405 MB
   All        | 411 MB

Deleting Data to Free Disk Space Using the CLI

After you have analyzed the disk space use, you can delete data to free the disk space you need.

To delete data to free disk space:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Delete data:
   hostname (config) # system cleanup profile {backups | fedb-backups | logs | malicious-artifacts | nonmalicious-artifacts | reports | snapshots | sysdumps | tcpdumps} {all | older-than <no. of days>} [force]
   where:
   - all deletes all data that can be deleted for this profile
   - older-than <no. of days> deletes data that is older than the specified number of days
   - force deletes the data as requested without prompting for confirmation
   If you do not use the force option, the command prompts for confirmation.

For example, the following deletes data that matches the logs profile. It deletes only data that can be deleted and that is older than 180 days.
   hostname (config) # system cleanup profile logs older-than 180
   This will remove cleanable files older than 180 days for the profile 'logs'.
   Do you want to continue? [y/n]: y
   25 MB of disk space freed.

CHAPTER 21: Boot Manager Utilities

The Tools menu provides access to the boot manager utilities. In the console, the Tools menu is sometimes called Boot Menu.

Reset admin Password

Resets the factory default "admin" password. This password, which is typically "admin," is the password used to log into the physical or serial console.
For security, the "admin" user cannot use this password to remotely log into the Web UI or CLI of the appliance, so the password must be changed in the console during the initial configuration of the appliance. This option is suitable if the configured "admin" password for remote access is lost or forgotten. The "admin" user can log into the physical or serial console using the default password, and then change it so the password can be used for remote access as well.

Wipe Appliance Media

Wipes the appliance media. The appliance will not be usable afterward. This option is suitable if you intend to use an RMA to replace the appliance and have already saved customer data using the database backup feature. For more information, see Wiping Persistent Media on page 358.

Manufacture Appliance

Manufactures the appliance to factory settings, including its original manufacturing parameters (such as hostname and DTI credentials). This option is suitable if you need to do a more complete factory reset than is possible with the reset factory CLI commands. After you manufacture using this utility, only the original system image version and manufacture timestamps are preserved in the system log.

Wipe Appliance Media and Manufacture Appliance

Wipes the appliance media and manufactures the appliance to factory settings. This option is suitable if you are returning the appliance to FireEye at the end of an evaluation so it can be used for another evaluation. For more information, see Wiping Persistent Media on page 358.

Return to Image Boot Menu

Returns to the image boot menu, where you can boot an installed image from a particular boot location. This option is suitable if you install a new system image version but decide to use a previous version instead, or if you accidentally booted from the wrong boot location.
IMPORTANT: After you select this option, pay close attention to the console so you do not miss a series of five periods (.) displayed one second apart. Before the console moves past the fifth period, press any key twice to return to the boot menu.

Working with the Tools Menu

The following topics describe how to access and use the Tools menu.
- System Requirements below
- Setting the Tools Menu Password on page 352
- Accessing the Tools Menu on page 354
- Disabling the Tools Menu on page 356
- Viewing Tools Menu Availability on page 357

System Requirements

Make sure the following requirements are met.
- Model numbers and system image versions:
  - Malware Analysis Version 8.0.0 or later is running on one of the following appliance models: AX 5500, AX 5550.
  - Central Management Version 8.1.0 or later is running on one of the following appliance models: CM 4500, CM 7500, CM 9500.
  - Email Security — Server Edition Version 8.0.0 or later is running on one of the following appliance models: EX 3500, EX 5500, EX 8500.
  - File Security Version 8.0.0 or later is running on the FX 6500 model.
  - Endpoint Security 4.0.0 is running on one of the following appliance models: HX 4000, HX 4400, HX 4402.
  - Network Security Version 8.0.0 or later is running on one of the following appliance models: NX 1500, NX 2500, NX 2550, NX 3500, NX 4500, NX 5500, NX 7500, NX 10450, NX 10550.
  - VX Series Version 8.0.0 or later is running on one of the following appliance models: VX 5500, VX 12500.
- You have access to the physical or serial console (see Accessing the Physical or Serial Console on page 69).
- The minimum system image version cited above is installed on both boot partitions on the appliance. If the appliance was not originally manufactured with that system image version, you must perform the Upgrade Steps below to meet this requirement.
- You obtained the appliance-specific preset Tools menu password from FireEye Technical Support, or you configured another password as described in Setting the Tools Menu Password on the next page.

Limitations
- The Manufacture Appliance and Wipe Appliance Media and Manufacture Appliance options require that the appliance was originally manufactured with a system image that supports the Tools menu.
- All logging goes to the serial console. If you use the physical console to access the Tools menu, you will be unable to monitor the progress on the VGA monitor.

Upgrade Steps

The minimum system image version must be installed on both boot partitions before you can access the Tools menu. Perform the steps in this section if you are upgrading from an earlier version.

NOTE: These steps are not required if your appliance was originally manufactured with the minimum system image version. The minimum versions are listed in System Requirements on the previous page.

To enable the Tools menu if you are upgrading from an earlier release:
1. Fetch and install a supported system image:
   hostname (config) # fenet image check
   hostname (config) # show fenet image status
   hostname (config) # fenet image fetch
   hostname (config) # show fenet image status
   hostname (config) # image install <image>
   This installs the system image in one of the boot partitions.
2. Verify the boot partition for the new system image:
   hostname (config) # show images
   For example, on a Network Security appliance:
   hostname (config) # show images
   Installed images:
   Partition 1: wmps wMPS (wMPS) 8.0.0 ...
   Partition 2: wmps wMPS (wMPS) 7.9.4 ...
   Last boot partition: 2
   Next boot partition: 2
3. If necessary, change the Next boot partition so the appliance boots from the partition with the new system image when it reloads:
   hostname (config) # image boot next
   hostname (config) # write memory
4.
   Reload the appliance:
   hostname (config) # reload
5. Install the new system image again to put it on the other boot partition:
   hostname (config) # image install <image>
6. Change the next boot partition:
   hostname (config) # image boot next
   hostname (config) # write memory
7. Reload the appliance:
   hostname (config) # reload

If you do not want to use the default Tools menu password, you can now configure one as described in Setting the Tools Menu Password below. Users who know the password can access the Tools menu on any subsequent appliance reload, as described in Accessing the Tools Menu on page 354.

Setting the Tools Menu Password

The Tools menu requires a password. There are two options:
- Default Password. A unique password that is derived from the appliance ID is preset on the appliance and must be obtained from FireEye Technical Support.
- Configured Password. You can instead set another password in plain text or as a hashed string. A plain-text password is hashed before it is stored.

Prerequisites
- Admin access

Setting the Tools Menu Password in Plain Text Using the CLI

Use the commands in this section to set the Tools menu password in plain text.

To set a plain-text password:
1. Log into the appliance CLI.
2. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
3. Set the password:
   hostname (config) # boot bootmgr tools password <password>
4. Save your change:
   hostname (config) # write memory

NOTE: Alternatively, you can use the boot bootmgr tools password 0 <password> command to set the password in plain text, or use the boot bootmgr tools password command and enter the plain-text password at the prompt.

Example

The following example sets "fyd4k8q2" as the password for the Tools menu.
   hostname (config) # boot bootmgr tools password fyd4k8q2

Setting the Tools Menu Password with Encryption Using the CLI

Use the commands in this section to set the Tools menu password as a hashed string.

To set an encrypted password:
1. Log into the appliance CLI.
2. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
3. Set the password:
   hostname (config) # boot bootmgr tools password 7 <password>
4. Save your change:
   hostname (config) # write memory

Example

The following example sets an encrypted password for the Tools menu.
   hostname (config) # boot bootmgr tools password 7 $6$xuQN2G3r$ufK5k8dUDdpp0hPETrtjBIDZ3f3PhCxGYagp2k0gvgv/YrD88GNIkUsaKRVDMsPAyQlcGuzhRXaBpCCVPeQd1

Restoring the Default Tools Menu Password Using the CLI

Use the commands in this section to restore the default Tools menu password. You must obtain this password from FireEye Technical Support.

To restore the default Tools menu password:
1. Log into the appliance CLI.
2. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
3. Restore the password:
   hostname (config) # no boot bootmgr tools password
4. Save your change:
   hostname (config) # write memory

Accessing the Tools Menu

Use the procedure in this section to access the Tools menu.

To access the Tools menu:
1. Connect to the physical or serial console as described in Accessing the Physical or Serial Console on page 69.
   NOTE: If you use the physical console to access the Tools menu, you will be unable to monitor the progress on the VGA monitor.
2. Log into the console using admin credentials.
3. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
4. Reload the appliance:
   hostname (config) # reload
5. Pay close attention to the console as it reloads so you do not miss the boot: prompt.
6.
   When you see the boot: prompt, press Enter.
7. Pay close attention to the console so you do not miss a series of five periods (.) displayed one second apart.
8. Before the console moves past the fifth period, press any key twice. An image boot menu such as the following (from a Network Security appliance) is displayed.
   Boot Menu
   ---------------------------------------------------------------
   0: wmps wMPS (wMPS) 8.0.0...
   1: wmps wMPS (wMPS) 8.0.0...
   2: Tools Menu
   ---------------------------------------------------------------
9. Press the down arrow on your keyboard to select the 2: Tools Menu option.
10. Press Enter.
11. When prompted, enter the Tools menu password provided by your administrator.
12. The Tools menu (labeled "Boot Menu") is displayed.
   Boot Menu
   ---------------------------------------------------------------
   0: Reset admin Password
   1: Wipe Appliance Media
   2: Manufacture Appliance
   3: Wipe Appliance Media and Manufacture Appliance
   4: Return to Image Boot Menu
   ---------------------------------------------------------------
13. Select an option (described in Boot Manager Utilities on page 349).
   NOTE: If you select option 4, pay attention to the console so you do not miss a series of five periods displayed one second apart, and then press any key twice to access the image boot menu.

Example

The following example from a Network Security appliance accesses the Tools menu.
   nx-03 (config) # reload
   Configuration changed: save changes?
   Configuration changes saved.
   Rebooting...
   ...
   boot:
   Booting from local disk...
   PXE-MOF: Exiting Intel Boot Agent.
   Booting default image in 3 seconds.
   ...
   This terminal is not active or input for output while booting.
   Booting default image in 1 seconds.
   Boot Menu
   ---------------------------------------------------------------
   0: wmps wMPS (wMPS) 8.0.0...
   1: wmps wMPS (wMPS) 8.0.0...
   2: Tools Menu
   ---------------------------------------------------------------
   Use the ^ and v keys to select which entry is highlighted.
   Press enter to boot the selected image or 'p' to enter a password to unlock the next set of features.
   Highlighted entry is 2:
   Booting: 'Tools Menu'
   Password: ********
   .......
   Boot Menu
   ---------------------------------------------------------------
   0: Reset admin Password
   1: Wipe Appliance Media
   2: Manufacture Appliance
   3: Wipe Appliance Media and Manufacture Appliance
   4: Return to Image Boot Menu
   ---------------------------------------------------------------
   Use the ^ and v keys to select which entry is highlighted.
   Press enter to boot the selected image or 'p' to enter a password to unlock the next set of features.
   Highlighted entry is 0:

NOTE: The 'p' option cited in the console instructions is not available.

Disabling the Tools Menu

To prevent users from accessing the Tools menu, disable the Tools menu password.

Prerequisites
- Admin access

Disabling the Tools Menu Using the CLI

Use the commands in this section to disable the Tools menu password, which prevents users from accessing the Tools menu.

To disable the Tools menu:
1. Log into the appliance CLI.
2. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
3. Disable the password:
   hostname (config) # boot bootmgr tools disable password
4. Save your change:
   hostname (config) # write memory

Viewing Tools Menu Availability

You can view whether the Tools menu is available on the appliance.

Prerequisites
- Monitor, Operator, or Admin access

Viewing Tools Menu Availability Using the CLI

Use either of the following commands to view whether users can access the Tools menu.
- show bootvar
- show images

If a Tools menu password is set (either the default password or a configured password), users can access the Tools menu. If the Tools menu password is disabled, users cannot access the Tools menu.
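Because the Tools menu lets anyone with console access and the password reset the admin password, wipe the media or re-manufacture the appliance, a hardening review normally wants to know, for every appliance, whether that menu is still reachable and whether both boot partitions carry the minimum image version it requires. The following is an added example, not FireEye code: it reads show bootvar or show images output of the kind shown in the Examples that follow, reports the Tools menu password state, and compares each partition's image version against a minimum you supply. The two outputs are constructed to match the examples in this section; the hostnames and the minimum version default are assumptions for illustration.

```python
"""Audit boot-manager Tools menu exposure from 'show bootvar' / 'show images'.

Added example; not FireEye code. The two outputs below are constructed to
match the examples in this chapter. Nothing here connects to an appliance:
feed it the text captured from the CLI of each appliance you review.
"""
import re

# Constructed sample: 'show bootvar' with the Tools menu password set.
BOOTVAR_TOOLS_ENABLED = """\
Installed images:
Partition 1: wmps wMPS (wMPS) 7.4.0 xxx
Partition 2: wmps wMPS (wMPS) 8.0.0 xxx
Last boot partition: 1
Next boot partition: 1
Boot manager admin password: undisclosed password set
Boot manager tools menu password: undisclosed password set
"""

# Constructed sample: 'show images' with the Tools menu password disabled.
IMAGES_TOOLS_DISABLED = """\
Installed images:
Partition 1: wmps wMPS (wMPS) 7.4.0 ...
Partition 2: wmps wMPS (wMPS) 8.0.0 ...
No image files are available to be installed.
No image install currently in progress.
Boot manager admin password: undisclosed password set
Boot manager tools menu password: password disabled
"""

_TOOLS_LINE = re.compile(r"^Boot manager tools menu password:\s*(.*?)\s*$", re.M)
_PARTITION = re.compile(r"^Partition (\d+):(.*)$")
_VERSION = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def tools_menu_enabled(output):
    """True if a Tools menu password is set (default or configured), False if disabled."""
    m = _TOOLS_LINE.search(output)
    if not m:
        raise ValueError("no 'Boot manager tools menu password' line in output")
    state = m.group(1)
    if state == "password disabled":
        return False
    if state.endswith("password set"):
        return True
    raise ValueError(f"unrecognised Tools menu password state: {state!r}")


def installed_versions(output):
    """Map boot partition number -> image version string, e.g. {1: '7.4.0', 2: '8.0.0'}.
    Accepts the version on the 'Partition N:' line or on the line after it."""
    versions = {}
    lines = output.splitlines()
    for i, line in enumerate(lines):
        pm = _PARTITION.match(line.strip())
        if not pm:
            continue
        rest = pm.group(2).strip() or (lines[i + 1] if i + 1 < len(lines) else "")
        vm = _VERSION.search(rest)
        if vm:
            versions[int(pm.group(1))] = ".".join(vm.groups())
    return versions


def _vtuple(version):
    return tuple(int(x) for x in version.split("."))


def audit(hostname, output, minimum_version="8.0.0"):
    """Findings for one appliance: a reachable Tools menu, and any boot partition
    whose image is below minimum_version (8.0.0 for NX, 8.1.0 for CM per the
    System Requirements). An empty list means neither condition was found."""
    findings = []
    if tools_menu_enabled(output):
        findings.append(f"{hostname}: Tools menu reachable from console (password set)")
    for part, ver in sorted(installed_versions(output).items()):
        if _vtuple(ver) < _vtuple(minimum_version):
            findings.append(f"{hostname}: partition {part} runs {ver}, below {minimum_version}")
    return findings


if __name__ == "__main__":
    for host, out in (("nx-05", BOOTVAR_TOOLS_ENABLED), ("nx-01", IMAGES_TOOLS_DISABLED)):
        print(host, audit(host, out) or ["ok"])
```

On the two sample outputs, nx-05 is flagged both for a reachable Tools menu and for partition 1 running 7.4.0, while nx-01 is flagged only for the old partition. Whether a reachable Tools menu is a finding at all depends on your console access controls; the page's own mitigation for it is boot bootmgr tools disable password, with show bootvar as the verification.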
Examples

The following example from a Network Security appliance shows that the Tools menu password is set, so users can access the Tools menu.
   nx-05 > show bootvar
   Installed images:
   Partition 1: wmps wMPS (wMPS) 7.4.0 xxx
   Partition 2: wmps wMPS (wMPS) 8.0.0 xxx
   Last boot partition: 1
   Next boot partition: 1
   Boot manager admin password: undisclosed password set
   Boot manager tools menu password: undisclosed password set
   ...

The following example shows that the Tools menu password is disabled, so users cannot access the Tools menu.
   nx-01 > show images
   Installed images:
   Partition 1: wmps wMPS (wMPS) 7.4.0 ...
   Partition 2: wmps wMPS (wMPS) 8.0.0 ...
   No image files are available to be installed.
   No image install currently in progress.
   Boot manager admin password: undisclosed password set
   Boot manager tools menu password: password disabled

Wiping Persistent Media

You can securely erase (wipe) proprietary and confidential data from the persistent media on an appliance before you return it to FireEye at the end of an evaluation, or when you need to use a Return of Materials Authorization (RMA) to replace the appliance. The secure erase operation overwrites every addressable byte of the media device at least once, and then verifies that the operation succeeded.

You use the Tools (also known as Boot) menu in the boot manager to perform these actions. The boot manager requires serial or physical console access and a password. You can either wipe the appliance media only, or wipe the appliance media and manufacture the appliance. These options are described in Boot Manager Utilities on page 349.

The media wipe operation can take from six to ten hours, depending on the disk size. The status of the current operation is displayed in the console and refreshed periodically so you can monitor the progress.
Prerequisites
- Make sure the requirements for the Tools menu are met. See System Requirements on page 350.

Wiping Persistent Media Using the Tools Menu

Use the procedure in this section to wipe the persistent media of the appliance.

To wipe persistent media:
1. Go to the Tools (displayed as Boot) menu as described in Accessing the Tools Menu on page 354.
   Boot Menu
   ---------------------------------------------------------------
   0: Reset admin Password
   1: Wipe Appliance Media
   2: Manufacture Appliance
   3: Wipe Appliance Media and Manufacture Appliance
   4: Return to Image Boot Menu
   ---------------------------------------------------------------
2. To only wipe the media, use the ^ and v keys to select 1: Wipe Appliance Media.
   CAUTION: This option will leave the appliance unusable.
3. To both wipe the media and then manufacture the appliance, select 3: Wipe Appliance Media and Manufacture Appliance.
4. Press Enter.

Example

The following example from a Network Security appliance accesses the Tools menu, and then wipes the appliance media and manufactures the appliance. For brevity, some console output is omitted.
   nx-03 (config) # reload
   Configuration changed: save changes?
   Configuration changes saved.
   Rebooting...
   ...
   boot:
   Booting from local disk...
   PXE-MOF: Exiting Intel Boot Agent.
   Booting default image in 3 seconds.
   ...
   This terminal is not active for input or output while booting.
   Booting default image in 1 seconds.
   Boot Menu
   ---------------------------------------------------------------
   0: wmps wMPS (wMPS) 8.0.0...
   1: wmps wMPS (wMPS) 7.9.4...
   2: Tools Menu
   ---------------------------------------------------------------
   Use the ^ and v keys to select which entry is highlighted.
   Press enter to boot the selected image or 'p' to enter a password to unlock the next set of features.
   Highlighted entry is 2:
   Booting: 'Tools Menu'
   Password: ********
   .......
   Boot Menu
   ---------------------------------------------------------------
   0: Reset admin Password
   1: Wipe Appliance Media
   2: Manufacture Appliance
   3: Wipe Appliance Media and Manufacture Appliance
   4: Return to Image Boot Menu
   ---------------------------------------------------------------
   Use the ^ and v keys to select which entry is highlighted.
   Press enter to boot the selected image or 'p' to enter a password to unlock the next set of features.
   Highlighted entry is 3:
   Booting: 'Wipe Appliance Media and Manufacture Appliance'
   ...
   Running /etc/init.d/rcS.d/S33diskwipe
   - Preparing to run diskwipe...
   *** WARNING: DO NOT POWER OFF! ***
   == Detecting disks to wipe ==
   Wiping system disks
   scrub: using NNSA NAP-14.1-C patterns
   scrub: please verify that device size below is correct!
   scrub: scrubbing /dev/sda 1919313510400 bytes (~1787GB)
   scrub: random |.......|
   ..................

NOTE: The 'p' option cited in the console instructions is not available.
PART IV: Appliances

- Adding and Removing Appliances on page 363
- Viewing and Modifying Managed Appliance Information on page 373
- Configuring Managed Appliances on page 383
- Using Appliance Groups and Command Profiles on page 405
- Monitoring Aggregated Alert Data on page 421
- Working with Reports for Managed Appliances on page 443
- Checking Status and Health of Managed Appliances on page 489
- Updating Managed Appliances on page 499
- Configuring Custom IOC Feeds on page 505
- Filtering Alerts Using Tags and Rules on page 525

CHAPTER 22: Adding and Removing Appliances

Appliances can be added to a Central Management network for management in two ways:
- A Central Management administrator can add an appliance directly from the Central Management appliance. This is a server-initiated connection. For details, see Adding an Appliance (Using the Central Management Appliance) below.
- An appliance administrator can send a request for management to the Central Management appliance, and a Central Management administrator can accept or reject the request. This is a client-initiated connection. For details, see Accepting a Management Request on page 366.

For information about removing a managed appliance, see Removing a Managed Appliance from the Central Management Network on page 371.

Adding an Appliance (Using the Central Management Appliance)

A Central Management administrator can add an appliance to the Central Management appliance.

IMPORTANT! See Adding an Appliance in a NAT Deployment (Using the Central Management Appliance) on page 584 for procedures to follow in a NAT deployment.
Prerequisites
- Admin access to the Central Management appliance
- Unique hostname for each appliance being added
- Remote user credentials. This is a managed appliance "admin" user that the Central Management appliance uses to log in to the appliance to establish the connection. See User Authentication on page 558 for details about configuring the remote user.

Adding an Appliance Using the Central Management Web UI

Use the Add New Sensor dialog box to add an appliance to the Central Management appliance. When you add an appliance, "password" is the initial authentication type, so a username and password must be provided for the remote user that logs in to the appliance to establish the connection. After the appliance is added, you can change the authentication type as described in Configuring User Authentication Using the Web UI on page 562.

IMPORTANT! You can use the Web UI to add appliances with publicly accessible IP addresses only. For information about adding appliances with publicly inaccessible IP addresses, see Adding an Appliance in a NAT Deployment (Using the Central Management Appliance) on page 584.

To add an appliance:
1. Click the Appliances tab. The Sensors tab should be selected.
2. Click Actions > Add Sensor. The Add New Sensor dialog box opens.
3. In the Sensor Name box, enter a unique name that identifies the appliance.
4. In the IP Address box, enter the appliance IP address.
5. In the Username and Password boxes, enter the credentials for the remote user. These are the credentials for an existing user on the appliance you are adding.
6. (Optional) In the Comments box, enter explanatory information about the appliance.
7.
   (Required for compliance mode; optional for non-compliance mode) Enter the appliance host key (beginning with the appliance IP address) in the Host Key box. For details, see Importing a Host Key into the Global Host-Keys Database Using the Web UI on page 568.
8. Click Add. The appliance is added to the list on the page, and it becomes a member of the system group for that appliance type. You can add the appliance to a different group or create a new group for the appliance as described in Grouping Appliances on page 405.

NOTE: See Viewing Managed Appliance Information Using the Web UI on page 375 for information about the status indicators and the actions you can take from this page.

Adding an Appliance Using the Central Management CLI

Use the commands in this section to add an appliance to the Central Management appliance.

NOTE: The procedure in this section includes the basic steps for adding an appliance. Additional options are available. See Configuring Secure Shell (SSH) Authentication on page 557 for information about public key and host authentication. See the CLI Command Reference for a full list of the cmc... commands and details about their parameters and usage.

To add an appliance:
1. Log in to the Central Management CLI.
2. Enable the CLI configuration mode:
   cm-hostname > enable
   cm-hostname # configure terminal
3. Specify the appliance IP address:
   cm-hostname (config) # cmc appliance <applianceID> address <IPaddress>
   where applianceID is the appliance record name and IPaddress is its IP address.
   IMPORTANT: Specify the IP address, not the hostname. Otherwise, if the hostname changes later, the connection will be broken and the appliance will need to be added again.
4. (Optional) Specify the appliance port:
   cm-hostname (config) # cmc appliance <applianceID> port <port>
   The port defaults to 22 if it is not specified.
5.
Configure authentication for the remote user (an existing user on the appliance you are adding):
   cm-hostname (config) # cmc appliance <applianceID> authtype <authtype>
   cm-hostname (config) # cmc appliance <applianceID> auth <authtype> username <username>
   cm-hostname (config) # cmc appliance <applianceID> auth <authtype> password <password> | identity <identity>
   where authtype can be password, ssh-dsa2, or ssh-rsa2. (See Configuring User Authentication Using the CLI on page 563 for details.)
6. (Optional) Add a comment describing the appliance:
   cm-hostname (config) # cmc appliance <applianceID> comment <comment>
7. (Required for compliance mode; optional for non-compliance mode) Configure the appliance host key (beginning with the appliance IP address). For details, see Importing a Host Key into the Global Host-Keys Database Using the CLI on page 570.
8. Save your changes:
   cm-hostname (config) # write memory

Example
   cm-hostname (config) # cmc appliance Acme-NX address 172.00.00.00
   cm-hostname (config) # cmc appliance Acme-NX authtype password
   cm-hostname (config) # cmc appliance Acme-NX auth password username admin3
   cm-hostname (config) # cmc appliance Acme-NX auth password password 12345abcde
   cm-hostname (config) # cmc appliance Acme-NX comment New York NX Series

Accepting a Management Request

A Central Management administrator can view a list of appliances that requested to be added for management, and accept or reject them. After a request is accepted, the appliance is added to the Central Management appliance.

Requirements for Establishing a Successful Connection

To accept a management request and successfully establish and maintain the connection, the following must be in place:
- The rendezvous process is enabled on the Central Management appliance (enabled by default). To verify and enable the process, see Preparing the Central Management to Accept a Management Request below.
- The appliance has a permanent hostname. If the hostname is changed, the connection will be broken and cannot be reset. If this happens, the appliance must be removed from the Central Management appliance and then added again using the new hostname.
- The Central Management appliance and the requesting appliance have the same service name. The rendezvous process has an identifier (known as the service name) that is set to "cmc" by default. The Central Management appliance and the requesting appliance must have the same service name; if you change the service name on one, you must change it on the other as well. The cmc rendezvous service-name <name> command changes the service name; the no cmc rendezvous service-name command restores the default value. For details, see the CLI Command Reference.
- The auto-connect feature must be enabled on the requesting appliance. To prevent future connection issues, do not enable the auto-connect feature from the Central Management appliance on behalf of a managed appliance that was added using a client-initiated connection. When this is set up correctly, the value of the Auto-connect field in the output of the show cmc client command on the managed appliance is yes, and the value of the Auto-connect field in the output of the show cmc appliance <appliance ID> command on the Central Management appliance is no.

See Accepting a Management Request in a NAT Deployment on page 586 for procedures to follow in a NAT deployment.

Prerequisites
- Admin access

Preparing the Central Management to Accept a Management Request

Use the commands in this section to prepare the Central Management appliance to accept or reject a request by an appliance to be added for management.

To prepare to accept a request to be managed:
1. Log in to the Central Management CLI.
2. Verify that the rendezvous process is enabled:
   cm-hostname > enable
   cm-hostname # show cmc rendezvous
3.
If Server rendezvous enabled: no is shown:
   a. Enable the rendezvous process:
      cm-hostname # configure terminal
      cm-hostname (config) # cmc rendezvous server enable
   b. Save your changes:
      cm-hostname (config) # write memory

Accepting a Management Request Using the Central Management Web UI

Use the Connection Requests dialog box to accept (or reject) a request to be managed.

NOTE: If any requests from appliances are waiting for approval, a message is displayed in the notification bell at the top right of the Central Management Web UI.

To accept a request to be managed from an appliance:
1. If the Central Management appliance has never accepted a request for management, ensure that it meets the requirements described in Preparing the Central Management to Accept a Management Request on the previous page.
2. Log in to the Central Management Web UI.
3. Do one of the following to open the Connection Requests dialog box:
   - Click the button in the Dashboard message.
   - Click the Appliances tab. The Sensors tab should be selected. Click Actions > Waiting Connection Requests.
   The IP address and hostname of the requesting appliance are displayed.
4. To approve the request and add the appliance:
   a. Select its checkbox and then click Accept.
   b. When prompted, confirm your action.
   The appliance is added to the list on the page, and it becomes a member of the system group for that appliance type. The appliance hostname becomes the display name shown in the Sensor column. You can add the appliance to a different group or create a new group for the appliance as described in Grouping Appliances on page 405.
5. To reject the request (for example, if you do not recognize the appliance):
   a. Select its checkbox and then click Reject.
   b. When prompted, confirm your action.
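Step 5 above leaves the decision of which requests to reject to the administrator's recognition of the appliance. The following is an added example, not FireEye code, that makes that decision against an expected inventory instead: it parses the text of show cmc rendezvous (the layout is modeled on this guide's CLI example), confirms the rendezvous server is enabled and carries the service name the clients use, and marks a waiting client for acceptance only when both its hostname and IP match an inventory record. SAMPLE_OUTPUT, EXPECTED_INVENTORY and all function names are constructed for the example.

```python
"""Triage pending rendezvous requests on a Central Management appliance.

Added example, not FireEye code. Parses the text of `show cmc rendezvous`
(layout modeled on this guide's example output) and decides, per waiting
client, whether to accept or reject it against an expected inventory.
"""
import re
from dataclasses import dataclass

# Constructed sample output, in the layout this guide shows for the command.
SAMPLE_OUTPUT = """\
CMC rendezvous service name: cmc
CMC server:
  Server rendezvous enabled: yes
  Auto-accept enabled: no
  Clients waiting approval:
    nx-02 (172.14.10.00)
    nx-04 (172.14.20.00)
"""

# Constructed inventory: hostname -> management IP of appliances expected to enroll.
EXPECTED_INVENTORY = {"nx-02": "172.14.10.00"}

# One waiting client per line: "<hostname> (<ip>)"
CLIENT_RE = re.compile(r"^\s*(?P<host>\S+)\s+\((?P<ip>[0-9.]+)\)\s*$")


@dataclass
class Decision:
    hostname: str
    ip: str
    action: str  # "accept" or "reject"
    reason: str


def parse_rendezvous(output):
    """Return (settings, clients): 'Key: value' pairs and waiting (host, ip) tuples."""
    settings, clients, in_clients = {}, [], False
    for line in output.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("Clients waiting approval"):
            in_clients = True
            continue
        match = CLIENT_RE.match(line) if in_clients else None
        if match:
            clients.append((match["host"], match["ip"]))
        elif ":" in stripped:
            key, _, value = stripped.partition(":")
            settings[key.strip()] = value.strip()
    return settings, clients


def check_server(settings, expected_service_name="cmc"):
    """Return the problems that would stop requests from being accepted at all."""
    problems = []
    if settings.get("Server rendezvous enabled") != "yes":
        problems.append("rendezvous server disabled: run 'cmc rendezvous server enable'")
    if settings.get("CMC rendezvous service name") != expected_service_name:
        problems.append(f"service name is not '{expected_service_name}'; clients using it will not appear")
    return problems


def triage(output, inventory, expected_service_name="cmc"):
    """Decide accept/reject for every waiting client; unknown hosts are rejected."""
    settings, clients = parse_rendezvous(output)
    problems = check_server(settings, expected_service_name)
    if problems:
        raise RuntimeError("; ".join(problems))
    decisions = []
    for host, ip in clients:
        expected_ip = inventory.get(host)
        if expected_ip is None:
            decisions.append(Decision(host, ip, "reject", "hostname not in inventory"))
        elif expected_ip != ip:
            decisions.append(Decision(host, ip, "reject", f"IP {ip} does not match inventory {expected_ip}"))
        else:
            decisions.append(Decision(host, ip, "accept", "hostname and IP match inventory"))
    return decisions


def to_commands(decisions):
    """Render the decisions as the config-mode CLI lines this guide documents."""
    commands = []
    for d in decisions:
        prefix = "" if d.action == "accept" else "no "
        commands.append(f"{prefix}cmc rendezvous server accept client {d.hostname}")
    commands.append("write memory")
    return commands


if __name__ == "__main__":
    decisions = triage(SAMPLE_OUTPUT, EXPECTED_INVENTORY)
    for d in decisions:
        print(f"{d.hostname:8} {d.ip:15} {d.action:6} {d.reason}")
    print("\n".join(to_commands(decisions)))
```

The output is a list of decisions with reasons plus the matching accept / no accept command lines to review before pasting them into configuration mode; the default for anything not in the inventory is reject, which mirrors step 5.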
NOTE: See Viewing Managed Appliance Information Using the Web UI on page 375 for information about the status indicators and the actions you can take from this page.

Accepting a Management Request Using the Central Management CLI

Use the commands in this section to accept or reject a request by an appliance to be added to the Central Management appliance for management.

To accept a request to be managed:
1. If the Central Management appliance has never accepted a request for management, ensure that it meets the requirements described in Preparing the Central Management to Accept a Management Request on page 367.
2. Log in to the Central Management CLI.
3. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
4. View the list of requests:
   cm-hostname (config) # show cmc rendezvous
5. Accept one or more requests.
   - To accept a specific appliance:
     cm-hostname (config) # cmc rendezvous server accept client <hostname>
     where <hostname> is the hostname of the requesting appliance.
   - To accept all appliances in the list:
     cm-hostname (config) # cmc rendezvous server accept all
6. Save your changes:
   hostname (config) # write memory

To reject a request to be managed:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. View the list of requests:
   cm-hostname (config) # show cmc rendezvous
3. Reject one or more requests:
   - To reject a specific appliance:
     cm-hostname (config) # no cmc rendezvous server accept client <hostname>
     where <hostname> is the hostname of the requesting appliance.
   - To reject all appliances in the list:
     cm-hostname (config) # no cmc rendezvous server accept all
4. Save your changes:
   hostname (config) # write memory

Example
In this example, the request from the nx-02 appliance is accepted and the request from the nx-04 appliance is rejected.
   hostname (config) # show cmc rendezvous
   CMC rendezvous service name: cmc
   CMC server:
     Server rendezvous enabled: yes
     Auto-accept enabled: no
     Clients waiting approval:
       nx-02 (172.14.10.00)
       nx-04 (172.14.20.00)
   ...
   hostname (config) # cmc rendezvous server accept client nx-02
   hostname (config) # no cmc rendezvous server accept client nx-04
   hostname (config) # write memory

Removing a Managed Appliance from the Central Management Network

When you remove a managed appliance from the Central Management network, all aggregated data (including alert information) associated with the appliance is also removed. When you subsequently add the appliance back, the data is restored, but all alerts generated by the appliance are assigned new IDs.

IMPORTANT! Because the alerts have new IDs when an appliance is added back to the Central Management appliance, Endpoint Security links for alerts will break if the alerts were generated by the appliance before it was removed from the Central Management appliance.

Prerequisites
- Admin access

Removing a Managed Appliance from the Central Management Network Using the Web UI

Use the Sensors page to remove an appliance from the Central Management network.

NOTE: The Un-Enroll And Delete link is used to remove a Network Security sensor from an MVX cluster and then remove it from the Central Management appliance. For details, refer to the MVX Smart Grid Administration Guide or the Cloud MVX Administration Guide.

To remove an appliance:
1. Click the Appliances tab. The Sensors tab should be selected.
2. Click Select > Delete in the row for the appliance you want to remove.
3. If the Network Security sensor is enrolled with the MVX cluster, click Un-Enroll And Delete in the row for the sensor you want to remove.
4.
When prompted, click OK to confirm your action.

NOTE: Removing an appliance can take a long time if the Central Management appliance is busy aggregating data.

Removing a Managed Appliance from the Central Management Network Using the CLI

Use the commands in this section to remove an appliance from the Central Management network.

To remove an appliance:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Remove the appliance:
   hostname (config) # no cmc appliance <applianceName>
3. Save your changes:
   hostname (config) # write memory

NOTE: Removing an appliance can take a long time if the Central Management appliance is busy aggregating data.

Example
This example removes the FX-03 appliance from management.
   hostname (config) # no cmc appliance FX-03

CHAPTER 23: Viewing and Modifying Managed Appliance Information

You can view information about managed appliances in the Central Management Web UI or CLI. You might need to modify information about a managed appliance. Reasons for doing so include:
- The password for the remote user changes due to password change policies. (This is the user that logs in to the appliance to establish the connection.)
- You need to change the remote user authentication type to SSH-DSA2 or SSH-RSA2.
- The appliance IP address changes.
- You need to provide the global host-key for a managed appliance because global host-key authentication is enforced.

The following table describes the managed appliance information.

Appliance Information
Sensor: The unique name that identifies the appliance.
Product: The appliance type (for example, AX, EX, FX, HX, NX, NX - IPS, Network Security [SmartVision Edition]).
IP: The IP address of the appliance's management interface.
Sensor ID: The unique sensor ID of the appliance.
Model Number: The model number of the appliance.
Cluster Enrollment: The MVX cluster with which the sensor is enrolled and the broker to which it is connected. For details about cluster enrollment, refer to the MVX Smart Grid Administration Guide or the Cloud MVX Administration Guide.
Connection: The status of the connection between the Central Management appliance and the managed appliance.
Public Key Used: The SSH-DSA2 or SSH-RSA2 key used to authenticate the remote user the Central Management appliance uses to log in to the appliance for management. This field is empty if password authentication is being used.
Health: The status of the appliance health.
Last Contact: The last time the Central Management appliance contacted the managed appliance to get its status and health check data.
Last Connected: The last time the Central Management appliance and the managed appliance connected to each other, either initially or after a broken connection was restored.
Last Broken: The last time the Central Management appliance and the managed appliance lost their connection.
Member Groups: The groups of which the appliance is a member, including the reserved system group.
EULA: Whether the terms of the FireEye End User License Agreement (EULA) were accepted when the appliance was first configured.
Version: The version of the appliance's software image.
Security Content Version: The version of the security content installed on the appliance.
Timestamp (UTC): The last time security content was generated for the appliance.
Guest Image Version: The guest image profiles installed on the appliance.
Enabled (CLI only): Whether the appliance can be managed by the Central Management appliance.
Version compatible: Whether the Central Management appliance supports this version of the appliance.
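Several of the fields in the table above (Connection, Enabled, Version compatible, and the status check) are also what show cmc appliances prints per appliance, and they are the ones an operator scans for when deciding which managed appliance needs attention. The following is an added example, not FireEye code, that parses that output into the fields and reports the conditions worth acting on: management disabled, connection down, failed status check, or a version this Central Management appliance does not support. It also records whether the connection was server- or client-initiated, since the guide restricts what can be changed for client-initiated appliances. SAMPLE_OUTPUT is constructed in the layout of the guide's own show cmc appliances example; the function names are the example's own.

```python
"""Flag managed appliances that need attention from `show cmc appliances` output.

Added example, not FireEye code. Parses the per-appliance blocks the command
prints into the fields described in the Appliance Information table and
reports the conditions an operator should act on.
"""
import re

# Constructed sample, modeled on this guide's `show cmc appliances` example.
SAMPLE_OUTPUT = """\
Appliance FX-03:
  Address:            172.16.109.163
  Enabled:            yes
  Connected:          yes (server-initiated)
  Status check OK:    no
  Version compatible: yes
Appliance HX-05:
  Address:            10.2.201.20
  Enabled:            yes
  Connected:          yes (server-initiated)
  Status check OK:    yes
  Version compatible: no
Appliance NX-04:
  Address:            172.16.74.50
  Enabled:            yes
  Connected:          yes (server-initiated)
  Status check OK:    yes
  Version compatible: yes
"""

APPLIANCE_RE = re.compile(r"^Appliance (\S+):$")
# "yes (server-initiated)", "yes (client-initiated)" or a bare "yes"/"no"
CONNECTED_RE = re.compile(r"^(yes|no)(?:\s+\((server|client)-initiated\))?$")


def parse_appliances(output):
    """Return {name: {field: value}} for each 'Appliance <name>:' block."""
    appliances, current = {}, None
    for line in output.splitlines():
        stripped = line.strip()
        header = APPLIANCE_RE.match(stripped)
        if header:
            current = appliances.setdefault(header.group(1), {})
        elif current is not None and ":" in stripped:
            key, _, value = stripped.partition(":")
            current[key.strip()] = value.strip()
    return appliances


def connection_state(value):
    """Split 'yes (server-initiated)' into (connected, initiator)."""
    match = CONNECTED_RE.match(value)
    if not match:
        raise ValueError(f"unexpected Connected value: {value!r}")
    return match.group(1) == "yes", match.group(2)


def findings(appliances):
    """Per appliance: the list of issues plus which side initiated the connection."""
    report = {}
    for name, fields in appliances.items():
        issues = []
        if fields.get("Enabled") != "yes":
            issues.append("management disabled")
        connected, initiator = connection_state(fields.get("Connected", "no"))
        if not connected:
            issues.append("not connected")
        if fields.get("Status check OK") != "yes":
            issues.append("status check failed")
        if fields.get("Version compatible") != "yes":
            issues.append("version not supported by this Central Management appliance")
        # The guide says client-initiated appliances cannot be edited from the
        # CM Web UI and must not have their hostname changed, so keep the initiator.
        report[name] = {"issues": issues, "initiated_by": initiator}
    return report


def needs_attention(report):
    """Names of appliances with at least one issue, sorted for stable output."""
    return sorted(name for name, entry in report.items() if entry["issues"])


if __name__ == "__main__":
    report = findings(parse_appliances(SAMPLE_OUTPUT))
    for name in needs_attention(report):
        initiator = report[name]["initiated_by"] or "unknown"
        print(f"{name}: {', '.join(report[name]['issues'])} ({initiator}-initiated)")
```

Run against the sample, FX-03 is flagged for the failed status check and HX-05 for the unsupported version, while NX-04 is clean; paste the real command output into the same functions to get the same triage for a live deployment.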
Prerequisites
- Monitor, Operator, or Admin access

Viewing Managed Appliance Information Using the Web UI

Use the Sensors page to view information about managed appliances. For information about tasks you can perform from this page, see:
- Configuring User Authentication Using the Web UI on page 562
- Importing a Host Key into the Global Host-Keys Database Using the Web UI on page 568
- Creating and Managing Groups Using the Web UI on page 406
- Adding Appliances to Groups Using the Web UI on page 410
- Modifying Managed Appliance Information Using the Web UI on page 379
- Checking Status and Health of Managed Appliances Using the Web UI on page 490
- Removing a Managed Appliance from the Central Management Network Using the Web UI on page 371

See Appliance Information on page 373 for a description of the fields on the page.

NOTE: The Create HA Pair link is used to create an NX Series high availability (HA) pair. For details, see the NX Series High Availability Guide.

To view appliance information:
1. Click the Appliances tab. The Sensors tab should be selected.
2. By default, appliances in all groups are displayed. To filter by appliance group, select a group in the Sensor Group list.
3. By default, ten appliances are displayed on each page. To show all appliances on one page, click Show All. To return to the paginated view, click paginate.
4. To view detailed information about an appliance, click the appliance name in the Sensor column.
5. To determine how the connection between the Central Management appliance and the managed appliance was initiated, rest your cursor over the icon in the Connection column. If the Central Management appliance initiated the connection, server-initiated is displayed.
If the appliance initiated the connection, client-initiated is displayed.

Viewing Managed Appliance Information Using the CLI

Use the commands in this section to view information about managed appliances.

NOTE: See Appliance Information on page 373 for a description of the command output.

To view appliance information:
1. Go to CLI enable mode:
   hostname > enable
2. View basic appliance information:
   hostname # show cmc appliances
3. View the groups to which the appliances belong:
   hostname # show cmc groups
4. View detailed information about a specific appliance:
   hostname # show cmc appliances <applianceName>

Example
This example shows basic information about the three appliances this Central Management appliance manages.
   hostname # show cmc appliances
   Appliance FX-03:
     Address:            172.16.109.163
     Enabled:            yes
     Connected:          yes (server-initiated)
     Status check OK:    no
     Version compatible: yes
   Appliance HX-05:
     Address:            10.2.201.20
     Enabled:            yes
     Connected:          yes (server-initiated)
     Status check OK:    yes
     Version compatible: no
   Appliance NX-04:
     Address:            172.16.74.50
     Enabled:            yes
     Connected:          yes (server-initiated)
     Status check OK:    yes
     Version compatible: yes

NOTE: For an example of the show cmc groups command output, see Adding Appliances to Groups Using the CLI on page 410. For an example of the show cmc appliances <applianceName> command output, see Checking Status and Health of Managed Appliances Using the CLI on page 492.

Modifying Managed Appliance Information Using the Web UI

Use the Edit Sensor page to modify information about a managed appliance.

To modify appliance information:
1. Click the Appliances tab. The Sensors tab should be selected.
2. Click Select > Edit in the row for the appliance you need to modify. The Edit Sensor dialog box opens.
3.
Edit the fields as needed and then click Update.
4. Verify that the updated information is displayed in the row for the appliance.

IMPORTANT! The Edit menu item is not available if the managed appliance initiated the connection to the Central Management appliance, as described in Accepting a Management Request on page 366 and the System Administration Guide or Administration Guide for the appliance.

Modifying Managed Appliance Information Using the CLI

Use the commands in this section to modify information about managed appliances.

CAUTION! Do not change an appliance's hostname if the appliance initiated the connection to the Central Management appliance.

NOTE: This section does not include all appliance modification commands. For a full list of commands, see the cmc appliance <applianceName> commands in the CLI Command Reference.

To modify appliance information:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. To change the appliance IP address:
   hostname (config) # cmc appliance <applianceName> address <ipAddress> | <hostname>
3. To rename the appliance:
   hostname (config) # cmc appliance <applianceName> rename <newName>
4. To add or modify a comment about the appliance:
   hostname (config) # cmc appliance <applianceName> comment "<comment>"
   where <comment> must be enclosed in double quotation marks.
5. To change the remote user:
   hostname (config) # cmc appliance <applianceName> auth password username <username>
6. To change the password:
   hostname (config) # cmc appliance <applianceName> auth password password <password>
7. Verify your changes:
   hostname (config) # show cmc appliance <applianceName>
8.
Save your changes:
   hostname (config) # write memory

NOTE: This procedure shows how to change the credentials for password authentication. For information about changing ssh-dsa2 and ssh-rsa2 authentication credentials, see Configuring User Authentication Using the CLI on page 563. To configure a host key for global host-key authentication, see Importing a Host Key into the Global Host-Keys Database Using the CLI on page 570.

Example
This example changes the NX-04 appliance name and comment.
   hostname (config) # cmc appliance NX-04 rename NX-07
   hostname (config) # cmc appliance NX-07 comment "NX Series appliance"

CHAPTER 24: Configuring Managed Appliances

When an appliance is under the management of the Central Management appliance, appliance configuration tasks can be performed from either the Central Management appliance or the managed appliances. However, FireEye recommends making configuration changes centrally from the Central Management appliance instead of from the managed appliances for the following reasons:
- It is more efficient because the tasks can be performed from a single interface—the Central Management Web UI or CLI.
- Changes you make on individual appliances could inadvertently override global settings for managed appliances. (By default, you cannot enter configuration mode in the CLI of a managed appliance until you confirm that you understand that this could happen.)

You can centrally configure settings for managed appliances using the Central Management Web UI (primarily under the Appliance Settings tab) or by using the cmc execute commands in the Central Management CLI.
Prerequisites
- Admin access to use the cmc execute commands
- Admin access to most Appliance Settings pages, such as User Accounts and Appliance Licenses. Admin or Operator access to some Appliance Settings pages, such as Network, Login Banner, and YARA Rules.

Configuring Managed Appliances Using the Web UI

Use the Appliance Settings pages to configure managed appliances. Only appliance setting options specific to the appliances currently being managed by the Central Management appliance are displayed on the sidebar under the Appliance Settings tab. For example, in the following illustration, the Inline Operational Modes tab is only displayed for managed Network Security appliances.

On the individual settings pages, only information specific to the appliances currently being managed is displayed. For example, only license notifications specific to those appliances are displayed in the Appliance Settings: Appliance Licenses page.

When a single appliance is selected on a common settings page, the Write to group control is displayed at the top of the page. If the control is set to On when you apply a change, the change is pushed to all appliances in the group selection. For example, in the following illustration, after you click Add User, Jim will be added to all appliances being managed by the Central Management appliance because All Groups is selected as the group. (If a specific group were selected, he would be added to all of the appliances in that group.)

NOTE: If a change is related to a new feature, the change will only be applied to those appliances running the minimum required version.

Configuring Network Settings for Managed Appliances Using the Web UI

Use the Appliance Settings: Network page to configure network settings on managed appliances.

To configure network settings:
1.
Click Settings and then select Appliance Settings.
2. Click Network in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
4. Configure settings as described in the System Administration Guide or Administration Guide for the managed appliance.

Setting the Appliance Date and Time Manually on Managed Appliances Using the Web UI

Use the Appliance Settings: Date and Time page to set the date and time manually on managed appliances.

To set the date and time:
1. Click Settings and then select Appliance Settings.
2. Click Date and Time in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
4. Configure settings as described in the System Administration Guide or Administration Guide for the managed appliance.

Managing Licenses for Managed Appliances Using the Web UI

Use the Appliance Settings: Appliance Licenses page to manage licenses on managed appliances.

To manage licenses:
1. Click Settings and then select Appliance Settings.
2. Click Appliance Licenses in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
4. Configure settings as described in the System Administration Guide or Administration Guide for the managed appliance.

Configuring NTP Servers for Managed Appliances Using the Web UI

Use the Appliance Settings: Date and Time page to configure NTP servers on managed appliances.

To configure NTP servers:
1. Click Settings and then select Appliance Settings.
2. Click Date and Time in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
4. Configure settings as described in the System Administration Guide or Administration Guide for the managed appliance.
Configuring System Email Settings for Managed Appliances Using the Web UI

Use the Appliance Settings: Email page to configure system email settings on managed appliances.

To configure system email settings:
1. Click Settings and then select Appliance Settings.
2. Click Email in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
4. Configure settings as described in the System Administration Guide or Administration Guide for the managed appliance.

Configuring DTI Network Settings for Managed Appliances Using the Web UI

Use the Appliance Settings: DTI Network page to configure DTI network settings on managed appliances.

To configure DTI network settings:
1. Click Settings and then select Appliance Settings.
2. Click DTI Network in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
4. Configure settings as described in the System Administration Guide or Administration Guide for the managed appliance.

Customizing Appliance Login Messages for Managed Appliances Using the Web UI

Use the Appliance Settings: Login Banner page to customize the messages users see when they log in to managed appliances.

To customize login messages:
1. Click Settings and then select Appliance Settings.
2. Click Login Banner in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
4. Configure settings as described in the System Administration Guide or Administration Guide for the managed appliance.

Configuring Guest Images for Managed Appliances Using the Web UI

NOTE: Guest images will not be available on a Network Security or File Security sensor or sensor-enabled Network Security integrated appliance.

Use the Appliance Settings: Guest Images page to view guest images on managed appliances.

To view guest images:
1.
Click Settings and then select Appliance Settings.
2. Click Guest Images in the sidebar.
3. (Optional) Use the controls at the top of the page to filter the results.
4. Configure settings as described in the User Guide for the managed appliance.

Uploading Certificates to Managed Appliances Using the Web UI

Use the Appliance Settings: Certificates/Keys page to upload certificates to managed appliances.

To upload certificates:
1. Click Settings and then select Appliance Settings.
2. Click Certificates/Keys in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
4. Configure settings as described in the System Security Guide.

Managing Users on Managed Appliances Using the Web UI

Use the Appliance Settings: User Accounts page to manage users on managed appliances.

To manage user accounts:
1. Click Settings and then select Appliance Settings.
2. Click User Accounts in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
4. Configure settings as described in the System Security Guide.

Configuring Event Notifications for Managed Appliances Using the Web UI

IMPORTANT! Do not configure notifications for managed appliances (and remove any existing notifications) if you are using centralized alert management as described in Centralized Notifications on page 421.

Use the Appliance Settings: Notifications page to configure event notifications on managed appliances.

To configure event notifications:
1. Click Settings and then select Appliance Settings.
2. Click Notifications in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
4. Configure settings as described in the User Guide for the managed appliance. For IPS-enabled Network Security appliances, configure settings as described in the IPS Feature Guide.
Configuring File Types for Managed Malware Analysis Appliances to Analyze Using the Web UI

Use the Appliance Settings: Malware File Assoc. page to configure the file types managed Malware Analysis appliances should analyze.

NOTE: You must explicitly enable the display of this page. To do so, use the cmc execute appliance <applianceID> command "guest-images fileassociation display on" command in the CLI configuration mode.

To configure file types for analysis:
1. Click Settings and then select Appliance Settings.
2. Click Malware File Association in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
4. Configure settings as described in the AX Series User Guide.

Generating Reports for Managed Appliances Using the Web UI

Use the Generate Report page to generate static reports for managed appliances.

To generate static reports:
1. In the Web UI, choose Reports > Static Reports.
2. Generate the static reports as described in the User Guide for the managed appliance. For information about generating a SmartVision alerts report, see the NX Series SmartVision Feature Guide.

For SmartVision appliances, generate the SmartVision Alert static report as described in the NX Series SmartVision Feature Guide. A SmartVision appliance can be any of the following:
- SmartVision Edition sensor
- SmartVision-enabled NX Series sensor
- SmartVision-enabled NX Series integrated appliance

You can generate a SmartVision Alerts report from the Web UI only. A SmartVision Alerts report cannot be customized.

For IPS-enabled Network Security appliances, generate the static reports as described in the IPS Feature Guide.

Scheduling Reports for Managed Appliances Using the Web UI

Use the Schedule Report page to schedule static or custom reports for managed appliances.
You can schedule custom reports that have been generated for managed Email Security — Server Edition, Network Security, and File Security appliances if you select the Make Schedulable checkbox in the Reports > Custom Reports page on the Central Management appliance.

To schedule static reports:
1. In the Web UI, choose Reports > Schedule Reports.
2. Schedule the static reports as described in the User Guide for the managed appliance. For IPS-enabled Network Security appliances, schedule the static reports as described in the IPS Feature Guide.

You can schedule a SmartVision Alerts report from the Web UI only. A SmartVision Alerts report cannot be customized.

To schedule custom reports:
1. In the Central Management appliance Web UI, choose Reports > Schedule Reports.
2. In the Report Type drop-down menu under "Custom Reports", select the custom report that has been generated for managed Email Security — Server Edition, Network Security, and File Security appliances.
3. In the Scheduled drop-down menu, set the time frequency:
   - hourly
   - daily
   - weekly
   - monthly
4. In the Time drop-down menu, set the time of day in hours and minutes (00:00).
5. If you selected a weekly report, specify the report day of the week in the WeekDay field.
6. If you selected a monthly report, specify the report day of the month in the MonthDay field.
7. In the Delivery drop-down menu, specify the delivery method. The default delivery is email.
   - email—Deliver the custom report as a file attached to email.
   - file—Deliver the custom report as a file linked from the Web UI.
8. In the Time Frame drop-down menu, select the time period for this custom report:
   - past day—Report covers analysis generated during the past 24 hours.
   - past week—Report covers analysis generated during the past 7 days.
   - past month—Report covers analysis generated during the past 1 month.
- past 3 months—Analysis generated during the past 3 months.
9. Click Schedule Report. The scheduled report is added to the top of the scheduling list.

Enabling or Disabling Riskware Detection Custom Policy Rules for Managed Appliances Using the Web UI

When riskware detection is enabled on a managed Network Security or Email Security — Server Edition appliance, you can use the Appliance Settings > Riskware Policy page to enable or disable a particular policy rule. When at least one enabled policy rule matches a nonmalicious submission, the managed appliance can generate a riskware alert for it. For managed Email Security — Server Edition appliances, you can also choose to block a matching email from being delivered to the intended recipient. For more information about this feature, see the Network Security Guide or the Email Security — Server Edition User Guide.

To enable or disable riskware detection custom policy rules:
1. Click Settings and then select Appliance Settings.
2. Click Riskware Policy in the sidebar.
3. Configure settings as described in the Network Security Guide or the Email Security — Server Edition User Guide.

Configuring Inline Operational Modes for Managed NX Series Appliances Using the Web UI

Use the Appliance Settings: Interfaces - Operational Modes page to configure inline operational modes for managed NX Series appliances.

NOTE: SmartVision Edition sensors and SmartVision-enabled Network Security sensors and integrated appliances are not supported in inline deployments. These appliances must be deployed out-of-band using a TAP device. For more information, see "SmartVision Appliance Placement and Operational Mode" in the Network Security SmartVision Feature Guide.

To configure operational modes:
1. Click Settings and then select Appliance Settings.
2. Click Inline Operational Modes in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
4. Configure settings as described in the NX Series User Guide.

Configuring Inline Policy Exceptions for Managed NX Series Appliances Using the Web UI

Use the Appliance Settings: Interfaces - User-specified Policy Exceptions page to configure policy exceptions that customize inline operations on managed Network Security appliances.

To configure policy exceptions:
1. Click Settings and then select Appliance Settings.
2. Click Inline Policy Exceptions in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
4. Configure settings as described in the NX Series User Guide.

Configuring Whitelists for Managed NX Series Appliances Using the Web UI

Use the Appliance Settings: Whitelists page to configure whitelists for inline operation on managed Network Security appliances.

To configure inline whitelists:
1. Click Settings and then select Appliance Settings.
2. Click Whitelists in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
4. Configure settings as described in the NX Series User Guide.

Defining Filters for Managed NX Series Appliances Using the Web UI

Use the Filters page to define filters for events on managed Network Security appliances.

To define filters:
1. Click Alerts and then select NX.
2. Click Filters.
3. Configure settings as described in the NX Series User Guide.

Uploading YARA Rules to Managed Appliances Using the Web UI

IMPORTANT! YARA rules are not supported on a Network Security or File Security sensor, or on a sensor-enabled Network Security integrated appliance.
Use the Appliance Settings: YARA Rules page to upload YARA rules for malware analysis to managed Network Security appliances running Release 7.7.0 or later, managed Email Security — Server Edition appliances running Release 7.9.0 or later, managed VX Series appliances, and managed File Security appliances running Release 8.0.0 or later.

To upload YARA rules:
1. Click Settings and then select Appliance Settings.
2. Click YARA Rules in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
IMPORTANT! If the scope includes appliances that are not running the minimum supported release, a message informs you that the changes were not applied to those appliances.
4. Configure and upload YARA rules as described in the Network Security User Guide, the Email Security — Server Edition User Guide, the VX Series Administration Guide, or the File Security User Guide.

Uploading Custom Rules to Managed NX Series Appliances Using the Web UI

Use the Appliance Settings: Custom Rules page to upload custom rules for malware analysis to managed Network Security appliances.

IMPORTANT! This page is displayed only when the custom rules feature is enabled using the Network Security CLI. To enable the feature, enter the following command in CLI configuration mode on the Network Security appliance:
hostname (config) # fenet security-content custom rule enable

To upload custom rules:
1. Click Settings and then select Appliance Settings.
2. Click Custom Rules in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
IMPORTANT! If the scope includes appliances that are not running the minimum supported release, a message informs you that the changes were not applied to those appliances.
4. Upload custom rules as described in the NX Series User Guide.
Configuring Forensic Analysis Integration on Managed NX Series Appliances Using the Web UI

Use the Appliance Settings: Forensics page to integrate with packet analyzer applications that perform full packet capture and analysis for specific target and source IP addresses. Integrations with Solera Networks, RSA NetWitness, and PX Technology are supported.

This page is displayed only when the integrations are enabled using CLI commands on both the Network Security CLI and the Central Management CLI:
- Solera Networks—Use the forensic analysis enable command.
- RSA NetWitness—Use the netwitness analysis enable command.
- PX Technology—Use the npulse analysis enable command.

To configure forensic analysis integration:
1. Click Settings and then select Appliance Settings.
2. Click Forensics in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
4. Configure the integration as described in the NX Series User Guide.

Configuring IPS Settings for Managed NX Series Appliances Using the Web UI

Use the IPS page on managed IPS-enabled NX Series appliances to view IPS events, enable and disable IPS-related features, manage policies and monitoring interfaces, and define custom IPS rules.

To configure IPS settings:
1. Click the IPS tab at the top of the page.
2. (Optional) Use the controls at the top of the page to define the scope of the changes.
3. Configure settings as described in the IPS Feature Guide.

Configuring SSL Interception for Managed NX Series Appliances Using the Web UI

Use the Appliance Settings: SSL Intercept page to configure SSL interception.

SSL/TLS provides secure communication between clients and servers, but the same encryption (HTTPS traffic) can hide malicious traffic and user activity.
Without SSL interception, the NX Series appliance cannot inspect encrypted traffic for indicators of malicious activity. The SSL interception feature allows the NX Series appliance to act as a proxy that intercepts and decrypts HTTPS traffic: the appliance uses certificates to establish a trusted third-party (man-in-the-middle, or MitM) connection between the client and the server. Because the appliance terminates the client's TLS session and presents its own certificate, clients must trust the signing certificate the appliance uses, or they will see certificate errors.

To configure SSL interception:
1. Click Settings and then select Appliance Settings.
2. Click SSL Intercept in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
4. Configure settings as described in the NX Series User Guide.

Allowing Increased Detection for Managed Appliances Using the Web UI

Use the Appliance Settings: Increased Detection page to select options for sending additional information to FireEye for analysis to increase detection rates. These options, which FireEye recommends, are disabled by default. The settings are applied globally to managed appliances running Release 7.8.0 or later. Because both options send metadata or files from your network to FireEye, confirm that this is consistent with your data-handling obligations before enabling them.

NOTE: See your FireEye sales representative for more information.

To allow increased detection:
1. Click Settings and then select Appliance Settings.
2. Click Increased Detection in the sidebar.
3. Select the Suspicious metadata checkbox to send metadata your appliance flags as "likely suspicious" to FireEye for analysis. This may result in more false positives, but it also increases detection rates for actual malware. If you do not select this option, only metadata flagged as "malicious" is sent to FireEye.
4. Select the Suspicious file checkbox to send files that your appliance flags as "likely malicious" to FireEye for analysis.
This may result in more false positives being sent to FireEye for analysis, but it also increases detection rates for actual malware.
5. Click Apply.

NOTE: Alternatively, you can click a link on the Central Management Dashboard to open a dialog box with the same options. After you select the options, the link is no longer displayed.

Enabling Advanced URL Defense on Managed CM Appliances Using the Web UI

Use the Appliance Settings: Advanced URL Defense page to globally enable or disable the Advanced URL Defense feature on all qualified managed Email Security — Server Edition appliances that are connected, or will be connected, to this Central Management appliance. This feature sends URLs found in emails to FireEye for analysis to increase detection rates. An Email Security — Server Edition appliance is qualified if it has a two-way sharing CONTENT_UPDATES license and is running Release 7.8.0 or later. (For more information about this feature, see the Email Security — Server Edition User Guide.)

IMPORTANT! This feature is disabled by default, even on Email Security — Server Edition appliances that had the feature enabled before upgrading to Release 7.8.0.

NOTE: If you enable or disable this feature on a standalone Email Security — Server Edition appliance and then add that appliance to the Central Management appliance, the global Central Management setting overrides the standalone setting.

To enable Advanced URL Defense:
1. Click Settings and then select Appliance Settings.
2. Click Advanced URL Defense in the sidebar.
3. Select the Enable Advanced URL Defense checkbox.
4. Click Apply to All.

NOTE: Alternatively, you can click a link on the Central Management Dashboard to navigate to this page. After you enable the feature, the link is no longer displayed.
Configuring Email MTA Settings for Managed CM Appliances Using the Web UI

Use the Appliance Settings: Email MTA page to configure an MTA (Mail Transfer Agent) so that email can pass through, and be analyzed by, managed Email Security — Server Edition appliances.

To configure email MTA settings:
1. Click Settings and then select Appliance Settings.
2. Click Email MTA in the sidebar.
3. (Optional) Use the section at the top of the page to define the scope of the changes.
4. Configure settings as described in the Email Security — Server Edition User Guide.

Configuring Email Policy Using the Web UI

Use the Appliance Settings: Email Policy page to configure analysis and post-analysis policies for managed Email Security — Server Edition appliances. To configure quarantine settings for the managing Central Management appliance, use the CM Settings: Email Quarantine Policy page.

To configure email policy:
1. Do one of the following:
- Click Settings and then select Appliance Settings.
- Click Settings and then select CM Settings.
2. Click Email Policy (for managed appliance settings) or Email Quarantine Policy (for CM settings) in the sidebar.
3. (Optional) Use the section at the top of the page to define the scope of the changes.
4. Configure settings as described in the Email Security — Server Edition User Guide.

Configuring Impersonation Rules Using the Web UI

Use the Appliance Settings: Impersonation page to configure impersonation rules on managed appliances.

To configure impersonation rules:
1. Click Settings and then select Appliance Settings.
2. Click Impersonation in the sidebar.
3. Click Add.
4. Specify all valid names and email addresses for an individual, separating multiple entries with commas.
5. Click Add.
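The following Python script is an added example, not FireEye code, and it does not describe how the Email Security — Server Edition appliance implements impersonation detection. It models the logic that a rule of "all valid names and email addresses for an individual" implies: a message is flagged only when its From display name belongs to a protected person and its From address is not one of that person's valid addresses. The rule text, the addresses, the From headers, and the normalization choices (case folding, whitespace collapsing, Unicode NFKC) are this example's own.

```python
"""Impersonation-rule matching for inbound mail (added example, not FireEye code)."""
import unicodedata
from email.utils import parseaddr
from typing import Dict, List, Optional, Set


def normalise_name(name: str) -> str:
    """Fold case, Unicode compatibility forms and whitespace so that
    'JANE  DOE', 'jane doe' and a full-width spelling compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())


def parse_rule(entries: str) -> Dict[str, Set[str]]:
    """Split the comma-separated rule text (as typed into the Web UI) into
    names and addresses. Anything containing '@' is treated as an address."""
    names: Set[str] = set()
    addresses: Set[str] = set()
    for entry in entries.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "@" in entry:
            addresses.add(entry.casefold())
        else:
            names.add(normalise_name(entry))
    return {"names": names, "addresses": addresses}


def check_sender(from_header: str,
                 rules: Dict[str, Dict[str, Set[str]]]) -> Optional[str]:
    """Return the id of the first rule the From header impersonates, else None.
    A protected name used with one of that person's own addresses is legitimate;
    a header with no display name has nothing to impersonate with."""
    display_name, address = parseaddr(from_header)
    name = normalise_name(display_name)
    address = address.casefold()
    if not name:
        return None
    for rule_id, rule in rules.items():
        if name in rule["names"] and address not in rule["addresses"]:
            return rule_id
    return None


# Constructed rules: one entry per protected individual, written as in the Web UI.
RULES = {
    "cfo": parse_rule("Jane Doe, Doe Jane, J. Doe, jane.doe@example.com, jdoe@example.com"),
    "ceo": parse_rule("Sam Roe, sam.roe@example.com"),
}

# Constructed From headers covering the cases a practitioner cares about.
SAMPLES = [
    "Jane Doe <jane.doe@example.com>",        # protected name, valid address: ok
    "Jane Doe <jane.doe@examp1e.com>",        # lookalike domain: cfo
    '"DOE   JANE" <payments@freemail.test>',  # reordered, odd case/spacing: cfo
    "Sam Roe <sam.roe@example.com>",          # protected name, valid address: ok
    "Pat Poe <pat@example.com>",              # not a protected person: ok
    "<jdoe@example.com>",                     # no display name: ok
]


def classify(samples: List[str]) -> List[Optional[str]]:
    """Verdict per sample header, None meaning no impersonation rule matched."""
    return [check_sender(header, RULES) for header in samples]


if __name__ == "__main__":
    for header, verdict in zip(SAMPLES, classify(SAMPLES)):
        print(f"{verdict or 'ok':4} {header}")
```

The point the rule text only hints at is visible in the output: a name match alone is never an alert, and an address on the person's valid list is never an alert; only the combination of a protected name with an outside address is. If your rules omit a legitimate secondary address (a personal domain the executive really uses), that address will be flagged, so the rule has to list every address the person sends from.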
Configuring Rules on an Allowed List for Managed CM Appliances Using the Web UI

Use the Appliance Settings: Allowed List page to configure rules on an allowed list, which lets you control which messages are allowed to bypass based on matching email entries.

IMPORTANT! FireEye recommends that you apply the same configuration changes on all managed appliances. If you edit a rule that is not common to all appliances and then apply the rule to the appliance group, the edited rule is applied to all appliances in that group, including those that did not have the rule.

To configure rules:
1. Click Settings and then select Appliance Settings.
2. Click Allowed List in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
4. Configure settings as described in the Email Security — Server Edition User Guide.

Configuring Rules on a Blocked List for Managed CM Appliances Using the Web UI

Use the Appliance Settings: Blocked List page to configure rules on a blocked list, which lets you control which messages must be treated as malicious based on matching email entries.

IMPORTANT! FireEye recommends that you apply the same configuration changes on all managed appliances. If you edit a rule that is not common to all appliances and then apply the rule to the appliance group, the edited rule is applied to all appliances in that group, including those that did not have the rule.

To configure rules:
1. Click Settings and then select Appliance Settings.
2. Click Blocked List in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
4. Configure settings as described in the Email Security — Server Edition User Guide.
Configuring Attachment Decryption Settings for Managed CM Appliances Using the Web UI

Use the Appliance Settings: Attachment decryption page to configure the list of password candidates, the list of keyword candidates, and the list of ignored-word candidates that the Email Security — Server Edition appliance can use to decrypt password-encrypted malware objects.

To configure attachment decryption settings:
1. Click Settings and then select Appliance Settings.
2. Click Attachment decryption in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
4. Configure settings as described in the Email Security — Server Edition User Guide.

Configuring Malware Analysis Settings for Managed AX Series Appliances Using the Web UI

Use the Appliance Settings: Malware Analysis page to configure malware analysis settings on managed Malware Analysis appliances.

To configure malware analysis settings:
1. Click Settings and then select Appliance Settings.
2. Click Malware Analysis in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
4. Configure settings as described in the AX Series User Guide.

Configuring Malware Repository Settings for Managed AX Series Appliances Using the Web UI

Use the Appliance Settings: Malware Repository page to configure the malware repository network share and the repository paths for guest images on managed Malware Analysis appliances.

To configure malware repository settings:
1. Click Settings and then select Appliance Settings.
2. Click Malware Repository in the sidebar.
3. (Optional) Use the controls at the top of the page to define the scope of the changes.
4. Configure settings as described in the AX Series User Guide.

Configuring and Managing Scans for Managed FX Series Appliances Using the Web UI

Use the CMS Scans page to configure and manage scans on managed FX Series appliances.

To configure and manage scans:
1. Click Alerts and then select FX.
2. Click Configured & Recent Scans.
3. (Optional) Use the controls at the top of the page to define the scope of the changes and filter the results.
4. Configure and manage scans as described in the FX Series User Guide.

Configuring and Managing Storage for Managed FX Series Appliances Using the Web UI

Use the CMS Storage page to configure and manage file shares on managed FX Series appliances.

To configure and manage storage:
1. Click Alerts and then select FX.
2. Click Storage.
3. (Optional) Use the appliance list to specify the scope of the changes and filter the results.
4. Configure and manage storage as described in the FX Series User Guide.

Configuring Managed Appliances Using the CLI

Use the commands in this section to configure managed appliances by executing individual commands on their behalf. The commands are executed once; they are not stored.

NOTE: For comprehensive information about the configuration commands, see the System Administration Guide, Administration Guide, or User Guide for your appliance.
NOTE: If you omit the command parameter from these commands, you are prompted for it, and the characters you enter are masked for confidentiality. Use this form when the command contains a password or other secret so that it is not echoed on screen.

NOTE: This topic describes how to execute a single command. You can also define a profile of commands that run in sequence unattended. See Working with Command Profiles.

To execute a command on an appliance:
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Execute the command:
hostname (config) # cmc execute appliance <applianceName> command "<command>"
where command must be enclosed in double quotation marks.
3. Save your changes:
hostname (config) # cmc execute appliance <applianceName> command "write memory"

To execute a command on a group of appliances:
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Execute the command:
hostname (config) # cmc execute group <groupName> command "<command>"
where command must be enclosed in double quotation marks.
3. Save your changes:
hostname (config) # cmc execute group <groupName> command "write memory"

IMPORTANT! You can cancel the execution of outstanding commands, as described in Canceling Outstanding Commands below.

Example
This example executes the aaa authentication password local no-userid and show aaa authentication password commands on behalf of the NX-04 appliance.
hostname (config) # cmc execute appliance NX-04 command "aaa authentication password local no-userid"
============ Appliance NX-04 ============
Execution was successful.
Execution output: (none)
hostname (config) # cmc execute appliance NX-04 command "show aaa authentication password"
============ Appliance NX-04 ============
Execution was successful.
Execution output:
Local password requirements:
  Minimum length: 5
  Maximum length: 32
  Maximum character repeats: no limit
  Minimum lower case characters: 0
  Minimum upper case characters: 0
  Minimum special characters: 0
  Minimum numeric characters: 0
  Recent passwords to check against:
  Allowed password to match userid: no
...

Canceling Outstanding Commands

Use the commands in this section to cancel commands that were issued but have not yet been executed.

NOTE: You can cancel both commands issued using the cmc execute command and commands in a profile.

To cancel all outstanding commands on an appliance:
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Cancel the commands:
hostname (config) # cmc cancel appliance <applianceName> all

To cancel all outstanding commands on a group of appliances:
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Cancel the commands:
hostname (config) # cmc cancel group <groupName> all

Example
This command cancels all outstanding commands on the EX-03 appliance.
hostname (config) # cmc cancel appliance EX-03 all

CHAPTER 25: Using Appliance Groups and Command Profiles

You can use appliance groups and command profiles to manage the appliances in your network more efficiently. For details, see:
- Grouping Appliances below
- Working with Command Profiles

Grouping Appliances

Appliance groups allow you to push configuration changes to multiple appliances at the same time, and to limit the displayed event data to specific appliances.

IMPORTANT! Each appliance type has a reserved system group; appliances cannot be removed from their respective system groups.
For example, all Network Security appliances are permanent members of the sysgroup.Web_MPS group, all Email Security — Server Edition appliances are permanent members of the sysgroup.Email_MPS group, all Malware Analysis appliances are permanent members of the sysgroup.MAS group, and so on. All managed appliances are members of the All group. You cannot add appliances to, or delete appliances from, reserved groups.

You can create custom groups and add or delete appliances in them as desired, and you can create as many custom groups as you need. A group can have any number of appliances, and an appliance can be a member of any number of groups.

Reasons for creating groups include:
- Dividing appliances of the same type into smaller groups. For example, you could group your Network Security appliances by region.
- Combining different appliance types into the same group. For example, you could put all of your Network Security appliances and Email Security — Server Edition appliances into the same group so you can push the same user accounts or password security policies to all of them.

Group Information

The settings for groups are shown in the following table.

Field          Description
Name           The group name.
Comment        An optional comment about the group.
Created (UTC)  The date and time the group was created.
Action         Links to edit or delete a group. These links are not provided for the reserved system groups.
Sensors        The number of appliances that are members of the group.
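Pushing the same password policy to a mixed group is the use case named above, and cmc execute group (see Configuring Managed Appliances Using the CLI) is how you verify it. The following Python script is an added example, not FireEye code: it parses the text the CM CLI prints for cmc execute group <groupName> command "show aaa authentication password", using the "============ Appliance NAME ============" / "Execution output:" layout shown in that section's example, and reports every appliance whose local password policy falls below a baseline you choose. The baseline, the EX-02 block in the sample output, and the assumption that a group execution prints one such block per appliance are this example's own; the NX-04 values are the ones shown on this page.

```python
"""Audit the local password policy of managed appliances (added example, not FireEye code).

Parses the text the CM CLI prints for cmc execute ... command "show aaa authentication password"
(the "============ Appliance NAME ============" / "Execution output:" layout of the cmc execute
example in this chapter; one such block per appliance is assumed for a group run) and reports
where a policy falls below BASELINE. BASELINE and SAMPLE_OUTPUT are constructed for this
example; the NX-04 values are the ones shown on this page.
"""
import re
from typing import Dict, List, Tuple, Union

Value = Union[int, bool, str, None]
# ("min", n): value must be >= n; ("max", n): <= n; ("eq", v): == v.
# "no limit" or an empty value parses to None, which never satisfies a bound.
BASELINE: Dict[str, Tuple[str, Value]] = {
    "Minimum length": ("min", 12),
    "Maximum character repeats": ("max", 3),
    "Minimum lower case characters": ("min", 1),
    "Minimum upper case characters": ("min", 1),
    "Minimum special characters": ("min", 1),
    "Minimum numeric characters": ("min", 1),
    "Recent passwords to check against": ("min", 5),
    "Allowed password to match userid": ("eq", False),
}
BANNER = re.compile(r"^=+\s*Appliance\s+(\S+)\s*=+$")


def parse_value(raw: str) -> Value:
    """Type the right-hand side of a 'Key: value' line."""
    raw = raw.strip()
    if raw in ("", "no limit", "(none)"):
        return None
    if raw in ("yes", "no"):
        return raw == "yes"
    return int(raw) if raw.isdigit() else raw  # unknown text is kept so the audit flags it


def parse_execution_output(text: str) -> Dict[str, Dict[str, Value]]:
    """Map appliance name -> {field: value} from cmc execute output."""
    policies: Dict[str, Dict[str, Value]] = {}
    current, in_output = None, False
    for line in text.splitlines():
        line = line.strip()
        banner = BANNER.match(line)
        if banner:
            current, in_output = banner.group(1), False
            policies[current] = {}
        elif line.startswith("Execution output:"):
            in_output = True
        elif current and in_output and ":" in line:
            key, _, value = line.partition(":")
            policies[current][key.strip()] = parse_value(value)
    return policies


def audit(policies: Dict[str, Dict[str, Value]],
          baseline: Dict[str, Tuple[str, Value]] = BASELINE) -> List[Tuple[str, str, Value, str]]:
    """Return (appliance, field, actual, requirement) for every baseline miss."""
    findings: List[Tuple[str, str, Value, str]] = []
    for appliance in sorted(policies):
        policy = policies[appliance]
        for field, (kind, required) in baseline.items():
            actual = policy.get(field)  # field absent -> None -> finding
            if kind == "min":
                ok = type(actual) is int and actual >= required
            elif kind == "max":
                ok = type(actual) is int and actual <= required
            else:
                ok = actual == required
            if not ok:
                findings.append((appliance, field, actual, f"{kind} {required}"))
    return findings


# Constructed sample: NX-04 is the output shown on this page; EX-02 is hypothetical and compliant.
SAMPLE_OUTPUT = """\
============ Appliance NX-04 ============
Execution was successful.
Execution output:
Local password requirements:
  Minimum length: 5
  Maximum character repeats: no limit
  Minimum lower case characters: 0
  Minimum upper case characters: 0
  Minimum special characters: 0
  Minimum numeric characters: 0
  Recent passwords to check against:
  Allowed password to match userid: no
============ Appliance EX-02 ============
Execution was successful.
Execution output:
  Minimum length: 14
  Maximum character repeats: 2
  Minimum lower case characters: 1
  Minimum upper case characters: 1
  Minimum special characters: 1
  Minimum numeric characters: 1
  Recent passwords to check against: 8
  Allowed password to match userid: no
"""

if __name__ == "__main__":
    for appliance, field, actual, requirement in audit(parse_execution_output(SAMPLE_OUTPUT)):
        print(f"{appliance}: {field} is {actual!r}; baseline requires {requirement}")
```

The audit deliberately treats "no limit" and an empty "Recent passwords to check against" as failures rather than as unknowns, since an unset control is the weak setting. It only reports; the commands that change each setting are documented in the appliance's own guide and are not reproduced here.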
For more information, see:
- Creating and Managing Groups Using the Web UI below
- Creating and Managing Groups Using the CLI
- Adding Appliances to Groups Using the Web UI
- Adding Appliances to Groups Using the CLI
- Removing Appliances from Groups Using the Web UI
- Removing Appliances from Groups Using the CLI

Prerequisites: Operator or Admin access

Creating and Managing Groups Using the Web UI

Use the Create New Group dialog box to create groups, and the Groups dialog box to manage groups.

To add a new group:
1. Click the Appliances tab. The Sensors tab should be selected.
2. Click Actions > New Group.
3. Enter the name of the group and an optional comment.
4. Click Create Group. The Groups dialog box opens.
5. Verify that the new group was added.

To edit an existing group:
1. Click Show All Groups to open the Groups dialog box.
2. Locate the group in the list.
3. Click Select > Edit.
4. Edit the name and comment as needed.
5. Click Edit Group.

To delete a group:
1. Click Show All Groups to open the Groups dialog box.
2. Locate the group in the list.
3. Click Select > Delete.
4. When prompted, click OK to confirm that you want to delete the group.

Creating and Managing Groups Using the CLI

Use the commands in this section to create and manage appliance groups.

To add a new group:
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Add a new group:
hostname (config) # cmc group <groupName>
3. (Optional) Add a comment about the group:
hostname (config) # cmc group <groupName> comment "<comment>"
where comment must be enclosed in double quotation marks.
4. Verify your changes:
hostname (config) # show cmc groups
5. Save your changes:
hostname (config) # write memory

To rename a group:
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Rename the group:
hostname (config) # cmc group <groupName> rename <newGroupName>
3. Verify your change:
hostname (config) # show cmc groups <newGroupName>
4. Save your change:
hostname (config) # write memory

To delete a comment:
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Delete the comment:
hostname (config) # no cmc group <groupName> comment
3. Verify your change:
hostname (config) # show cmc groups <groupName>
4. Save your change:
hostname (config) # write memory

To delete a group:
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Delete the group:
hostname (config) # no cmc group <groupName>
3. Verify your change:
hostname (config) # show cmc groups
4. Save your change:
hostname (config) # write memory

Example
This example creates a "Milan" appliance group, deletes the "Sydney" group, renames the "Milan" group to "Venice," and adds a comment to the group.
hostname (config) # cmc group Milan
hostname (config) # show cmc groups
Group Milan
Comment:
No members.
Group Sydney
Comment:
Appliances: NX-01
Group sysgroup.Email_MPS
Comment: System Group: eMPS
Appliances: EX-02
. . .
hostname (config) # no cmc group Sydney
hostname (config) # show cmc groups Sydney
% Unknown group.
hostname (config) # cmc group Milan rename Venice
hostname (config) # cmc group Venice comment "Italian region appliances"
hostname (config) # show cmc groups Venice
Group Venice
Comment: Italian region appliances
No members.

Adding Appliances to Groups Using the Web UI

Use the Appliance/Sensor display to add appliances to groups.

Tip: Select the group in the Sensor Group list to see a full list of the appliances currently in a particular group.
To add an appliance to a custom group:
1. Click Appliances > Sensors.
2. Click Show All Groups. The Groups dialog box appears.
3. Click the Select button for the desired group.
4. Click Add/Remove Sensors. The Add/Remove Sensors dialog box appears.
5. Select the checkbox for the sensor to be added.
6. Click the Add/Remove Selected Sensors button to add the sensor.

Adding Appliances to Groups Using the CLI

Use the commands in this section to add appliances to groups.

To add an appliance to a group:
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Add an appliance to a group:
hostname (config) # cmc group <groupName> appliance <applianceName>
3. Verify that the appliance was added:
hostname (config) # show cmc groups <groupName>
4. Save your change:
hostname (config) # write memory

Example
This example adds the FX-06 appliance to the Acme group.
hostname (config) # cmc group Acme appliance FX-06
hostname (config) # show cmc groups Acme
Group Acme
Comment: Acme division appliances
Appliances: FX-06

Removing Appliances from Groups Using the Web UI

Use the Add/Remove Sensors from <Group> dialog box to remove appliances from groups.

Tip: Select the group in the Sensor Group list to see a full list of the appliances currently in the group.

To remove appliances from a group:
1. Click Appliances > Sensors.
2. Select the group in the Sensor Group drop-down list.
3. Click Select in the Action column for the sensor to be removed.
4. Click Delete. A confirmation prompt appears.
5. Click OK.
6. Repeat the Select > Delete > OK sequence for each sensor to be removed from the group.

Removing Appliances from Groups Using the CLI

Use the commands in this section to remove appliances from groups.

To remove an appliance from a group:
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Remove an appliance from a group:
hostname (config) # no cmc group <groupName> appliance <applianceName>
3. Verify that the appliance was removed:
hostname (config) # show cmc groups <groupName>
4. Save your change:
hostname (config) # write memory

Example
This example removes the EX-03 appliance from the London group, leaving AX-05 as its only member.
hostname (config) # no cmc group London appliance EX-03
hostname (config) # show cmc groups London
Group London
Comment: UK region appliances
Appliances: AX-05

Working with Command Profiles

A profile is a set of CLI commands that can be applied to an appliance or appliance group. Each command is assigned a sequence number. When the profile is applied, the commands are executed in the order defined by that sequence, starting with the command that has the smallest number.

The benefits of using profiles include:
- Automation—Multiple configuration settings can be applied at the same time with little user intervention.
- Reuse—A profile consisting of common configuration commands can be used on different appliances and appliance types.

You can use the following methods to add commands to profiles:
- Manually, where you define each command and its sequence number one at a time.
- Extracting commands from a running configuration. The show configuration running command displays commands that can be used to recreate the current running configuration. You can extract these commands from an appliance and put them into an empty profile. The commands are automatically executed in the correct order. Commands that configure local, appliance-specific settings (such as routing, licensing, and time zone settings) are omitted from the target profile.
IMPORTANT! Some commands in the running configuration may be incompatible with a different product type or appliance model.
  Review the commands to determine if they are compatible before you apply a profile using this method.

• Duplicating a profile.

There are two options you can use when applying a profile.

Profile Options

Option          Description
no-save         Prevents the configuration set by the commands in the profile from being saved to memory after the profile is applied. Otherwise, the write memory command is run in the background after the profile is applied.
fail-continue   Allows command execution to continue, even if one or more commands in the profile fail. Otherwise, none of the remaining commands in the profile are executed after a single command fails.

Prerequisites

• Admin access

Creating and Managing Profiles Using the CLI

Use the commands in this section to create and manage command profiles.

To create a profile:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Create the profile:
   hostname (config) # cmc profile <profileName>
3. (Optional) Add a comment about the profile:
   hostname (config) # cmc profile <profileName> comment "<comment>"
   where comment must be enclosed in double quotation marks.
4. Verify your change:
   hostname (config) # show cmc profiles
5. Save your changes:
   hostname (config) # write memory

To rename a profile:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Rename the profile:
   hostname (config) # cmc profile <profileName> rename <newProfileName>
3. Verify your change:
   hostname (config) # show cmc profiles <newProfileName>
4. Save your change:
   hostname (config) # write memory

To remove a comment:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Remove the comment:
   hostname (config) # no cmc profile <profileName> comment
3. Verify your change:
   hostname (config) # show cmc profiles <profileName>
4. Save your change:
   hostname (config) # write memory

To delete a profile:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Delete the profile:
   hostname (config) # no cmc profile <profileName>
3. Verify that the profile was deleted:
   hostname (config) # show cmc profiles
4. Save your change:
   hostname (config) # write memory

Example

This example creates an "acctmgt" profile with a comment and deletes the "PswdPolicy" profile.

hostname (config) # cmc profile acctmgt
hostname (config) # cmc profile acctmgt comment "Adds operator user account."
hostname (config) # no cmc profile PswdPolicy
hostname (config) # show cmc profiles
Profile acctmgt
Comment: Adds operator user account.
Commands: No commands.
...

Adding Commands to Profiles Using the CLI

Use the commands in this section to add commands to a profile.

To add individual commands to a profile:

1. Enable the CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Add a command and specify its sequence:
   hostname (config) # cmc profile <profileName> command <sequenceNumber> "<command>"
   where:
   • profileName is the name of an existing or new profile. (If the profile does not exist, it will be created.)
   • sequenceNumber is an integer that controls the order in which the commands within the profile will be executed. The command with the smallest sequence number is executed first.
   • command is the CLI command. It must be enclosed in double quotation marks.
3. Repeat the previous step for each command you want to include.
4. Verify your changes:
   hostname (config) # show cmc profiles <profileName>
5. Save your changes:
   hostname (config) # write memory

To extract commands from a running configuration and add them to a profile:

IMPORTANT! Some commands in the running configuration may be incompatible with a different product type or appliance model. Review the commands to determine if they are compatible before you apply a profile using this command.

1. Enable the CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Specify the empty profile and the appliance from which to extract the commands:
   hostname (config) # cmc profile <profileName> extract-from-appliance <applianceName>
   where profileName is the name of an empty profile, and applianceName is the name of the appliance from which the commands from the running configuration will be extracted.
3. Verify your change:
   hostname (config) # show cmc profiles <profileName>
4. Save your change:
   hostname (config) # write memory

To copy a profile:

1. Enable the CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Specify the names of the source profile and the target (new) profile:
   hostname (config) # cmc profile <sourceProfileName> copy <targetProfileName>
   where sourceProfileName is the original profile and targetProfileName is the new profile.
3. Verify your change:
   hostname (config) # show cmc profiles
4. Save your change:
   hostname (config) # write memory

Examples

Manually Adding Commands

This example populates the "acctmgt" profile with commands that will add an Operator3 user account to the appliances to which it is applied.

hostname (config) # cmc profile acctmgt command 1 "username Operator3 role operator"
hostname (config) # cmc profile acctmgt command 2 "username Operator3 password evtk*643U"
hostname (config) # show cmc profiles acctmgt
Profile acctmgt
Comment:
Commands:
1. username Operator3 role operator
2. username Operator3 password evtk*643U

Adding Commands Extracted from the Configuration of Another Appliance

This example extracts commands from the EX-03 appliance running configuration, populates the "general" profile with them, and applies them to the EX-05 appliance. The output indicates that the no fenet check-certificate command could not be executed.

hostname (config) # cmc profile general extract-from-appliance EX-03
hostname (config) # cmc profile general apply appliance EX-05
====================Appliance EX-05==========================
Execution was successful.
Execution output:
%Disabling certificate checking is not allowed.
Saving configuration file...Done!

Removing Commands from Profiles Using the CLI

Use the commands in this section to remove commands from a profile.

To remove a single command:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Remove the command:
   hostname (config) # no cmc profile <profileName> command <sequenceNumber>
   where sequenceNumber is the number assigned to the command.
3. Verify your changes:
   hostname (config) # show cmc profiles <profileName>
4. Save your changes:
   hostname (config) # write memory

To remove all commands:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Remove all commands:
   hostname (config) # no cmc profile <profileName> command
3. Verify your change:
   hostname (config) # show cmc profiles <profileName>
4. Save your change:
   hostname (config) # write memory

Applying Profiles Using the CLI

Use the commands in this section to apply profiles to a specific appliance or to an appliance group. For a description of the optional parameters, see Profile Options on page 413.

IMPORTANT! Unless you use the no-save parameter, the configuration changes set by the commands in the profile are written to memory.
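The sequence-number ordering, the extract-from-appliance filtering, and the fail-continue and no-save options described above are easy to get wrong when a profile is pushed to many appliances at once. The following Python model is an added example, not FireEye code, and it does not talk to a CM appliance: the Profile class, FakeAppliance, LOCAL_ONLY_PREFIXES (the guide names routing, licensing and time zone settings as omitted on extraction but does not publish the list, so those prefixes are an assumption), and the sample running configuration are all constructed here. The one behaviour not spelled out in the guide, whether write memory still runs after a run that stopped on a failure, is modelled as "not saved", following the failed-run example later in this chapter whose output shows no save line.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical filter for the "local, appliance-specific settings (such as routing,
# licensing, and time zone settings)" that the guide says extract-from-appliance
# omits. The real list is not published in the guide; these prefixes are an assumption.
LOCAL_ONLY_PREFIXES = ("ip route", "ip default-gateway", "license", "clock timezone")


@dataclass
class Profile:
    """A command profile: commands keyed by sequence number, executed smallest first."""
    name: str
    comment: str = ""
    commands: Dict[int, str] = field(default_factory=dict)

    def add(self, sequence: int, command: str) -> None:
        self.commands[sequence] = command

    def ordered(self) -> List[str]:
        return [self.commands[seq] for seq in sorted(self.commands)]


def extract_from_running_config(profile: Profile, running_config: List[str]) -> Profile:
    """Model of 'cmc profile <p> extract-from-appliance <a>': the target profile must be
    empty, local-only commands are skipped, and the rest are numbered in config order."""
    if profile.commands:
        raise ValueError(f"profile {profile.name!r} is not empty")
    kept = (c for c in running_config if not c.startswith(LOCAL_ONLY_PREFIXES))
    for seq, command in enumerate(kept, start=1):
        profile.add(seq, command)
    return profile


class FakeAppliance:
    """Constructed stand-in for a managed appliance. 'refusals' maps a command to the
    '%'-prefixed message the appliance answers with instead of executing it."""

    def __init__(self, name: str, refusals: Dict[str, str]):
        self.name = name
        self.refusals = refusals
        self.applied: List[str] = []
        self.saved = False

    def run(self, command: str) -> Tuple[bool, str]:
        if command in self.refusals:
            return False, "%" + self.refusals[command]
        self.applied.append(command)
        return True, ""

    def write_memory(self) -> None:
        self.saved = True


def apply_profile(profile: Profile, appliance: FakeAppliance,
                  fail_continue: bool = False, no_save: bool = False) -> List[Tuple[str, bool, str]]:
    """Run the profile's commands in sequence order; return (command, ok, message) for each
    command attempted. Without fail-continue, execution stops at the first failure. Without
    no-save, 'write memory' runs afterwards. Assumption: a run that stopped on a failure is
    not saved (the guide's failed-run example shows no 'Saving configuration file' line)."""
    results: List[Tuple[str, bool, str]] = []
    aborted = False
    for command in profile.ordered():
        ok, message = appliance.run(command)
        results.append((command, ok, message))
        if not ok and not fail_continue:
            aborted = True
            break
    if not no_save and not aborted:
        appliance.write_memory()
    return results


# Constructed sample running configuration. The account and certificate commands are the
# ones used in this chapter's examples; the route and time zone lines are illustrative only.
SAMPLE_RUNNING_CONFIG = [
    "username Operator3 role operator",
    "ip route 0.0.0.0/0 10.0.0.1",
    "clock timezone Asia Tokyo",
    "no fenet check-certificate",
    "username Operator3 password evtk*643U",
]

if __name__ == "__main__":
    general = extract_from_running_config(Profile("general"), SAMPLE_RUNNING_CONFIG)
    ex05 = FakeAppliance("EX-05", {"no fenet check-certificate":
                                   "Disabling certificate checking is not allowed."})
    for command, ok, message in apply_profile(general, ex05, fail_continue=True):
        print(f"{'ok ' if ok else 'ERR'} {command} {message}")
    print("saved:", ex05.saved)
```

The model makes the practical point visible: with the defaults, a refused command in the middle of a profile leaves the appliance half-configured and unsaved, while fail-continue pushes the remaining commands and then saves, so the output of every appliance in a group apply has to be read, not just the final status.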
IMPORTANT! You can cancel the execution of outstanding commands in a profile, as described in Canceling Outstanding Commands on page 403.

To apply a profile to a specific appliance:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Apply the profile:
   • To apply the profile normally:
     hostname (config) # cmc profile <profileName> apply appliance <applianceName>
   • To prevent the configuration changes from being written to memory after the profile is applied:
     hostname (config) # cmc profile <profileName> apply appliance <applianceName> no-save
   • To continue executing commands after one command fails:
     hostname (config) # cmc profile <profileName> apply appliance <applianceName> fail-continue
3. View the command output to determine whether the profile was applied successfully.
4. Save your changes:
   hostname (config) # write memory

To apply a profile to a group of appliances:

1. Enable the CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Apply the profile:
   • To apply the profile normally:
     hostname (config) # cmc profile <profileName> apply group <groupName>
   • To prevent the configuration changes from being written to memory after the profile is applied:
     hostname (config) # cmc profile <profileName> apply group <groupName> no-save
   • To continue executing commands on the appliances in the group after one command fails:
     hostname (config) # cmc profile <profileName> apply group <groupName> fail-continue
3. View the command output to determine whether the profile was applied successfully.
4. Save your changes:
   hostname (config) # write memory

Examples

Successful Profile Application

This example applies the "acctmgt" profile to the NX-04 appliance, which succeeds.
hostname (config) # cmc profile acctmgt apply appliance NX-04
=================Appliance NX-04=============================
Execution was successful.
Execution output:
Saving configuration file...Done!

Failed Profile Application

This example attempts to apply the "DateTimeJpn" profile to the Tokyo group, but fails because manual time and date settings are not permitted when NTP is enabled.

hostname (config) # cmc profile DateTimeJpn apply group Tokyo
=================Appliance FX-03 =============================
Error code 6 (CLI command execution failure)
Error output:
%NTP enabled, clock adjustment not allowed
Execution output:
(none)

CHAPTER 26: Monitoring Aggregated Alert Data

The Central Management appliance aggregates events from all managed appliances. You can use appliance groups to limit the displayed event data to specific appliances. (For information about groups, see Grouping Appliances on page 405.)

You can centrally view detection and analysis results for managed appliances using the Dashboard and the Alerts sub-menus in the Central Management Web UI or by using the cmc execute commands in the Central Management CLI.

Managing the Distribution of Alert Notifications

You can send alert notifications from the Central Management appliance, from managed appliances, or from both the Central Management appliance and managed appliances to different servers. The following options are available:

• Centralized Notifications—All notifications come from the Central Management appliance.
• Mixed Notifications—Notifications come from both the Central Management appliance and managed appliances.
• Decentralized Notifications—Notifications come from managed appliances only.

Centralized Notifications

Use centralized notifications if you want all your alert notifications to come from the Central Management appliance.
The advantage of using centralized notifications is that you only have to configure settings once, and the alerts are tracked in the same place. A disadvantage is that you have fewer delivery options. For example, for email notifications configured on the Network Security appliance, the delivery options are "Daily digest," "Per event," "Daily per source," "Hourly per source," "1 min per source," and "5 mins per source." On the Central Management appliance the only options are "Daily digest" and "Per event."

After Central Management notifications are enabled, all notification alerts are sent to the notification servers you configure for the Central Management appliance. Centralized notifications start immediately after you configure a protocol and add notification server details, and they stop if you remove the notification servers or the protocols. The Central Management appliance sends notifications in the order they are received.

Perform the following tasks to set up centralized notifications:

1. Remove the notification settings for each managed appliance, as described in the User Guide for the managed appliance.
2. Enable notification settings for the Central Management appliance, as described in Event Notifications on page 295.

Mixed Notifications

Use mixed notifications when you want to send centralized notifications to one notification server, and individual appliance notifications to other servers. One advantage of mixed notifications is that you can track notifications from individual appliances separately on a separate notifications server, while still aggregating notifications from all managed appliances on the Central Management appliance. Another advantage is the additional delivery options on the individual appliances, as described in Centralized Notifications on the previous page.
NOTE: If you disconnect an appliance from the Central Management appliance, notifications will be sent to the server configured for that appliance, if one is configured.

Perform the following tasks to set up mixed notifications:

1. Enable notification settings for the Central Management appliance, as described in Event Notifications on page 295.
2. Enable notification settings for each managed appliance you want to track separately, as described in the User Guide for the managed appliance.

Decentralized Notifications

Use decentralized notifications if you want notifications to be sent only from individual managed appliances, and not from the Central Management appliance. This was the notification delivery method in previous versions of the Central Management appliance (Release 6.4.1 and earlier), so no configuration changes are needed for backward compatibility.

Perform the following tasks to set up decentralized notifications:

1. Remove all notification settings for the Central Management appliance, as described in Event Notifications on page 295.
2. Enable notification settings for each managed appliance, as described in the User Guide for the managed appliance.

Monitoring Appliances Using the Web UI

Alert and analysis results are specific to appliance types. You can filter some results based on appliance group or a specific appliance, as shown in the following illustration. Data is displayed only if you select a group or appliance to which the page applies. For example, no data would be displayed if you select a Network Security appliance on the Email Alerts page, because that page applies only to the Email Security — Server Edition appliance.
Viewing Alerts and Events for Managed NX Series Appliances Using the Web UI

Use the Alerts page to view information about Network Security alerts and events.

To view alerts and events:

1. On the Alerts tab, click NX > Alerts.
2. (Optional) Use the controls at the top of the page to filter the results.
3. View the results as described in the NX Series User Guide. For IPS-enabled NX Series appliances, see the IPS Feature Guide.

NOTE: See Managing Suppressed Alerts on Managed NX Series Appliances Using the Web UI on the facing page.

Managing Suppressed Alerts on Managed NX Series Appliances Using the Web UI

Use the Appliance Settings: Suppressed Alerts page to view and manage suppressed alerts on managed Network Security appliances. When an alert is suppressed, the suppression total is pushed to all managed Network Security appliances. The maximum number of suppressed alerts is 15 for all managed appliances combined.

For example, suppose the Central Management appliance manages a Network Security appliance that already has the maximum number of suppressed alerts. If you add another Network Security appliance with suppressed MD5s or URLs to the Central Management appliance, a notice at the top of the page advises you to suppress or resolve alerts until the number is brought down to 15. After you suppress or resolve these extra alerts, the suppressed alerts on the Network Security appliances become out-of-sync. A warning with a link to synchronize them is displayed at the top of the Appliance Settings: Suppressed Alerts page.

NOTE: For detailed information about the alert suppression feature, see the NX Series User Guide.

To view and manage suppressed alerts:

1. Click Settings and then select Appliance Settings.
2. Click Suppressed Alerts in the sidebar.
3. Manage the suppressed alerts as described in the NX Series User Guide.

To reduce an excess of aggregated suppressed alerts:

1. Open the Appliance Settings: Suppressed Alerts page. A notice at the top of the page advises that too many alerts are suppressed.
2. Select the checkboxes for the MD5s and URLs with the least impact, and then click Unsuppress or Resolve.

   CAUTION: Do not resolve alerts until the FireEye Security Content team determines that they are false positives and updates its security content. Apply the latest security content update to your appliance, and then resolve the alerts.

3. Refresh the page. The MD5s and URLs you selected are removed from the page, and a warning at the top of the page informs you about an out-of-sync condition on the managed appliances.
4. Click the SYNC link in the warning to synchronize alert suppression.

Monitoring Malware and Callback Activity for Managed NX Series Appliances Using the Web UI

Use the Hosts and Callback Activity pages to view information about malware and CnC callback server activity on managed NX Series appliances.

To view malware and callback activity:

1. Click Alerts and then select NX.
2. Click Alerts.
3. Click the Hosts or Callback Activity link.
4. (Optional) Use the controls at the top of the page to filter the results.
5. View the results as described in the NX Series User Guide.

Viewing Malware Summaries for Managed NX Series Appliances Using the Web UI

Use the Summaries page to view summary information about malware detected by managed Network Security appliances.

To view malware summaries:

1. Click Alerts and then select NX.
2. Click Summaries.
3. Select one of the following tabs at the top of the page:
   • Malware—Displays the information in a table.
   • Charts—Displays the information in bar charts.
   • Treemaps—Displays the information in a treemap.
4. (Optional) Use the controls at the top of the page to filter the results.
5. View the results as described in the NX Series User Guide.
Viewing Riskware for Managed Appliances Using the Web UI

In the Riskware Alerts page of a managed Network Security appliance or the Riskware Emails page of a managed Email Security — Server Edition appliance, you can identify the matched alerts that are detected as nonmalicious for a riskware event. On the Dashboard What's Happening panel, you can track the number of Web and email riskware alerts. For more information about riskware, see the Network Security Guide or Email Security — Server Edition User Guide.

To view riskware alerts:

1. (NX Series) Select Alerts > NX > Riskware, or on the Dashboard What's Happening panel, click the Web Riskware Alerts link.
2. (CM) Select Alerts > Email > Riskware, or on the Dashboard What's Happening panel, click the Email Riskware Alerts link.
3. (Optional) Use the controls at the top of the page to filter the results.

Viewing SmartVision Alerts on SmartVision Appliances Using the Web UI

Use the FireEye Network SmartVision page to view SmartVision alerts and associated forensic data on a SmartVision appliance. A SmartVision appliance can be any of the following:

• SmartVision Edition sensor
• SmartVision-enabled NX Series sensor
• SmartVision-enabled NX Series integrated appliance

To view SmartVision alerts:

1. Select Alerts > NX > SmartVision.
2. (Optional) Use the page controls at the top of the page to define the number of alerts per page and to select a page of alerts in the list.
3. (Optional) Click the funnel icon to expand the Filter panel at the left edge of the page. Use filter options to define the match criteria for alerts that are displayed.
4. View and investigate SmartVision alerts as described in the NX Series SmartVision Feature Guide.
Viewing the Campaigns for Managed CM Appliances Using the Web UI

In the eAlerts > Campaigns page of a managed Email Security — Server Edition appliance, you can track the total number of infected emails that are part of a campaign. A red status indicates that the campaign is not verified. A blue status indicates that the campaign is verified. You can generate and download the list of campaigns as an Email Campaign List report in XML format, PDF format, CSV format, or JSON format from the appliance to your local desktop.

To view the campaigns:

1. Click eAlerts > Campaigns.
2. (Optional) Use the page controls at the top of the page to define the number of campaigns per page and to select a page of campaigns in the list.
3. (Optional) Click the funnel icon to expand the Filter panel at the left edge of the page. Use filter options to define the match criteria for campaigns that are displayed.
4. View the analysis results that have been identified as a campaign as described in the Email Security — Server Edition User Guide.

Managing Quarantined Emails for Managed CM Appliances Using the Web UI

Use the Email Quarantine page to view and manage quarantined emails on managed Email Security — Server Edition appliances.

To manage quarantined emails:

1. Click Alerts and then select Email.
2. Click eQuarantine.
3. (Optional) Use the controls at the top of the page to filter the results.
4. Manage the quarantine as described in the Email Security — Server Edition User Guide.

Viewing Email Analysis Results for Managed CM Appliances Using the Web UI

Use the Email Alerts page to view information about infected emails observed by managed Email Security — Server Edition appliances.

To view email analysis results:

1. Click Alerts and then select Email.
2. Click eAlerts.
3. (Optional) Use the controls at the top of the page to filter the results.
4. View the information as described in the Email Security — Server Edition User Guide.

Viewing and Exporting the Results of Processed Emails on a Managed CM Appliance Using the Web UI

Use the Processed Emails page to view the list of malicious and nonmalicious emails that have been processed by the Email Security — Server Edition appliance based on the type of fields (Message ID, Sender, Recipient, Subject Line, URL, and Attachment). The Processed Emails page also displays the status and state of the scanned emails with an associated verdict based on the results of the scan. You can display up to 100 emails per page. You can also export a filtered list of processed emails from the appliance.

To view and export the status of processed emails:

1. Click the Search Emails tab and then click Processed Emails.
2. (Optional) Use the controls at the top of the page to filter the results.
3. View and export the status of processed emails as described in the Email Security — Server Edition User Guide.

Viewing the Messages in the Email Queue on a Managed CM Appliance Using the Web UI

Use the Queued Emails page to view the list of messages that are queued for dynamic analysis. You can filter the specific search criteria based on the sender, recipient, or queue type. You can monitor your emails while they are being processed and held in the email queue.

To view the messages in the email queue:

1. Click the Search Emails tab and then click Queued Emails.
2. (Optional) Use the controls at the top of the page to define the scope of the changes.
3. View messages in the email queue as described in the Email Security — Server Edition User Guide.

Viewing URL Click Reports for Managed EX Series Appliances Using the Web UI

Use the Dashboard page to view the total number of missed and blocked URL click events.
In this example, the following URL click events were reported for the week:

• 2 URLs were reported missed and 5 click timestamps were reported for these URLs.
• 5 URLs were reported blocked and 18 click timestamps were reported for these URLs.

To view the URL click event details:

1. Click URL Click Missed or URL Click Blocked. The eAlerts > Alerts page is displayed. This example is displayed after URL Click Missed is selected. This example displays the URL click badges for the alerts.
2. Click on an alert to display a summary of the alert details along with a table itemizing the URL clicks, the URL click time stamp, and the missed or blocked URL click status.

For detailed information about the URL click reporting feature, see the Email Security — Server Edition User Guide.

Viewing Malware Analysis Results for Managed AX Series Appliances Using the Web UI

Use the Analysis page to view information about the malware analysis jobs run on managed Malware Analysis appliances.

To view malware analysis results:

1. Click Alerts and then select AX.
2. Click Analysis.
3. (Optional) Use the controls at the top of the page to filter the results.
4. View results as described in the AX Series User Guide.

Managing File Quarantines for Managed FX Series Appliances Using the Web UI

Use the CM: Quarantined Files page to view and manage quarantined files on managed File Security appliances.

To manage quarantined files:

1. Click Alerts and then select FX.
2. Click Quarantined Files.
3. (Optional) Use the controls at the top of the page to filter the results.
4. Manage the quarantine as described in the FX Series User Guide.
Managing File Alerts for Managed FX Series Appliances Using the Web UI

Use the CM: File Alerts page to view and drill into details about malicious files on managed File Security appliances.

To manage file alerts:

1. Click Alerts and then select FX.
2. Click Alerts.
3. (Optional) Use the controls at the top of the page to filter the results.
4. Manage the alerts as described in the FX Series User Guide.

Monitoring Appliances Using the CLI

Use the commands in this section to view detection and analysis results on managed appliances by executing individual commands on behalf of them. The commands are executed once; they are not stored.

NOTE: For comprehensive information about the detection and analysis commands, see the User Guide for your appliance.

NOTE: If you omit the command parameter from these commands, you will be prompted for it, and the characters you enter will be masked for confidentiality.

NOTE: This topic describes how to execute a single command. You can also define a profile of commands that run in sequence unattended. See Working with Command Profiles on page 412.

To execute a command on a managed appliance:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Execute the command:
   hostname (config) # cmc execute appliance <applianceName> command ["<command>"]
   where command must be enclosed in double quotation marks.

To execute a command on a group of appliances:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Execute the command:
   hostname (config) # cmc execute group <groupName> command ["<command>"]
   where command must be enclosed in double quotation marks.

IMPORTANT! You can cancel the execution of outstanding commands, as described in Canceling Outstanding Commands on page 403.
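Both cmc execute and cmc profile apply return one block per appliance: an "Appliance <name>" banner, a status line ("Execution was successful." or "Error code N (...)"), and "Error output:" / "Execution output:" sections. When a command is run against a group, reading those blocks by eye does not scale, and the status line alone is misleading: in this chapter's EX-05 example the status is "successful" even though the appliance answered a command with a "%" refusal. The following parser is an added example, not FireEye code and not a published output format specification; SAMPLE_OUTPUT is constructed from the output formats shown in this chapter (the NX-04 show alerts summary run, the FX-03 error, and the EX-05 refusal), and the banner, error and counter regular expressions are assumptions fitted to those samples.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, assembled from the output formats this chapter shows: a
# "show alerts summary" run on NX-04, a failed profile run on FX-03, and a profile
# run on EX-05 that reports success but refuses one command.
SAMPLE_OUTPUT = """\
============ Appliance NX-04 ============
Execution was successful.
Execution output:
Domain Match : 2182
Web Infection : 6133
Malware Callback : 27273
Infection Match : 4035
Malware Object : 12564
Total Alerts : 52187
=================Appliance FX-03 =============================
Error code 6 (CLI command execution failure)
Error output:
%NTP enabled, clock adjustment not allowed
Execution output:
(none)
====================Appliance EX-05==========================
Execution was successful.
Execution output:
%Disabling certificate checking is not allowed.
Saving configuration file...Done!
"""

# Assumed patterns, fitted to the samples above rather than to a published spec.
BANNER_RE = re.compile(r"^=+\s*Appliance\s+(\S+?)\s*=+\s*$")
ERROR_RE = re.compile(r"^Error code (\d+) \((.*)\)$")
COUNTER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)\s*$")


@dataclass
class ApplianceResult:
    name: str
    ok: bool = False                   # status line was "Execution was successful."
    error_code: Optional[int] = None   # e.g. 6 for "CLI command execution failure"
    error_text: str = ""
    error_output: List[str] = field(default_factory=list)
    execution_output: List[str] = field(default_factory=list)

    @property
    def refused_lines(self) -> List[str]:
        """'%'-prefixed lines are appliance refusals; they can appear even under an
        overall 'successful' status, so checking the status line alone is not enough."""
        return [ln for ln in self.error_output + self.execution_output if ln.startswith("%")]

    @property
    def counters(self) -> Dict[str, int]:
        """'Name : number' lines, as produced by show alerts summary."""
        found: Dict[str, int] = {}
        for line in self.execution_output:
            m = COUNTER_RE.match(line)
            if m:
                found[m.group(1).strip()] = int(m.group(2))
        return found


def parse_cmc_output(text: str) -> List[ApplianceResult]:
    """Split CM command output into one record per 'Appliance <name>' banner."""
    results: List[ApplianceResult] = []
    current: Optional[ApplianceResult] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        banner = BANNER_RE.match(line)
        if banner:
            current = ApplianceResult(name=banner.group(1))
            results.append(current)
            section = "status"          # the line after the banner is the status line
            continue
        if current is None or not line or line == "(none)":
            continue
        if section == "status":
            if line == "Execution was successful.":
                current.ok = True
            else:
                err = ERROR_RE.match(line)
                if err:
                    current.error_code = int(err.group(1))
                    current.error_text = err.group(2)
            section = None
        elif line == "Error output:":
            section = "error"
        elif line == "Execution output:":
            section = "exec"
        elif section == "error":
            current.error_output.append(line)
        elif section == "exec":
            current.execution_output.append(line)
    return results


def needs_attention(results: List[ApplianceResult]) -> List[str]:
    """Appliances whose run failed outright or that refused at least one command."""
    return [r.name for r in results if not r.ok or r.refused_lines]


def totals_consistent(counters: Dict[str, int]) -> bool:
    """Sanity check for show alerts summary: the categories should add up to Total Alerts."""
    parts = {k: v for k, v in counters.items() if k != "Total Alerts"}
    return "Total Alerts" in counters and sum(parts.values()) == counters["Total Alerts"]
```

Run over the sample, needs_attention() flags both FX-03 (error code 6) and EX-05 (successful status, but one refused command), and the NX-04 counters add up to the reported Total Alerts, which is a cheap check that the summary block was captured whole.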
Example

This example executes the show alerts summary command on behalf of the NX-04 appliance.

hostname (config) # cmc execute appliance NX-04 command "show alerts summary"
============ Appliance NX-04 ============
Execution was successful.
Execution output:
Domain Match : 2182
Web Infection : 6133
Malware Callback : 27273
Infection Match : 4035
Malware Object : 12564
Total Alerts : 52187

NX Series and CM Event Correlation

When the Central Management appliance manages both Network Security appliances and Email Security — Server Edition appliances, malicious Web events detected by the Network Security appliances are correlated with email events detected by the Email Security — Server Edition appliances, and malicious email events detected by the Email Security — Server Edition appliances are correlated with Web events detected by the Network Security appliances.

NOTE: For information about allowing two Central Management networks to share information about malicious events, see CM Peer Distributed Correlation on page 603.

Correlated events are displayed with the following icons in the Web UI:

• Web Correlation — This icon in an email alert indicates that the alert is correlated with a Web alert. It is typically in the URL column, depending on the tab selected in Alerts > Email > eAlerts.
• Email Correlation — This icon in a Web alert indicates that the alert is correlated with an email alert. It is in the Total column or the Alert Type column, depending on the tab selected in Alerts > NX > Alerts.

Correlated events are displayed with the following badges:

• Correlated NX Alert — This badge in an email alert indicates that the alert is correlated with a Web alert. It is shown in the Badges column in the Alerts > Email > eAlerts page. You can select it as a filter to find correlated Network Security events.
• Correlated EX Alert — This badge in a Web alert indicates that the alert is correlated with an email alert. It is shown in the Badges column in the Alerts > NX > Alerts page. You can select it as a filter to find correlated Email Security — Server Edition events.

Reviewing Email Alerts Correlated with Web Events

You can view the combined alert information or navigate to the list of correlated Network Security alerts from the Email Security — Server Edition alerts.

Prerequisites

• One or more Network Security appliances managed by the Central Management appliance.
• One or more Email Security — Server Edition appliances managed by the Central Management appliance.

NOTE: By default, alert correlation is enabled on any Central Management appliance that manages one or more Network Security appliances and one or more Email Security — Server Edition appliances.

For details, see:

• Reviewing Correlated Email and Web Alert Information in a Combined View below
• Viewing Web Alerts for Correlated Malicious Behavior on page 436

Reviewing Correlated Email and Web Alert Information in a Combined View

The combined view shows the high-level details of correlated Email Security — Server Edition and Network Security alerts.

To review the combined view of correlated email and Web alerts:

1. On the Alerts tab, select Email > eAlerts.
2. If there are many alerts, use the Filters panel on the left edge of the page to filter by the Correlated NX Alert badge.
3. In the Recipient tab, click the number link beside the Web icon in the URL column. The Network Security alerts correlated with the Email Security — Server Edition alert are displayed.
4. In the list of correlated alerts in the Alerts tab, click a URL in the URL column. The combined view displays the email details in the top section and the Web event details in the bottom section.
Viewing Web Alerts for Correlated Malicious Behavior

From an email alert that has a malicious URL or attachment, you can navigate to the list of Network Security alerts for the source IP addresses on which the same malicious URL or attachment was identified. This view shows all malware objects and other events that affected the source IP address for this email alert in the selected time period, including those from other URLs or attachments, other Email Security — Server Edition alerts, and other affected source IP addresses.

To review the list of Web alerts correlated with an email alert:

1. On the Alerts tab, select Email > eAlerts.
2. Select the Malicious Emails tab.
3. If there are many alerts, use the Filters panel on the left edge of the page to filter by the Correlated NX Alert badge.
4. In the URL or Attachment column of an email alert, click the Web icon link. The NX > Alerts > Alerts tab displays the list of Network Security alerts from all source IP addresses on which the same malicious URL or attachment was identified. The Network Security alerts marked with the email icon link are correlated with Email Security — Server Edition alerts.

The following example includes a malware object and callbacks for multiple malware types.

Reviewing Web Alerts Correlated with Email Events

Follow these steps to review the malicious objects found by the Network Security appliance and correlated to events on the Email Security — Server Edition appliance.

Prerequisites

- One or more Network Security appliances managed by the Central Management appliance.
- One or more Email Security — Server Edition appliances managed by the Central Management appliance.
NOTE: By default, alert correlation is enabled on any Central Management appliance that manages one or more Network Security appliances and one or more Email Security — Server Edition appliances.

To review Web alerts correlated with email events:

1. On the Alerts tab, click NX > Alerts.
2. If there are many alerts, use the Filters panel on the left edge of the page to filter by the Correlated EX Alert badge.
3. On the Hosts tab, click the number link beside the email correlation icon in the Total column. The list of correlated Email Security — Server Edition alerts is displayed in the Alerts tab.
4. In the correlated alerts, click an email correlation icon with the link superimposed on it. The correlated Email Security — Server Edition alert is displayed on the eAlerts > Malicious Emails tab.

Enabling Remote CM Appliance Event Correlation

Follow these steps to enable remote Email Security — Server Edition appliance event correlation on the Central Management appliance. When this is enabled, the Central Management appliance will distribute the set of malicious URLs collected from the Network Security appliances to all eligible managed Email Security — Server Edition appliances.

Prerequisites

- One or more Network Security appliances managed by the Central Management appliance
- One or more Email Security — Server Edition appliances managed by the Central Management appliance
- The managed Email Security — Server Edition appliances are release 7.9.x or later

NOTE: By default, alert correlation and remote correlation are enabled on any Central Management appliance that manages one or more Network Security appliances and one or more Email Security — Server Edition appliances of release 7.9.x or later.
To enable remote Email Security — Server Edition appliance alert correlation on the Central Management appliance:

1. Log in to the Central Management CLI.
2. Go to CLI configuration mode:

    hostname > enable
    hostname # configure terminal

3. Enable remote Email Security — Server Edition alert correlation:

    hostname (config) # remote-correlation enable

4. Review the remote Email Security — Server Edition alert correlation configuration settings:

    hostname (config) # show remote-correlation status

5. Save your changes:

    hostname (config) # write memory

Endpoint Security Event Correlation

The Central Management appliance correlates Endpoint Security alerts with managed appliance alerts and creates badges for the appropriate alerts. Correlated Network Security alerts may have Endpoint Compromised, Endpoint Contained, and Containment Requested badges. Correlated Email Security — Server Edition alerts may have a Related Endpoint badge.

Endpoints Compromised, Related Endpoints, and Endpoints Contained links appear on the Central Management Dashboard What's Happening panel if there are alerts with the associated badges. Click a link to view the Alerts page with the list of alerts labeled with the associated badge.

If available, you can download triage collections from the Central Management appliance for alerts whose endpoints are compromised. Click the Endpoint Compromised badge or the Endpoints Compromised link, expand an alert, and click the Download package link.

For details about how a managed appliance alert becomes an Endpoint Security alert and a Central Management badge, see the Endpoint Security System Administration Guide. For details on endpoint containment and triage collections, see the Endpoint Security User Guide.
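The NX/EX correlation behaviour described in this chapter (a shared malicious URL or attachment, the Correlated NX Alert and Correlated EX Alert badges, and the per-host Web alert list reached from an email alert), written out as a runnable model. This is example code added here, not FireEye's implementation; the alert field names, badge-filter helper and sample alert values are constructed assumptions.

```python
"""Model of the NX/EX alert correlation described above.

Example code added for this page; it is not FireEye's implementation and the
field names used here are assumptions. It reproduces the documented behaviour:
an email alert whose malicious URL or attachment was also identified by a
Network Security (NX) appliance gets the "Correlated NX Alert" badge, the
matching NX alerts get the "Correlated EX Alert" badge, and from an email
alert you can reach every NX alert on the source IP addresses where that
URL or attachment was seen, including other malware types on those hosts.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Indicator = Tuple[str, str]  # ("url", normalized url) or ("md5", hex digest)


@dataclass
class EmailAlert:
    """Email Security - Server Edition alert (assumed field names)."""
    alert_id: str
    recipient: str
    url: Optional[str] = None
    attachment_md5: Optional[str] = None
    badges: Set[str] = field(default_factory=set)


@dataclass
class WebAlert:
    """Network Security alert (assumed field names)."""
    alert_id: str
    src_ip: str
    alert_type: str
    url: Optional[str] = None
    object_md5: Optional[str] = None
    badges: Set[str] = field(default_factory=set)


def indicators(alert) -> Set[Indicator]:
    """Indicators shared across products: the URL and/or the file hash.
    Both are case-normalized so NX and EX spellings compare equal."""
    found: Set[Indicator] = set()
    if alert.url:
        found.add(("url", alert.url.strip().lower()))
    md5 = getattr(alert, "attachment_md5", None) or getattr(alert, "object_md5", None)
    if md5:
        found.add(("md5", md5.lower()))
    return found


def correlate(email_alerts: List[EmailAlert],
              web_alerts: List[WebAlert]) -> Dict[str, List[str]]:
    """Badge both alert lists in place; return email id -> correlated NX ids."""
    by_indicator: Dict[Indicator, List[WebAlert]] = defaultdict(list)
    for web in web_alerts:
        for ind in indicators(web):
            by_indicator[ind].append(web)

    correlated: Dict[str, List[str]] = {}
    for email in email_alerts:
        matches = [w for ind in indicators(email) for w in by_indicator.get(ind, [])]
        if not matches:
            continue
        email.badges.add("Correlated NX Alert")       # badge on the email alert
        for web in matches:
            web.badges.add("Correlated EX Alert")     # badge on each matching NX alert
        correlated[email.alert_id] = sorted({w.alert_id for w in matches})
    return correlated


def web_alerts_for_email(email: EmailAlert, web_alerts: List[WebAlert]) -> List[WebAlert]:
    """The "Viewing Web Alerts for Correlated Malicious Behavior" list: every NX
    alert on the source IPs where the email's URL/attachment was identified."""
    inds = indicators(email)
    hosts = {w.src_ip for w in web_alerts if indicators(w) & inds}
    return [w for w in web_alerts if w.src_ip in hosts]


def filter_by_badge(alerts, badge: str):
    """Equivalent of the Filters panel: keep only alerts carrying the badge."""
    return [a for a in alerts if badge in a.badges]


def build_sample() -> Tuple[List[EmailAlert], List[WebAlert]]:
    """Constructed sample alerts (not from any real deployment)."""
    md5 = "0123456789abcdef0123456789abcdef"  # constructed placeholder hash
    emails = [
        EmailAlert("E-1", "alice@example.test", url="http://malicious.example/payload.exe"),
        EmailAlert("E-2", "bob@example.test", attachment_md5=md5.upper()),
        EmailAlert("E-3", "carol@example.test", url="http://benign.example/newsletter"),
    ]
    webs = [
        WebAlert("W-1", "10.0.0.5", "Malware Object", url="http://MALICIOUS.example/payload.exe"),
        WebAlert("W-2", "10.0.0.5", "Malware Callback", url="http://c2.example/beacon"),
        WebAlert("W-3", "10.0.0.9", "Malware Object", object_md5=md5),
        WebAlert("W-4", "10.0.0.42", "Domain Match", url="http://unrelated.example/"),
    ]
    return emails, webs


if __name__ == "__main__":
    emails, webs = build_sample()
    print(correlate(emails, webs))  # {'E-1': ['W-1'], 'E-2': ['W-3']}
    # Same host as W-1 also shows its unrelated callback, as the view above describes.
    print([w.alert_id for w in web_alerts_for_email(emails[0], webs)])  # ['W-1', 'W-2']
    print([w.alert_id for w in filter_by_badge(webs, "Correlated EX Alert")])  # ['W-1', 'W-3']
```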
Sending Alerts to the Helix Web UI Using the CLI

Use the commands in this section to configure the alert settings that are pushed from all appliances managed by the Central Management appliance to the Helix Web UI when the appliances are deployed in Helix cloud mode or Helix on-premises mode. You can send alerts from all appliances managed by the Central Management appliance to the Helix Web UI using HTTPS.

To send alerts to the Helix Web UI when the appliances are deployed in Helix cloud mode:

1. Go to CLI configuration mode:

    hostname > enable
    hostname # configure terminal

2. Specify the number of days that the managed appliance can send alerts to the Helix Web UI:

    hostname (config) # helix mode cloud push-alerts-from <days>

   The range is from 0 to 30 days.

3. (Optional) Specify the maximum number of alerts that the managed appliance can send to the Helix Web UI:

    hostname (config) # helix mode cloud push-alerts-from <days> max-alerts <count>

   You can send up to 10,000 alerts from all managed appliances to the Helix Web UI.

4. Verify the alert settings for the Helix Web UI configuration:

    hostname (config) # show helix
    Helix Configurations:
      Enabled              : yes
      Mode                 : cloud
      Single Sign-On       : allowed
      Console URL          : https://my.fireeye.com/helix/id/900151200/
      Alert Sync Enabled   : yes
      Alert Sync From      : 0 days old
      Alert Sync Max Count : 10000

   The "Alert Sync From" and "Alert Sync Max Count" lines display the alert settings configuration used to send the alerts to the Helix Web UI.

5. Save your changes:

    hostname (config) # write memory

To send alerts to the Helix Web UI when the appliances are deployed in Helix on-premises mode:

1. Go to CLI configuration mode:

    hostname > enable
    hostname # configure terminal

2. Specify the number of days that the managed appliance can send alerts to the Helix Web UI:

    hostname (config) # helix mode on-premises push-alerts-from <days>

   The range is from 0 to 30 days.

3. (Optional) Specify the maximum number of alerts that the managed appliance can send to the Helix Web UI:

    hostname (config) # helix mode on-premises push-alerts-from <days> max-alerts <count>

   You can send up to 10,000 alerts from all managed appliances to the Helix Web UI.

4. Verify the alert settings for the Helix Web UI configuration:

    hostname (config) # show helix
    Helix Configurations:
      Enabled              : yes
      Mode                 : on-premises
      Single Sign-On       : required
      Console URL          : https://my.fireeye.com/helix/id/900151200/
      Alert Sync Enabled   : yes
      Alert Sync From      : 0 days old
      Alert Sync Max Count : 10000

   The "Alert Sync From" and "Alert Sync Max Count" lines display the alert settings configuration used to send the alerts to the Helix Web UI.

5. Save your changes:

    hostname (config) # write memory

CHAPTER 27: Working with Reports for Managed Appliances

This section covers the following information:

- About Reports below
- Customizing Reports for Managed Appliances on the next page
- Generating and Scheduling Reports for Managed Appliances on page 485

About Reports

Reports can be customized only on managed Email Security — Server Edition, Network Security, and File Security appliances. The Central Management appliance allows you to generate reports about malicious behavior on the network from all managed Email Security — Server Edition, Network Security, and File Security appliances. Reports include data accumulated from all appliances of the same type. For example, if you specify the "Alert Details" report, the report will contain all data from all Network Security appliances that are managed or have been managed during the specified report time frame.
You can create your own custom reports from scratch, use the predefined reports, or clone a predefined report and use it as a template for a custom report. You can also control access to the content of the report using roles. This content includes the appropriate fields and filters that you want to include in each report.

Predefined Report Templates

Each predefined report template defines the individual sections in the report and the presentation format (table or graph). You can choose the format (table or graph) for each section individually.

Custom Reports

You can configure any number of sections for a custom report on the Central Management appliance. You can generate a custom report on the Central Management appliance to help you retrieve and analyze the traffic pattern, appliance health, appliance performance, user actions, or alert details about malware and infection trends for all managed appliances. A custom report allows you to define the content and format of the data in each section of the report and the attributes of the report such as the logo. You can configure the Central Management appliance to send the generated custom report by email to the intended recipients. You can schedule reports to be generated automatically.
Customizing Reports for Managed Appliances

This section covers the following information about customizing reports for managed appliances:

- Task List for Customizing Reports for Managed Appliances below
- Creating and Configuring Settings for a Custom Report on the facing page
- Configuring Graphs for Custom Reports on page 450
- Configuring Tables for Custom Reports on page 460
- Creating a Custom Report from a Predefined Report Template on page 471
- Editing and Cloning Reports That Have Been Generated on page 475
- Sending, Downloading, and Deleting Custom Reports on page 481

You cannot customize a SmartVision Alerts report.

Task List for Customizing Reports for Managed Appliances

Complete the steps for customizing reports for managed appliances in the following order:

1. Log in to the Central Management Web UI.
2. (Optional) Clone a predefined report template and edit its attributes to generate a custom report. See Creating a Custom Report from a Predefined Report Template on page 471.
3. Define the settings in a custom report. See Defining Settings in a Custom Report Using the Web UI on the facing page. If desired, associate one logo with a PDF-formatted custom report. See Adding or Deleting a Logo Using the Web UI on page 449.
4. Determine the type of graphs that you want to define in a custom report. See Configuring Graphs for Custom Reports on page 450.
5. Determine the type of tables and the attributes (the table columns) that you want to define in a custom report. See Configuring Tables for Custom Reports on page 460. If desired, define the match criteria for the attributes (table columns) displayed in each section of the custom report. See Defining Filters for Table Attributes on a Custom Report Section Using the Web UI on page 464.
Creating and Configuring Settings for a Custom Report

You can create and configure the report settings for your custom reports by using the Central Management appliance Web UI:

- Defining Settings in a Custom Report Using the Web UI below
- Editing Settings in a Custom Report Using the Web UI on page 447
- Adding or Deleting a Logo Using the Web UI on page 449

Follow these usage guidelines when you configure the report settings for your custom reports:

- Output the report in XML, PDF, CSV, or JSON format.
- Associate only one logo with a PDF-formatted custom report.
- Specify a title and description that can include letters (a–z, A–Z), numbers, dashes (-), underscores (_), and commas (,).
- Set the time period the report covers. By default, the custom report display time zone is UTC and the report covers the past 24 hours.
- Automatically generate reports on a schedule and email them to designated recipients.

Prerequisites

- Access to the Web UI of the Central Management appliance as Admin or Analyst

Defining Settings in a Custom Report Using the Web UI

Use the Custom Reports section to define settings in a new custom report for managed appliances using the Central Management appliance Web UI. You can define settings in a custom report only using the Web UI.

Prerequisites

- Access to the Web UI of the Central Management appliance as Admin or Analyst

To define the settings in a custom report:

1. In the Web UI, choose Reports > Custom Reports.
2. In the Report Title field, enter a name for your custom report.
3. In the Report Format drop-down menu, select the output format for the custom report:
   - xml—Generate the report in XML format.
   - pdf—Generate the report in PDF format.
   - csv—Generate the report in CSV format.
   - json—Generate the report in JSON format.
4. (Optional) In the Description field, enter a description of your custom report.
   You can specify any number of characters.
5. In the Time Zone to Convert Report Data to drop-down menu, select the time zone for the custom report.
6. In the Date Range drop-down menu, select the time period for this custom report:
   - past hour—Report covers analysis generated during the past 1 hour.
   - past 7 hours—Report covers analysis generated during the past 7 hours.
   - past 12 hours—Report covers analysis generated during the past 12 hours.
   - past 7 days—Report covers analysis generated during the past 7 days.
   - past 30 days—Report covers analysis generated during the past 30 days.
   - custom—Report covers analysis generated for a custom time period that ranges from the last 15 minutes to the past 1 year.
   Click Apply.
7. In the Report Recipients field, enter the email address of the report recipient. To add multiple recipients, press Enter for each additional email address. To delete a recipient, click the X next to the email address you want to delete.
8. (Optional) If you want to schedule the generated custom report in the Reports > Schedule Reports page, select the Make Schedulable checkbox. The custom report that has been generated appears under "Custom Reports" in the Report Type drop-down menu. For details about how to schedule a generated custom report, see Scheduling Reports for Managed Appliances Using the Web UI on page 486.
9. Click Next Step to add a table or graph, or click Save if you are finished configuring the custom report. To add a table to a section of a custom report, see Adding Tables to a Custom Report Using the Web UI on page 460. To add a graph to a section of a custom report, see Adding Graphs to a Custom Report Using the Web UI on page 451.

Editing Settings in a Custom Report Using the Web UI

Follow these steps to edit settings in a new custom report for managed appliances using the Central Management appliance Web UI.
You can edit settings in a custom report only using the Web UI. To preview your report, click the toggle button in the custom report configuration page. Click the button again to return to edit mode.

Prerequisites

- Access to the Web UI of the Central Management appliance as Admin or Analyst
- You have defined the settings in a custom report using the Central Management Web UI. For details about how to define the settings in a custom report, see Defining Settings in a Custom Report Using the Web UI on page 445.

To edit the settings in a custom report:

1. Click Reports > Custom Reports.
2. In the Generated Custom Reports section, click the action icon.
3. Click Edit.
4. In the Custom Reports page, click the action icon.
5. Click Edit.
6. Modify the report setting you want to edit:
   - Report Title
   - Report Format
   - Description
   - Time Zone to Convert Report Data to
   - Date Range
   - Report Recipients
7. To enable or disable automatically generating a custom report on schedule, select or clear the Make Schedulable checkbox.
8. Click Save.

To add a table to a section of a custom report for managed appliances, see Adding Tables to a Custom Report Using the Web UI on page 460. To add a graph to a section of a custom report for managed appliances, see Adding Graphs to a Custom Report Using the Web UI on page 451.

Adding or Deleting a Logo Using the Web UI

Follow these steps to add a logo to a custom report or to delete a logo from a custom report for managed appliances using the Central Management appliance Web UI. You can associate only one logo with a PDF-formatted custom report. When you upload a logo, the new logo overwrites the existing logo. The maximum size of the logo you upload is 128 x 128 pixels. You can add or delete a logo for a custom report only using the Web UI.
Prerequisites

- Access to the Web UI of the Central Management appliance as Admin or Analyst

To add a logo to a custom report:

1. In the Web UI, choose Reports > Custom Reports.
2. In the Logo field, click Choose File.
3. Select the logo file you want to add. The image is uploaded to the Central Management appliance and appears in the Custom Reports page.

To delete a logo from a custom report:

1. In the Web UI, choose Reports > Custom Reports.
2. In the Logo field, click the X icon next to the logo. A dialog box prompts you to confirm the changes.
3. Click Yes. A confirmation message appears, and the logo is removed from the Custom Reports page.

Configuring Graphs for Custom Reports

You can configure any number of graph sections for your custom reports from scratch for managed appliances by using the Central Management appliance Web UI:

- Adding Graphs to a Custom Report Using the Web UI on the facing page
- Editing the Graph Section of a Custom Report Using the Web UI on page 454
- Cloning a Graph Section of a Custom Report Using the Web UI on page 456
- Deleting a Graph Section From a Custom Report Using the Web UI on page 459

A custom report can contain one or more graph sections. You can choose the format of the graph (line chart, pie chart, or bar chart) for each section individually.

Prerequisites

- Access to the Web UI of the Central Management appliance as Admin or Analyst
- You have defined the settings for the custom report. For details about how to define the settings for the custom report, see Defining Settings in a Custom Report Using the Web UI on page 445.

Adding Graphs to a Custom Report Using the Web UI

Follow these steps to add a graph to a section of a custom report for managed appliances using the Central Management appliance Web UI.
You can add a graph to a section of a custom report only using the Web UI. If you want to completely delete a section of a custom report, click Delete in the Configure Section page. To preview your report, click the toggle button in the custom report configuration page. Click the button again to return to edit mode.

Prerequisites

- Access to the Web UI of the Central Management appliance as Admin or Analyst
- You have defined the settings for the custom report. For details about how to define the settings for the custom report, see Defining Settings in a Custom Report Using the Web UI on page 445.

To add a graph to a section of a custom report:

1. In the Custom Reports page, enter the report title of the report to be modified.
2. Click Next Step.
3. In the next page, click Add Section. The Configure Section window opens.
4. Click the Graph icon. In the Visualization Type area, a green check mark indicates that a graph is selected.
5. Click Next. The graph section details and settings are displayed.
6. In the Section Details area:
   - Enter the name of the graph for your custom report section.
   - (Optional) Enter a description to define the report section.
7. In the Graph Settings area, choose the type of graph you want from the Graph Type drop-down menu. The available graph options depend on the appliance that is connected to your Central Management appliance.
8. (Optional) To preview the graph settings, select the Preview checkbox. The graph (such as a pie chart) that you selected is displayed. If you need to refresh the content, click the refresh icon.
9. Click Save.
10. (Optional) If you want to delete the graph section completely, click Delete. Click Yes.

You have the option to generate the report by clicking Generate Report.
A confirmation message appears. The custom report is added to the top of the generated custom report list. The report status is displayed as "In progress" in the Generated Custom Reports table. The status is updated as soon as the generated report is available.

Editing the Graph Section of a Custom Report Using the Web UI

Follow these steps to edit the graph section of a new custom report for managed appliances using the Central Management appliance Web UI. You can change the graph characteristics that you want displayed in the section of a custom report. When you change characteristics of the graph section of a new custom report, the updated report section overwrites the existing report section.

You can edit the graph section of a new custom report only using the Web UI. If you want to completely delete a section of a custom report, click Delete in the Configure Section page. To preview your report, click the toggle button in the custom report configuration page. Click the button again to return to edit mode.

Prerequisites

- Access to the Web UI of the Central Management appliance as Admin or Analyst
- You have defined the settings for the custom report using the Central Management Web UI. For details about how to define the settings for the custom report, see Defining Settings in a Custom Report Using the Web UI on page 445.
- You have added one or more graph sections to the custom report using the Central Management Web UI. For details about how to add a graph to a section of a custom report, see Adding Graphs to a Custom Report Using the Web UI on page 451.

To edit the graph section of a new custom report:

1. In the Custom Reports page, locate the report section whose graph you want to edit.
2. Click the action icon.
3. Click Edit. The Configure Section window opens.
4. Click the Graph icon. In the Visualization Type area, a green check mark indicates that a graph is selected.
5. Click Next. The graph section details and settings are displayed.
6. In the Section Details area, change the name of the graph for your custom report section.
7. In the Graph Type drop-down menu, change the graph selection you want to view for the custom report. The available graph options depend on the appliance that is connected to your Central Management appliance.
8. (Optional) To preview the graph settings, select the Preview checkbox. The characteristics of the graph (such as a bar graph) that you changed are displayed. If you need to refresh the content, click the refresh icon.
9. Click Save.
10. Drag the graph section to the intended position on the custom report.

You have the option to generate the report by clicking Generate Report. A confirmation message appears. The custom report is added to the top of the generated custom report list. The report status is displayed as "In progress" in the Generated Custom Reports table. The status is updated as soon as the generated report is available.

Cloning a Graph Section of a Custom Report Using the Web UI

Follow these steps to clone a graph section of a custom report and save it as a new section using the Central Management appliance Web UI. The new graph section inherits the characteristics from the existing graph section. When you clone the characteristics of an existing report, the updated report will not overwrite the existing section.

You can clone a graph section of a new custom report only using the Web UI. If you want to completely delete a section of a custom report, click Delete in the Configure Section page. A dialog box prompts you to confirm your changes. To preview your report, click the toggle button in the custom report configuration page.
Click the button again to return to edit mode.

Prerequisites

- Access to the Web UI of the Central Management appliance as Admin or Analyst
- You have defined the settings for the custom report using the Central Management Web UI. For details about how to define the settings for the custom report, see Defining Settings in a Custom Report Using the Web UI on page 445.
- You have generated one or more custom reports for a managed appliance using the Central Management Web UI.

To clone a graph section of a custom report:

1. In the Generated Custom Reports portion of the Custom Reports page, locate the report whose section or characteristics you want to clone.
2. Click the action icon.
3. Click Clone. The graph characteristics of the existing report section are copied as a new section.
4. Click Edit. The Configure Section window opens for the relevant report section. In the Visualization Type area, a green check mark indicates that a graph is selected.
5. Click Next. The graph section details and settings are displayed.
6. Change the data you want displayed.
7. Click Save.
8. Drag the section to the intended position in the custom report.

You have the option to generate the report by clicking Generate Report. A confirmation message appears. The custom report is added to the top of the generated custom report list. The report status is displayed as "In progress" in the Generated Custom Reports table. The status is updated as soon as the generated report is available.

Deleting a Graph Section From a Custom Report Using the Web UI

Follow these steps to delete a graph section from a custom report for managed appliances using the Central Management appliance Web UI.
You can delete a graph section from a custom report only using the Web UI.

Prerequisites

- Access to the Web UI of the Central Management appliance as Admin or Analyst
- You have added one or more graph sections to a new custom report for a managed appliance using the Central Management Web UI. For details about how to add a graph to a section of a custom report, see Adding Graphs to a Custom Report Using the Web UI on page 451.

To delete a graph section from a custom report:

1. In the Custom Reports page, locate the graph section you want to delete.
2. Click the action icon.
3. Click Delete. The graph section is removed from the custom report. You must generate the report for the changes to take effect.

Configuring Tables for Custom Reports

You can configure any number of table sections for your custom reports from scratch for managed appliances by using the Central Management appliance Web UI:

- Adding Tables to a Custom Report Using the Web UI below
- Defining Filters for Table Attributes on a Custom Report Section Using the Web UI on page 464
- Editing the Table Section of a Custom Report Using the Web UI on page 466
- Cloning a Table Section of a Custom Report Using the Web UI on page 478
- Deleting a Table Section From a Custom Report Using the Web UI on page 470

A custom report can contain one or more table sections. You can choose the attributes for each section individually. The attributes are the table columns that you can select in a custom report. You can use filter options to define the match criteria for table columns that are displayed in each section of the custom report. For details about how to define filters for table attributes in a custom report section, see Defining Filters for Table Attributes on a Custom Report Section Using the Web UI on page 464.
When you select the csv, xml, or json output format to write the custom report to a CSV, XML, or JSON file, you can preview only 5 rows. When you select the pdf output format to write the custom report to an Adobe PDF file, you can preview 5, 25, 50, or 100 rows.

Prerequisites

- Access to the Web UI of the Central Management appliance as Admin or Analyst
- You have defined the settings for the custom report. For details about how to define the settings for the custom report, see Defining Settings in a Custom Report Using the Web UI on page 445.

Adding Tables to a Custom Report Using the Web UI

Follow these steps to add a table to a section of a custom report for managed appliances using the Central Management appliance Web UI. You can modify the table settings to change the content in the custom report.

You can add a table to a section of a custom report only using the Web UI. If you want to completely delete a section of a custom report, click Delete in the Configure Section page. To preview your report, click the toggle button in the custom report configuration page. Click the button again to return to edit mode.

Prerequisites

- Access to the Web UI of the Central Management appliance as Admin or Analyst
- You have defined the settings for the custom report using the Central Management Web UI. For details about how to define the settings for the custom report, see Defining Settings in a Custom Report Using the Web UI on page 445.

To add a table to a section of a custom report:

1. In the Custom Reports page, enter the report title of the report to be modified.
2. Click Next Step.
3. In the next page, click Add Section. The Configure Section window opens.
4. Click the Table icon. In the Visualization Type area, a green check mark indicates that a table is selected.
5. Click Next. The table section details and settings are displayed.
6. In the Section Details area:
   - Enter the name of the table for your custom report section.
   - (Optional) Enter a description to define the report section.
7. In the Table Settings area:
   - Choose the type of data and table from the Table Type drop-down menu. The available table options depend on the appliance that is connected to your Central Management appliance.
   - In the Select Table Columns area, select the columns you want to view for the custom report. The available column options are based on the table option you selected. You cannot select the columns to view for the following table types:
     - Appliance Status Report
     - Sensor Status Report
     - Email Counters Hourly Stats
     - URL Counters in Email Hourly Stats
8. (Optional) To preview the table settings, select the Preview checkbox. The table columns that you selected are displayed. If you need to refresh the content, click the refresh icon. This icon also allows you to preview the new settings while the Preview checkbox is selected.
9. Click Save. If you want to define the filter selection criteria of a table, click Next. For details about how to filter table attributes on a report section, see Defining Filters for Table Attributes on a Custom Report Section Using the Web UI on the next page.
10. (Optional) If you want to delete the table section completely, click Delete, then click Yes.

You have the option to generate the report by clicking Generate Report. A confirmation message appears, and the custom report is added to the top of the generated custom report list. The report status is displayed as "In progress" in the Generated Custom Reports table and is updated as soon as the generated report is available.
Defining Filters for Table Attributes on a Custom Report Section Using the Web UI

Follow these steps to define filters for table attributes on a custom report section for managed appliances using the Central Management appliance Web UI. You can use filter options to define the match criteria for the attributes (the table columns) displayed in each section of the custom report.

You can define filters for table attributes on a custom report section only using the Web UI. You cannot define filters for the following table types:
- Appliance Status Report
- Sensor Status Report
- Email Counters Hourly Stats
- URL Counters in Email Hourly Stats

If you want to completely delete a section of a custom report, click Delete in the Configure Section page.

Prerequisites
- Access to the Web UI of the Central Management appliance as Admin or Analyst
- You have defined the settings for the custom report using the Central Management Web UI. For details about how to define the settings for the custom report, see Defining Settings in a Custom Report Using the Web UI on page 445.
- You have added one or more table sections to a custom report using the Central Management Web UI. For details about how to add a table to a section of a custom report, see Adding Tables to a Custom Report Using the Web UI on page 460.

To define filters for table attributes on a custom report section:
1. In the Settings page, click Next. The filter selection area is displayed.
2. In the Add Filters area:
   - Choose an attribute. The available options depend on the table option you selected.
   - Choose the operation (for example, In, Not In, Like, or =) to match the particular attribute. The available operations depend on the attribute you selected.
   - Enter any value you want to associate with the attribute.
   - Choose And or Or as the logical operation to associate with the attribute.
   - Click Add Filter. You can add multiple filters at one time.
   - To delete a filter, click the Delete (trash can) icon.
3. Repeat the previous step for each filter you want to define.
4. In the Additional Filters area:
   - Select Not Acknowledged, Acknowledged, or Both. The default value is Not Acknowledged.
   - (Optional) In the Limit field, enter the number of rows that you want displayed in the output.
   - Choose All Sensors or the applicable sensor or sensor-enabled integrated appliance that is connected to this Central Management appliance.
   The options in the Additional Filters area are based on the table option you selected.
5. (Optional) To preview the table settings, select the Preview checkbox. The table columns that you selected are displayed. If you need to refresh the content, click the refresh icon. This icon also allows you to preview the new settings while the Preview checkbox is selected.
6. Click Save. If there is a problem with the filter criteria that you defined, an error message appears; correct the filter definition.

Editing the Table Section of a Custom Report Using the Web UI

Follow these steps to edit the table section in a custom report for managed appliances using the Central Management appliance Web UI. You can change the table columns that you want displayed in the section of a custom report. When you change attributes of the table section of a custom report, the updated report section overwrites the existing report section.

You can edit the table section of a custom report only using the Web UI. If you want to completely delete a section of a custom report, click Delete in the Configure Section page.

To preview your report, click the toggle button in the custom report configuration page. Click the button again to return to edit mode.
Prerequisites
- Access to the Web UI of the Central Management appliance as Admin or Analyst
- You have defined the settings for the custom report using the Central Management Web UI. For details about how to define the settings for the custom report, see Defining Settings in a Custom Report Using the Web UI on page 445.
- You have added one or more table sections to a new custom report for a managed appliance using the Central Management Web UI. For details about how to add a table to a section of a custom report, see Adding Tables to a Custom Report Using the Web UI on page 460.

To edit the table section of a custom report:
1. In the Custom Reports page, locate the report section whose attributes you want to edit.
2. Click Edit. The Configure Section window opens for the relevant report section. In the Visualization Type area, a green check mark indicates that a table is selected.
3. Click Next. The table section details and settings are displayed.
4. In the Section Details area:
   - Change the name of the table for your custom report section.
   - (Optional) In the Description field, enter a description to define the report section.
5. In the Table Settings area:
   - Change the table type and data from the Table Type drop-down menu. The available table options depend on the appliance that is connected to your Central Management appliance.
   - In the Select Table Columns area, select the columns you want to view for the custom report. The available column options are based on the table option you selected.
6. (Optional) To preview the table settings, select the Preview checkbox. The table attributes that you changed are displayed. If you need to refresh the content, click the refresh icon.
7. Click Save.
8. Drag the table section to the intended position in the custom report.
You have the option to generate the report by clicking Generate Report. A confirmation message appears, and the custom report is added to the top of the generated custom report list. The report status is displayed as "In progress" in the Generated Custom Reports table and is updated as soon as the generated report is available.

Cloning a Table Section of a Custom Report Using the Web UI

Follow these steps to clone a table section of a custom report and save it as a new table section using the Central Management appliance Web UI. The new table section inherits the attributes from the existing table section. When you clone the attributes of an existing report section, the new section does not overwrite the existing section.

You can clone a table section of a custom report only using the Web UI. If you want to completely delete a section of a custom report, click Delete in the Configure Section page.

To preview your report, click the toggle button in the custom report configuration page. Click the button again to return to edit mode.

Prerequisites
- Access to the Web UI of the Central Management appliance as Admin or Analyst
- You have defined the settings for the custom report using the Central Management Web UI. For details about how to define the settings for the custom report, see Defining Settings in a Custom Report Using the Web UI on page 445.
- You have generated one or more custom reports for a managed appliance using the Central Management Web UI.

To clone a table section of a custom report:
1. In the Generated Custom Reports portion of the Custom Reports page, locate the report whose section or characteristics you want to clone.
2. Click the action icon.
3. Click Clone. The table attributes of the existing report section are copied as a new section.
4. Click Edit. The Configure Section window opens for the relevant report section.
   In the Visualization Type area, a green check mark indicates that a table is selected.
5. Click Next. The table section details and settings are displayed.
6. Change the data you want displayed.
7. Click Save.
8. Drag the section to the intended position in the custom report.

You have the option to generate the report by clicking Generate Report. A confirmation message appears, and the custom report is added to the top of the generated custom report list. The report status is displayed as "In progress" in the Generated Custom Reports table and is updated as soon as the generated report is available.

Deleting a Table Section From a Custom Report Using the Web UI

Follow these steps to delete a table section from a custom report for managed appliances using the Central Management appliance Web UI. You can delete a section from a custom report only using the Web UI.

Prerequisites
- Access to the Web UI of the Central Management appliance as Admin or Analyst
- You have added one or more table sections to a new custom report for a managed appliance using the Central Management Web UI. For details about how to add a table to a section of a custom report, see Adding Tables to a Custom Report Using the Web UI on page 460.

To delete a table section from a custom report:
1. In the Custom Reports page, locate the table section you want to delete.
2. Click the action icon.
3. Click Delete. The table section is removed from the custom report. You must generate the report for the changes to take effect.

Creating a Custom Report from a Predefined Report Template

You can clone a predefined report template and edit its attributes to generate a custom report.
When you select the Show Pre-populated Reports checkbox in the Generated Custom Reports table, you can view all the available static reports as predefined report templates. The available predefined report templates depend on the appliance that is connected to your Central Management appliance. By default, a predefined report template shows data generated during the past 3 months. After you clone a predefined report template, you can change the report settings and add, edit, clone, or delete sections.

If your Central Management appliance is connected to an Email Security — Server Edition appliance, you can create a custom report based on a clone of the following predefined report templates:
- Email Executive Summary
- Email Activity
- Email Hourly Stat
For detailed information about reports on the Email Security — Server Edition appliance, refer to the "Reports" chapter of the Email Security — Server Edition User Guide.

If your Central Management appliance is connected to a File Security appliance, you can create a custom report based on a clone of the File Executive Summary predefined report template. For detailed information about reports on the File Security appliance, refer to the "Reports" chapter of the File Security User Guide.

If your Central Management appliance is connected to a Network Security appliance, you can create a custom report based on a clone of the following predefined report templates:
- Executive Summary
- Callback Server
- Infected Hosts Trend
- Malware Activity
For detailed information about reports on the Network Security appliance, refer to the "Reports" chapter of the Network Security User Guide.
If your Central Management appliance is connected to an IPS-enabled Network Security appliance, you can create a custom report based on a clone of the following predefined report templates as a PDF file or as a CSV file:
- IPS Executive Summary
- IPS Top N Attacks
- IPS Top N Attackers
- IPS Top N MVX-Correlated
- IPS Top N Victims
For detailed information about IPS-specific reports, refer to the "IPS Reports" chapter of the Network Security IPS Feature Guide.

You can clone a predefined report template only using the Web UI.

Prerequisites
- Access to the Web UI of the Central Management appliance as Admin or Analyst

Creating a Custom Report from a Predefined Report Template Using the Web UI

Follow these steps to create a custom report from a predefined report template using the Central Management appliance Web UI.

To preview your report, click the toggle button in the custom report configuration page. Click the button again to return to edit mode.

To create a clone of a predefined report template:
1. In the Web UI, choose Reports > Custom Reports.
2. Select the Show Pre-populated Reports checkbox. All the available static reports are displayed as predefined report templates.
3. In the Generated Custom Reports table, locate the report template you want to clone.
4. Click the action icon in the Action column.
5. Click Clone. The attributes or characteristics for each section of the report template appear.
6. Drag the section to the intended position in the custom report.
7. To edit the table attributes or graph characteristics of a section and save it as part of a new report, click Edit. For details about how to edit a graph section, see Editing the Graph Section of a Custom Report Using the Web UI on page 454.
   For details about how to edit a table section, see Editing the Table Section of a Custom Report Using the Web UI on page 466.
8. To create a clone of a section, click Clone. The attributes of the existing report section are copied as a new section.
9. If you want to delete a clone of the applicable section from the report, click Delete.

You have the option to generate the report by clicking Generate Report. A confirmation message appears, and the custom report is added to the top of the generated custom report list. The report status is displayed as "In progress" in the Generated Custom Reports table and is updated as soon as the generated report is available.

Editing and Cloning Reports That Have Been Generated

You can edit and clone reports that have been generated by using the Central Management appliance Web UI:
- Editing the Table Attributes of a Generated Custom Report Using the Web UI below
- Editing the Graph Sections of a Generated Custom Report Using the Web UI on the next page
- Cloning a Table Section of a Custom Report Using the Web UI on page 478
- Cloning a Graph Section of a Generated Custom Report Using the Web UI on page 479

Prerequisites
- Access to the Web UI of the Central Management appliance as Admin or Analyst
- You have defined the settings for the custom report using the Central Management Web UI. For details about how to define the settings for the custom report, see Defining Settings in a Custom Report Using the Web UI on page 445.
- You have generated one or more custom reports for a managed appliance using the Central Management Web UI.

Editing the Table Attributes of a Generated Custom Report Using the Web UI

Follow these steps to edit the attributes (the table columns) of a custom report that has been generated for managed appliances using the Central Management appliance Web UI.
When you change the table attributes of a custom report that has been generated, the updated report overwrites the existing report.

You can edit the table attributes of a custom report only using the Web UI. If you want to completely delete a section of a custom report, click Delete in the Configure Section page.

To preview your report, click the toggle button in the custom report configuration page. Click the button again to return to edit mode.

Prerequisites
- Access to the Web UI of the Central Management appliance as Admin or Analyst
- You have generated one or more custom reports for a managed appliance using the Central Management Web UI.

To edit the table attributes of a generated custom report:
1. In the Web UI, choose Reports > Custom Reports.
2. In the Generated Custom Reports table, locate the custom report you want to edit.
3. Click the action icon in the Action column.
4. Click Edit. Each section of the report appears in the custom report section configuration page. For details about how to edit the table section in a custom report, see Editing the Table Section of a Custom Report Using the Web UI on page 466.

Editing the Graph Sections of a Generated Custom Report Using the Web UI

Follow these steps to edit the graph sections of a custom report that has been generated for managed appliances using the Central Management appliance Web UI. You can change the graph characteristics that you want displayed in the report section of a custom report that has been generated. When you change the characteristics of a graph section of a generated custom report, the updated report overwrites the existing report.

You can edit the graph section of a generated custom report only using the Web UI.
If you want to completely delete a section of a custom report, click Delete in the Configure Section page.

To preview your report, click the toggle button in the custom report configuration page. Click the button again to return to edit mode.

Prerequisites
- Access to the Web UI of the Central Management appliance as Admin or Analyst
- You have defined the settings for the custom report using the Central Management Web UI. For details about how to define the settings for the custom report, see Defining Settings in a Custom Report Using the Web UI on page 445.
- You have generated one or more custom reports for a managed appliance using the Central Management Web UI.

To edit the graph sections of a generated custom report:
1. In the Web UI, choose Reports > Custom Reports.
2. In the Generated Custom Reports table, locate the custom report you want to edit.
3. Click the action icon in the Action column.
4. Click Edit. Each section of the report appears in the custom report section configuration page. For details about how to edit the graph section in a custom report, see Editing the Graph Section of a Custom Report Using the Web UI on page 454.

Cloning a Table Section of a Custom Report Using the Web UI

Follow these steps to clone a table section of a custom report and save it as a new table section using the Central Management appliance Web UI. The new table section inherits the attributes from the existing table section. When you clone the attributes of an existing report section, the new section does not overwrite the existing section.

You can clone a table section of a custom report only using the Web UI. If you want to completely delete a section of a custom report, click Delete in the Configure Section page.
To preview your report, click the toggle button in the custom report configuration page. Click the button again to return to edit mode.

Prerequisites
- Access to the Web UI of the Central Management appliance as Admin or Analyst
- You have defined the settings for the custom report using the Central Management Web UI. For details about how to define the settings for the custom report, see Defining Settings in a Custom Report Using the Web UI on page 445.
- You have generated one or more custom reports for a managed appliance using the Central Management Web UI.

To clone a table section of a custom report:
1. In the Generated Custom Reports portion of the Custom Reports page, locate the report whose section or characteristics you want to clone.
2. Click the action icon.
3. Click Clone. The table attributes of the existing report section are copied as a new section.
4. Click Edit. The Configure Section window opens for the relevant report section. In the Visualization Type area, a green check mark indicates that a table is selected.
5. Click Next. The table section details and settings are displayed.
6. Change the data you want displayed.
7. Click Save.
8. Drag the section to the intended position in the custom report.

You have the option to generate the report by clicking Generate Report. A confirmation message appears, and the custom report is added to the top of the generated custom report list. The report status is displayed as "In progress" in the Generated Custom Reports table and is updated as soon as the generated report is available.

Cloning a Graph Section of a Generated Custom Report Using the Web UI

Follow these steps to clone a graph section of an existing custom report and save it as a new section for managed appliances using the Central Management appliance Web UI. You can create a new graph section based on a clone of an existing section.
The new graph section inherits the match characteristics from the graph section of the existing report. When you clone the characteristics of an existing report section, the new section does not overwrite the existing section.

You can clone a graph section of a generated custom report only using the Web UI. If you want to completely delete a section of a custom report, click Delete in the Configure Section page.

To preview your report, click the toggle button in the custom report configuration page. Click the button again to return to edit mode.

Prerequisites
- Access to the Web UI of the Central Management appliance as Admin or Analyst
- You have defined the settings for the custom report. For details about how to define the settings for the custom report, see Defining Settings in a Custom Report Using the Web UI on page 445.
- You have generated one or more custom reports for a managed appliance using the Central Management Web UI.

To clone a graph section of a generated custom report:
1. In the Web UI, choose Reports > Custom Reports.
2. In the Generated Custom Reports table, locate the custom report you want to clone.
3. Click the action icon in the Action column.
4. Click Clone. The characteristics for each section of the report appear. For details about how to clone a graph section in a custom report, see Cloning a Graph Section of a Custom Report Using the Web UI on page 456.
Sending, Downloading, and Deleting Custom Reports

You can send, download, and delete custom reports that have been generated by using the Central Management appliance Web UI:
- Sending Generated Custom Reports by Email Using the Web UI below
- Downloading a Generated Custom Report Using the Web UI on page 483
- Deleting a Generated Custom Report Using the Web UI on page 484

Prerequisites
- Access to the Web UI of the Central Management appliance as Admin or Analyst
- You have defined the settings for the custom report using the Central Management Web UI. For details about how to define the settings for the custom report, see Defining Settings in a Custom Report Using the Web UI on page 445.
- You have generated one or more custom reports for a managed appliance using the Central Management Web UI.

Sending Generated Custom Reports by Email Using the Web UI

Use the Generated Custom Reports table to send a generated custom report as an email attachment to a list of recipients for managed appliances using the Central Management appliance Web UI. You can send generated custom reports by email only using the Web UI.

Prerequisites
- Access to the Web UI of the Central Management appliance as Admin or Analyst
- You have defined the settings for the custom report using the Central Management Web UI. For details about how to define the settings for the custom report, see Defining Settings in a Custom Report Using the Web UI on page 445.
- You have generated one or more custom reports for a managed appliance using the Central Management Web UI.

To send a generated custom report by email:
1. In the Web UI, choose Reports > Custom Reports. The page lists the custom reports for a managed appliance that have already been generated in the custom reports database.
2. In the Generated Custom Reports table, select the generated custom report.
3. Click the action icon in the Action column.
4. Click Email. The Email Report window opens.
5. In the Recipients field, enter the email address of the report recipient. To add multiple recipients, press Enter after each email address. To delete a recipient, click X next to the email address you want to delete. Check the addresses before you send; the report leaves the appliance as an email attachment.
6. Click Send. The Central Management appliance sends the generated custom report by email to the intended recipients, and a confirmation message appears.

Downloading a Generated Custom Report Using the Web UI

Follow these steps to download a generated custom report from the Central Management appliance to your local desktop using the Central Management appliance Web UI. You can download a generated custom report only using the Web UI.

Prerequisites
- Access to the Web UI of the Central Management appliance as Admin or Analyst
- You have generated one or more custom reports for a managed appliance using the Central Management Web UI.

To download a generated custom report:
1. In the Web UI, choose Reports > Custom Reports. The page lists the custom reports for a managed appliance that have already been generated.
2. In the Generated Custom Reports table, locate the custom report you want to download to your desktop.
3. Click the action icon in the Action column.
4. Click Download.

Deleting a Generated Custom Report Using the Web UI

Use the Generated Custom Reports table to delete a custom report that has been generated from the custom reports database for managed appliances using the Central Management appliance Web UI. You can delete a generated custom report only using the Web UI.
Prerequisites
- Access to the Web UI of the Central Management appliance as Admin or Analyst
- You have defined the settings for the custom report. For details about how to define the settings for the custom report, see Defining Settings in a Custom Report Using the Web UI on page 445.
- You have generated one or more custom reports for a managed appliance using the Central Management Web UI.

To delete a generated custom report from the custom reports database:
1. In the Web UI, choose Reports > Custom Reports. The page lists the custom reports for a managed appliance that have already been generated in the custom reports database.
2. In the Generated Custom Reports table, select one or more custom reports to delete from the custom reports database.
3. Click the action icon in the Action column.
4. Click Delete. A dialog box prompts you to confirm your changes.
5. Click Yes. The reports you selected are removed from the custom reports database.

Generating and Scheduling Reports for Managed Appliances

All static reports that are available to all managed appliances can be generated or scheduled. You also have the option to schedule a custom report that has been generated on managed Email Security — Server Edition, Network Security, and File Security appliances. For example, on a Central Management appliance that manages one or more IPS-enabled Network Security appliances, all IPS-enabled Network Security static report types are included in the Report Type drop-down list.

Generating Reports for Managed Appliances Using the Web UI

Use the Generate Report page to generate static reports for managed appliances.

To generate static reports:
1. In the Web UI, choose Reports > Static Reports.
2. Generate the static reports as described in the User Guide for the managed appliance.
   - For SmartVision appliances, generate the SmartVision Alerts static report as described in the NX Series SmartVision Feature Guide. A SmartVision appliance can be any of the following:
     - SmartVision Edition sensor
     - SmartVision-enabled NX Series sensor
     - SmartVision-enabled NX Series integrated appliance
     You can generate a SmartVision Alerts report from the Web UI only. A SmartVision Alerts report cannot be customized.
   - For IPS-enabled Network Security appliances, generate the static reports as described in the IPS Feature Guide.

Scheduling Reports for Managed Appliances Using the Web UI

Use the Schedule Report page to schedule static or custom reports for managed appliances. You can schedule custom reports that have been generated for managed Email Security — Server Edition, Network Security, and File Security appliances if you select the Make Schedulable checkbox in the Reports > Custom Reports page on the Central Management appliance.

To schedule static reports:
1. In the Web UI, choose Reports > Schedule Reports.
2. Schedule the static reports as described in the User Guide for the managed appliance. For IPS-enabled Network Security appliances, schedule the static reports as described in the IPS Feature Guide. You can schedule a SmartVision Alerts report from the Web UI only. A SmartVision Alerts report cannot be customized.

To schedule custom reports:
1. In the Central Management appliance Web UI, choose Reports > Schedule Reports.
2. In the Report Type drop-down menu under "Custom Reports", select the custom report that has been generated for a managed Email Security — Server Edition, Network Security, or File Security appliance.
3. In the Scheduled drop-down menu, set the frequency:
   - hourly
   - daily
   - weekly
   - monthly
4. In the Time drop-down menu, set the time of day in hours and minutes (HH:MM).
5. If you selected a weekly report, specify the day of the week in the WeekDay field.
6. If you selected a monthly report, specify the day of the month in the MonthDay field.
7. In the Delivery drop-down menu, specify the delivery method. The default delivery is email.
   - email: Deliver the custom report as a file attached to an email.
   - file: Deliver the custom report as a file linked from the Web UI.
8. In the Time Frame drop-down menu, select the time period for this custom report:
   - past day: The report covers analysis generated during the past 24 hours.
   - past week: The report covers analysis generated during the past 7 days.
   - past month: The report covers analysis generated during the past 1 month.
   - past 3 months: The report covers analysis generated during the past 3 months.
9. Click Schedule Report. The scheduled report is added to the top of the scheduling list.

Generating and Scheduling Reports for Managed Appliances Using the CLI

Use the commands in this section to generate and schedule static reports for managed appliances. The commands are executed once; they are not stored.

NOTE: For comprehensive information about the reporting commands, see the User Guide for the managed appliance.

NOTE: If you omit the command parameter from these commands, you will be prompted for it, and the characters you enter will be masked for confidentiality.

NOTE: This topic describes how to execute a single command. You can also define a profile of commands that run in sequence unattended. See Working with Command Profiles on page 412.

To execute a command on an appliance:
1. Enable the CLI configuration mode:
      hostname > enable
      hostname # configure terminal
2. Execute the command:
      hostname (config) # cmc execute appliance <applianceName> command ["<command>"]
   where command is a form of the report generate or report schedule command and must be enclosed in double quotation marks.

To execute a command on a group of appliances:
1. Enable the CLI configuration mode:
      hostname > enable
      hostname # configure terminal
2. Execute the command:
      hostname (config) # cmc execute group <groupName> command ["<command>"]
   where command is a form of the report generate or report schedule command and must be enclosed in double quotation marks.

IMPORTANT: You can cancel the execution of outstanding commands, as described in Canceling Outstanding Commands on page 403.

Example

This example generates an Alert Details report on behalf of the NX-04 appliance.
      hostname (config) # cmc execute appliance NX-04 command "report generate type Alert_Details report_format csv report_detail normal alert_type malwareobject time_frame past_month transport file"
      Execute report command. Check email or WebUI for report.

CHAPTER 28: Checking Status and Health of Managed Appliances

There are several ways to view the status and health of managed appliances. An administrator can recheck the status and reset the connection status from the Central Management Web UI. From the Central Management CLI, an administrator can define the following settings for status and health checks on managed appliances:
- Enable/Disable: Whether status checks are performed on all managed appliances or on specific managed appliances. By default, status checks are enabled.
- Interval: The time delay between the start of one check and the next check. The default is 60 seconds.
- Timeout: The amount of time to wait for an appliance to send its status to the Central Management appliance. If a timeout occurs, a status failure is logged and the connection between the appliance and the Central Management appliance is broken.
The default is 30 seconds. Force Check—Forces an immediate status check of all managed appliances, even if checking is disabled overall with the no cmc status enable command. Status Test Criteria—Enable or disable testing the status of a specific criterion (such as the fan, support key, and so on) on all managed appliances. NOTE: Forced checking and status tests are not performed on a specific appliance if status checks are disabled for that appliance. NOTE: See Defining Status and Health Check Settings for Managed Appliances Using the CLI on page 496 for information about changing these settings. © 2019 FireEye 489 Central Management Administration Guide CHAPTER 28: Checking Status and Health of Managed Appliances Prerequisites l Monitor, Operator, or Admin access to view status and health l Admin access to recheck and reset status and configure status check criteria Checking Status and Health of Managed Appliances Using the Web UI Use the Sensors page to check the status and health of managed appliances. The Connection and Health columns provide high-level information. Additional information is displayed if you hover over an icon in the columns, as shown in the following examples. Detailed information is displayed when you click the appliance name in the Sensor column, as shown in the following example and described in Appliance Information on page 373. 490 © 2019 FireEye Release 8.7 Checking Status and Health of Managed Appliances Using the Web UI Refreshing the Status Information An administrator can do the following when there are connectivity or health warnings: l l Recheck collects the appliance details and health status, and updates the information in the Connection and Health columns and the expanded section. Reset checks the connection status when the Central Management appliance has no connectivity to the appliance. Reset also restores the connectivity if the underlying cause is removed. 
Connectivity loss can happen for the following reasons: l l The appliance is offline. The appliance is online but there is a serious issue (for example, the database or a process is down, an out-of-memory condition exists, or an incorrect IP address was configured for the appliance). To check status and health: 1. Click the Appliances tab. The Sensors tab should be selected. 2. Hover over icons in the Connection and Health columns to view additional information. 3. Click the appliance name in the Sensor column to view appliance details. To recheck the status: l Click Select > Recheck in the Action column in the row for the appliance you want to recheck. © 2019 FireEye 491 Central Management Administration Guide CHAPTER 28: Checking Status and Health of Managed Appliances IMPORTANT! The Recheck option is not available if the managed appliance initiated the connection to the Central Management appliance, as described in the System Administration Guide or Administration Guide for the managed appliance. To reset connectivity: l Click Reset in the Connection column for the appliance. Checking Status and Health of Managed Appliances Using the CLI Use the commands in this section to check the status and health of managed appliances. To view status: 1. Go to CLI enable mode: hostname > enable 2. View status: l To view high-level status of all appliances: hostname # show cmc appliances brief l To view health check criteria and detailed status information: hostname # show cmc status l To view the connection status of all appliances: hostname # show cmc appliances l To view comprehensive information about a specific appliance: hostname # show cmc appliances <applianceName> l To view comprehensive information about all appliances: hostname # show cmc appliances detail NOTE: You can also run Network Security network deployment checks using the cmc execute appliance <NXApplianceName> command deployment check commands. For details, see the NX Series System Administration Guide. 
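The following Python script is an added example and is not part of the FireEye guide or the appliance software. It parses constructed sample output modeled on the show cmc appliances brief table and the show cmc appliances per-appliance blocks described above (the column and field names are the ones the commands print; the exact whitespace alignment of the samples is an assumption) and lists every appliance that is disconnected, reports a Health other than ok, failed its status check, or has an unknown version compatibility, so an operator collecting this output from many CM appliances can triage it in one pass.

```python
"""Triage helper for Central Management status output (added example, not FireEye code).

Parses constructed samples modeled on `show cmc appliances brief` and
`show cmc appliances`, then lists appliances that need an administrator's attention.
"""
import re

# Constructed sample, modeled on the guide's `show cmc appliances brief` example.
BRIEF_OUTPUT = """\
Appliance   Address      Enabled   Connected   Health   Product
---------   -------      -------   ---------   ------   -------
ex-03       172.30.1.1   yes       no          CRIT     eMPS
nx-02       172.70.1.1   yes       yes         ok       wMPS
fx-04       172.20.1.1   yes       yes         WARN     fMPS
nx-01       172.70.2.1   yes       yes         ok       wMPS
nx-05       172.40.1.1   yes       yes         ok       wMPS
"""

# Constructed sample, modeled on the guide's `show cmc appliances` example.
DETAIL_OUTPUT = """\
Appliance nx-02:
  Address:            172.70.1.1
  Enabled:            yes
  Connected:          yes (client-initiated)
  Status check OK:    yes
  Version compatible: yes

Appliance ex-03:
  Address:            172.30.1.1
  Enabled:            yes
  Connected:          no
  Status check OK:    no
  Version compatible: unknown

Appliance fx-04:
  Address:            172.20.1.1
  Enabled:            yes
  Connected:          yes (server-initiated)
  Status check OK:    no
  Version compatible: yes
"""


def parse_brief(text):
    """Return {appliance name: {column: value}} from the tabular brief output."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = {}
    for ln in lines[1:]:
        if set(ln.strip()) <= set("- "):
            continue  # the dashed separator under the header
        fields = ln.split()
        if len(fields) != len(header):
            continue  # skip anything that is not a data row
        row = dict(zip(header, fields))
        rows[row["Appliance"]] = row
    return rows


def parse_detail(text):
    """Return {appliance name: {field: value}} from the per-appliance block output."""
    result, current = {}, None
    for ln in text.splitlines():
        m = re.match(r"^Appliance (\S+):\s*$", ln)
        if m:
            current = m.group(1)
            result[current] = {}
        elif current and ":" in ln:
            key, _, value = ln.strip().partition(":")
            result[current][key.strip()] = value.strip()
    return result


def triage(brief, detail):
    """Map appliance name -> reasons it needs attention (empty dict when all is well)."""
    problems = {}
    for name, row in brief.items():
        reasons = []
        if row["Connected"] != "yes":
            reasons.append("disconnected")
        if row["Health"] != "ok":
            reasons.append("health " + row["Health"])
        d = detail.get(name, {})  # an appliance may be absent from the detail output
        if d.get("Status check OK", "yes") != "yes":
            reasons.append("status check failed")
        if d.get("Version compatible") not in (None, "yes"):
            reasons.append("version compatibility " + d["Version compatible"])
        if reasons:
            problems[name] = reasons
    return problems


if __name__ == "__main__":
    found = triage(parse_brief(BRIEF_OUTPUT), parse_detail(DETAIL_OUTPUT))
    for name, reasons in sorted(found.items()):
        print(f"{name}: {', '.join(reasons)}")
```

Appliances that are only in the brief table (nx-01 and nx-05 in the sample) are judged on the Connected and Health columns alone; when the detail output is also supplied, a failed status check or an unknown version compatibility is added to the reasons, which matches the guide's note that data is not aggregated from an appliance whose version the CM no longer supports.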
Examples

show cmc appliances brief

This example shows that three appliances are enabled for Central Management management, one appliance is disconnected, and two appliances failed status checks.

hostname # show cmc appliances brief
Appliance   Address      Enabled   Connected   Health   Product
---------   -------      -------   ---------   ------   -------
ex-03       172.30.1.1   yes       no          CRIT     eMPS
nx-02       172.70.1.1   yes       yes         ok       wMPS
fx-04       172.20.1.1   yes       yes         WARN     fMPS
nx-01       172.70.2.1   yes       yes         ok       wMPS
nx-05       172.40.1.1   yes       yes         ok       wMPS

show cmc status

This example shows the status check settings and criteria, and then shows the status of each appliance that can be managed by this Central Management appliance.

hostname-01 # show cmc status
Status checking enabled: yes
Check interval:          60 seconds
Timeout:                 30 seconds
Status criteria:
  "alive" test enabled:        yes
  "content-key" test enabled:  yes
  "disk_space" test enabled:   yes
  "eula" test enabled:         yes
  "fan" test enabled:          yes
  "feature" test enabled:      yes
  "power_supply" test enabled: yes
  "product_key" test enabled:  yes
  "raid" test enabled:         yes
  "support_key" test enabled:  yes
  "temperature" test enabled:  yes
  "user_role" test enabled:    yes
Appliance ex-03:
  Last checked:            2014/12/23 21:28:02
  Connected at last check: no
  Replied to last check:   no
  Last check succeeded:    no
  Failed checks:
    alive failed
    content_key failed
    disk_space failed
    eula failed
    fan failed
    feature failed
    power_supply failed
    product_key failed
    raid failed
    support_key failed
    temperature failed
    user_role failed
Appliance nx-02:
  Last checked:            2014/12/23 21:28:02
  Connected at last check: yes
  Replied to last check:   yes
  Last check succeeded:    yes
Appliance fx-04:
  Last checked:            2014/12/23 21:28:02
  Connected at last check: yes
  Replied to last check:   yes
  Last check succeeded:    no
  Failed checks:
    content_key failed

show cmc appliances

This example displays the status of each appliance that can be managed by this Central Management appliance. In this case, the Network Security appliance initiated the request to be managed, the Email Security — Server Edition appliance is not currently connected, and the Central Management appliance initiated the connection between itself and the File Security appliance.

hostname # show cmc appliances
Appliance nx-02:
  Address:            172.70.1.1
  Enabled:            yes
  Connected:          yes (client-initiated)
  Status check OK:    yes
  Version compatible: yes
Appliance ex-03:
  Address:            172.30.1.1
  Enabled:            yes
  Connected:          no
  Status check OK:    no
  Version compatible: unknown
Appliance fx-04:
  Address:            172.20.1.1
  Enabled:            yes
  Connected:          yes (server-initiated)
  Status check OK:    no
  Version compatible: yes

show cmc appliances <applianceName>

This example displays the status and settings for the nx-02 appliance. The Central Management appliance initiated the connection with the appliance.

hostname # show cmc appliances nx-02
Appliance nx-02
  Connection status:
    Connected:                 yes (server-initiated)
    Connection failure reason: None
    Connection last formed:    2014/12/23 21:13:37
    Connection last broken:    2014/12/23 21:13:36
    Last connection attempt:   2014/12/23 21:13:36
    Next connection attempt:
    Current time:              2014/12/23 21:25:36
    Status check OK:           yes
    Server username on client: admin
    Client username on server: cmcclient
  Appliance Status:
    Client software version:    wMPS (wMPS) 7.7.0.420682
    Client product name:        wMPS Power
    Client software match:      no
    Client software compatible: yes
    Appliance ID:               002590AEE884
    Product model:              FireEyeNX900
    Content version:            432-lb.198
    Content channel:            stable
    Content sharing type:       all
  Configuration:
    Enabled:                 yes
    Address:                 172.10.0.0
    SSH port:                22
    Web UI protocol:         http
    Web UI HTTP port:        9023 (active)
    Web UI HTTPS port:       443
    Auto-connect:            yes
    Status check enabled:    yes
    Client requests enabled: yes
    Comment:
  Authentication:
    Authentication type: password
    password username:   admin
    password password:   ********
    ssh-dsa2 username:   admin
    ssh-dsa2 identity:
    ssh-rsa2 username:   admin
    ssh-rsa2 identity:
  Validation for client-initiated connections:
    Source address: (same as main address)
    Source port:    (no restriction)

show cmc appliances detail

The show cmc appliances detail command output is the same as the show cmc appliances <applianceID> command output, except it displays information about all managed appliances, not just one.

Defining Status and Health Check Settings for Managed Appliances Using the CLI

Use the commands in this section to define status and health check settings for managed appliances.

To define status check settings:

1. Enable the CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Define settings:
   - To enable status checking on all managed appliances:
     hostname (config) # cmc status enable
   - To disable status checking on all managed appliances:
     hostname (config) # no cmc status enable
   - To enable status checking on a specific managed appliance:
     hostname (config) # cmc appliance <applianceName> check-status
   - To disable status checking on a specific managed appliance:
     hostname (config) # no cmc appliance <applianceName> check-status
   - To set the interval between status checks:
     hostname (config) # cmc status check-interval <seconds>
   - To specify the amount of time to wait for an appliance to send its status:
     hostname (config) # cmc status timeout <seconds>
   - To force an immediate check of all managed appliances:
     hostname (config) # cmc status force-check
3. Save your changes:
   hostname (config) # write memory

To define the status check criteria to include:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Display the current criteria status:
   hostname (config) # show cmc status
3. Specify the criteria to include:
   - To enable status checking of a specific criterion:
     hostname (config) # cmc status criteria <criterionName> enable
   - To disable status checking of a specific criterion:
     hostname (config) # no cmc status criteria <criterionName> enable
4. Repeat the previous step for each test you want to enable or disable.
5. Save your changes:
   hostname (config) # write memory

Example

This example increases the time period between status checks to 90 seconds, and disables the temperature and raid criteria.

hostname (config) # cmc status check-interval 90
hostname (config) # no cmc status criteria temperature enable
hostname (config) # no cmc status criteria raid enable

CHAPTER 29: Updating Managed Appliances

You can update managed appliances with the latest appliance system image and guest images from the Central Management Web UI or CLI.

When the Central Management appliance is in "online" mode (that is, connected to the DTI network), checks for newer available versions are automatically performed for managed appliances that have the appropriate licenses installed. In online mode, the Central Management appliance stores the images in a DTI cache on the Central Management appliance. If an update is requested, and the requested image is not already in the cache, the Central Management appliance downloads it. A Central Management administrator can manually download images to the cache when it is convenient instead of waiting for an update request. This can save bandwidth and shorten the maintenance window for updating appliances.
For details, see Understanding the DTI Cache on page 137 and Downloading Software Updates to the DTI Cache on page 139.

You can update multiple appliances at the same time. Each appliance is updated independently and does not depend on updates being completed on other appliances. However, if the images are not already in the cache, and if the DTI source server is very busy or if the connection to it is slow, the update could time out.

System images should be updated before you install guest images. If you request system image and guest image updates at the same time, the system image is updated first. However, if the appliance is rebooted before the guest images are downloaded (for example, if you choose to automatically reboot the appliance after the system image update), the request to download guest images is lost, so you must request it again.

You could instead stagger the updates to minimize the impact to the system. For example, you could update the appliance software images, but then wait until off-hours or a maintenance window to update the guest images, because guest images take longer to download and install.

IMPORTANT! If an appliance is running a system image version that your Central Management appliance no longer supports, a message is displayed on the Central Management Dashboard, and you should update the appliance immediately. Data will not be aggregated from that appliance to the Central Management appliance until you update, and you will be unable to make configuration changes on behalf of the appliance.

NOTE: These procedures show how to update managed appliances when the Central Management appliance is in "online" mode and connected to the DTI network. When the Central Management appliance is not connected to the DTI network, it can be in "local" or "URL" mode, in which it downloads the updates from a file that is either stored locally or hosted on a local site identified by a URL. For details, see the FireEye DTI Offline Update Portal Guide.

NOTE: These procedures show how to update software images and guest images. By default, security content is automatically downloaded to the cache and updated on managed appliances. For details about changing the update settings, see the System Administration Guide or Administration Guide for the managed appliance.

Prerequisites

- Admin access
- DTI network access
- FIREEYE_SUPPORT license on each managed appliance for system image updates
- CONTENT_UPDATES license on each managed appliance for security content updates

Updating Managed Appliances Using the Web UI

Use the appliance update page to determine whether the latest appliance system image and guest images are installed, and to update them as needed. You can also use this page to view the installed security content version.

NOTE: You can perform this procedure whether the managed appliance uses CMS, CDN, or DTI as its DTI source server. (See Changing the Active Setting for a DTI Service on page 131 for details about these options.)

This page contains the information described in the following table.

Field: Sensor (hostname)
Description: The display name of the appliance.

Field: Connection
Description: The status of the connection between the Central Management appliance and the managed appliance. The icon shown means one of the following:
  - The connection is established.
  - The connection failed; the appliance cannot be updated until the connection is reestablished.

Field: Product
Description: The type of appliance.

Field: System Software Status
Description: The installed appliance software version. If other versions are available, you can select a version or select none to do this later.

Field: Detection Engine Status
Description: Whether the latest guest images are installed. If not, you can select latest to install them or select none to do this later.
  NOTE: This column is empty for an appliance in MVX sensor mode.

Field: Sensor Update Status Info
Description: Indicators and information about current and available versions or the update being performed. The icon shown means one of the following:
  - All available guest images and patches have been updated.
  - An error occurred, such as the update timing out.
  - New updates are available.
  - The installed appliance software version is not supported by the Central Management appliance.
  - An immediate reload is required to complete the upgrade.

If updates are available for an appliance, the checkbox in the Sensor (hostname) column can be selected, and a message is displayed in the column.

To update an appliance:

1. Click the Appliances tab. The Sensors tab should be selected.
2. On the Sensors page, click Actions > Update Sensors.
3. If you want to filter by appliance group, select the group in the Sensor Group drop-down list.
4. Select the checkbox for each appliance you want to update.
5. To update the system image:
   a. Select the version from the drop-down list in the System Software Status column. If you want to postpone this update, select none.
   b. The appliance must be rebooted after the upgrade. If you want this to happen automatically, select the Auto Reboot checkbox.
6. If the guest images need to be updated, select latest in the Detection Engine Status column. (If you want to postpone this update, select none.)
   NOTE: Appliances in MVX sensor mode do not have guest images, so the Detection Engine Status column is empty.
7. Click Update Selected Sensors. Status messages will be displayed in the Sensor Update Status Info column.
8. If you did not select auto reboot, a message is displayed after the update is done. Click the Reload checkbox, and then click OK when prompted to confirm the action.

Updating Managed Appliances Using the CLI

Use the commands in this section to update the system image and guest images for managed appliances.

NOTE: This section provides basic commands used to update software images and download and install default guest images. For comprehensive information about using the CLI to update appliances, see the System Administration Guide or Administration Guide for your appliance or the CLI Command Reference.

NOTE: To update VX Series appliances, use the fenet update appliance commands, as described in the MVX Smart Grid Administration Guide.

To install the latest system image and reboot the appliance:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Initiate the update process:
   hostname (config) # fenet appliance manage <applianceName> upgrade
3. View the progress:
   hostname (config) # cmc execute appliance <applianceName> command "show fenet image status"
4. Save your changes:
   hostname (config) # cmc execute appliance <applianceName> command "write memory"

To download and install guest images:

1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Download the latest guest images:
   hostname (config) # cmc execute appliance <applianceName> command "guest-images download"
3. Verify that the guest images download is complete:
   hostname (config) # cmc execute appliance <applianceName> command "show guest-images download"
4. Install the guest images:
   hostname (config) # cmc execute appliance <applianceName> command "guest-images install"
5. Verify that the guest images are installed properly:
   hostname (config) # cmc execute appliance <applianceName> command "show guest-images"
6. Save your changes:
   hostname (config) # cmc execute appliance <applianceName> command "write memory"

NOTE: It can take a long time to download guest images. If you need to cancel the download, use the cmc execute appliance <applianceName> command "guest-images download cancel" command. To resume the download, use the cmc execute appliance <applianceName> command "guest-images download resume" command.

Example

This example installs the latest guest images on the FX-05 appliance.

hostname (config) # cmc execute appliance FX-05 command "guest-images install"
===========Appliance FX-05==========
Execution was successful.
Execution output:
Found guest-images that can be installed
Installing guest-images
Terminating running work orders and virtual analysis subsystem ........
Restarting WebUI ....
Installation complete!

CHAPTER 30: Configuring Custom IOC Feeds

This chapter covers the following information:

- About Custom IOC Feeds below
- Enabling or Disabling Custom IOC Feeds on page 507
- Creating a Custom Blacklist from Third-Party Feeds on page 514
- Uploading a Third-Party Feed on page 516
- Viewing Custom Feed Details on page 518
- Deleting Third-Party IOC Feeds Using the Web UI on page 521
- Downloading a Third-Party Feed Using the Web UI on page 523

About Custom IOC Feeds

The Central Management appliance can receive indicators of compromise (IOCs) from the following custom feeds.

- Third-party feeds send IOCs to the Central Management appliance from a third-party (non-FireEye) product.
- DTI feeds provide files from FireEye's Dynamic Threat Intelligence (DTI) cloud.
- A single local feed sends IOCs to the Central Management appliance from NX, EX, FX, and AX Series appliances. A local feed is a system-generated feed that is managed by the Central Management appliance. You cannot upload, delete, edit, or download a local feed.
The IOCs from custom feeds are distributed to managed Network Security appliances in a standard format. You can create customized lists of IOCs received from these feeds and use them as a custom blacklist on the Central Management appliance. The types of IOCs are URL indicators, IP address indicators, domain indicators, and indicators with hashes of malicious files. You can create a list for each type of indicator, or you can combine them into a standard format called STIX (Structured Threat Information Expression).

You configure the managed Network Security appliances to block or allow traffic that matches the custom blacklist. If traffic is blocked, you are notified that a block occurred. If traffic is not blocked, an alert is created and you are notified that a match occurred.

Only one master custom blacklist is created from all the feeds. This master blacklist is maintained on the Central Management appliance and is copied to all the managed Network Security appliances.

IMPORTANT! Enabling third-party feeds or the local feed on the Central Management appliance can negatively impact the performance of the appliance.

Task List for Managing Custom IOC Feeds

Complete the steps for managing custom IOC feeds in the following order:

1. Verify that the managed Network Security appliances are deployed in TAP mode or inline mode.
2. On the Central Management appliance, enable custom IOC feeds. For details, see Enabling or Disabling Custom IOC Feeds on the facing page.
3. Create a flat file or XML-based file in STIX format that contains custom blacklist entries. Verify the file is accessible from the local desktop from which you access the Central Management Web UI. For details about how to create a custom blacklist from a third-party feed, see Creating a Custom Blacklist from Third-Party Feeds on page 514.
4. Upload the third-party feed blacklist to a Central Management appliance. For details about how to upload a third-party feed, see Uploading a Third-Party Feed on page 516.
5. View the details of the malware events that matched the name of the custom blacklist feed. For details, see Viewing Custom Feed Details Grouped by Alert Using the Web UI on page 520.

Enabling or Disabling Custom IOC Feeds

This section describes how to enable or disable a Central Management appliance to receive indicators (IOCs) from a custom feed and distribute them to all managed Network Security appliances or a specific managed Network Security appliance. When the custom IOC feed feature is disabled, DTI feeds are not pushed to all managed Network Security appliances or a specific managed Network Security appliance.

A Central Management appliance cannot distribute indicators of compromise (IOCs) to managed SmartVision Edition sensors.

You can enable or disable the custom IOC feed features only using the CLI. Third-party feeds are enabled by default when you add the Network Security appliance to the Central Management appliance. The local feed is disabled by default. DTI feeds are automatically pushed to the managed Network Security appliance.

Enabling third-party feeds or the local feed on the Central Management appliance can negatively impact the performance of the appliance.

IMPORTANT! IOC feeds are not supported on integrated FireEye NX 300 models that are managed by the Central Management appliance.

Prerequisites

- Admin access to the Central Management appliance.
- A connection to the Dynamic Threat Intelligence (DTI) Cloud.
- Managed Network Security appliance deployed in TAP mode or inline mode.
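Because every third-party blacklist entry you upload is copied to all managed Network Security appliances in the single master blacklist, a malformed or duplicated entry propagates everywhere at once. The following Python script is an added example, not part of the FireEye guide or the product, that checks a flat-file feed before upload: it sorts each line into one of the four indicator types named under About Custom IOC Feeds (IP address, domain, URL, file hash), normalises case where it does not matter, drops duplicates, and reports lines that fit no type. The file layout it assumes (one indicator per line, # comments, blank lines ignored) and the sample feed are constructed for the example; the layout the guide requires is described on page 514, not here.

```python
"""Pre-upload validator for a flat-file custom IOC blacklist (added example, not FireEye code).

Assumed layout (an assumption for this example): one indicator per line,
lines starting with '#' are comments, blank lines are ignored.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Hostname: dot-separated labels of 1-63 chars, no leading/trailing hyphen, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)
# Hex digest lengths for the hash algorithms the feed may carry.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)

# Constructed sample feed: one valid entry of each type, a duplicate, and malformed lines.
SAMPLE_FEED = """\
# constructed third-party feed, one indicator per line
198.51.100.23
2001:db8::42
malicious.example.net
http://malicious.example.net/download/payload.bin
d41d8cd98f00b204e9800998ecf8427e
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
malicious.example.net
999.1.1.1
not a valid indicator
ZZZZ8cd98f00b204e9800998ecf8427e
"""


def classify(entry):
    """Return 'ip', 'hash', 'url' or 'domain' for one trimmed line, or None if malformed."""
    try:
        ipaddress.ip_address(entry)  # accepts both IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if len(entry) in HASH_LENGTHS and HEX_RE.match(entry):
        return "hash"
    parsed = urlparse(entry)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    if DOMAIN_RE.match(entry):
        return "domain"
    return None


def validate_feed(text):
    """Split a feed into ({type: sorted unique entries}, [(line number, rejected line)])."""
    accepted = {"ip": set(), "domain": set(), "url": set(), "hash": set()}
    rejected = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        kind = classify(entry)
        if kind is None:
            rejected.append((lineno, entry))
            continue
        # Hashes and domain names are case-insensitive; lower-case them so duplicates collapse.
        if kind in ("hash", "domain"):
            entry = entry.lower()
        accepted[kind].add(entry)
    return {k: sorted(v) for k, v in accepted.items()}, rejected


if __name__ == "__main__":
    good, bad = validate_feed(SAMPLE_FEED)
    for kind, entries in good.items():
        print(f"{kind}: {len(entries)} unique entries")
    for lineno, entry in bad:
        print(f"line {lineno}: rejected {entry!r}")
```

Run it against a feed file before uploading it to the CM; a non-empty rejected list means the file should be corrected at the source rather than pushed to every sensor. The type split also gives you the per-type lists the guide says you can upload separately instead of a combined STIX file.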
© 2019 FireEye 507 Central Management Administration Guide CHAPTER 30: Configuring Custom IOC Feeds Enabling or Disabling Third-Party IOC Feeds on All Appliances Using the CLI These procedures describe how to enable or disable a Central Management appliance to receive indicators (IOC) from a third-party feed and distribute them to all managed Network Security appliances. A Central Management appliance cannot distribute indicators of compromise (IOCs) to managed SmartVision Edition sensors. To enable a third-party feed for all managed Network Security appliances: 1. Log in to the Central Management CLI. 2. Enable CLI configuration mode. cm-hostname > enable cm-hostname # configure terminal 3. Enable IOCs from a third-party feed for all managed Network Security appliances. cm-hostname (config) # custom content enable 4. Verify the status of third-party IOC feeds. cm-hostname (config) # show custom content enable status CMS status CM-1 : enabled LMS status B9-vNX2500-1 : enabled B9-vNX6500-1 : enabled Bolt : enabled SystemVX12500-1 : enabled SystemVX12500-2 : enabled 5. Save your changes. cm-hostname (config) # write memory To disable a third-party feed for all managed Network Security appliances: 1. Log in to the Central Management CLI. 2. Enable CLI configuration mode. cm-hostname > enable cm-hostname # configure terminal 3. Disable IOCs from all third-party feeds on the CM. cm-hostname (config) # no custom content enable 508 © 2019 FireEye Release 8.7 Enabling or Disabling Custom IOC Feeds 4. Verify the status of IOC customizations. cm-hostname (config) # show custom content enable status CMS status CM-1 : disabled LMS status B9-vNX2500-1 : enabled B9-vNX6500-1 : enabled Bolt : enabled SystemVX12500-1 : enabled SystemVX12500-2 : enabled 5. Save your changes. 
    cm-hostname (config) # write memory

Enabling or Disabling the Local Feed on All Appliances Using the CLI

These procedures describe how to enable and disable a Central Management appliance to receive IOCs from the local feed and distribute them to all managed Network Security appliances. A Central Management appliance cannot distribute IOCs to managed SmartVision Edition sensors.

Enabling the local feed on the Central Management appliance can negatively impact the performance of the appliance. The local feed only provides data when there are actual alerts.

To enable the local feed for all managed Network Security appliances:

1. Log in to the Central Management CLI.
2. Enable CLI configuration mode.
    cm-hostname > enable
    cm-hostname # configure terminal
3. Enable local signature generation settings. The local feed does not work if this is not enabled. By default, local signature generation is already enabled.
    cm-hostname (config) # localsig enable
4. Enable IOCs from a third-party feed for all managed Network Security appliances. The local feed does not work if third-party feeds are not enabled.
    cm-hostname (config) # custom content enable
5. Enable IOCs from the local feed.
    cm-hostname (config) # localsig localfeed enable
6. Verify the status of third-party IOC feeds.
    cm-hostname (config) # show custom content enable status
    CMS status
    CM-1 : enabled
    LMS status
    B9-vNX2500-1 : enabled
    B9-vNX6500-1 : enabled
    Bolt : enabled
    SystemVX12500-1 : enabled
    SystemVX12500-2 : enabled
7. Verify the status of the local feed.
    CMS1 > show localsig
    LocalSig Generator
    Enabled : YES
    Running : running
    Rule Versions : 1
    Active rules : 1337
    LocalFeed : Enabled
8. Save your changes.
    cm-hostname (config) # write memory

To disable the local feed for all managed Network Security appliances:

1. Log in to the Central Management CLI.
2. Enable CLI configuration mode.
    cm-hostname > enable
    cm-hostname # configure terminal
3. You can disable IOCs from the local feed in a number of ways:
    • Disable IOCs from the local feed on the CM.
        cm-hostname (config) # no localsig localfeed enable
    • Disable IOCs from all third-party feeds on the CM. When you disable IOCs from the third-party feeds, the IOCs from the local feed are also disabled.
        cm-hostname (config) # no custom content enable
    • Disable local signature generation settings. When you disable local signature generation settings, the IOCs from the local feed are also disabled.
        cm-hostname (config) # no localsig enable
4. Verify the status of third-party IOC feeds.
    cm-hostname (config) # show custom content enable status
    CMS status
    CM-1 : disabled
    LMS status
    B9-vNX2500-1 : enabled
    B9-vNX6500-1 : enabled
    Bolt : enabled
    SystemVX12500-1 : enabled
    SystemVX12500-2 : enabled
5. Verify the status of the local IOC feed.
    CMS1 > show localsig
    LocalSig Generator
    Enabled : YES
    Running : running
    Rule Versions : 1
    Active rules : 1337
    LocalFeed : Disabled
6. Save your changes.
    cm-hostname (config) # write memory

Enabling or Disabling Third-Party IOC Feeds on a Specific Appliance Using the CLI

These procedures describe how to enable or disable a Central Management appliance to receive IOCs from a third-party feed and distribute them to a specific managed Network Security appliance. A Central Management appliance cannot distribute IOCs to managed SmartVision Edition sensors. You can verify that this feature is disabled when you log in to the managed Network Security appliance.

To enable a third-party feed for a specific managed Network Security appliance:

1. Log in to the Central Management CLI.
2. Enable CLI configuration mode.
    cm-hostname > enable
    cm-hostname # configure terminal
3. Enable IOCs from a third-party feed for a managed Network Security appliance.
    cm-hostname (config) # custom content enable on lms <applianceID>
   where applianceID is the Network Security appliance record name.
4. Verify the status of IOC customizations.
    cm-hostname (config) # show custom content enable status
    CMS status
    CM-1 : enabled
    LMS status
    B9-vNX2500-1 : enabled
5. Save your changes.
    cm-hostname (config) # write memory

To disable a third-party feed for a specific managed Network Security appliance:

1. Log in to the Central Management CLI.
2. Enable CLI configuration mode.
    cm-hostname > enable
    cm-hostname # configure terminal
3. Disable IOCs from a third-party feed for a specific managed Network Security appliance.
    cm-hostname (config) # no custom content enable on lms <applianceID>
   where applianceID is the Network Security appliance record name.
4. Save your changes.
    cm-hostname (config) # write memory
5. Log in to the CLI on the managed Network Security appliance.
6. Enable CLI configuration mode.
    nx-hostname > enable
    nx-hostname # configure terminal
7. Verify the status of third-party IOC feeds.
    nx-hostname (config) # show custom content enable status
    Custom content : disabled

Enabling or Disabling the Local IOC Feed on a Specific Appliance Using the CLI

The local feed is enabled or disabled for a specific managed appliance only by enabling or disabling the third-party feed for that appliance. A Central Management appliance cannot distribute IOCs to managed SmartVision Edition sensors.

To enable the local feed for a specific managed Network Security appliance:

1. Log in to the Central Management CLI.
2. Enable CLI configuration mode.
    cm-hostname > enable
    cm-hostname # configure terminal
3. Enable local signature generation settings. The local feed does not work if this is not enabled.
   By default, local signature generation is already enabled.
    cm-hostname (config) # localsig enable
4. Enable IOCs from a third-party feed for a managed Network Security appliance.
    cm-hostname (config) # custom content enable on lms <applianceID>
   where <applianceID> is the Network Security appliance record name. This third-party feed identifies the managed appliance for the local feed. The local feed does not work if this third-party feed is not enabled.
5. Enable IOCs from the local feed.
    cm-hostname (config) # localsig localfeed enable
6. Verify the status of IOC customizations.
    cm-hostname (config) # show custom content enable status
    CMS status
    CM-1 : enabled
    LMS status
    B9-vNX2500-1 : enabled
7. Verify the status of the local IOC feed.
    CMS1 > show localsig
    LocalSig Generator
    Enabled : YES
    Running : running
    Rule Versions : 1
    Active rules : 1337
    LocalFeed : Enabled
8. Save your changes.
    cm-hostname (config) # write memory

To disable the local feed for a specific managed Network Security appliance:

1. Log in to the Central Management CLI.
2. Enable CLI configuration mode.
    cm-hostname > enable
    cm-hostname # configure terminal
3. Disable IOCs from a third-party feed for a specific managed Network Security appliance. When you disable IOCs from a third-party feed for a managed appliance, the IOCs from the local feed for the appliance are also disabled.
    cm-hostname (config) # no custom content enable on lms <applianceID>
   where applianceID is the Network Security appliance record name.
4. Save your changes.
    cm-hostname (config) # write memory
5. Log in to the CLI on the managed Network Security appliance.
6. Enable CLI configuration mode.
    nx-hostname > enable
    nx-hostname # configure terminal
7. Verify the status of third-party IOC feeds.
    nx-hostname (config) # show custom content enable status
    Custom content : disabled

Creating a Custom Blacklist from Third-Party Feeds

You can upload up to 30 unique feeds to the Central Management appliance from a flat file or an XML-based file in STIX 1.2 format. Configure a combined maximum of 25,000 custom blacklist entries across all of the feeds by specifying each blacklist entry on a separate line. A unique name is required for each feed. The feed name that you specify appears as the malware name in the Alerts > Alerts > Alerts page on the managed Network Security appliance. For details about how to view the details of a custom feed, see Viewing Custom Feed Details on page 518.

FireEye recommends that you make sure that there are no invalid or duplicate blacklist entries so that you do not reach the allotted limit.

Follow these guidelines when you create a blacklist:

• FireEye recommends that you specify only public IP addresses in the custom blacklist.
• FireEye recommends that you create the list of URLs in an ASCII text file. The maximum number of characters is 2500 for all URLs.
• Import STIX 1.2 files. The domain entries in STIX 1.0.1 are not supported.
• FireEye recommends that you upload third-party feeds that have only a .txt file extension, because incorrect file extensions can cause problems when creating a feed.
• Specify URL entries in the custom blacklist at the subdirectory level (for example, http://test.com/testfolder1/1.html). Malicious URLs are not blocked if they are specified at the directory level (for example, http://test.com/testfolder1/).

To include an optional comment string as part of your feed entry, follow these guidelines:

• Begin the comment with <feed>#
• No spaces are allowed before the hash sign.
• ASCII characters only.
• Maximum of 62 characters.
• Comments are not supported in STIX files.
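A pre-upload check for flat-file feeds, added here as an example (not FireEye code) that turns the guidelines above into checks you can run on the file from your desktop before uploading it. The comment syntax is read as the entry followed directly by the hash sign, which is an assumption, and the sample feed lines are constructed.

```python
"""Lint a flat-file custom blacklist before uploading it as a third-party
feed.  Added example, not FireEye code: one entry per line, optional comment
after '#', no space before the hash, ASCII comments of at most 62 characters,
public IP addresses only, URLs at the subdirectory level, no invalid or
duplicate entries, 2500 characters for all URLs, 25,000 entries in at most
30 feeds."""
import ipaddress
import re

MAX_FEEDS, MAX_ENTRIES_ALL_FEEDS = 30, 25_000
MAX_COMMENT_CHARS, MAX_URL_CHARS_TOTAL = 62, 2500
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def split_entry(line):
    """Split 'entry#comment'.  The guide says a comment begins with '<feed>#';
    this reads that as the entry followed directly by '#' (assumption).
    Returns (entry, list of comment problems)."""
    problems = []
    entry, sep, comment = line.partition("#")
    if sep:
        if entry != entry.rstrip():
            problems.append("space before the hash sign")
        if not comment.isascii():
            problems.append("comment contains non-ASCII characters")
        if len(comment) > MAX_COMMENT_CHARS:
            problems.append(f"comment longer than {MAX_COMMENT_CHARS} characters")
    return entry.strip(), problems


def check_ip(entry):
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        return "not a valid IP address"
    # RFC 1918, loopback, link-local and documentation (TEST-NET) ranges are
    # not globally routable, so they are not public addresses.
    return None if addr.is_global else "not a public IP address"


def check_url(entry):
    if not entry.lower().startswith(("http://", "https://")):
        return "URL must start with http:// or https://"
    _host, _, path = entry.partition("://")[2].partition("/")
    # Directory-level URLs (no path, or a trailing '/') are not blocked.
    if path == "" or path.endswith("/"):
        return "URL is at directory level; specify the subdirectory or file"
    return None


def check_hash(entry, hex_digits):
    if len(entry) != hex_digits or not HEX_RE.match(entry):
        return f"not a valid {hex_digits}-character hex hash"
    return None


CHECKS = {"ip": check_ip, "url": check_url,
          "domain": lambda e: None if DOMAIN_RE.match(e) else "not a valid domain name",
          "md5": lambda e: check_hash(e, 32), "sha256": lambda e: check_hash(e, 64)}


def lint_feed(text, feed_type):
    """Return (valid_entries, errors); errors are (line_number, message)
    tuples, with line 0 used for whole-file problems."""
    check = CHECKS[feed_type]
    seen, entries, errors, url_chars = set(), [], [], 0
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # blank lines carry no entry
        entry, problems = split_entry(line)
        msg = check(entry) if entry else "line has a comment but no entry"
        if msg:
            problems.append(msg)
        if problems:
            errors.extend((no, p) for p in problems)
            continue
        key = entry if feed_type == "url" else entry.lower()
        if key in seen:
            errors.append((no, "duplicate entry"))
            continue
        seen.add(key)
        entries.append(entry)
        url_chars += len(entry) if feed_type == "url" else 0
    if url_chars > MAX_URL_CHARS_TOTAL:
        errors.append((0, f"URLs total {url_chars} characters; limit is {MAX_URL_CHARS_TOTAL}"))
    return entries, errors


def check_limits(entry_counts):
    """Appliance-wide limits: at most 30 feeds and 25,000 entries combined."""
    msgs = [f"{len(entry_counts)} feeds exceeds {MAX_FEEDS}"] if len(entry_counts) > MAX_FEEDS else []
    if sum(entry_counts) > MAX_ENTRIES_ALL_FEEDS:
        msgs.append(f"{sum(entry_counts)} entries exceeds {MAX_ENTRIES_ALL_FEEDS}")
    return msgs


# Constructed sample feeds (not real indicators); each bad line violates one
# guideline.  203.0.113.7 is a TEST-NET documentation address, not a public one.
SAMPLE_URL_FEED = """\
http://test.com/testfolder1/1.html#known bad landing page
http://test.com/testfolder1/
http://test.com/testfolder1/1.html
http://test.com/testfolder2/a.php #space before the hash
"""
SAMPLE_IP_FEED = "10.0.0.5\n203.0.113.7\nnot-an-ip\n"

if __name__ == "__main__":
    print(lint_feed(SAMPLE_URL_FEED, "url"), lint_feed(SAMPLE_IP_FEED, "ip"))
```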
Use the Upload Feed page to import a custom blacklist for the following types of content:

• IP addresses—A custom list of remote addresses. You can specify the list of IP addresses in a flat file. The IP address feed file is used as a flat file and provides the same functionality as the corresponding XML-based file in STIX format.
• Domain Names—A custom list that contains the entries of known suspicious or malicious domains. You can specify the list of domains in a flat file. The domain feed file is used as a flat file and provides the same functionality as the corresponding XML-based file in STIX format.
• URLs—A custom list that contains entries of known suspicious or malicious URLs. You can specify the list of URLs in a flat file. The URL feed file is used as a flat file and provides the same functionality as the corresponding XML-based file in STIX format.
• Hash Files—A custom list that contains entries of known suspicious or malicious files that are represented as a list of MD5 or SHA-256 hashes in a flat file. The hash feed file is used as a flat file and provides the same functionality as the corresponding XML-based file in STIX format.
  IMPORTANT! You cannot import hash files on FireEye NX 10000 models that are managed by the Central Management appliance.
• STIX—A shared list of suspected malicious URL indicators, IP address indicators, domain indicators, and indicators with MD5 and SHA-256 hashes of malicious files. You can upload a standard STIX 1.2 file in place of the other four feed files.

Uploading a Third-Party Feed

In the following example of the Appliance Settings: Third Party Feeds page, the managed Network Security appliance does not yet contain third-party feeds.

NOTE: You can upload a third-party feed only using the Web UI.
The local feed is managed (uploaded and deleted) automatically by the Central Management appliance. You cannot upload it.

Prerequisites

• Log in to the Web UI of the Central Management appliance as Admin.
• A connection to the Dynamic Threat Intelligence (DTI) Cloud.
• A managed Network Security appliance is deployed in TAP mode or inline mode.
• Enable IOCs from third-party feeds. For details, see Enabling or Disabling Custom IOC Feeds on page 507.
• Create a flat file or an XML-based file in STIX 1.2 format that contains custom blacklist entries. Verify that the file is accessible from the local desktop from which you access the Web UI. For details, see Creating a Custom Blacklist from Third-Party Feeds on page 514.

Uploading a Third-Party Feed Using the Web UI

Follow these steps to upload a third-party feed to the Central Management appliance using the Web UI.

To upload a third-party feed to a Central Management appliance:

1. Log in to the Central Management appliance as an administrator.
2. In the Web UI, choose Settings > Appliance Settings.
3. Select the managed Network Security appliance and then select 3rd Party Feeds. The page lists the custom feeds that are uploaded.
4. Click Upload New Feed.
5. Enter the name of the feed in the Feed Name field.
6. If you want to override an existing feed with an updated flat file, select the Override checkbox.
7. Click Choose File to select the flat file or STIX file you want to import.
8. Choose the content type from the Type drop-down menu:
    • IP
    • URL
    • Hash MD5
    • Hash SHA-256
    • Domain
    • STIX
9. Choose the feed action from the Action drop-down menu:
    • Alert
    • Block
10. (Optional) Enter explanatory information about the intelligence feed in the Comment field.
11. Click Upload to upload the feed.
    • The system checks the entries in the custom blacklist file.
    • A progress message appears:
    If there is a problem with the feed that you imported (for example, invalid entries or the wrong format), the following message appears:

Viewing Custom Feed Details

View details about the status of custom IOC feeds, the total number of custom IOC feeds, and the total number of all the custom blacklist entries that you configured on managed Network Security appliances from the Central Management appliance. View the local feed status using the CLI. Track the number of blacklist entries that were configured for each third-party feed using the CLI.

Prerequisites

• Admin access to the Central Management appliance.
• A connection to the Dynamic Threat Intelligence (DTI) Cloud.
• A managed Network Security appliance is deployed in TAP mode or inline mode.
• Enable IOCs from custom feeds. For details, see Enabling or Disabling Custom IOC Feeds on page 507.
• Create a flat file or an XML-based file in STIX 1.2 format that contains custom blacklist entries. Verify that the file is accessible from the local desktop from which you access the Web UI. For details, see Creating a Custom Blacklist from Third-Party Feeds on page 514.
• Upload one or more third-party feeds to a managed Network Security appliance from a flat file or an XML-based file in STIX 1.2 format. For details about how to upload a feed, see Uploading a Third-Party Feed on page 516.

Viewing Custom Feed Details Using the Web UI

In the following example of the Appliance Settings: Third Party Feeds page, the managed Network Security appliance contains five custom feeds.

To view custom feed details:

1. In the Web UI, choose Settings > Appliance Settings.
2. Select the managed Network Security appliance and then select 3rd Party Feeds. The page lists the custom feeds that are uploaded.
3. In the table, view the details of each type of custom blacklist entry that was configured for a custom feed.
Viewing Custom Feed Details Using the CLI

Follow these steps to view custom feed details and to track the number of blacklist entries that were configured for each third-party feed using the CLI. You can view the status of the local feed in the CLI, but not local feed details.

To view the custom feed details in the CLI:

1. Log in to the Central Management CLI.
2. Enable CLI configuration mode.
    cm-hostname > enable
    cm-hostname # configure terminal
3. View the details for each type of blacklist entry that was configured for a third-party feed.
    cm-hostname (config) # show custom content feed status
    Total no. of feeds: 5
    Total count of all entries in feeds : 22
    custom_feed_1
      source: custom feed test
      action: alert
      type : url
      url count : 6
      update_date : 2017/07/06 22:38:26
    custom_feed_2
      source: IP feed
      action: alert
      type : ip
      ip count : 4
      update_date : 2017/07/06 22:24:25
    custom_feed_3
      source: URL flat file
      action: alert
      type : url
      url count : 6
      update_date : 2017/07/06 22:26:15
    custom_feed_4
      source: STIX domain watchlist
      action: block
      type : stix
      domain count : 3
      update_date : 2017/07/06 22:32:45
    custom_feed_5
      source: STIX URL watchlist
      action: alert
      type : stix
      url count : 3
      update_date : 2017/07/06 22:34:03
4. View the status of the local feed.
    cm-hostname (config) # show localsig
    LocalSig Generator
    Enabled : YES
    Running : running
    Rule Versions :
    Active rules : 0
    LocalFeed : Enabled

Viewing Custom Feed Details Grouped by Alert Using the Web UI

The Alerts > Alerts > Alerts page lists the details of the event results table, grouped by alert, of the malware events that matched the name of the custom blacklist feed that you imported on a managed Network Security appliance from the Central Management appliance.
You can drill down to identify matched traffic that was either blocked or not blocked for the following types of malware:

• Domain Match—Domain that matches the name of the feed that contains the entries of known suspicious or malicious domains that you imported.
• Infection Match—Pattern that matches the name of the feed that contains entries of known suspicious or malicious URLs or IP addresses that you imported.
• Malware Object—Hash that matches the name of the feed that contains entries of MD5 or SHA-256 file types that you imported.

To view the custom feed details grouped by alert on a managed Network Security appliance:

1. Log in to the managed Network Security Web UI.
2. Choose Alerts > Alerts > Alerts.
3. To expand an entry, click the alert type in the Alert Type column.

Deleting Third-Party IOC Feeds Using the Web UI

Follow these steps to delete third-party feeds from the Central Management appliance using the Web UI.

NOTE: You can delete a third-party feed only using the Web UI. The local feed is managed (uploaded and deleted) automatically by the Central Management appliance. Local feed data is automatically removed when the corresponding locally generated rules (localsig rules) expire. You cannot delete local feed data.

IMPORTANT: When a file hash feed is added on the Central Management appliance and you do not want to impact appliance performance, choose one of the following options to stop calculating the MD5 or SHA-256 hashes that are detected in network traffic:

• Log in locally to each managed Network Security appliance to disable the file inspection feature.
  Use the no bottracker fi-md5 enable command to disable calculating MD5 hashes. Use the no bottracker fi-sha256 enable command to disable calculating SHA-256 hashes.
• Delete all the hash MD5 or SHA-256 feed files in the Central Management appliance Web UI. However, all the hash MD5 or SHA-256 feed files will then be deleted from all the managed Network Security appliances that are connected to this Central Management appliance.

For details about how to enable or disable the option to inspect and calculate MD5 or SHA-256 hash files, refer to the Network Security User Guide.

Prerequisites

• Log in to the Web UI of the Central Management appliance as Admin.
• Upload one or more feeds to a managed Network Security appliance from a flat file or an XML-based file in STIX 1.2 format. For details about how to upload a feed, see Uploading a Third-Party Feed on page 516.

To delete a third-party IOC feed:

1. In the Web UI, choose Settings > Appliance Settings.
2. Select the managed Network Security appliance and then select 3rd Party Feeds. The page lists the custom feeds that are uploaded.
3. In the table, select the check box next to the third-party feed you want to delete. You can select multiple feeds at one time.
4. Click Delete Feed. A dialog box prompts you to confirm your changes.
5. Click Yes. The feed is removed from the table. The following message appears:
6. Close the message.

Downloading a Third-Party Feed Using the Web UI

Follow these steps to download a third-party IOC feed from the Central Management appliance using the Web UI.

NOTE: You can download a custom IOC feed only using the Web UI. You cannot download the local feed.

Prerequisites

• Log in to the Web UI of the Central Management appliance as Admin.
• Upload one or more third-party feeds to a managed Network Security appliance from a flat file or an XML-based file in STIX 1.2 format.
  For details about how to upload a feed, see Uploading a Third-Party Feed on page 516.

To download a third-party IOC feed:

1. In the Web UI, choose Settings > Appliance Settings.
2. Select the managed Network Security appliance and then select 3rd Party Feeds. The page lists the custom feeds that are uploaded.
3. In the table, locate the third-party feed you want to download to your local desktop.
4. In the Download column, click the download icon.

CHAPTER 31: Filtering Alerts Using Tags and Rules

This chapter covers the following information:

• Overview of Filtering Alerts Using Tags and Rules below
• Configuring Tags and Values on the next page
• Configuring Rules to Manage Alert Tags on page 534
• Viewing Tags for an Alert for Managed Email Security — Server Edition Appliances Using the Web UI on page 549
• Viewing Tags for an Alert for Managed Network Security Appliances Using the Web UI on page 550
• Adding Tags to Alerts Manually for Managed Appliances Using the Web UI on page 550

Overview of Filtering Alerts Using Tags and Rules

NOTE: Alerts can be filtered using tags and rules only on managed Email Security — Server Edition and Network Security appliances.

The Central Management appliance allows you to define tags and rules so that they can be used to filter alerts on managed appliances. You can define a number of tags to filter out alerts that you want to retain on managed appliances. A tag can be used to filter related alerts that contain the same tag name or value. For example, alerts can be tagged to identify traffic that contains the specified virtual local area network (VLAN) or subnet on managed appliances. Tags are automatically added to the database on the Central Management appliance.

A rule can be used to manage alert tags on managed appliances.
A rule can be configured based on different alert attributes (for example, source IP address, target IP address, or severity type). Each rule can be associated with a relevant action and applied to all incoming alerts that contain the matched alert attributes.

Task List for Filtering Alerts Using Tags and Rules

Complete the steps for filtering alerts using tags and rules in the following order:

1. Log in to the Central Management Web UI.
2. Add tags and values to the tag configuration table. See Adding Tags Using the Web UI on the facing page and Adding Values to a Tag Using the Web UI on page 530.
3. Configure rules to manage alert tags on managed appliances. See Configuring Rules to Manage Alert Tags on page 534.
4. View tags that are associated with an alert in the managed appliance Web UI. See Viewing Tags for an Alert for Managed Email Security — Server Edition Appliances Using the Web UI on page 549 and Viewing Tags for an Alert for Managed Network Security Appliances Using the Web UI on page 550.
5. If desired, manually add tags to an alert in the Alerts page on a managed Network Security appliance. See Adding a Tag to an Alert for Managed Appliances Using the Web UI on page 551.

Configuring Tags and Values

You can configure tags and values that you associate with an alert on managed appliances by using the Central Management appliance Web UI:

• Adding Tags Using the Web UI on the facing page
• Editing Tags Using the Web UI on page 528
• Deleting Tags Using the Web UI on page 529
• Adding Values to a Tag Using the Web UI on page 530
• Editing Values for a Tag Using the Web UI on page 531
• Deleting Values From a Tag Using the Web UI on page 533

You can configure restricted or unrestricted tags and associate them to filter incoming alerts on the managed appliances.
A restricted tag can be modified, deleted, or changed to an unrestricted tag only by a user that is assigned an Admin role. An unrestricted tag can be modified or deleted by a user that is assigned an Admin role or Analyst role.

The total number of alerts and values are associated with a tag name. For example, you can define a tag with the name "Region" and the value "US". All the incoming alerts are filtered by "Region" as the tag name in the Alerts page on the managed appliances. Tags are automatically added to the database on the Central Management appliance.

In the following example, the Central Management appliance does not yet contain tags.

Usage Guidelines

Follow these usage guidelines when you create tags and values to associate with an alert:

• The name and value of the tag can contain alphanumeric characters only. Tag names and values are case-sensitive. UTF-8 is also supported.
• The name of the tag can contain up to 100 characters.
• Only a user that is assigned an Admin role can restrict a tag from other users.
• Only an Admin user can modify, delete, and change a restricted tag to an unrestricted tag.
• A restricted tag can be added only from the Settings > CM Settings > Alert Management > Tags page on the Central Management appliance.

Prerequisites

• Access to the Web UI of the Central Management appliance as Admin or Analyst
• Admin, Analyst, or Monitor access to view restricted and unrestricted tags

Adding Tags Using the Web UI

Follow these steps to add tags to the tag configuration table that are associated with an alert on managed appliances using the Central Management appliance Web UI.

NOTE: You can add tags to the table only using the Web UI.

To add a tag:

1. In the Web UI, choose Settings > CM Settings > Alert Management > Tags.
2. Click Create Tag. The Create Tag window opens.
3. In the Name field, enter the name of the tag.
4. (Optional) Select the Restricted checkbox to restrict the tag to users that are assigned an Admin role.
5. Click Apply. The following message appears:

Editing Tags Using the Web UI

Follow these steps to edit tags in the tag configuration table that are associated with alerts on managed appliances using the Central Management appliance Web UI.

NOTE: You can edit tags in the table only using the Web UI.

NOTE: If you change the name of an existing tag, the renamed tag retains all its tag values and alerts.

Prerequisites

• Access to the Web UI of the Central Management appliance as Admin or Analyst
• Admin access to edit a restricted tag
• Admin or Analyst access to edit an unrestricted tag
• You have added one or more tags to a database on managed appliances using the Central Management Web UI. For details about how to add a tag to an alert, see Adding Tags Using the Web UI on the previous page.

To edit a tag:

1. In the Web UI, choose Settings > CM Settings > Alert Management > Tags.
2. In the table, locate the tag you want to edit.
3. Click the action icon in the Actions column.
4. Click Edit. The Edit Tag window opens.
5. In the Name field, edit the name of the tag.
6. (Optional) Select the Restricted checkbox to restrict the tag to users that are assigned an Admin role.
7. Click Apply. The following message appears:

Deleting Tags Using the Web UI

Follow these steps to delete tags and all the associated values from the tag configuration table using the Central Management appliance Web UI. All the tags and the associated values are automatically removed from the associated alerts on the managed appliances.

NOTE: You can delete tags and all the associated values from the table only using the Web UI.
Prerequisites

• Access to the Web UI of the Central Management appliance as Admin or Analyst
• Admin access to delete a restricted tag
• Admin or Analyst access to delete an unrestricted tag
• You have added one or more tags to a database on managed appliances using the Central Management Web UI. For details about how to add a tag to an alert, see Adding Tags Using the Web UI on page 527.

To delete a tag:

1. In the Web UI, choose Settings > CM Settings > Alert Management > Tags.
2. In the table, locate the tag you want to delete.
3. Click the action icon in the Actions column.
4. Click Delete. A dialog box prompts you to confirm your changes.
5. Click Yes. The tag is removed from the table. The following message appears:

Adding Values to a Tag Using the Web UI

Use the Settings > CM Settings > Alert Management > Tags page to add values to a tag using the Central Management appliance Web UI. Click the plus icon to expand the tag entry. The drill-down view displays the values that have already been added to a tag and the number of alerts associated with the tag.

You can add multiple values to an alert tag. An alert can be matched with any value that you configured. The default value associated with a tag is an empty string.

NOTE: You can add values to a tag only using the Web UI.

Prerequisites

• Access to the Web UI of the Central Management appliance as Admin or Analyst
• You have added one or more tags to a database on managed appliances using the Central Management Web UI. For details about how to add a tag, see Adding Tags Using the Web UI on page 527.

To add a value to a tag:

1. In the Web UI, choose Settings > CM Settings > Alert Management > Tags.
2. In the table, locate the tag to which you want to add a value.
3. Click the plus icon to expand the tag entry.
4. Click Add Value.
   The Add Value window opens.
5. In the Value field, enter the value you want to associate with the tag.
6. Click Apply. The following message appears:
7. Repeat the previous steps to configure additional values.

Editing Values for a Tag Using the Web UI

Follow these steps to edit values that are associated with a tag on the managed appliances using the Central Management appliance Web UI.

NOTE: You can edit values for a tag only using the Web UI.

Prerequisites

• Log in to the Web UI of the Central Management appliance as Admin or Analyst
• Admin access to edit a value for a restricted tag
• Admin or Analyst access to edit a value for an unrestricted tag
• You have added one or more tags using the Central Management Web UI. For details about how to add a tag, see Adding Tags Using the Web UI on page 527.
• You have added one or more values to a tag. For details about how to add a value to a tag, see Adding Values to a Tag Using the Web UI on page 530.

To edit the values for a tag:

1. In the Web UI, choose Settings > CM Settings > Alert Management > Tags.
2. In the table, locate the tag whose value you want to edit.
3. Click the plus icon to expand the tag entry.
4. In the table, locate the value you want to edit.
5. Click the action icon in the Actions column.
6. Click Edit. The Edit Value window opens. If a value has not yet been assigned, the Current Value line does not appear.
7. In the Value field, modify the value you want to associate with the tag.
8. Click Apply. The following message appears:
   Click Cancel to cancel the entry.

Deleting Values From a Tag Using the Web UI

Follow these steps to delete values from a tag and from all associated alerts on the managed appliances using the Central Management appliance Web UI.

NOTE: You can delete values from a tag only using the Web UI.
Prerequisites

• Admin access to delete a value from a restricted tag
• Admin or Analyst access to delete a value from an unrestricted tag
• You have added one or more tags to a database on managed appliances using the Central Management Web UI. For details about how to add a tag, see Adding Tags Using the Web UI on page 527.
• You have added one or more values to associate with a tag to a managed appliance using the Central Management Web UI. For details about how to add a value to a tag, see Adding Values to a Tag Using the Web UI on page 530.

To delete a value from a tag:

1. In the Web UI, choose Settings > CM Settings > Alert Management > Tags.
2. Click the plus icon to expand the tag entry.
3. In the table, locate the value you want to delete.
4. Click the action icon in the Actions column.
5. Click Delete. A dialog box prompts you to confirm your changes.
6. Click Yes. The value is removed from the tag entry. The following message appears:

Configuring Rules to Manage Alert Tags

You can configure rules that are used to manage alert tags on managed appliances by using the Central Management appliance Web UI. A rule matches criteria and performs actions, associated with user-defined tags, that filter incoming alerts on the managed appliances. Each rule can be associated with multiple actions. If the rule condition is matched, a tag is either added to an alert to include the matched condition or deleted from an alert to exclude the matched condition. Rules are carried out in the priority order that you specified in the rules configuration table.

In the following example, the Central Management appliance does not yet contain rules.
This section covers the following information:
• Adding a Rule to Match a Condition for a Particular IP Address Using the Web UI on the facing page
• Adding a Rule to Match a Condition for a Particular VLAN Using the Web UI on page 537
• Adding a Rule to Match a Condition for a Particular Appliance Using the Web UI on page 538
• Adding a Rule to Match a Condition for a Particular Product Type Using the Web UI on page 540
• Adding a Rule to Match a Condition for a Particular Severity Type Using the Web UI on page 542
• Adding a Rule to Match a Condition for a Particular Email Using the Web UI on page 543
• Editing a Rule Using the Web UI on page 545
• Deleting a Rule for an Alert Tag Using the Web UI on page 547
• Setting or Changing the Priority of Rules Using the Web UI on page 548

Usage Guidelines

Follow these usage guidelines when you configure rules that are used to manage tags on managed appliances:
• The name of the rule can contain alphanumeric characters.
• Only unrestricted tags can be created by using rules.
• A rule must contain at least one condition and one action.
• A rule cannot contain multiple values for a single condition.
• A single rule can contain different criteria entries (but not duplicate entries).
• A single rule can contain multiple actions.

Prerequisites
• Access to the Web UI of the Central Management appliance as Admin or Analyst.

Adding a Rule to Match a Condition for a Particular IP Address Using the Web UI

Follow these steps to add a rule that matches a condition for a particular IP address using the Central Management appliance Web UI. You can configure a rule to match traffic to a particular target, identified by the victim IP address. You can also configure a rule to match traffic from a particular source, identified by the attacker IP address.
You can add the relevant tag to this rule for all incoming alerts that contain the specified source IP address or target IP address.

NOTE: You can add rules to match a condition for a particular IP address only using the Web UI.

To add a rule to match a condition for a particular IP address:
1. In the Web UI, choose Settings > CM Settings > Alert Management > Rules.
2. Click Create Rule. The Create Rule window opens.
3. In the Rule Name field, enter the name of the rule.
4. In the Matching Criteria area:
   • Choose Source IP or Target IP.
   • Choose in prefix, not in prefix, present, not present, equal to, or not equal to as the operation to match the particular IP address.
   • Enter the IP address of the source or target.
   • Click Add Condition. The source IP address or target IP address condition is added to the match criteria table.
5. In the Associated Actions area:
   • Choose Alert Tag Add to add a tag to an alert that matches the rule's condition, or choose Alert Tag Delete to delete a tag from an alert that matches the rule's condition.
   • Select an existing tag or tag/value pair, or enter a new tag or tag/value pair, and enter any value you want to associate with the tag.
   • Click Add Action. The rule action is added to the associated tag table.
6. Click Apply. A confirmation message appears.

Adding a Rule to Match a Condition for a Particular VLAN Using the Web UI

Follow these steps to add a rule that matches a condition for a particular VLAN using the Central Management appliance Web UI. You can configure a rule to match traffic from a particular VLAN. You can add the relevant tag to this rule for all incoming alerts that contain the specified VLAN ID.
NOTE: You can add or delete rules to match a condition for a particular VLAN only using the Web UI.

To add a rule to match a condition for a particular VLAN:
1. In the Web UI, choose Settings > CM Settings > Alert Management > Rules.
2. Click Create Rule. The Create Rule window opens.
3. In the Rule Name field, enter the name of the rule.
4. In the Matching Criteria area:
   • Choose VLAN.
   • Choose equal to, not equal to, greater than, less than, less than or equal to, or greater than or equal to as the operation to match the particular VLAN.
   • Enter the VLAN ID. Valid characters are alphanumeric characters.
   • Click Add Condition. The VLAN condition is added to the match criteria table.
5. In the Associated Actions area:
   • Choose Alert Tag Add to add a tag to an alert that matches the rule's condition, or choose Alert Tag Delete to delete a tag from an alert that matches the rule's condition.
   • Select an existing tag or tag/value pair, or enter a new tag or tag/value pair, and enter any value you want to associate with the tag.
   • Click Add Action. The rule action configuration is added to the associated tag table.
6. Click Apply. A confirmation message appears.

Adding a Rule to Match a Condition for a Particular Appliance Using the Web UI

Follow these steps to add a rule that matches a condition for a particular appliance using the Central Management appliance Web UI. You can configure a rule to match traffic from the particular appliance that generated the alerts. You can add the relevant tag to this rule for all incoming alerts that contain the specified appliance record name.

NOTE: You can add or delete rules to match a condition for a particular appliance only using the Web UI.

To add a rule to match a condition for a particular appliance:
1. In the Web UI, choose Settings > CM Settings > Alert Management > Rules.
2. Click Create Rule. The Create Rule window opens.
3. In the Rule Name field, enter the name of the rule.
4. In the Matching Criteria area:
   • Choose Appliance ID.
   • Choose equal to or not equal to as the operation to match the particular appliance ID.
   • Enter the appliance ID. To obtain the appliance ID of a managed Network Security appliance or a managed Email Security — Server Edition appliance, choose Appliances > Sensors; the appliance ID is displayed in the Sensor ID column.
   • Click Add Condition. The appliance ID condition is added to the match criteria table.
5. In the Associated Actions area:
   • Choose Alert Tag Add to add a tag to an alert that matches the rule's condition, or choose Alert Tag Delete to delete a tag from an alert that matches the rule's condition.
   • Select an existing tag or tag/value pair, or enter a new tag or tag/value pair, and enter any value you want to associate with the tag.
   • Click Add Action. The rule action configuration is added to the associated tag table.
6. Click Apply. A confirmation message appears.

Adding a Rule to Match a Condition for a Particular Product Type Using the Web UI

Follow these steps to add a rule that matches a condition for a particular product type connected to this Central Management appliance, using the Central Management appliance Web UI. You can configure a rule to match traffic from a particular product type. You can add the relevant tag to this rule for all incoming alerts that contain the specified product type connected to this Central Management appliance.

NOTE: You can add or delete rules to match a condition for a particular product type only using the Web UI.

To add a rule to match a condition for a particular product type:
1. In the Web UI, choose Settings > CM Settings > Alert Management > Rules.
2. Click Create Rule. The Create Rule window opens.
3. In the Rule Name field, enter the name of the rule.
4. In the Matching Criteria area:
   • Choose Product Type.
   • Choose equal to or not equal to as the operation to match the particular product type.
   • Choose a product type from the drop-down list.
   • Click Add Condition. The product type condition is added to the match criteria table.
5. In the Associated Actions area:
   • Choose Alert Tag Add to add a tag to an alert that matches the rule's condition, or choose Alert Tag Delete to delete a tag from an alert that matches the rule's condition.
   • Select an existing tag or tag/value pair, or enter a new tag or tag/value pair, and enter any value you want to associate with the tag.
   • Click Add Action. The rule action configuration is added to the associated tag table.
6. Click Apply. A confirmation message appears.

Adding a Rule to Match a Condition for a Particular Severity Type Using the Web UI

Follow these steps to add a rule that matches a condition for a particular severity type using the Central Management appliance Web UI. You can configure a rule to match alerts of a particular severity. You can add the relevant tag to this rule for all incoming alerts that contain the specified severity type.

NOTE: You can add or delete rules to match a condition for a particular severity type only using the Web UI.

To add a rule to match a condition for a particular severity type:
1. In the Web UI, choose Settings > CM Settings > Alert Management > Rules.
2. Click Create Rule. The Create Rule window opens.
3. In the Rule Name field, enter the name of the rule.
4. In the Matching Criteria area:
   • Choose Severity.
   • Choose equal to, not equal to, greater than, less than, less than or equal to, or greater than or equal to as the operation to match the particular severity type.
   • Depending on the operation chosen for the severity criteria, choose critical, major, or minor as the severity type.
   • Click Add Condition. The severity condition is added to the match criteria table.
5. In the Associated Actions area:
   • Choose Alert Tag Add to add a tag to an alert that matches the rule's condition, or choose Alert Tag Delete to delete a tag from an alert that matches the rule's condition.
   • Select an existing tag or tag/value pair, or enter a new tag or tag/value pair, and enter any value you want to associate with the tag.
   • Click Add Action. The rule action configuration is added to the associated tag table.
6. Click Apply. A confirmation message appears.

Adding a Rule to Match a Condition for a Particular Email Using the Web UI

Follow these steps to add a rule that matches a condition for a particular email address using the Central Management appliance Web UI. You can configure a rule to match traffic sent from a particular sender email address or sent to a particular recipient email address. You can add the relevant tag to this rule for all incoming alerts that contain the specified sender email address or recipient email address.

NOTE: You can add or delete rules to match a condition for a particular email only using the appliance Web UI.

To add a rule to match a condition for a particular email:
1. In the Web UI, choose Settings > CM Settings > Alert Management > Rules.
2. Click Create Rule. The Create Rule window opens.
3. In the Rule Name field, enter the name of the rule.
4. In the Matching Criteria area:
   • Choose Email Sender or Email Recipient.
   • Choose equal to, not equal to, present, or not present as the operation to match the particular email.
   • Enter the email address of the sender or recipient.
   • Click Add Condition. The sender email or recipient email condition is added to the match criteria table.
5. In the Associated Actions area:
   • Choose Alert Tag Add to add a tag to an alert that matches the rule's condition, or choose Alert Tag Delete to delete a tag from an alert that matches the rule's condition.
   • Select an existing tag or tag/value pair, or enter a new tag or tag/value pair, and enter any value you want to associate with the tag.
   • Click Add Action. The rule action configuration is added to the associated tag table.
6. Click Apply. A confirmation message appears.

Editing a Rule Using the Web UI

Follow these steps to edit a rule that is used to manage an alert tag on a managed appliance using the Central Management appliance Web UI.

NOTE: You can edit rules for an alert tag only using the Web UI.

Usage Guidelines

Follow these usage guidelines when you edit a rule that manages an alert tag on a managed appliance:
• A rule must contain at least one condition and one action. If a rule has a single condition and a single action, you cannot delete either one; you must delete the rule instead.
• A rule can contain one condition and multiple actions. To remove an action, delete that action. To remove the condition, you must delete the rule.
• A rule can contain multiple conditions and one action. To remove a condition, delete that condition. To remove the action, you must delete the rule.

Prerequisites
• Access to the Web UI of the Central Management appliance as Admin or Analyst.
• You have added one or more tags to a database on a managed appliance. For details about how to add a tag to an alert, see Adding Tags Using the Web UI on page 527.
• You have added one or more rules to a managed appliance. For details about how to configure rules to manage a tag, see Configuring Rules to Manage Alert Tags on page 534.

To edit a rule for an alert tag:
1. In the Web UI, choose Settings > CM Settings > Alert Management > Rules.
2. In the table, locate the rule you want to edit.
3. Click the action icon in the Actions column.
4. Click Edit. The Edit Rule window opens.
5. In the Rule Name field, edit the name of the rule.
6. In the Matching Criteria area:
   • Choose the relevant match criteria and operation from the drop-down lists.
   • Enter the relevant value.
   • Click Add Condition. The condition is added to the match criteria table.
   • To remove a condition, locate it in the table and click the Delete (trash can) icon. The condition that was previously used in the rule is deleted.
7. In the Associated Actions area:
   • Choose Alert Tag Add to add a tag to an alert that matches the rule's condition, or choose Alert Tag Delete to delete a tag from an alert that matches the rule's condition.
   • Select an existing tag or tag/value pair, or enter a new tag or tag/value pair, and enter any value you want to associate with the tag.
   • Click Add Action. The rule action configuration is added to the associated tag table.
   • To remove an action, click the Delete (trash can) icon next to it. The tag that was previously used in the rule is deleted.
8. Click Apply. A confirmation message appears.

Deleting a Rule for an Alert Tag Using the Web UI

Follow these steps to completely delete a rule for an alert tag on a managed appliance using the Central Management appliance Web UI.

NOTE: You can delete rules for an alert tag only using the Web UI.
Prerequisites
• Log in to the Web UI of the Central Management appliance as Admin or Analyst.
• You have added one or more tags to a database on a managed appliance. For details about how to add a tag to an alert, see Adding Tags Using the Web UI on page 527.
• You have added one or more rules to a managed appliance. For details about how to configure rules to manage a tag, see Configuring Rules to Manage Alert Tags on page 534.

To delete a rule for an alert tag:
1. In the Web UI, choose Settings > CM Settings > Alert Management > Rules.
2. In the table, locate the rule you want to delete.
3. Click the action icon in the Actions column.
4. Click Delete. A dialog box prompts you to confirm your changes.
5. Click Yes. The rule is removed from the table and a confirmation message appears.

Setting or Changing the Priority of Rules Using the Web UI

Follow these steps to set or change the priority order in which rules are applied to incoming alerts on managed appliances, using the Central Management appliance Web UI.

NOTE: You can change the priority of the rules only using the Web UI.

Prerequisites
• Access to the Web UI of the Central Management appliance as Admin or Analyst.
• You have added one or more tags to a managed appliance. For details about how to add a tag to an alert, see Adding Tags Using the Web UI on page 527.
• You have added one or more rules to a managed appliance. For details about how to configure rules to manage a tag, see Configuring Rules to Manage Alert Tags on page 534.

To set or change the priority of the rules:
1. In the Web UI, choose Settings > CM Settings > Alert Management > Rules.
2. In the Order column, enter the new priority for the rule you want to change, then press Enter. You can change the priority of only one rule at a time. The priority of this rule changes, and the priorities of all other rules affected by the change are renumbered accordingly. A confirmation message appears.

Viewing Tags for an Alert for Managed Email Security — Server Edition Appliances Using the Web UI

The Email Alerts page on the Central Management appliance lists the tags associated with an email alert that was tagged because it matched the criteria you defined in the tags and rules. If an alert contains a restricted tag, "[R]" is displayed next to the tag entry.

Prerequisites
• Access to the Web UI of the Central Management appliance as Admin, Analyst, or Monitor.

Viewing Tags for an Alert for Managed Network Security Appliances Using the Web UI

The Alerts > NX > Alerts page on the Central Management appliance lists the tags associated with an alert that matched the criteria you defined in the tags and rules. If an alert contains a restricted tag, "[R]" is displayed next to the tag entry.

Prerequisites
• Access to the Web UI of the Central Management appliance as Admin, Analyst, or Monitor.

Adding Tags to Alerts Manually for Managed Appliances Using the Web UI

You can manually add tags to a Network Security alert on the Alerts page by using the Central Management appliance Web UI. Tags that you add manually affect only the alert to which they were added.
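The preceding rule sections describe the same machinery from several angles: a condition is a field, an operation from the drop-down list and a value; an action either adds or deletes a tag/value pair; and rules are applied in the order shown in the Order column, so a later rule can undo what an earlier one did. The following is an added example in Python that models that evaluation so the effect of ordering can be seen on constructed alerts. It is not FireEye code and does not describe how the CM appliance is implemented. It assumes that all conditions in a rule must match (AND), that a lower Order number runs first, that VLAN IDs are numeric, and that severities order as minor < major < critical; the field names, rule names, IP ranges and alerts are constructed for illustration.

```python
"""Evaluator for alert-tagging rules in the style of the CM Rules page.

Added example, not FireEye code. Assumptions: all conditions in a rule
must match (AND), a lower priority number runs first, VLAN IDs are
numeric, and severity orders as minor < major < critical.
"""
import ipaddress
from dataclasses import dataclass

SEVERITY_RANK = {"minor": 1, "major": 2, "critical": 3}

# Criteria fields offered by the Rules page, as named in this example.
FIELDS = {"source_ip", "target_ip", "vlan", "appliance_id", "product_type",
          "severity", "email_sender", "email_recipient"}


def _ordered(field_name, value):
    """Map a field value onto something that supports <, > and ==."""
    if field_name == "severity":
        return SEVERITY_RANK[value]
    if field_name == "vlan":
        return int(value)          # assumption: numeric VLAN IDs
    return value


def condition_matches(field_name, op, expected, alert):
    """Evaluate one (field, operation, value) condition against an alert dict."""
    actual = alert.get(field_name)
    if op == "present":
        return actual is not None
    if op == "not present":
        return actual is None
    if actual is None:
        return False               # a missing field never satisfies a value comparison
    if op in ("in prefix", "not in prefix"):
        inside = ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
        return inside if op == "in prefix" else not inside
    a, e = _ordered(field_name, actual), _ordered(field_name, expected)
    return {
        "equal to": a == e, "not equal to": a != e,
        "greater than": a > e, "less than": a < e,
        "greater than or equal to": a >= e, "less than or equal to": a <= e,
    }[op]


@dataclass
class Rule:
    name: str
    priority: int      # the Order column: lower runs first
    conditions: list   # [(field, op, value), ...]
    actions: list      # [("add" | "delete", tag, value), ...]

    def __post_init__(self):
        # Usage guidelines from the guide, enforced when the rule is built.
        if not self.name.isalnum():
            raise ValueError("rule name must be alphanumeric")
        if not self.conditions or not self.actions:
            raise ValueError("a rule needs at least one condition and one action")
        if len(set(self.conditions)) != len(self.conditions):
            raise ValueError("duplicate condition entries are not allowed")
        for field_name, _, _ in self.conditions:
            if field_name not in FIELDS:
                raise ValueError(f"unknown criteria field: {field_name}")

    def matches(self, alert):
        return all(condition_matches(f, op, v, alert) for f, op, v in self.conditions)


def apply_rules(rules, alert):
    """Return the alert's (tag, value) pairs after running rules in priority order."""
    tags = set(alert.get("tags", []))
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(alert):
            continue
        for kind, tag, value in rule.actions:
            if kind == "add":
                tags.add((tag, value))
            elif kind == "delete":
                tags.discard((tag, value))
            else:
                raise ValueError(f"unknown action: {kind}")
    return sorted(tags)


# Constructed sample rules and alerts; names and IP ranges are illustrative only.
SAMPLE_RULES = [
    Rule("InternalSource", 1, [("source_ip", "in prefix", "10.0.0.0/8")],
         [("add", "zone", "internal")]),
    Rule("HighSeverity", 2, [("severity", "greater than or equal to", "major")],
         [("add", "triage", "p1")]),
    # Runs last, so it can remove the tag HighSeverity added: order matters.
    Rule("MailQueue", 3, [("product_type", "equal to", "email"),
                          ("email_sender", "present", None)],
         [("delete", "triage", "p1"), ("add", "queue", "mail")]),
]

SAMPLE_ALERTS = [
    {"id": "a1", "source_ip": "10.20.30.40", "severity": "critical",
     "product_type": "network"},
    {"id": "a2", "source_ip": "198.51.100.7", "severity": "major",
     "product_type": "email", "email_sender": "sender@example.com"},
    {"id": "a3", "source_ip": "10.1.1.1", "severity": "minor",
     "product_type": "network", "tags": [("owner", "soc")]},
]


def tag_all(rules=SAMPLE_RULES, alerts=SAMPLE_ALERTS):
    """Map alert id to its final sorted tag list (constructed samples by default)."""
    return {a["id"]: apply_rules(rules, a) for a in alerts}


if __name__ == "__main__":
    for alert_id, tags in tag_all().items():
        print(alert_id, tags)
```

Alert a2 shows why the Order column matters: HighSeverity adds triage/p1, and MailQueue, running later, deletes it again. Swapping the two priorities would leave the tag in place, which is the kind of change to check for whenever a rule's order is edited.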
This section covers the following information:
• Adding a Tag to an Alert for Managed Appliances Using the Web UI below
• Editing a Tag for an Alert for Managed Appliances Using the Web UI on the next page
• Deleting a Tag From an Alert for Managed Appliances Using the Web UI on page 553

NOTE: You cannot manually add, edit, or delete tags for an alert on the Email Alerts page using the Central Management appliance Web UI.

Adding a Tag to an Alert for Managed Appliances Using the Web UI

Follow these steps to manually add a tag to a Network Security alert on the Alerts page of a Central Management appliance using the Web UI.

NOTE: You can manually add tags to a Network Security alert on the Alerts page only using the Central Management appliance Web UI.

NOTE: You can manually add only unrestricted tags to a Network Security alert on the Alerts page of the Central Management appliance.

Prerequisites
• Access to the Web UI of the Central Management appliance as Admin or Analyst.

To add tags to alerts for a managed Network Security appliance:
1. In the Central Management appliance Web UI, choose Alerts > NX > Alerts.
2. In the table on the NX: Alerts page, locate the alert you want to tag.
3. Click the action icon in the Actions column.
4. Click Add Tag. The Add Tag window opens.
5. In the field, enter the tag. You can enter multiple tags at one time. The list of existing tags is also displayed when you create a new tag, and you can select multiple existing tags.
   NOTE: A user that is assigned the Analyst role can view only unrestricted tags in the list.
6. If you want to save your changes, click Apply. Otherwise, click Cancel.
A confirmation message appears.

Editing a Tag for an Alert for Managed Appliances Using the Web UI

Follow these steps to manually edit a tag that is associated with a Network Security alert on the Alerts page of a Central Management appliance using the Web UI.

NOTE: You can manually edit tags on the Alerts page only using the Central Management appliance Web UI.

NOTE: You can manually edit only unrestricted tags on the Alerts page of the Central Management appliance.

NOTE: A user that is assigned the Admin role can edit a restricted tag.

Prerequisites
• Access to the Web UI of the Central Management appliance as Admin or Analyst.
• Admin access to edit a restricted tag.

To edit tags for an alert for a managed Network Security appliance:
1. In the Central Management appliance Web UI, choose Alerts > NX > Alerts.
2. In the table on the NX: Alerts page, locate the tag you want to edit for an alert.
3. Click the edit icon (blue pencil) next to the tag you want to edit. The Edit Tag window opens.
4. In the Name field, modify the name of the tag that is associated with the alert.
5. In the Value field, modify the value that is associated with the tag.
6. Click Apply. A confirmation message appears.

Deleting a Tag From an Alert for Managed Appliances Using the Web UI

Follow these steps to manually delete a tag from a Network Security alert on the Alerts page of a Central Management appliance using the Web UI.

NOTE: You can delete tags on the Alerts page only using the Central Management appliance Web UI.

Prerequisites
• Access to the Web UI of the Central Management appliance as Admin or Analyst.
• Admin access to delete a restricted tag.

To delete a tag from an alert for a managed Network Security appliance:
1. In the Central Management appliance Web UI, choose Alerts > NX > Alerts.
2. In the table on the NX: Alerts page, locate the tag you want to delete from an alert.
3. Click the delete icon (blue trash can) next to the tag you want to delete. A dialog box prompts you to confirm your changes.
4. Click Yes. The tag is removed from the alert in the event results table and a confirmation message appears.

PART V: Appendices

• Configuring Secure Shell (SSH) Authentication on page 557
• Configuring Network Address Translation (NAT) on page 575
• Configuring the CM Peer Service on page 591
• Monitoring Email Alerts from the Email Security - Cloud Edition on page 613

APPENDIX A: Configuring Secure Shell (SSH) Authentication

This section covers the following information:
• About SSH Authentication below
• User Authentication on the next page
• Host-Key Authentication on page 565

About SSH Authentication

The Secure Shell (SSH) protocol is used for secure communication between the Central Management appliance and the appliances it manages. When the Central Management appliance initiates the connection, it logs in as a remote "admin" user on the managed appliance. When the managed appliance initiates the connection, it logs in as a remote "admin" user on the Central Management appliance.

SSH user authentication verifies the identity of the remote user attempting the connection. SSH host authentication verifies the identity of the Central Management appliance to the managed appliance, and the identity of the managed appliance to the Central Management appliance.
NOTE: The topics in this section describe how to configure SSH authentication for a server-initiated connection (where the Central Management administrator adds an appliance directly from the Central Management Web UI or CLI). For information about a client-initiated connection (where a managed appliance administrator sends a request for management to the Central Management appliance, and a Central Management administrator accepts or rejects the request), see the System Administration Guide or Administration Guide for the managed appliance.

User Authentication

The remote user can authenticate using either a password or a public key. Once the connection is established, it is maintained using the configured password or public key.

Password Authentication

With password authentication, a password is configured for the remote user. This is the initial authentication type for an appliance that is added to the Central Management appliance using the Web UI.

Public Key Authentication

Public key authentication uses a pair of keys: a public key and a private key. With public key authentication, an SSH-DSA2 or SSH-RSA2 identity is configured for the remote user and its public key is pushed to the managed appliance. Benefits of public key authentication include:
• The private key remains on the CM appliance and cannot be computed from the public key. This is an advantage over password authentication, where the password could be cracked.
• If you use password authentication, password change policies can break the connection between the Central Management platform and the managed appliance. For example, suppose users on a managed Email Security — Server Edition appliance must change their passwords every 90 days. As a Central Management administrator, you might be unaware of this policy. After the password for the remote user changes, the connection to the Email Security — Server Edition appliance will be broken until you change the password on the Central Management appliance.

Best Practice: Because password change policies apply only to password authentication, FireEye recommends using public key authentication for this connection.

For details, see the following topics:
• Creating a Public Key Using the CLI on the facing page
• Configuring User Authentication Using the Web UI on page 562
• Configuring User Authentication Using the CLI on page 563

Creating a Public Key Using the CLI

Use the commands in this section to create a new public key for SSH user authentication. You can use this key instead of the password to authenticate the remote user.

NOTE: If no SSH-DSA2 or SSH-RSA2 public keys exist, you can use the Web UI to create an "admin" SSH-DSA2 key and an "admin" SSH-RSA2 key. For details, see Importing a Host Key into the Global Host-Keys Database Using the Web UI on page 568.

To create a public key:
1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Create the public key:
    hostname (config) # cmc auth <keyType> identity <identityName> generate
   where <keyType> is ssh-dsa2 or ssh-rsa2 and <identityName> is a user-friendly name.
3. Verify your changes:
    hostname (config) # show cmc auth identities
4. Save your changes:
    hostname (config) # write memory
5. Push the key to the managed appliance as described in Pushing a Public Key Using the CLI on the next page.

To remove a public key:
1. Go to CLI configuration mode:
    hostname > enable
    hostname # configure terminal
2. Remove the public key:
    hostname (config) # no cmc auth <keyType> identity <identityName>
3. Verify your change:
    hostname (config) # show cmc auth identities
4. Save your changes:
    hostname (config) # write memory

Example

The following example creates an SSH-DSA2 identity named "admin4" on the NX-04 appliance.

    NX-04 (config) # cmc auth ssh-dsa2 identity admin4
    NX-04 (config) # show cmc auth identities
    DSA2 identity admin4:
      Public Key: ssh-dss AAA3NzaC1kc3MAAACBAJl3PisWNnz/gYLvL4JC7xFMoq3HE89rai7trnJmpxjylArYhf
      MzaGndFA4qGRZMFzhiz9Jhi/+W1ufIrXLGzakC0lAAAAFQCuMCsMwMGN9zT5w2JCiDt7D6orNwAA
      . . .

NOTE: This example is from a Network Security appliance, but it is representative of CM appliances as well.

Pushing a Public Key Using the CLI

Use the commands in this section to push the public key of an SSH-DSA2 or SSH-RSA2 identity to the managed appliance. When a remote Central Management user and this identity are used to authenticate against the appliance, the connection is established only if the appliance already has this key.

NOTE: You can also use the Central Management Web UI to push the key. For details, see Importing a Host Key into the Global Host-Keys Database Using the Web UI on page 568.

To push a public key:
1. Log in to the Central Management CLI.
2. Go to CLI configuration mode:
    cm-hostname > enable
    cm-hostname # configure terminal
3. Push the key to the appliance:
    cm-hostname (config) # cmc appliance <applianceID> auth <keyType> identity <identityName> push [username <username> password <password>]
   where the username and password options allow the remote user to log in to the appliance to push the public key before the appliance is connected.
4. Verify your change:
   a. Log in to the managed appliance CLI.
   b. Go to CLI enable mode:
        appl-hostname > enable
   c. Verify that the key is present:
        appl-hostname # show ssh client

Examples

Pushing an SSH-DSA2 Public Key

The following example displays the public key string of the Central Management SSH-DSA2 identity named "admin4," and then pushes it to the Email Security — Server Edition appliance. It then displays the SSH authorized keys on the Email Security — Server Edition appliance to verify that the key was pushed.

    CM-08 (config) # cmc auth ssh-dsa2 identity admin4
    CM-08 (config) # show cmc auth identities
    DSA2 identity admin4:
      Public Key: ssh-dss AAA3NzaC1kc3MAAACBAJl3PisWNnz/gYLvL4JC7xFMoq3HE89rai7trnJmpxjylArYhf
      MzaGndFA4qGRZMFzhiz9Jhi/+W1ufIrXLGzakC0lAAAAFQCuMCsMwMGN9zT5w2JCiDt7D6orNwAA
      . . .
    CM-08 (config) # cmc appliance EX-03 auth ssh-dsa2 identity admin4 push
    Push of identity for user admin onto EX-03 succeeded.

    EX-03 # show ssh client
    . . .
    SSH authorized keys:
      User admin:
        Key 1: ssh-dss AAA3NzaC1kc3MAAACBAJl3PisWNnz/gYLvL4JC7xFMoq3HE89rai7trnJmpxjylArYhf
        MzaGndFA4qGRZMFzhiz9Jhi/+W1ufIrXLGzakC0lAAAAFQCuMCsMwMGN9zT5w2JCiDt7D6orNwAA
        . . .

Pushing an SSH-RSA2 Public Key and Establishing a Connection

The following example logs the remote user in to the Email Security — Server Edition appliance to push the Central Management SSH-RSA2 identity named "admin6" to that appliance. It then establishes the connection between the Central Management platform and the Email Security — Server Edition appliance.

    CM-02 (config) # cmc appliance EX-05
    CM-02 (config) # cmc appliance EX-05 auth ssh-rsa2 identity admin6 push username admin password admin
    CM-02 (config) # cmc appliance EX-05 authtype ssh-rsa2
    CM-02 (config) # cmc appliance EX-05 auth ssh-rsa2 identity admin6
    CM-02 (config) # show cmc appliances
    Appliance EX-05:
      address 172.17.74.54
      Connection status:
        Connected: yes (server-initiated)
        . . .
      Authentication:
        Authentication type: ssh-rsa2
        password username:   admin
        password password:   ********
        ssh-dsa2 username:   admin
        ssh-dsa2 identity:
        ssh-rsa2 username:   admin
        ssh-rsa2 identity:   admin6

Configuring User Authentication Using the Web UI

Use the Sensors page to configure authentication parameters for the remote user that the Central Management appliance uses to log in to an appliance and establish the connection. This is an existing "admin" user on the managed appliance.

When you add an appliance using the Web UI, you must configure a username and password, so the Central Management appliance initially uses password authentication. After the appliance is connected, you can select an SSH-DSA2 or SSH-RSA2 key, which changes the authentication type accordingly.

IMPORTANT! After you configure SSH-DSA2 or SSH-RSA2 authentication, the only way to return to password authentication using the Web UI is to delete the appliance and then add it again.

To configure SSH-RSA2 or SSH-DSA2 authentication:
1. In the appliance row, click Select > Use CMS Public Key to Connect. The Password field is replaced by the CMS Public Key field.
2. Click the Select a key drop-down list.
3. To configure SSH-RSA2 authentication, do one of the following:
   • Select an existing key.
   • Select No RSA keys. Create one, and then select the rsa-admin key that is created.
4. To configure SSH-DSA2 authentication, do one of the following:
   • Select an existing key.
   • Select No DSA keys. Create One, and then select the dsa-admin key that is created.
5. Click Update.
   NOTE: The connection will be interrupted briefly. Error messages and indicators will be displayed, but they will clear as soon as the connection is reestablished.
6. Verify that the key is displayed in the Public Key Used column for the appliance.
Configuring User Authentication Using the CLI

Use the commands in this section to configure authentication parameters for the remote user the Central Management appliance uses to log in to a managed appliance to establish the connection. This is an existing "admin" user on the managed appliance.

NOTE: See the ssh and cmc commands in the CLI Command Reference for advanced authentication options.

To configure password authentication:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Specify the "password" authentication type:
   hostname (config) # cmc appliance <applianceID> authtype password
3. Specify the remote user to log in to the managed appliance:
   hostname (config) # cmc appliance <applianceID> auth password username <username>
4. Specify the password used to authenticate the remote user:
   hostname (config) # cmc appliance <applianceID> auth password password <password>
5. Save your changes:
   hostname (config) # write memory

To configure SSH-DSA2 authentication:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Specify the SSH-DSA2 authentication type:
   hostname (config) # cmc appliance <applianceID> authtype ssh-dsa2
3. Specify the remote user to log in to the managed appliance:
   hostname (config) # cmc appliance <applianceID> auth ssh-dsa2 username <username>
4. Specify the named identity used to authenticate the remote user:
   hostname (config) # cmc appliance <applianceID> auth ssh-dsa2 identity <identityName>
   where <identityName> is the name of an existing identity.
5. Save your changes:
   hostname (config) # write memory

To configure SSH-RSA2 authentication:
1. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
2. Specify the SSH-RSA2 authentication type:
   hostname (config) # cmc appliance <applianceID> authtype ssh-rsa2
3. Specify the remote user to log in to the managed appliance:
   hostname (config) # cmc appliance <applianceID> auth ssh-rsa2 username <username>
4. Specify the named identity used to authenticate the remote user:
   hostname (config) # cmc appliance <applianceID> auth ssh-rsa2 identity <identityName>
   where <identityName> is the name of an existing identity.
5. Save your changes:
   hostname (config) # write memory

Example
The following example configures SSH-RSA2 authentication parameters used to log in to the NX-04 appliance.

   hostname (config) # cmc appliance NX-04 authtype ssh-rsa2
   hostname (config) # cmc appliance NX-04 auth ssh-rsa2 username cmcadmin2
   hostname (config) # cmc appliance NX-04 auth ssh-rsa2 identity admin2

Host-Key Authentication

Host-key authentication can be used to prevent man-in-the-middle attacks, in which another server poses as the managed appliance or the Central Management appliance and intercepts the traffic between them.

When the Central Management appliance and the managed appliance connect the first time using a server-initiated connection, a key exchange takes place. The managed appliance sends a copy of its host key to the Central Management appliance, where it is compared to the keys in the Central Management host-keys database. If strict host-key checking is enabled, the connection can be established only if the key that is sent matches an entry in the local host-keys database for the Central Management remote user. If global host-key checking is enabled, the connection can be established only if the key that is sent matches an entry in the Central Management global host-keys database. You can enforce strict host-key checking, global host-key checking, or both.

IMPORTANT: Host keys are stored in the configuration database, so they are included in the backup file.

NOTE: In compliance mode, both strict and global host-key checking are enforced.
For details, see the FIPS 140-2 and Common Criteria Addendum.

NOTE: The same scenario pertains to the primary and secondary Central Management platforms in a Central Management High-Availability (HA) deployment. In this case, the two Central Management platforms exchange keys, and the connection is established if the keys match. For details, see the Central Management High Availability Guide.

For details, see the following topics:
• Obtaining a Host Key Using the Web UI on the next page
• Obtaining a Host Key Using the CLI on page 567
• Importing a Host Key into the Global Host-Keys Database Using the Web UI on page 568
• Importing a Host Key into the Global Host-Keys Database Using the CLI on page 570
• Enabling Strict and Global Host-Key Checking Using the CLI on page 572

Prerequisites
• Admin access to configure authentication and create keys.
• Monitor, Operator, or Admin access to obtain managed appliance host keys.
• The private key remains on the Central Management appliance and cannot be computed from the public key.

Obtaining a Host Key Using the Web UI

Use the Certificate Management page to obtain the host key of the managed appliance. This is the key that you will import into the global host-keys database of the Central Management appliance.

NOTE: This procedure applies to managed appliances running Release 7.6.0 or later. If the appliance is running an earlier release, see Obtaining a Host Key Using the CLI on the facing page.

NOTE: You must use the CLI to obtain the host key of a managed VX Series appliance.

IMPORTANT! The host-key string may need to be modified in a Network Address Translation (NAT) deployment. For details, see Configuring Global Host-Key Authentication in a NAT Deployment on page 590.

To obtain a host key:
1. Log in to the managed appliance Web UI.
2. Click the Settings tab.
3. Click Certificates/Keys on the sidebar.
4. Copy the string starting with the IP address.
5. Do one of the following:
   • Paste the key into the Central Management CLI, as described in Importing a Host Key into the Global Host-Keys Database Using the CLI on page 570.
   • Paste the key into the Central Management Web UI, as described in Importing a Host Key into the Global Host-Keys Database Using the Web UI on page 568.
   • Paste the key into a text file and save it for later.

Obtaining a Host Key Using the CLI

Use the command in this section to obtain the host key of the managed appliance. This is the key that you will import into the global host-keys database of the Central Management appliance.

IMPORTANT! You must obtain the RSA v2 key.

IMPORTANT! The host-key string may need to be modified in Network Address Translation (NAT) deployments. For details, see Configuring Global Host-Key Authentication in a NAT Deployment on page 590.

To obtain the host key:
1. Log in to the managed appliance CLI.
2. View the keys:
   • If the appliance is running Release 7.6.0 or later:
     hostname > show ssh server host-keys interface ether1
   • If the appliance is running an earlier release:
     hostname > show ssh server host-keys
3. Locate the RSA v2 host key entry.
4. Do one of the following, depending on whether you will add the key using the Central Management Web UI or CLI:
   • Web UI: Copy the key string, starting with the IP address and ending with the last character. Omit the double quotation marks at the beginning and end of the host key entry.
   • CLI: Copy the key string as described above, but include the double quotation marks.
5. Do one of the following:
   • Paste the key into the Central Management Web UI, as described in Importing a Host Key into the Global Host-Keys Database Using the Web UI on the next page.
   • Paste the key into the Central Management CLI, as described in Importing a Host Key into the Global Host-Keys Database Using the CLI on page 570.
   • Paste the key into a text file and save it for later.

Example
This example displays the host keys for a managed appliance. The RSA v2 key is highlighted for illustration.

   Acme-05 > show ssh server host-keys interface ether1
   SSH server configuration:
     SSH server enabled: yes
     . . .
     Interface listen enabled: yes
     Listen Interfaces:
       Interface: ether1
   Host Key Finger Prints and Key Lengths:
     RSA v1 host key: 33:20:5f:af:65:33:e8:62:26:3c:25:d0:1f:2d:8a:54 (2048)
     RSA v2 host key: 54:fa:10:2a:f4:c2:cf:3a:46:b1:a4:ed:72:78:b8:22 (2048)
     DSA v2 host key: 99:59:a8:a1:d8:3e:df:2e:74:fc:6a:be:be:d2:62:32 (1024)
   Host Keys:
     RSA v1 host key: "172.17.74.40 2048 65537 2767892723557105143394492343612763
     94200729942394341979526174787907308831935615818924165744283828800766510523178479
     02037474895252247975570054315595358600142845914848782710493540937857691486699538
     04205200729560274476403668156602030333253822356382587237819555941646603447324517
     63747513796533041848893042157553987170029619742182277730552872281173097286794724
     22744200184844597327452806661880313000836518022137675657765205670872217927843062
     15703217249958957713631587970078908302914798758861955796169110420493384623007632
     35665546051494669314340340626018765311569680255688151929860734984461083957535425
     72032093143856912019598"
     RSA v2 host key: "172.17.74.40 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzd5JwK
     BjHLe/jxkF0JzWcXOTw9l0bz2SctkQrihkqg/zXqrmxAfgbzYulDSIxOKZTh2VBnKsy0qRWrCps64Itl
     h6iRlr7Jxa+jAtTAGsygD0GsSKy13wfsJDhMfWk/nrEqicQ4BJN4M/8AzP+0ATQ2QeZ3nGRRzAiyqkn4
     K8cRLJ1E80SnLrwElvw805LZWqNLSQwz6tF+8L1vrmr1kzutl082NBV548AU0wptE6Z2f2oxUobcax+e
     qS6QMp5nnbPTDLJTbHChsVVrchTCwfGdNnjkawdDC6IhLk0BdncChpTS9E+ZF/F67YwpuIpgraWcoXuZ
     xZDTwHDYPZfNtk5"
     DSA v2 host key: "172.17.74.40 ssh-dss AAAAB3NzaC1kc3MAAACBAMY7tSZt46Qrv/hqL
     1tazYjXNzkyLTWp54DjfkxzE//+qjE0AUr9hTU3ZmHYChzUVTEKj7syaxd+4Y+8IZ94eRVcnrH/jrqtE
     aJ64SvoUqGkbKKezUbCVfSrzGgTV/A0dUzLYMLbOEMrTMcXki+DnaUSd80PCWLvq0Mcg0IpXAAAAFQDI
     tRIv/iH3AAy23h3cnWzp3dpOXQAAAIAS0AONTi0O8A+f1HNOm3PzS02ZQ9ittHxA1ISs7yE6dcbj9JrW
     Vf1w2lJTEZAJPQz/c9NysGVJusll6Aj1aqQ6EKuhKlPcpY0PyCVKT3TGgY93i648umYZSs9+HzoLY1/a
     TnnkBGDQ8mFbjhyw3UdeiFjamVVr+4o8QwMbDXAfXAAAAIEAjBMXsp4gK5yvsAgBqcZeZm3vW4zYUpZZ
     374A3ANXENWTh2yyQd8Ig1gB0YKDBhSHD6sZpPg88WSDxK3IAdifYGx+FAhowiuWcI+kA0UeiAb9/C+A
     653zii1Nc85/fsIwl3GIjmp/xO23b+9YmHY8V5CsT+mmSIYQutCIzUVWbcYvEc="

Importing a Host Key into the Global Host-Keys Database Using the Web UI

Use the Add Sensor Host Key dialog box to import the host keys of managed appliances into the Central Management global host-key database. You can import keys from managed appliances and appliances that are not currently being managed by the Central Management appliance.

IMPORTANT: The key you import must start with the appliance IP address and it must not be enclosed in double quotation marks. If the key starts with the hostname, replace the hostname with the IP address.

Alternatively, you can import the key for a specific appliance as part of the connection settings. You can edit the settings of an existing managed appliance in the Edit Sensor dialog box, or import the key while you are configuring the initial connection with an appliance in the Add New Sensor dialog box. (See Adding an Appliance Using the Central Management Web UI on page 364 and Modifying Managed Appliance Information Using the Web UI on page 379 for instructions.)

CAUTION! If compliance mode is not enabled, global host-key authentication is optional. If you choose to use global host-key authentication, you must explicitly enable it in addition to importing the global host key. For details, see Enabling Strict and Global Host-Key Checking Using the CLI on page 572.

IMPORTANT: Before you perform this procedure, you must obtain the host key from the managed appliance.
For appliances running Release 7.6.0 or later, you can obtain this key from the appliance Web UI or CLI. For appliances running an earlier release, you must obtain this key from the CLI. For details, see Obtaining a Host Key Using the Web UI on page 566 or Obtaining a Host Key Using the CLI on page 567.

To import a host key:
1. Click the Appliances tab. The Sensors tab should be selected.
2. Click Actions > Sensor Host Keys. The Add Sensor Host Key dialog box opens.
3. Paste the key into the Host Key field.
4. Click Add Key.

To remove a host key:
1. Click the Appliances tab. The Sensors tab should be selected.
2. Click Actions > Sensor Host Keys.
3. Locate the key in the Sensor Host Key section of the Add Sensor Host Key dialog box.
4. Click Remove.
5. Click OK to confirm the action.

CAUTION! If you remove a host key that is in use, the connection between the Central Management appliance and the managed appliance is broken.

Importing a Host Key into the Global Host-Keys Database Using the CLI

Use the commands in this section to import the host key from an appliance into the Central Management global host-keys database. This procedure is required for global host-key authentication, in which the connection will be allowed only if the host key the appliance sends is already in this database.

CAUTION! If you choose to use global host-key authentication, you must explicitly enable the feature in addition to importing the host key. For details, see Enabling Strict and Global Host-Key Checking Using the CLI on page 572.

IMPORTANT! Before you perform this procedure, you must obtain the host key from the managed appliance. You can obtain this key from the appliance Web UI or CLI. For details, see Obtaining a Host Key Using the Web UI on page 566 or Obtaining a Host Key Using the CLI on page 567.

IMPORTANT! The host-key string may need to be modified in a Network Address Translation (NAT) deployment. For details, see Configuring Global Host-Key Authentication in a NAT Deployment on page 590.

NOTE: See the ssh commands in the CLI Command Reference for advanced authentication options.

To import a host key:
1. Log in to the Central Management CLI.
2. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
3. Import the key into the global host-keys database:
   hostname (config) # ssh client global known-host "<keyString>"
   IMPORTANT! The key must start with the managed appliance IP address, and it must be enclosed in double quotation marks. If the key starts with the hostname, replace the hostname with the IP address.
4. Verify your change:
   hostname (config) # show ssh client
5. Save your changes:
   hostname (config) # write memory

To remove a host key:
1. Log in to the Central Management CLI.
2. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
3. Remove the key:
   hostname (config) # no ssh client global known-host "<keyString>"
4. Verify your change:
   hostname (config) # show ssh client
5. Save your changes:
   hostname (config) # write memory

CAUTION! If you delete a host key that is in use, the connection between the Central Management appliance and the managed appliance is broken.

Example
This example imports the host key from a managed appliance into the Central Management platform global host-key database.

   hostname (config) # ssh client global known-host "172.17.74.54 ssh-rsa AAAAB3
   NAfgbzYulDSIxOKZTh2VBnKsy0qRWrCps64Itlh6iRlr7JxazaC1yc2EAAAADAQABAAABAQCzd5Jw
   Ktk5BjHLe/jxkF0JzWcXOTw9l0bz2SctkQrihkqg/zXqrmxtE6Z2f2oxUobcax+eqS6QMp5nnbPTD
   LJTbHCNnjkawdDC6IhLk0BdncChpTS9E+ZF/F67YwpuIpgraWrchTCwfG+jAtTAGsygD0VVrchTCc
   ncChpTS9E+ZF/F67YwpuIpgraWcoXuZxZKy13wfsJDhMfWk/nrEqicQ4BJN4M/8AzP+fd9sda3li"
   hostname (config) # show ssh client
   SSH client
     Strict Hostkey Checking: ask
     Minimum protocol version: 2
     Cipher list: compatible
     Minimum key length: 1024 bits
     SSH Global Known Hosts:
       Entry 1:
         Host: 172.17.74.54
         Finger Print: 54:fa:10:2a:f4:c2:cf:3a:46:b1:a4:ed:72:78:b8:22
         Key Length (bits): 2048
   ...

Enabling Strict and Global Host-Key Checking Using the CLI

Use the commands in this section to enable strict host-key checking, global host-key checking, or both.
• With strict host-key checking, the connection will be allowed only if the local host-keys database for the Central Management remote user already has an entry that matches the key the managed appliance sends.
• With global host-key checking, the connection will be allowed only if the Central Management global host-keys database already has an entry that matches the key the managed appliance sends.

CAUTION! When you enable global host-key authentication, any established connections will be broken until you explicitly add the host key to the global host-keys database. See Importing a Host Key into the Global Host-Keys Database Using the Web UI on page 568 or Importing a Host Key into the Global Host-Keys Database Using the CLI on page 570 for instructions.

NOTE: See the ssh and cmc commands in the CLI Command Reference for advanced authentication options.

To enable strict host-key checking:
1. Log in to the CM CLI.
2. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
3. Enable strict host-key checking:
   hostname (config) # cmc auth ssh host-key strict
4. Verify your changes:
   hostname (config) # show cmc auth ssh
5. Save your changes:
   hostname (config) # write memory

To enable global host-key checking:
1. Log in to the CM CLI.
2. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
3. Enable global host-key checking:
   hostname (config) # cmc auth ssh host-key global-only
4. Verify your changes:
   hostname (config) # show cmc auth ssh
5. Save your changes:
   hostname (config) # write memory

To disable strict or global host-key authentication:
1. Log in to the CM CLI.
2. Go to CLI configuration mode:
   hostname > enable
   hostname # configure terminal
3. Perform the following steps as needed.
   • To disable strict host-key checking:
     hostname (config) # no cmc auth ssh host-key strict
   • To disable global host-key checking:
     hostname (config) # no cmc auth ssh host-key global
4. Verify your changes:
   hostname (config) # show cmc auth ssh
5. Save your changes:
   hostname (config) # write memory

Example
This example enforces both strict and global host-key checking on a Central Management appliance.

   hostname (config) # cmc auth ssh host-key strict
   hostname (config) # cmc auth ssh host-key global-only
   hostname (config) # show cmc auth ssh
   CMC SSH configuration:
     Strict host key checking enabled: yes
     Global only known hosts enabled:  yes
     Minimum protocol version:         2
     Cipher list:                      compatible
     Minimum key length:               1024 bits

APPENDIX B: Configuring Network Address Translation (NAT)

The following sections describe how to add an appliance to the Central Management platform for management in a deployment in which the Central Management platform, the appliance, or both are behind a NAT gateway.
• About NAT Address Mapping below
• Mappings Used When the Central Management Appliance Initiates the Connection on the next page
• Mappings Used When the Managed Appliance Initiates the Connection on page 580
• Configuring Global Host-Key Authentication in a NAT Deployment on page 590
• Adding an Appliance in a NAT Deployment (Using the Central Management Appliance) on page 584
• Accepting a Management Request in a NAT Deployment on page 586

IMPORTANT! Network address translation (NAT) is not supported in Central Management high availability (HA) deployments.

About NAT Address Mapping

To implement NAT deployment in a Central Management network, a network administrator needs to map source-to-destination IP address and port pairs so a connection to the managed appliance behind the NAT gateway can be established. Managed appliances can use either one or two ports for the connection and for the management and DTI network traffic. By default, one port is used. The steps for switching between single-port and dual-port communication in a NAT deployment are described in the System Administration Guide or Administration Guide for the managed appliance.
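The host-key entries handled in Appendix A above (the RSA v2 entry from show ssh server host-keys, pasted unquoted into the CM Web UI or quoted into the CM CLI, and starting with the appliance IP address rather than its hostname) can be checked mechanically before import, which matters most in a NAT deployment where the address in the entry may have to be adjusted. The following Python script is an added example, not FireEye code: it assumes that the fingerprints the appliance lists are OpenSSH-style MD5 fingerprints of the key blob (their 16 colon-separated hex pairs suggest so) and uses a constructed sample key rather than the keys shown in the guide.

```python
"""Added example (not FireEye code): sanity-check an SSH host-key entry
before importing it into the Central Management global host-keys database.

It parses an entry in the form the managed appliance prints for its RSA v2
host key ("<ip> ssh-rsa <base64>", with or without the surrounding double
quotation marks), reports the MD5 colon fingerprint and modulus length so
they can be compared with the Finger Prints the appliance lists, and emits
the exact form the CM Web UI (unquoted) or CM CLI (quoted) expects.
Assumption: the appliance fingerprints are OpenSSH-style MD5 fingerprints
of the key blob.
"""
import base64
import hashlib
import ipaddress
import struct


def _read_string(blob, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_host_key_entry(entry):
    """Parse '<host> ssh-rsa <base64>' into host, fingerprint, bits, exponent.

    Raises ValueError for anything that is not a well-formed RSA v2 host key,
    so a DSA key or a mangled copy-paste is rejected before it reaches the CM.
    """
    parts = entry.strip().strip('"').split()
    if len(parts) < 3:
        raise ValueError("expected '<host> <keytype> <base64 key>'")
    host, keytype, b64 = parts[0], parts[1], parts[2]
    if keytype != "ssh-rsa":
        raise ValueError("only the RSA v2 host key may be imported, got " + keytype)
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type != b"ssh-rsa":
        raise ValueError("key blob is not an ssh-rsa key")
    exponent, off = _read_string(blob, off)   # mpint e
    modulus, off = _read_string(blob, off)    # mpint n (leading 0x00 sign byte)
    if off != len(blob):
        raise ValueError("trailing data after the RSA modulus")
    digest = hashlib.md5(blob).hexdigest()
    return {
        "host": host,
        "keytype": keytype,
        # Same layout as the appliance 'Finger Prints': 16 hex pairs joined by ':'
        "fingerprint": ":".join(digest[i:i + 2] for i in range(0, 32, 2)),
        # int.from_bytes ignores the sign byte, so this is the true modulus size
        "bits": int.from_bytes(modulus, "big").bit_length(),
        "exponent": int.from_bytes(exponent, "big"),
        "blob_b64": b64,
    }


def normalize_for_import(entry, ip_address, cli):
    """Return the entry in the form the CM Web UI (cli=False) or CLI (cli=True) wants.

    The guide requires the entry to start with the appliance IP address; if the
    appliance printed a hostname instead, it is replaced with ip_address. The
    CLI form is enclosed in double quotation marks, the Web UI form is not.
    """
    ipaddress.ip_address(ip_address)  # ValueError if not a valid IP address
    info = parse_host_key_entry(entry)
    try:
        ipaddress.ip_address(info["host"])
        host = info["host"]
    except ValueError:
        host = ip_address  # entry began with a hostname: substitute the IP
    body = "%s %s %s" % (host, info["keytype"], info["blob_b64"])
    return '"%s"' % body if cli else body


def build_rsa_entry(host, e, n):
    """Encode (e, n) as an ssh-rsa host-key entry; used only to build a sample."""
    def mpint(value):
        raw = value.to_bytes((value.bit_length() + 8) // 8, "big")  # keeps sign byte
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return "%s ssh-rsa %s" % (host, base64.b64encode(blob).decode())


# Constructed sample: a 2048-bit odd number standing in for a real modulus
# (not a genuine RSA key), with the usual public exponent 65537.
SAMPLE_MODULUS = (1 << 2047) | (0xC0FFEE << 64) | 1
SAMPLE_ENTRY = build_rsa_entry("172.17.74.40", 65537, SAMPLE_MODULUS)

if __name__ == "__main__":
    info = parse_host_key_entry('"' + SAMPLE_ENTRY + '"')  # CLI-style, quoted
    print("RSA v2 host key: %s (%d)" % (info["fingerprint"], info["bits"]))
    print("Web UI form:", normalize_for_import(SAMPLE_ENTRY, "172.17.74.40", False)[:48] + "...")
    print("CLI form:   ", normalize_for_import(SAMPLE_ENTRY, "172.17.74.40", True)[:48] + "...")
```

Compare the printed fingerprint and key length with the RSA v2 line under Host Key Finger Prints and Key Lengths on the appliance; a mismatch means the wrong entry was copied or the paste was mangled.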
Port Accessibility for Single-Port Communication

For a single-port configuration, the remote management (SSH) port needs to be accessible. This port is used to initiate the connection, to configure and monitor the appliance, and to request software updates (such as security content, guest images, and system images) from the DTI source server. Port 22 is the default.

Port Accessibility for Dual-Port Communication

For a dual-port configuration, the following ports need to be accessible:
• Remote management (SSH) port—The management port used to initiate the connection, and for the Central Management appliance to use to configure and monitor the appliance. Port 22 is the default.
• DTI network service (HTTPS) port—The port used to request software updates (such as security content, guest images, and system images) from the DTI source server. Port 443 is the default.
• DTI address for the Central Management platform—If the Central Management appliance is behind a NAT gateway, the network administrator must map an accessible DTI server IP address and HTTPS port. For details, see the System Administration Guide or Administration Guide for the managed appliance.

Mappings Used When the Central Management Appliance Initiates the Connection

This topic shows the NAT address mapping required for each supported topology in which the Central Management appliance initiates the process of adding an appliance for management.
• Central Management Appliance Is Behind a NAT Gateway on the facing page
• Managed Appliance Is Behind a NAT Gateway on page 578
• Central Management and Managed Appliance Are Behind Different NAT Gateways on page 579
• Central Management and Managed Appliance Are In an External Network on page 580

Some topologies use virtual IP addresses. These addresses are mapped on the NAT gateway to reach a Central Management platform or managed device that is in an internal network behind the gateway.

NOTE: Only those addresses that need mapping are shown. If no mapping is indicated, the default IP addresses and default ports (22, or 22 and 443) will be used.

Central Management Appliance Is Behind a NAT Gateway

This section describes the mappings required for deployments in which the Central Management platform is behind the NAT gateway and initiates the connection to configure and manage the appliance.

NOTE: The following single-port diagrams use the Email Security — Server Edition appliance as the managed appliance, and the dual-port diagrams use the Network Security appliance as the managed appliance. However, they are representative of other managed appliances as well.

Single-Port Communication

No NAT address mapping is required if the Central Management appliance initiates the connection and the managed appliance is in an external network and configured for single-port communication.

Dual-Port Communication

No NAT address mapping is required if the Central Management appliance initiates the connection and the managed appliance is in an external network and configured for dual-port communication. However, because the Central Management platform is in an internal network, the accessible DTI server IP address and HTTPS port must be mapped to the Central Management internal IP address and port 443 so that the managed appliance can request software updates.

Managed Appliance Is Behind a NAT Gateway

NAT address mapping is required for deployments in which the Central Management appliance initiates the connection to configure and manage the managed appliance that is behind a NAT gateway. The mapping details depend on whether the managed appliance is configured for single-port or dual-port communication.

Single-Port Communication

If the Central Management appliance initiates the connection to the managed appliance that is behind a NAT gateway and configured for single-port communication, a virtual NAT IP address and port must be mapped to the managed appliance internal IP address and port 22. The mapping enables the Central Management appliance to initiate the connection and then configure and monitor the managed appliance. The managed appliance uses the mapping to request software updates.

Dual-Port Communication

If the Central Management appliance initiates the connection to the managed appliance that is behind a NAT gateway and configured for dual-port communication, a virtual NAT IP address and port must be mapped to the managed appliance internal IP address and port 22. The Central Management appliance uses the mapping to initiate the connection and then configure and manage the managed appliance. Because the Central Management appliance is in an external network, no mapping is required for the managed appliance to request software updates.

Central Management and Managed Appliance Are Behind Different NAT Gateways

NAT address mappings are required for deployments in which the Central Management appliance initiates the connection to the managed appliance and where the two devices are behind different NAT gateways. The mapping details depend on whether the managed appliance is configured for single-port or dual-port communication.

Single-Port Communication

If the Central Management appliance initiates the connection, the managed appliance is configured for single-port communication, and the two devices are behind different NAT gateways, the virtual IP address and port of NAT gateway 2 must be mapped to the internal IP address and port 22 of the managed appliance. The mapping enables the Central Management appliance to initiate a connection and then configure and monitor the managed appliance, and the managed appliance to request software updates.

Dual-Port Communication

If the managed appliance is configured for dual-port communication and if the managed appliance and the Central Management appliance are behind different NAT gateways, the following NAT address mappings are required:
• A virtual NAT gateway 2 IP address and port must be mapped to the managed appliance internal IP address and port 22. The mapping enables the Central Management appliance to initiate the connection and then configure and monitor the appliance.
• The accessible DTI server IP address and HTTPS port must be mapped to a virtual NAT gateway 1 IP address and port, and the virtual NAT gateway 1 IP address and port must be mapped to the Central Management internal IP address and port 443. These mappings enable the managed appliance to request software updates.

Central Management and Managed Appliance Are In an External Network

No NAT address mapping is required if the Central Management appliance initiates the connection and the managed appliance is in an external network.
Mappings Used When the Managed Appliance Initiates the Connection This section shows the NAT address mapping required for each supported topology in which the managed appliance initiates the connection with the Central Management appliance: l l l l 580 Central Management Appliance Is Behind a NAT Gateway on the facing page Managed Appliance Is Behind a NAT Gateway on page 582 Central Management and Managed Appliance Are Behind Different NAT Gateways on page 582 Central Management and Managed Appliance Are in External Networks on page 584 © 2019 FireEye Release 8.7 Mappings Used When the Managed Appliance Initiates the Connection Some topologies use virtual IP addresses. These addresses are mapped on the NAT gateway to reach a Central Management appliance or managed device that is in an internal network behind the gateway. NOTE: Only those addresses that need mapping are shown. If no mapping is indicated, the default IP addresses and default ports (22, or 22 and 443) will be used. Central Management Appliance Is Behind a NAT Gateway NAT address mappings are required for deployments in which the managed appliance initiates a connection to the Central Management appliance behind a NAT gateway. The mapping details depend on whether the managed appliance is configured for single-port or dual-port communication. Single-Port Communication If the managed appliance is configured for single-point communication and initiates a connection with the Central Management appliance behind a NAT gateway, a virtual NAT IP address and port must be mapped to the internal Central Management IP address and port 22. The managed appliance uses the mapping to send a request to be added to the Central Management appliance for management and also to request software updates. 
© 2019 FireEye 581 Central Management Administration Guide APPENDIX B: Configuring Network Address Translation (NAT) Dual-Port Communication If the managed appliance is configured for dual-port communication and initiates a connection with the Central Management appliance behind a NAT gateway, a virtual NAT IP address and port must be mapped to the internal Central Management IP address and port 22. The managed appliance uses the mapping in order to send a request to be added to the Central Management appliance for management and also to request software updates. However, because the Central Management appliance is in an internal network, the accessible DTI server IP address and HTTPS port must be mapped to the Central Management internal IP address and port 443 so that the managed appliance can request software updates. Managed Appliance Is Behind a NAT Gateway No mapping is required because the Central Management appliance is in an external network and the managed appliance can access it. Central Management and Managed Appliance Are Behind Different NAT Gateways NAT address mappings are required for deployments in which the managed appliance initiates a connection to the Central Management appliance and where the two devices are behind different NAT gateways. The mapping details depend on whether the managed appliance is configured for single-port or dual-port communication. 582 © 2019 FireEye Release 8.7 Mappings Used When the Managed Appliance Initiates the Connection Single-Port Communication If the managed appliance is configured for single-port communication and if the managed appliance and the Central Management appliance are behind different NAT gateways, the virtual NAT gateway 1 IP address and port must be mapped to the Central Management internal IP address and port 22. The Central Management appliance uses the mapping to configure and monitor the appliance. 
The managed appliance uses the mapping to send a request to be added to the Central Management appliance for management and also to request software updates.

Dual-Port Communication

If the managed appliance is configured for dual-port communication and if the managed appliance and the Central Management appliance are behind different NAT gateways, the following NAT address mappings are required:

- The virtual NAT gateway 1 IP address and port must be mapped to the Central Management internal IP address and port 22. The mapping enables the managed appliance to send a request to be added to the Central Management appliance for management and for the Central Management appliance to configure and manage the appliance.
- The managed appliance internal IP address and port 443 must be mapped to a virtual NAT gateway 2 IP address and port. The virtual NAT gateway 1 IP address and port must be mapped to the Central Management internal IP address and port 443 for the appliance. The mappings enable the appliance to request software updates.

Central Management and Managed Appliance Are in External Networks

No NAT address mapping is required if the two devices are in external networks and the managed appliance initiates the connection.

Adding an Appliance in a NAT Deployment (Using the Central Management Appliance)

A Central Management administrator can add an appliance that is behind a NAT gateway to the Central Management appliance.

NOTE: This procedure must be performed using the Central Management CLI, not the Web UI.

Prerequisites

- Operator or Admin access
- Network address translation (NAT) mapping as described in About NAT Address Mapping on page 575.
- The virtual NAT IP address and port that map to the appliance internal IP address and SSH port
- Unique hostname for each appliance being added

Adding an Appliance in a NAT Deployment Using the Central Management CLI

Use the commands in this section to add an appliance that is behind a NAT gateway to the Central Management appliance.

NOTE: The procedure in this section includes the basic steps for adding an appliance. Additional options are available. See the CLI Command Reference for a full list of the cmc commands and details about their parameters and usage.

To add an appliance:

1. Log in to the Central Management CLI.

2. Go to CLI configuration mode:

   cm-hostname > enable
   cm-hostname # configure terminal

3. Specify the virtual NAT IP address that is mapped to the appliance internal IP address:

   cm-hostname (config) # cmc appliance <applianceID> address <IP address>

   where applianceID is the appliance record name.

   IMPORTANT: Specify the IP address, not the hostname. Otherwise, if the hostname changes later, the connection will be broken and the appliance will need to be added again.

4. (Optional) Specify the virtual NAT port that is mapped to the appliance internal SSH port:

   cm-hostname (config) # cmc appliance <applianceID> port <port>

   The port defaults to 22 if it is not specified.

5. Configure authentication:

   cm-hostname (config) # cmc appliance <applianceID> authtype <authtype>
   cm-hostname (config) # cmc appliance <applianceID> auth <authtype> username <username>
   cm-hostname (config) # cmc appliance <applianceID> auth <authtype> password <password> | identity <identity>

   where authtype can be password, ssh-dsa2, or ssh-rsa-2. (See Configuring User Authentication Using the CLI on page 563 for details.)

6. (Optional) Add a comment describing the appliance:

   cm-hostname (config) # cmc appliance <applianceID> comment <comment>

7.
Save your changes:

   cm-hostname (config) # write memory

Example

The following example adds Acme-NX to the Central Management appliance and configures password authentication.

cm-hostname (config) # cmc appliance Acme-NX address 10.3.3.6
cm-hostname (config) # cmc appliance Acme-NX port 1000
cm-hostname (config) # cmc appliance Acme-NX authtype password
cm-hostname (config) # cmc appliance Acme-NX auth password username admin3
cm-hostname (config) # cmc appliance Acme-NX auth password password 12345abcde
cm-hostname (config) # cmc appliance Acme-NX comment New York NX Series

Accepting a Management Request in a NAT Deployment

A Central Management administrator can view a list of appliances that requested to be added for management, and accept or reject them. After a request is accepted, the appliance is added to the Central Management appliance.

Requirements for Establishing a Successful Connection

To accept a management request and successfully establish and maintain the connection, the following must be in place:

- The rendezvous process is enabled on the Central Management appliance (enabled by default). To verify and enable the process, see Preparing the Central Management to Accept a Management Request on page 367.
- The appliance has a permanent hostname. If the hostname is changed, the connection will be broken and cannot be reset. If this happens, the appliance must be removed from the Central Management appliance and then added again using the new hostname.
- The Central Management appliance and the requesting appliance have the same rendezvous service name. The rendezvous process has an identifier (known as service name) that is set to "cmc" by default. The Central Management appliance and the requesting appliance must have the same service name; if you change the service name on one, you must change it on the other as well.
  The cmc rendezvous service-name <name> command changes the service name; the no cmc rendezvous service-name command restores the default value. For details, see the CLI Command Reference.
- The auto-connect feature must be enabled on the requesting appliance. To prevent future connection issues, do not enable the auto-connect feature from the Central Management appliance on behalf of a managed appliance that was added using a client-initiated connection. The value of the Auto-connect field in the output of the show cmc client command on the managed appliance is yes. The value of the Auto-connect field in the output of the show cmc appliance <appliance ID> command on the Central Management appliance is no.

Prerequisites

- Operator or Admin access

Accepting a Management Request in a NAT Deployment Using the Central Management Web UI

Use the Connection Requests dialog box to accept or reject a request to be managed.

NOTE: If requests from appliances are waiting for approval, a message is displayed in the notification bell at the top right of the Central Management Web UI.

To accept a request to be managed from an appliance:

1. If the Central Management appliance has never accepted a request for management, ensure that it meets the requirements described in Preparing the Central Management to Accept a Management Request on page 367.

2. Log in to the Central Management Web UI.

3. Do one of the following to open the Connection Requests dialog box:

   - Click the button in the notification bell message.
   - Click the Appliances tab. The Sensors tab should be selected. Click Actions > Waiting Connection Requests.

   The IP address and hostname of the requesting appliances are displayed.

4. To approve the request and add the appliance:

   a. Select its checkbox and then click Accept.
   b.
When prompted, confirm your action.

   The appliance is added to the list on the page, and it becomes a member of the system group for that appliance type. The appliance hostname becomes the display name shown in the Sensor column. You can add the appliance to a different group or create a new group for the appliance as described in Grouping Appliances on page 405.

5. To reject the request (for example, if you do not recognize the appliance):

   a. Select its checkbox and then click Reject.
   b. When prompted, confirm your action.

NOTE: See Viewing Managed Appliance Information Using the Web UI on page 375 for information about the status indicators and the actions you can take from this page.

Accepting a Management Request in a NAT Deployment Using the Central Management CLI

Use the commands in this section to accept or reject a request by an appliance to be added to the Central Management appliance for management.

To accept a request to be managed:

1. If the Central Management appliance has never accepted a request for management, ensure that it meets the requirements described in Preparing the Central Management to Accept a Management Request on page 367.

2. Log in to the Central Management CLI.

3. Go to CLI configuration mode:

   hostname > enable
   hostname # configure terminal

4. Accept one or more requests.

   - To accept a specific appliance:

     cm-hostname (config) # cmc rendezvous server accept client <hostname>

     where <hostname> is the hostname of the requesting appliance. Do not specify the IP address, because multiple appliances behind the same NAT gateway have the same IP address.

   - To accept all appliances in the list:

     cm-hostname (config) # cmc rendezvous server accept all

5. Save your changes.

   hostname (config) # write memory

To reject a request from an appliance to be managed:

1. Go to CLI configuration mode:

   hostname > enable
   hostname # configure terminal

2.
View the list of requests:

   cm-hostname (config) # show cmc rendezvous

3. Reject one or more requests:

   - To reject a specific appliance:

     cm-hostname (config) # no cmc rendezvous server accept client <hostname>

     where <hostname> is the hostname of the requesting appliance. Do not specify the IP address, because multiple appliances behind the same NAT gateway have the same IP address.

   - To reject all appliances in the list:

     cm-hostname (config) # no cmc rendezvous server accept all

4. Save your changes.

   hostname (config) # write memory

Example

In this example, the request from the nx-02 appliance is accepted and the request from the nx-04 appliance is rejected.

cm-hostname (config) # show cmc rendezvous
CMC rendezvous service name: cmc
CMC server:
  Server rendezvous enabled: yes
  Auto-accept enabled: no
  Clients waiting approval:
    nx-02 (3.3.3.6)
    nx-04 (3.3.3.6)
...
cm-hostname (config) # cmc rendezvous server accept client nx-02
cm-hostname (config) # no cmc rendezvous server accept client nx-04
cm-hostname (config) # write memory

Configuring Global Host-Key Authentication in a NAT Deployment

When global host-key authentication is enforced on the Central Management appliance, you must obtain the public host key from the managed appliance and import it into the Central Management global host-keys database. This is described in Configuring Secure Shell (SSH) Authentication on page 557.

The managed appliance host-key string includes its IP address. If the managed appliance is in an internal network behind a NAT gateway, the IP address in the key string you obtain from the managed appliance Web UI or CLI must be replaced with the virtual IP address that is mapped to the managed appliance on the NAT gateway.

Example

In this example, the Email Security — Server Edition appliance is behind the NAT gateway.
Its IP address is 2.2.2.5, and its virtual IP address is 3.3.3.5. The host-key string you obtain from the appliance Web UI or CLI starts with "2.2.2.5". For example:

2.2.2.5 ssh-rsa BEWDS4d65dj/T29+6a38loABAAABAQDZZJLE/ftkUddyNW6KdqEQXjS0PjbtzTn3OB51Qg0fdeQHrJgFHM2/4C9WtDkwuX5jd7gdWnSWYwrXDv657thlyRPIt4Wxjf0bpOolPKAe ...

Before you import the host key into the Central Management global host-keys database, you must replace "2.2.2.5" with "3.3.3.5". For example:

3.3.3.5 ssh-rsa BEWDS4d65dj/T29+6a38loABAAABAQDZZJLE/ftkUddyNW6KdqEQXjS0PjbtzTn3OB51Qg0fdeQHrJgFHM2/4C9WtDkwuX5jd7gdWnSWYwrXDv657thlyRPIt4Wxjf0bpOolPKAe ...

APPENDIX C: Configuring the CM Peer Service

This appendix describes how to configure the CM Peer Service, and addresses the following topics:

- About CM Peer Service below
- Enabling or Disabling the CM Peer Service on page 593
- Generating and Importing Authentication Tokens Between CM Peers on page 595
- Enabling or Disabling All the Features of the CM Peer Service on the Peers on page 600
- CM Peer Distributed Correlation on page 603
- CM Peer Signature Sharing on page 607
- Allowing or Preventing a CM Peer to Use a Proxy Server on page 610

About CM Peer Service

Large enterprise customers often use separate networks where each network is managed by a separate Central Management appliance and a separate team within the enterprise. For instance, one enterprise might configure their network into email and Web networks, where the email team manages all Email Security — Server Edition appliances, and the Web team manages all Network Security appliances. Another enterprise might use geographically distributed Central Management networks (for example, US, EU, APAC).

Customers can benefit from using the CM Peer Service when they have multiple Central Management appliances that are managing multiple appliances as independent groups within the same environment.
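Two of the NAT-deployment steps in Appendix B above lend themselves to scripting: triaging the rendezvous request list by hostname (never by IP, since appliances behind one NAT gateway share the gateway address) and rewriting the address field of a managed appliance's host-key string to the virtual NAT IP before import. The following helper is an added example, not FireEye code; the sample output and the key blob are constructed in the format the guide shows and the blob is not real key material.

```python
"""Helpers for the NAT-deployment procedures in Appendix B (added example, not FireEye code).

triage_rendezvous(): parses 'show cmc rendezvous' output and emits the accept/reject
commands from the guide, keyed on hostname because NATed appliances share an IP.
rewrite_hostkey(): replaces the internal IP in '<addr> <type> <base64>' with the virtual
NAT IP, validating every field and leaving the key material untouched.
"""
import base64
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample in the format the guide shows for 'show cmc rendezvous'.
SAMPLE_RENDEZVOUS = """\
CMC rendezvous service name: cmc
CMC server:
  Server rendezvous enabled: yes
  Auto-accept enabled: no
  Clients waiting approval:
    nx-02 (3.3.3.6)
    nx-04 (3.3.3.6)
"""
CLIENT_RE = re.compile(r"^\s+(?P<host>[\w.-]+)\s+\((?P<ip>[\d.]+)\)\s*$")


def parse_rendezvous(output: str) -> Tuple[bool, List[Tuple[str, str]]]:
    """Return (server rendezvous enabled, [(hostname, ip), ...] waiting approval)."""
    enabled, waiting, in_list = False, [], False
    for line in output.splitlines():
        text = line.strip()
        if text.startswith("Server rendezvous enabled:"):
            enabled = text.split(":", 1)[1].strip() == "yes"
        elif text.startswith("Clients waiting approval:"):
            in_list = True
        elif in_list:
            m = CLIENT_RE.match(line)
            if not m:
                in_list = False          # end of the indented client list
                continue
            waiting.append((m.group("host"), m.group("ip")))
    return enabled, waiting


def triage_rendezvous(output: str, expected_hosts: List[str]) -> List[str]:
    """Accept commands for recognised, unique hostnames; reject commands for everything else."""
    enabled, waiting = parse_rendezvous(output)
    if not enabled:
        raise RuntimeError("server rendezvous is disabled; enable it before accepting requests")
    known = {h.lower() for h in expected_hosts}
    seen: Dict[str, int] = {}
    for host, _ in waiting:
        seen[host.lower()] = seen.get(host.lower(), 0) + 1
    cmds = []
    for host, _ip in waiting:
        if host.lower() in known and seen[host.lower()] == 1:
            cmds.append(f"cmc rendezvous server accept client {host}")
        else:                            # unknown, or a duplicate hostname (hostnames must be unique)
            cmds.append(f"no cmc rendezvous server accept client {host}")
    return cmds


# Constructed stand-in for the key blob: valid base64, but NOT a real key.
SAMPLE_BLOB = base64.b64encode(b"constructed placeholder, not real key material").decode()
SAMPLE_HOSTKEY = f"2.2.2.5 ssh-rsa {SAMPLE_BLOB}"


def rewrite_hostkey(line: str, internal_ip: str, virtual_ip: str) -> str:
    """Replace internal_ip with virtual_ip in '<addr> <type> <base64>'; validate every field."""
    parts = line.split()
    if len(parts) != 3:
        raise ValueError("host-key string must be '<address> <key type> <base64 key>'")
    addr, ktype, blob = parts
    if addr != internal_ip:
        raise ValueError(f"host key is for {addr}, expected the internal address {internal_ip}")
    if not ktype.startswith(("ssh-", "ecdsa-")):
        raise ValueError(f"unexpected key type {ktype!r}")
    base64.b64decode(blob, validate=True)   # catches a truncated or corrupted paste
    ipaddress.ip_address(virtual_ip)         # the mapped address must be an IP, not a hostname
    return f"{virtual_ip} {ktype} {blob}"


if __name__ == "__main__":
    for cmd in triage_rendezvous(SAMPLE_RENDEZVOUS, ["nx-02"]) + ["write memory"]:
        print(cmd)
    print(rewrite_hostkey(SAMPLE_HOSTKEY, "2.2.2.5", "3.3.3.5"))
```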
The CM Peer Service enables two Central Management appliances to communicate with each other to share local detection information, such as Network Security and Email Security — Server Edition URL correlation and locally generated signatures.

The CM Peer Service provides a backbone to connect distributed Central Management networks. It enables two-way (CM-to-CM) interactions that allow enterprises to share vital information, such as alerts and signatures, between two or more separate Central Management networks. The CM Peer Service is used when one or more Central Management appliances are managing different appliances.

The following diagram shows how the CM Peer Service is configured for two separate Central Management networks on a WAN. The CM Peer Service supports both LANs and WANs.

When the CM Peer Service is enabled, you can access the following features:

- CM Peer Distributed Correlation—Enables CM peers in one network to correlate email events detected by their Email Security — Server Edition appliance with malicious URLs detected by the Network Security appliance that is managed by CM peers in a different network. For details about the CM Peer Distributed Correlation feature, see CM Peer Distributed Correlation on page 603.
- CM Peer Signature Sharing—Allows CM peers to share locally generated signatures with remote CM peers. For details about the CM Peer Signature Sharing feature, see CM Peer Signature Sharing on page 607.
- CM Peer Update—Sends the new primary node's address information to the original primary node's peer after a failover. This feature allows seamless routing to the new primary node peer, and it is used in a Central Management High Availability (HA) configuration.
IMPORTANT: The CM Peer Distributed Correlation and CM Peer Signature Sharing features must both be enabled when one Central Management platform manages both the Network Security and Email Security — Server Edition appliances. Otherwise, you need to enable only CM Peer Signature Sharing.

For information on how the CM Peer Service (and associated features) works in a Central Management HA configuration, refer to the Central Management High Availability Guide.

Task List for Configuring the CM Peer Service

Complete the steps for configuring the CM Peer Service in the following order:

1. Log in to the CLI.

2. Enable the CM Peer Service on each of the participating Central Management appliances. For details about how to enable the peer service, see Enabling or Disabling the CM Peer Service below.

3. Generate and import authentication tokens to provide communication between CM peers. You must configure at least one relationship with two CM peers. Each peer must import a unique authentication token from every other CM peer. For details about how to generate and import authentication tokens, see Generating and Importing Authentication Tokens Between CM Peers on page 595.

4. Enable the CM Peer Distributed Correlation and CM Peer Signature Sharing features of the CM Peer Service on each CM peer. For details about how to enable all the features on each CM peer, see Enabling or Disabling All the Features of the CM Peer Service on the Peers on page 600.

5. Enable the malware-object notification setting on all the CM peers. For details about how to configure event notifications, see Event Notifications on page 295.

6. Enable the local signature generation settings on all the CM peers. Use the localsig enable command.

7. Verify the details for all the connected CM peers.
   For details about how to verify the details of the CM Peer Service on each peer, see Enabling or Disabling All the Features of the CM Peer Service on the Peers on page 600.

Enabling or Disabling the CM Peer Service

Use the CLI commands to enable or disable the CM Peer Service on each of the participating Central Management appliances. When you disable the CM Peer Service on a Central Management appliance, it can no longer interact with other CM peers.

NOTE: You can enable or disable CM Peer Service only using the CLI. CM Peer Service is enabled by default.

IMPORTANT: You cannot make configuration changes when the CM Peer Service is disabled. If you want to make peer service configuration changes after disabling it, re-enable the CM Peer Service first with the cms feature peer-service enable command.

Prerequisites

- Admin access to the Central Management appliance.
- A connection to the Dynamic Threat Intelligence (DTI) Cloud.
- Network connectivity over SSH (port 22) and HTTPS (port 443) must be allowed on each of the participating Central Management appliances.

Enabling or Disabling the CM Peer Service Using the CLI

Follow these steps to enable or disable the CM Peer Service using the CLI.

To enable the CM Peer Service:

1. Go to CLI configuration mode.

   CMS1 > enable
   CMS1 # configure terminal

2. Enable CM Peer Service on the platform.

   CMS1 (config) # cms feature peer-service enable

3. Verify the status of the CM Peer Service.

   CMS1 (config) # show cms peer-service
   CMS peer-service enabled: yes

4. Repeat this procedure for each CM peer.

To disable the CM Peer Service:

1. Go to CLI configuration mode.

   CMS1 > enable
   CMS1 # configure terminal

2. Disable CM Peer Service on the Central Management appliance.

   CMS1 (config) # no cms feature peer-service enable

3. Verify the status of the CM Peer Service.

   CMS1 (config) # show cms peer-service
   CMS peer-service enabled: no

4.
Repeat this procedure for each CM peer.

Generating and Importing Authentication Tokens Between CM Peers

Every CM peer has its own unique CM Peer Service authentication token (auth-token). The token is required for communication with each peer based on the following secure interactions:

- Authentication—Authenticates each CM peer based on public or private keys.
- Authorization—Authorizes each peer to access only the CM Peer Service on the local system. All other management access is protected. In addition, each peer's access is limited to specific features that are enabled locally for that peer through the CM Peer Service interface.
- Confidentiality—Provides encryption for all CM Peer Service communications.
- Integrity—Provides communication integrity.

In order for the CM peers to interact, each peer that wants to participate in the CM Peer Service must import the unique authentication token from the other CM peers. When a peer's authentication token is imported, the peer is approved for CM Peer Service (and associated features) with your Central Management appliance.

Importing a token is similar to creating an account. Therefore, the token must be from a trusted source that is authenticated with a secure out-of-band mechanism. For example, if the token is sent in a signed email, the sender of the email can be validated to be the administrator of the originating CM peer.

After the token is generated, it can be reused for the token exchange with all other peers. FireEye recommends that you reuse the same token for each exchange. If you generate a new token, it must be reimported on all the other participating CM peers to resume CM Peer Service functionality.

IMPORTANT: If you change the hostname or IP address of any CM peer, you must generate a new token for that CM peer and import it on all the peers of that Central Management network.
NOTE: You can generate and import authentication tokens only using the CLI.

Prerequisites

- Admin access to the Central Management appliance.
- A connection to the Dynamic Threat Intelligence (DTI) Cloud.
- Network connectivity over SSH (port 22) and HTTPS (port 443) must be allowed on each of the participating Central Management appliances.
- Each CM peer must have a unique hostname.
- CM Peer Service must be enabled on your Central Management appliance.

Generating and Importing Tokens for CM Peers Using the CLI

Use the CLI commands to generate and import authentication tokens for CM peers. This section describes how to configure a single relationship with two CM peers. In this example, CM peer 1 (CMS1) is administered by Admin1 and CM peer 2 (CMS2) is administered by Admin2.

IMPORTANT: After you import the token, a CM peer is able to interact with the CM Peer Service on your Central Management appliance. The hostname of the CM peer is automatically used as the name of the peer, and the IP address is determined by the value of the token. All CM peers must have unique IP addresses and hostnames.

NOTE: You can export an existing token from a CM peer if you do not want to generate a new token. For details about how to export an existing authentication token, see Exporting an Existing Token from a CM Peer Using the CLI on page 599. When you import the token, a CM peer is disabled, by default, while the features are enabled by default.

To generate an authentication token for a CM peer:

1. Go to CLI configuration mode.

   CMS1 > enable
   CMS1 # configure terminal

2. (Admin1) Generate an authentication token. Partial output of the generated token is displayed.

   CMS1 (config) # cms peer-service auth-token generate
   AUTH-TOKEN = "PD94bWwg.........."
   AUTH-TOKEN CHECKSUM = "cc47ba112df7e0743a41761491435ffb"
   . . .
3. (Admin1) Copy all the characters within the quotes, but do not copy the quotes, from the generated auth-token.

4. (Admin1) Paste the token of CMS1 to an out-of-band mechanism (for example, a signed email).

5. (Admin1) Send the generated token of CMS1 to Admin2 through a secure out-of-band mechanism (for example, a signed email).

To import an authentication token for peer setup:

1. Go to CLI configuration mode.

   CMS2 > enable
   CMS2 # configure terminal

2. (Admin2) Import the authentication token from CMS1. Paste the generated token of CMS1 on the same line as the command.

   CMS2 (config) # cms peer-service auth-token import <CMS_peer_one_token>

   NOTE: The actual hostname of CMS1 is automatically used after the token has been imported.

3. (Admin2) Generate an authentication token for CMS2.

   CMS2 (config) # cms peer-service auth-token generate
   AUTH-TOKEN = "PD94bWwg.........."
   AUTH-TOKEN CHECKSUM = "360a37cc532b9e2e75b674eb3b5fe2e0"
   . . .

4. (Admin2) Copy all the characters within the quotes, but do not copy the quotes, from the generated auth-token.

5. (Admin2) Paste the token of CMS2 to an out-of-band mechanism (for example, a signed email).

6. (Admin2) Send the generated token of CMS2 to Admin1 through a secure out-of-band mechanism (for example, a signed email).

7. (Admin1) Import the authentication token from CMS2. Paste the generated token of CMS2 on the same line as the command.

   CMS1 (config) # cms peer-service auth-token import <CMS_peer_two_token>

   NOTE: The actual hostname of CMS2 is automatically used after the token has been imported.

8. (Admin1) Verify that CMS1 is connected to CMS2.
   CMS1 (config) # show cms peer-service
   CMS peer-service enabled: yes
   -----------------------------------------------------------------------
   CMS peer CMS2:
     Enabled: no
     Hostname: CMS2
     Address: 172.16.216.51
     Auth-token checksum: 360a37cc532b9e2e75b674eb3b5fe2e0
     . . .
   -----------------------------------------------------------------------

9. (Admin2) Verify that CMS2 is connected to CMS1.

   CMS2 (config) # show cms peer-service
   CMS peer-service enabled: yes
   -----------------------------------------------------------------------
   CMS peer CMS1:
     Enabled: no
     Hostname: CMS1
     Address: 10.11.121.13
     Auth-token checksum: cc47ba112df7e0743a41761491435ffb
     . . .
   -----------------------------------------------------------------------

NOTE: For multiple CM peers, repeat these steps on each CM peer until all the authentication tokens are imported on all the peers.

Importing New Tokens for an Existing CM Peer Using the CLI

Use the CLI commands to import new authentication tokens for an existing CM peer. If you have already imported the authentication token for an existing peer and you want to import a new token for that peer, you must delete the connection to the CM peer first before importing the new token.

To import a new authentication token for an existing CM peer:

1. Go to CLI configuration mode.

   CMS1 > enable
   CMS1 # configure terminal

2. Delete a CM peer connection.

   CMS1 (config) # cms peer <peer_hostname> delete

3. Import the new token from the specified CM peer. Paste the token of the specified CM peer on the same line as the command.

   CMS1 (config) # cms peer-service auth-token import <peer_token>

Exporting an Existing Token from a CM Peer Using the CLI

Use the CLI commands to export an existing authentication token from a CM peer. Use this procedure when you want to use an existing token with another CM peer but do not want to generate a new token.
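Each administrator is expected to verify the peer relationship after the token exchange, and the check worth automating is the one the guide implies: that the Auth-token checksum shown for a peer matches the value its administrator sent out of band, that the peer has been enabled, and that its interactions (the per-feature Status lines shown later in this appendix under Enabling or Disabling All the Features) report OK. The following audit is an added example, not FireEye code; the sample output is constructed in the format the guide shows, the indentation is assumed to match the appliance output, and the CMS3 peer and its values are invented to exercise the mismatch and disabled cases.

```python
"""Audit 'show cms peer-service' output against the peers you expect (added example,
not FireEye code). Checks: the service is enabled; each expected peer's auth-token
checksum equals the value its administrator sent out of band; the peer is enabled;
enabled interactions report OK (UNKNOWN is tolerated as transient, per the guide);
and no unexpected peer is present. Indentation of the sample is assumed."""
import re
from typing import Dict, List

# Constructed sample in the format the guide shows; CMS3 is invented for the failure cases.
SAMPLE_STATUS = """\
CMS peer-service enabled: yes
-----------------------------------------------------------------------
CMS peer CMS2:
  Enabled: yes
  Hostname: CMS2
  Address: 172.16.216.51
  Auth-token checksum: 360a37cc532b9e2e75b674eb3b5fe2e0
  Interactions with peer:
    Distributed CMS Correlation:
      Enabled: yes
      Status: OK @ 2016/01/27 18:58:51
    Dynamic Threat Intelligence (DTI):
      Enabled: no
      Proxy mode: No proxy
      Status: UNKNOWN @ N/A
    Update Peer:
      Enabled: yes
      Status: OK @ 2016/01/27 18:56:30
-----------------------------------------------------------------------
CMS peer CMS3:
  Enabled: no
  Hostname: CMS3
  Address: 192.0.2.7
  Auth-token checksum: 234b19a369887ef5b0bbfd269c477704
  Interactions with peer:
    Distributed CMS Correlation:
      Enabled: yes
      Status: UNKNOWN @ N/A
-----------------------------------------------------------------------
"""
# Checksums as sent out of band by each peer's administrator (constructed values).
EXPECTED_CHECKSUMS = {
    "CMS2": "360a37cc532b9e2e75b674eb3b5fe2e0",
    "CMS3": "cc47ba112df7e0743a41761491435ffb",
}
PEER_RE = re.compile(r"^CMS peer (?P<name>\S+):$")
KV_RE = re.compile(r"^(?P<indent> *)(?P<key>[^:]+):\s*(?P<val>.*)$")


def parse_peer_service(output: str) -> Dict[str, object]:
    """Parse the service flag and each 'CMS peer <name>:' block into a dict."""
    parsed: Dict[str, object] = {"service_enabled": False, "peers": {}}
    peer = interaction = None
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("---"):
            continue
        m = PEER_RE.match(line)
        if m:
            peer = {"enabled": False, "address": None, "checksum": None, "interactions": {}}
            parsed["peers"][m.group("name")] = peer
            continue
        kv = KV_RE.match(line)
        if not kv:
            continue
        depth, key, val = len(kv.group("indent")), kv.group("key").strip(), kv.group("val").strip()
        if peer is None:
            if key == "CMS peer-service enabled":
                parsed["service_enabled"] = val == "yes"
        elif depth == 2:                      # peer-level fields
            if key == "Enabled":
                peer["enabled"] = val == "yes"
            elif key == "Address":
                peer["address"] = val
            elif key == "Auth-token checksum":
                peer["checksum"] = val.lower()
        elif depth == 4:                      # start of one interaction block
            interaction = {"enabled": False, "status": None}
            peer["interactions"][key] = interaction
        elif depth == 6 and interaction is not None:
            if key == "Enabled":
                interaction["enabled"] = val == "yes"
            elif key == "Status":             # 'OK @ <timestamp>' -> 'OK'
                interaction["status"] = val.split("@", 1)[0].strip()
    return parsed


def audit_peers(output: str, expected: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means every expected peer is present and healthy."""
    parsed = parse_peer_service(output)
    findings: List[str] = []
    if not parsed["service_enabled"]:
        findings.append("CM Peer Service is disabled on this appliance")
    for name, want in expected.items():
        peer = parsed["peers"].get(name)
        if peer is None:
            findings.append(f"{name}: no token imported for this peer")
            continue
        if peer["checksum"] != want.lower():
            findings.append(f"{name}: auth-token checksum does not match the value sent out of band")
        if not peer["enabled"]:
            findings.append(f"{name}: peer is disabled (run: cms peer {name} enable)")
        for iname, inter in peer["interactions"].items():
            if inter["enabled"] and inter["status"] not in ("OK", "UNKNOWN"):
                findings.append(f"{name}: {iname} status is {inter['status']}")
    for name in parsed["peers"]:
        if name not in expected:
            findings.append(f"{name}: unexpected peer; confirm its token came from a trusted source")
    return findings


if __name__ == "__main__":
    for finding in audit_peers(SAMPLE_STATUS, EXPECTED_CHECKSUMS) or ["all peers healthy"]:
        print(finding)
```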
When a token is exported, it is displayed. You can copy the existing token and send it to the administrator of a CM peer.

To export an existing authentication token with a CM peer:

1. Go to CLI configuration mode.

   CMS1 > enable
   CMS1 # configure terminal

2. Export an existing token. Partial output of the existing token is displayed.

   CMS1 (config) # cms peer-service auth-token export
   AUTH-TOKEN = "PD94bWwg.........."
   AUTH-TOKEN CHECKSUM = "234b19a369887ef5b0bbfd269c477704"
   . . .

3. Copy all the characters of the existing token within the quotes, but do not copy the quotes, from the exported auth-token.

4. Paste the exported token to an out-of-band mechanism (for example, a signed email).

5. Send the exported token to the administrator of the CM peer.

Enabling or Disabling All the Features of the CM Peer Service on the Peers

Use the CLI commands in this topic to enable or disable the CM Peer Distributed Correlation and CM Peer Signature Sharing features of the CM Peer Service on each CM peer. When you enable each CM peer, all the features are enabled. When you disable the CM Peer Service, CM peers can no longer interact with your Central Management appliance. However, you can enable or disable access to the CM Peer Distributed Correlation and CM Peer Signature Sharing features individually on each CM peer.

Each administrator must verify the CM Peer Service connection to all CM peers. A status refresh is triggered in the following instances:

- Periodically, about every 1 to 5 minutes. Different interactions and different peers can be refreshed at different 1-minute to 5-minute intervals.
- Whenever any peer service configuration changes (for example, a new token is imported, a feature on a CM peer is disabled, and so on).
- When Central Management high availability (HA) failover occurs (when the secondary node becomes the new primary node).
  For information about how the CM Peer Service (and associated features) works in a HA configuration, refer to the Central Management High Availability Guide.

The status might display "UNKNOWN" temporarily until the status is retrieved at the beginning of the refresh cycle.

NOTE: You can enable or disable the CM Peer Service features on each CM peer only using the CLI.

Prerequisites

- Admin access to the Central Management appliance.
- A connection to the Dynamic Threat Intelligence (DTI) Cloud.
- Network connectivity over SSH (port 22) and HTTPS (port 443) must be allowed on each of the participating Central Management appliances.
- CM Peer Service must be enabled on each of the participating Central Management appliances.
- Authentication tokens must be exchanged for communication between CM peers.

Enabling or Disabling All the Features of the CM Peer Service on the Peers Using the CLI

Follow these steps to enable or disable all the features of the CM Peer Service on each CM peer using the CLI.

To enable all the features of the CM Peer Service:

1. Go to CLI configuration mode.

   CMS1 > enable
   CMS1 # configure terminal

2. Enable all the CM Peer Service features on a CM peer.

   CMS1 (config) # cms peer <peer_hostname> enable

3. Save your changes.

   CMS1 (config) # write memory

4. Repeat this procedure for each CM peer.

5. Verify the status for all the connected CM peers. The following example verifies that CMS1 is connected to CMS2.
   CMS1 (config) # show cms peer-service
   CMS peer-service enabled: yes
   -----------------------------------------------------------------------
   CMS peer CMS2:
     Enabled: yes
     Hostname: CMS2
     Address: 172.16.216.51
     Auth-token checksum: 360a37cc532b9e2e75b674eb3b5fe2e0
     Interactions with peer:
       Distributed CMS Correlation:
         Enabled: yes
         Status: OK @ 2016/01/27 18:58:51
       Dynamic Threat Intelligence (DTI):
         Enabled: no
         Proxy mode: No proxy
         Status: UNKNOWN @ N/A
       Update Peer:
         Enabled: yes
         Status: OK @ 2016/01/27 18:56:30
   -----------------------------------------------------------------------

To disable all the features of the CM Peer Service:

1. Go to CLI configuration mode.

   CMS1 > enable
   CMS1 # configure terminal

2. Disable all the CM Peer Service features on a CM peer.

   CMS1 (config) # no cms peer <peer_hostname> enable

3. Save your changes.

   CMS1 (config) # write memory

4. Repeat this procedure for each CM peer.

5. Verify the status for all the CM peers. The following example verifies that CMS1 is not connected to CMS2.

   CMS1 (config) # show cms peer-service
   CMS peer-service enabled: yes
   -----------------------------------------------------------------------
   CMS peer CMS2:
     Enabled: no
     Hostname: CMS2
     Address: 172.16.216.51
     Auth-token checksum: 360a37cc532b9e2e75b674eb3b5fe2e0
     Interactions with peer:
       Distributed CMS Correlation:
         Enabled: yes
         Status: OK @ 2016/01/27 18:58:51
       Dynamic Threat Intelligence (DTI):
         Enabled: no
         Proxy mode: No proxy
         Status: UNKNOWN @ N/A
       Update Peer:
         Enabled: yes
         Status: OK @ 2016/01/27 18:58:51
   -----------------------------------------------------------------------

Deleting a CM Peer Using the CLI

Follow these steps to delete a CM peer from the Peer Service relationship (not from the network) using the CLI.
All configuration information and data associated with that peer will be removed, including the IP address and peer name. The CM peer is no longer connected to the Peer Service. If you want to reconnect to the same peer, you must import the existing token again.

IMPORTANT: If you delete a CM peer and then want to add the CM peer back, you must import the token again. For information about how to import a token for an existing CM peer, see Importing New Tokens for an Existing CM Peer Using the CLI on page 598.

To delete a CMS peer:

1. Go to CLI configuration mode.

   CMS1 > enable
   CMS1 # configure terminal

2. Delete a CMS peer.

   CMS1 (config) # cms peer <peer_hostname> delete

3. Save your changes.

   CMS1 (config) # write memory

4. Verify that all configuration information associated with that peer is removed. The following example verifies that all information associated with CMS2 is removed.

   CMS1 (config) # show cms peer-service
   CMS peer-service enabled: yes

CM Peer Distributed Correlation

CM Peer Distributed Correlation matches events detected by an appliance with events that are received from a CM peer in another network. CM Peer Distributed Correlation allows two Central Management networks to share information. Information about a malicious URL found in one Central Management network is shared with other Central Management networks.

A typical correlation matches malicious URL events detected by the Network Security appliance with email events detected by the Email Security — Server Edition appliance. URL events and email events are linked to each other in the Web UI after they have been matched. For example, when a malicious URL is detected by the Network Security appliance, the URL is correlated by the Central Management appliance with the originating email on the Email Security — Server Edition appliance.
For details about Network Security and Email Security — Server Edition event correlation, see Reviewing Email Alerts Correlated with Web Events on page 434.

Alert notifications from a CM peer are missing the product and version attributes in the <alert> tag of the notification.

When the malware-object notification setting is enabled on the Central Management appliance, Distributed Cross-CM alert notifications that contain information about the sender, intended recipient(s), and malicious URL are sent from the Central Management appliance or managed appliances. For details about how to manage the distribution of alert notifications for the Central Management appliance and managed appliances, see Managing the Distribution of Alert Notifications on page 421.

Prerequisites

- Admin access to the Central Management appliance.
- A connection to the Dynamic Threat Intelligence (DTI) Cloud.
- Network connectivity over SSH (port 22) and HTTPS (port 443) must be allowed on each of the participating Central Management appliances.
- CM Peer Service must be enabled on each of the participating Central Management appliances.
- Authentication tokens must be exchanged for communication between the CM peers.
- The malware-object notification setting must be enabled on all the CM peers. For details about how to configure event notifications, see Event Notifications on page 295.

Enabling or Disabling CM Peer Distributed Correlation Using the CLI

Follow these steps to enable or disable the CM Peer Distributed Correlation feature on each CM peer using the CLI.

To enable the CM Peer Distributed Correlation feature:

1. Go to CLI configuration mode.

   CMS1 > enable
   CMS1 # configure terminal

2. Enable the CM Peer Distributed Correlation feature on a CM peer.

   CMS1 (config) # cms peer <peer_hostname> interaction dist-correlation enable

3. Save your changes.
   CMS1 (config) # write memory

4. Verify the Distributed Correlation status on a CM peer. The following example verifies that Distributed Correlation is enabled on CMS2.

   CMS1 (config) # show cms peer-service
   CMS peer-service enabled: yes
   -----------------------------------------------------------------------
   CMS peer CMS2:
       Enabled: yes
       Hostname: CMS2
       Address: 172.16.216.51
       Auth-token checksum: 360a37cc532b9e2e75b674eb3b5fe2e0
       Interactions with peer:
           Distributed CMS Correlation:
               Enabled: yes
               Status: OK @ 2016/01/27 18:59:38
           Dynamic Threat Intelligence (DTI):
               Enabled: yes
               Proxy mode: No proxy
               Status: OK @ 2016/01/27 18:59:38
           Update Peer:
               Enabled: yes
               Status: OK @ 2016/01/27 19:02:23
   -----------------------------------------------------------------------

To disable the CM Peer Distributed Correlation feature:

1. Go to CLI configuration mode.

   CMS1 > enable
   CMS1 # configure terminal

2. Disable the CM Peer Distributed Correlation feature on a CM peer.

   CMS1 (config) # no cms peer <peer_hostname> interaction dist-correlation enable

3. Verify the Distributed Correlation status on a CM peer. The following example verifies that Distributed Correlation is disabled on CMS2.
   CMS1 (config) # show cms peer-service
   CMS peer-service enabled: yes
   -----------------------------------------------------------------------
   CMS peer CMS2:
       Enabled: yes
       Hostname: CMS2
       Address: 172.16.216.51
       Auth-token checksum: 360a37cc532b9e2e75b674eb3b5fe2e0
       Interactions with peer:
           Distributed CMS Correlation:
               Enabled: no
               Status: UNKNOWN @ N/A
           Dynamic Threat Intelligence (DTI):
               Enabled: yes
               Proxy mode: No proxy
               Status: OK @ 2016/01/27 18:59:38
           Update Peer:
               Enabled: yes
               Status: OK @ 2016/01/27 19:02:23
   -----------------------------------------------------------------------

Viewing CM Peer Distributed Correlation Alerts in the Web UI

When CM Peer Distributed Correlation is enabled, a globe icon in the URL column on the Email Security — Server Edition: Email Alerts page indicates that a user clicked a malicious URL that was detected by a Network Security appliance managed by a CM peer. The Email Alerts page lists the results, grouped by recipient, of correlating the email events detected by the Email Security — Server Edition appliance in one network with the malicious URLs detected by the Network Security appliance managed by a CM peer in a different network.

CM Peer Signature Sharing

The CM Peer Signature Sharing feature allows CM peers to share locally generated signatures with remote CM peers using the CM Peer Service. When local signature generation settings are enabled, you can verify the number of active rules that are shared with local and remote CM peers by using the show localsig command. When CM Peer Signature Sharing is disabled, local and remote peers do not share locally generated signatures.
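Every procedure in this appendix ends with a show cms peer-service check, and the guide notes that an interaction can report "UNKNOWN" until the next refresh cycle retrieves its status. The following Python script is an added example, not FireEye code and not part of this guide: it parses output laid out as printed in the procedures above and below (the sample is constructed from those listings, not captured from an appliance), skips interactions that are deliberately disabled, and flags enabled interactions whose status is not OK or whose last OK timestamp is older than a threshold you choose. The age threshold, the optional expected proxy mode, and the indentation of the sample are assumptions; only the labels matter to the parser.

```python
"""Parse 'show cms peer-service' output and flag peers or interactions that need attention."""
import re
from datetime import datetime, timedelta

# Constructed sample, laid out as the output appears in this appendix (not captured from an appliance).
SAMPLE_OUTPUT = """\
CMS peer-service enabled: yes
-----------------------------------------------------------------------
CMS peer CMS2:
    Enabled: yes
    Hostname: CMS2
    Address: 172.16.216.51
    Auth-token checksum: 360a37cc532b9e2e75b674eb3b5fe2e0
    Interactions with peer:
        Distributed CMS Correlation:
            Enabled: yes
            Status: OK @ 2016/01/27 18:58:51
        Dynamic Threat Intelligence (DTI):
            Enabled: no
            Proxy mode: No proxy
            Status: UNKNOWN @ N/A
        Update Peer:
            Enabled: yes
            Status: OK @ 2016/01/27 18:56:30
-----------------------------------------------------------------------
"""

# The three interaction blocks printed under "Interactions with peer:".
INTERACTIONS = ("Distributed CMS Correlation", "Dynamic Threat Intelligence (DTI)", "Update Peer")
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"


def parse_time(stamp):
    """Timestamps follow 'OK @ 2016/01/27 18:58:51'; a disabled interaction shows 'N/A'."""
    return None if stamp in ("", "N/A") else datetime.strptime(stamp, TIME_FORMAT)


def parse_peer_service(text):
    """Return {'service_enabled': bool, 'peers': {name: {...}}}; indentation is ignored, only labels matter."""
    result = {"service_enabled": None, "peers": {}}
    peer = interaction = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        m = re.match(r"^CMS peer-service enabled:\s*(\S+)$", line)
        if m:
            result["service_enabled"] = m.group(1) == "yes"
            continue
        m = re.match(r"^CMS peer (\S+):$", line)
        if m:  # start of a per-peer block
            peer = {"name": m.group(1), "interactions": {}}
            result["peers"][m.group(1)] = peer
            interaction = None
            continue
        if peer is None or line == "Interactions with peer:":
            continue
        if line.endswith(":") and line[:-1] in INTERACTIONS:
            interaction = peer["interactions"].setdefault(line[:-1], {})
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        target = peer if interaction is None else interaction
        if key == "Status":
            state, _, stamp = value.partition("@")
            target["status"] = state.strip()
            target["status_time"] = parse_time(stamp.strip())
        elif key == "Enabled":
            target["enabled"] = value == "yes"
        else:  # Hostname, Address, Auth-token checksum, Proxy mode
            target[key.lower().replace("-", "_").replace(" ", "_")] = value
    return result


def assess_peer(peer, now, max_age=timedelta(minutes=30), expected_proxy_mode=None):
    """Findings for one parsed peer; an empty list means every enabled interaction reported OK recently."""
    findings = []
    if not peer.get("enabled"):
        findings.append("peer is disabled")
    for name, inter in peer["interactions"].items():
        if not inter.get("enabled"):
            continue  # a disabled interaction legitimately reports "UNKNOWN @ N/A"
        if inter.get("status") != "OK":
            # UNKNOWN can be transient right after enabling; re-check after the next refresh cycle
            findings.append(f"{name}: status {inter.get('status')}")
        elif inter.get("status_time") and now - inter["status_time"] > max_age:
            findings.append(f"{name}: last OK at {inter['status_time']:{TIME_FORMAT}} is older than {max_age}")
    dti = peer["interactions"].get("Dynamic Threat Intelligence (DTI)", {})
    if expected_proxy_mode and dti.get("proxy_mode") not in (None, expected_proxy_mode):
        findings.append(f"DTI proxy mode is '{dti['proxy_mode']}', expected '{expected_proxy_mode}'")
    return findings


def check_output(text, now, **policy):
    """Map every peer name in the output to its findings (policy keywords go to assess_peer)."""
    parsed = parse_peer_service(text)
    if not parsed["service_enabled"]:
        return {"<service>": ["CM peer-service is not enabled on this appliance"]}
    return {name: assess_peer(p, now, **policy) for name, p in parsed["peers"].items()}


if __name__ == "__main__":
    for name, findings in check_output(SAMPLE_OUTPUT, datetime(2016, 1, 27, 19, 0, 0)).items():
        print(name, "OK" if not findings else findings)
```

Run it against the text captured from each CM peer after a change: a peer whose enabled interaction stays UNKNOWN past one refresh cycle, or whose last OK timestamp stops advancing, is the one to investigate, while disabled interactions are ignored rather than reported as failures.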
An enterprise customer can have geographically distributed Central Management networks (for example, US, EU, APAC) with separate Central Management appliances that are all connected using the CM Peer Service. CM Peer Signature Sharing allows the Central Management appliance in the US network to share locally generated signatures with the other platforms in the EU and APAC. When one peered Central Management network identifies a malicious URL, the signature is shared with all the other peered Central Management networks. When deployed inline in block mode, any appliance in the EU or APAC automatically blocks a malicious URL identified in the US. Therefore, users in all peered Central Management networks are protected.

Prerequisites

- Admin access to the Central Management appliance.
- A connection to the Dynamic Threat Intelligence (DTI) Cloud.
- Network connectivity over SSH (port 22) and HTTPS (port 443) must be allowed on each of the participating Central Management appliances.
- The Email Security — Server Edition appliance must be deployed in block mode.
- The Network Security appliance must be deployed inline and the monitoring interface must be configured for inline blocking.
- CM Peer Service must be enabled on each of the participating Central Management appliances.
- Authentication tokens must be exchanged for communication between the CM peers.
- The local signature generation settings must be enabled on all the CM peers using the localsig enable command.

Enabling or Disabling CM Peer Signature Sharing Using the CLI

Follow these steps to enable or disable DTI interaction between CM peers for CM Peer Signature Sharing using the CLI.

To enable CM Peer Signature Sharing:

1. Go to CLI configuration mode.

   CMS1 > enable
   CMS1 # configure terminal

2. Generate a key file to enable DTI interaction between CM peers, so that locally generated signatures are shared with remote CM peers.

   CMS1 (config) # cms peer <peer_hostname> interaction dti enable

3. Save your changes.

   CMS1 (config) # write memory

4. Verify the DTI interaction status with a CM peer for CM Peer Signature Sharing. The following example verifies that DTI interaction with CMS2 is enabled for CM Peer Signature Sharing.

   CMS1 (config) # show cms peer-service
   CMS peer-service enabled: yes
   -----------------------------------------------------------------------
   CMS peer CMS2:
       Enabled: yes
       Hostname: CMS2
       Address: 172.16.216.51
       Auth-token checksum: 360a37cc532b9e2e75b674eb3b5fe2e0
       Interactions with peer:
           Distributed CMS Correlation:
               Enabled: yes
               Status: OK @ 2016/01/27 19:07:26
           Dynamic Threat Intelligence (DTI):
               Enabled: yes
               Proxy mode: No proxy
               Status: OK @ 2016/01/27 19:07:26
           Update Peer:
               Enabled: yes
               Status: OK @ 2016/01/27 19:07:26
   -----------------------------------------------------------------------

To disable DTI interaction with a CM peer for CM Peer Signature Sharing:

1. Go to CLI configuration mode.

   CMS1 > enable
   CMS1 # configure terminal

2. Disable DTI interaction with a CM peer for CM Peer Signature Sharing.

   CMS1 (config) # no cms peer <peer_hostname> interaction dti enable

3. Save your changes.

   CMS1 (config) # write memory

4. Verify the DTI interaction status with a CM peer for CM Peer Signature Sharing. The following example verifies that DTI interaction with CMS2 is disabled for CM Peer Signature Sharing.
   CMS1 (config) # show cms peer-service
   CMS peer-service enabled: yes
   -----------------------------------------------------------------------
   CMS peer CMS2:
       Enabled: yes
       Hostname: CMS2
       Address: 172.16.216.51
       Auth-token checksum: 360a37cc532b9e2e75b674eb3b5fe2e0
       Interactions with peer:
           Distributed CMS Correlation:
               Enabled: yes
               Status: OK @ 2016/01/27 19:07:26
           Dynamic Threat Intelligence (DTI):
               Enabled: no
               Proxy mode: No proxy
               Status: UNKNOWN @ N/A
           Update Peer:
               Enabled: yes
               Status: OK @ 2016/01/27 19:07:26
   -----------------------------------------------------------------------

Viewing the Number of Rules for CM Peer Signature Sharing Using the CLI

Follow these steps to view the number of active rules that are shared between local and remote CM peers for CM Peer Signature Sharing using the CLI.

NOTE: When the DTI feature is enabled, there will be a slight discrepancy in the Active rules value in the show localsig command output. This discrepancy is due to the way data is aggregated and synchronized.

To view the number of active rules for CM Peer Signature Sharing:

1. Go to CLI enable mode.

   CMS1 > enable

2. Verify the number of active rules that are shared between CM peers.

   CMS1 # show localsig
   LocalSig Generator
       Enabled       : YES
       Running       : running
       Rule Versions : 1
       Active rules  : 1337
       LocalFeed     : Disabled

Allowing or Preventing a CM Peer to Use a Proxy Server

Use the CLI commands to allow a CM peer to use a proxy server to connect to other remote CM peers, or to prevent it from doing so. If you allow a CM peer to use a proxy server, the proxy settings are the same as those configured for DTI interaction. By default, a CM peer does not use a proxy server to connect to other remote peers.

NOTE: You can allow or prevent a CM peer from using a proxy server only using the CLI.

Prerequisites

- Admin access to the Central Management appliance.
- A connection to the Dynamic Threat Intelligence (DTI) Cloud.
- Network connectivity over SSH (port 22) and HTTPS (port 443) must be allowed on each of the participating Central Management appliances.
- CM Peer Service must be enabled on each of the participating Central Management appliances.
- Authentication tokens must be exchanged for communication between the CM peers.

Allowing or Preventing a CM Peer to Use a Proxy Server Using the CLI

Follow these steps to allow a CM peer to use a proxy server to connect to other remote CM peers, or to prevent it from doing so.

To allow a CM peer to use a proxy server:

1. Go to CLI configuration mode.

   CMS1 > enable
   CMS1 # configure terminal

2. Identify a CM peer to use the same proxy server settings that are configured for DTI interaction to connect to other remote CM peers.

   CMS1 (config) # cms peer <peer_hostname> interaction dti proxy mode use-fenet

3. Save your changes.

   CMS1 (config) # write memory

4. Verify the proxy server status on a CM peer. The following example verifies that CMS2 is allowed to use a proxy server.

   CMS1 (config) # show cms peer-service
   CMS peer-service enabled: yes
   -----------------------------------------------------------------------
   CMS peer CMS2:
       Enabled: yes
       Hostname: CMS2
       Address: 172.16.216.51
       Auth-token checksum: 360a37cc532b9e2e75b674eb3b5fe2e0
       Interactions with peer:
           Distributed CMS Correlation:
               Enabled: yes
               Status: OK @ 2016/01/27 19:12:59
           Dynamic Threat Intelligence (DTI):
               Enabled: yes
               Proxy mode: Use FENET proxy settings
               Status: OK @ 2016/01/27 19:12:59
           Update Peer:
               Enabled: yes
               Status: OK @ 2016/01/27 19:12:59
   -----------------------------------------------------------------------

To prevent a CM peer from using a proxy server:

1. Go to CLI configuration mode.

   CMS1 > enable
   CMS1 # configure terminal

2. Prevent a CM peer from using any proxy server to connect to other remote CM peers for DTI interaction.

   CMS1 (config) # cms peer <peer_hostname> interaction dti proxy mode noproxy

3. Save your changes.

   CMS1 (config) # write memory

4. Verify the proxy server status on a CM peer. The following example verifies that CMS2 is not allowed to use a proxy server.

   CMS1 (config) # show cms peer-service
   CMS peer-service enabled: yes
   -----------------------------------------------------------------------
   CMS peer CMS2:
       Enabled: yes
       Hostname: CMS2
       Address: 172.16.216.51
       Auth-token checksum: 360a37cc532b9e2e75b674eb3b5fe2e0
       Interactions with peer:
           Distributed CMS Correlation:
               Enabled: yes
               Status: OK @ 2016/01/27 19:07:26
           Dynamic Threat Intelligence (DTI):
               Enabled: yes
               Proxy mode: No proxy
               Status: OK @ 2016/01/27 19:07:26
           Update Peer:
               Enabled: yes
               Status: OK @ 2016/01/27 19:07:26
   -----------------------------------------------------------------------

APPENDIX D: Monitoring Email Alerts from the Email Security Cloud Edition

You can configure the Central Management Appliance Dashboard to monitor email alerts from the Email Security Cloud. On the Central Management appliance, you need a license with your client ID. To see if it is configured, log in to your Central Management appliance and look for Customer ID (under the username drop-down) in the Web UI, or enter the show version command in the CLI. If you do not have a customer ID, contact FireEye Support.

The protocol is WebSocket over TLS using port 443. The access points are us1.fireeyecloud.com and us2.fireeyecloud.com. Both are needed, and they back each other up. The CMS has a 1-hour idle connection timeout and therefore will disconnect from ETP occasionally.

Enabling the ETP Cloud Endpoint Using the CLI

The ETP Cloud endpoint has to be enabled before the Central Management appliance can monitor alerts from ETP Cloud.
The following are the provisioning commands to enter from the CLI. You create an access point for each of the two destination URLs, giving each endpoint a nickname, such as "email-server", and its URL. The nickname you define for the access point has local significance, so you can use whatever you like as long as it is consistent.

To enable the ETP endpoint:

1. Go to CLI configuration mode:

   cm-1 > enable
   cm-1 # configure terminal

2. Specify the endpoint name and access point:

   cm-1 (config) # cloud etp endpoint <etp-endpoint-name> uri <cloud etp uri>

3. If you are prompted, enter your username and password:

   cm-1 (config) # cloud etp endpoint <etp-endpoint-name> username <fenet_username> password <fenet_password>

4. Enable the endpoint:

   cm-1 (config) # cloud etp endpoint <etp-endpoint-name> enable

5. Save your changes:

   cm-1 (config) # write memory

6. Verify the configuration:

   cm-1 (config) # show cloud etp status
   Endpoint: everest:
       Address: wss://iad-cc-api-vip-stage1.cso.fireeye.com:443
       Enabled: yes
       JobWorker Connected: yes
       NotifHandler Connected: yes

7. To show the configured ETP instances:

   cm-1 (config) # show cloud etp configuration

To remove the configuration and all its associated objects and alerts from the CM:

   cm-1 (config) # no cloud etp endpoint <etp-endpoint-name>

ETP Cloud Aggregation

An aggregator process receives data from the ETP Cloud and aggregates it into the Central Management appliance database for display on the Central Management appliance Web UI.
To display the configuration of the aggregator:

   cm-1 (config) # show aggregator configuration

To display the configuration of the aggregator endpoints:

   cm-1 (config) # show aggregator endpoints configuration

Solving Connection Issues

The following commands are used to troubleshoot connection issues, and only when asked to do so by FireEye Support.

To enable or disable SSL certificate verification in the aggregator:

   cm-1 (config) # [no] aggregator ssl cert-verify

To set the aggregator log level:

   cm-1 (config) # aggregator consumer logging level [debug|info|notice|warning|error]

To set the SSL cipher list to use with the WebSocket connection:

   cm-1 (config) # aggregator ssl cipher-list

To set the minimum TLS version to use with the WebSocket connection:

   cm-1 (config) # aggregator ssl min-version

Viewing Email Alerts from the ETP Cloud in the Web UI

On the Central Management appliance Dashboard, you can select ETP from the All Groups menu or an ETP instance from the All Appliances menu. For the selected groups and instances, you can view:

- Total Malicious emails
- Malicious URLs
- Malicious Attachments
- ETP Alerts

You can view email alerts on the Central Management Dashboard by going to the Alerts tab and selecting one of the categories displayed under What's Happening.

You can view detailed status of the ETP instance's connection by selecting an instance from the All Appliances drop-down to view the Summary.
Note that ETP Cloud instances are not listed on the Appliances tab.
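The three aggregator SSL settings above (cert-verify, cipher-list, min-version) describe the TLS client that holds the WebSocket connection to the ETP access points; "no aggregator ssl cert-verify" in particular is a troubleshooting setting that removes the check protecting the alert feed from a spoofed endpoint. The following Python script is an added example and not the appliance's aggregator code: it builds a client TLS context shaped by the same three settings using the standard ssl module, and audits a context so the troubleshooting configuration is recognised before it is left in place. The function names, the audit thresholds and the weak-cipher markers are this example's own assumptions; nothing in it opens a network connection.

```python
"""Build and audit the TLS client settings behind a WebSocket-over-TLS alert consumer."""
import ssl

# Access points named in this appendix; listed only for the report, never contacted by this script.
ETP_ACCESS_POINTS = ("us1.fireeyecloud.com", "us2.fireeyecloud.com")

# Cipher-name fragments this example treats as unacceptable on a production feed (an assumption).
WEAK_CIPHER_MARKERS = ("NULL", "RC4", "DES", "MD5", "EXP")


def build_tls_context(cert_verify=True, min_version=ssl.TLSVersion.TLSv1_2, cipher_list=None):
    """Client context shaped the way the three aggregator settings would shape it."""
    ctx = ssl.create_default_context()   # verification and hostname checking on by default
    ctx.minimum_version = min_version    # counterpart of 'aggregator ssl min-version'
    if cipher_list:
        ctx.set_ciphers(cipher_list)     # counterpart of 'aggregator ssl cipher-list'
    if not cert_verify:                  # counterpart of 'no aggregator ssl cert-verify'
        ctx.check_hostname = False       # must be cleared before verify_mode can become CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def min_version_name(ctx):
    """Name of the context's minimum protocol version, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def audit_tls_context(ctx):
    """Reasons a context should not face a production endpoint; an empty list means acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate verification is disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification is disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum TLS version is {min_version_name(ctx)}, below TLSv1_2")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if cipher["strength_bits"] < 128 or any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher enabled: {name}")
    return findings


def audit_report(ctx):
    """Same findings keyed by access point, matching how the appliance lists its two endpoints."""
    findings = audit_tls_context(ctx)
    return {host: list(findings) for host in ETP_ACCESS_POINTS}


if __name__ == "__main__":
    hardened = build_tls_context()
    troubleshooting = build_tls_context(cert_verify=False)   # what 'no aggregator ssl cert-verify' means
    print("hardened:", audit_report(hardened))
    print("troubleshooting:", audit_report(troubleshooting))
```

The hardened context audits clean, while the troubleshooting context reports both the missing certificate check and the missing hostname check: when Support asks for cert-verify to be turned off, re-enable it as soon as the diagnosis is done and confirm with show aggregator configuration.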
Technical Support

For technical support, contact FireEye through the Support portal: https://csportal.fireeye.com

Documentation

Documentation for all FireEye products is available on the FireEye Documentation Portal (login required): https://docs.fireeye.com/

FireEye, Inc. | 601 McCarthy Blvd. | Milpitas, CA | 1.408.321.6300 | 1.877.FIREEYE | www.fireeye.com/company/contact-us.html