SYSTEM SECURITY GUIDE
RELEASE 2021.1
PART I: Overview 17
CHAPTER 1: AAA Concepts 19
© 2021 FireEye 3
Contents
CHAPTER 19: Managing Your Own FireEye IAM User Account 293
About Managing Your Own User Account 294
Account Enrollment 294
IAM Username and Password 294
Phone Number 295
Backup Codes for 2FA 295
Enrolling Your New FireEye IAM User Account 295
Setting User Information and Preferences for Your IAM Account 299
Viewing Your IAM Login Activity 304
Changing the Password for Your IAM User Account 305
About Two-Factor Authentication 306
PART I: Overview
l AAA Concepts on page 19
CHAPTER 1: AAA Concepts
AAA (authentication, authorization, and accounting) is a security framework that validates
user identities, enforces access to resources, and audits user activities and usage.
l Authentication validates users before they are allowed to access the system. Each user
has a unique identity and associated credentials. The authentication process
compares the login credentials the user provides with the user credentials stored in
a database. If the credentials match, the user is granted access to the system;
otherwise, the authentication fails and the user is denied access.
l Authorization provides access control. You configure authorization by assigning
users roles, which offer a specific set of capabilities on the appliance. You can also
configure access groups on a Central Management appliance, which controls which
alerts users with the analyst and monitor roles can view and manage.
l Accounting tracks user activities and resource usage.
PART II: Authentication
l Enabling or Disabling the Log Out Message Setting Using the CLI on page 26
l Authentication Methods on page 23
l Local Authentication on page 29
l Remote Authentication on page 65
l Common Access Card (CAC) for Certificate Authentication on page 79
l Secure Shell (SSH) Authentication on page 115
l Single Sign-On Authentication on page 143
CHAPTER 2: Authentication Methods
Depending on your environment, FireEye includes multiple authentication methods for
you to use:
Authentication Order
An authentication methods list defines the order in which authentication should be
attempted, and provides backup methods in the event that a method fails to authenticate a
user. The local method must be included in the list, preferably first to reduce the risk of
local account access issues.
If a method denies a user or is not reachable, the next method in the list is tried. If there are
multiple servers within a method (assuming the method is contacting authentication
servers), and a server timeout is encountered, then the next server in the list is tried.
If the current server being contacted issues an authentication reject, no other servers for
that method are tried and the next method in the list is attempted. If no method validates a
user, the user is denied access to the appliance.
You can configure the system to track authentication attempts, limit authentication based
on previous failures, and so on.
Prerequisites
l Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
For example, if you want to set the authentication order to first authenticate against
an LDAP server, second authenticate against a RADIUS server, and finally locally
on the appliance, enter the following:
hostname (config) # aaa authentication login default ldap radius local
Example: Configuring Authentication
This procedure describes how to use CLI commands to configure authentication for an
appliance.
Prerequisites
l Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Authenticate first from the local user/password settings, then from RADIUS if that
does not work, then from LDAP if RADIUS does not work, and finally from
TACACS+ if LDAP does not work:
hostname (config) # aaa authentication login default local radius ldap tacacs+
3. For users who do not exist in the local user/password settings, if there is no
Local-User attribute returned by the RADIUS, LDAP, or TACACS+ server at login time, the
login will have the same capabilities as the Monitor user. Otherwise, it will have the
capabilities of the username given by the attribute.
hostname (config) # aaa authorization map default-user monitor
hostname (config) # aaa authorization map order remote-first
6. Configure the fully-qualified hostname of the LDAP server. The hostname (not the IP
address) is needed for the optional TLS certificate validation to work.
hostname (config) # ldap host orange.purple.com
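The following Python model is an added example, not part of the FireEye guide and not the appliance's own code. It reproduces the fallback rules stated under Authentication Order and the default-user mapping from the example above: a server timeout moves on to the next server of the same method, an explicit reject ends that method and moves on to the next method, the list must contain local, and a user unknown locally takes the capabilities of the account named by the server's Local-User attribute or, failing that, of the default user. The backends, credentials and attribute values are constructed stand-ins.

```python
"""Model of the appliance's authentication-order and default-user mapping semantics.

Added example: the backends below are constructed stand-ins, not FireEye code.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Outcome(Enum):
    ACCEPT = "accept"    # server validated the credentials
    REJECT = "reject"    # server answered with an authentication reject
    TIMEOUT = "timeout"  # server unreachable or timed out


# A server takes (username, password) and returns an Outcome.
Server = Callable[[str, str], Outcome]


@dataclass
class Method:
    name: str              # "ldap", "radius", "tacacs+" or "local"
    servers: List[Server]  # "local" has exactly one backend: the local user database


def check_order(order: List[str]) -> List[str]:
    """Sanity checks from the guide: 'local' must be in the list, preferably first."""
    problems = []
    if "local" not in order:
        problems.append("error: method list must include 'local'")
    elif order[0] != "local":
        problems.append("warning: 'local' is not first; local account access "
                        "depends on the remote methods failing over")
    return problems


def authenticate(methods: List[Method], user: str, password: str
                 ) -> Tuple[Optional[str], List[Tuple[str, int, str]]]:
    """Return (name of the method that accepted the user or None, trace of servers contacted)."""
    trace: List[Tuple[str, int, str]] = []
    for method in methods:
        for index, server in enumerate(method.servers):
            outcome = server(user, password)
            trace.append((method.name, index, outcome.value))
            if outcome is Outcome.ACCEPT:
                return method.name, trace
            if outcome is Outcome.REJECT:
                break  # reject: skip remaining servers of this method, try the next method
            # TIMEOUT: fall through to the next server of the same method
    return None, trace  # no method validated the user: access denied


def map_local_user(user: str, local_users: Dict[str, str], local_user_attr: Optional[str],
                   default_user: str = "monitor") -> str:
    """'aaa authorization map default-user monitor': a user absent from the local database
    takes the capabilities of the account named by the server's Local-User attribute,
    or of the default user when no attribute is returned."""
    if user in local_users:
        return user
    return local_user_attr if local_user_attr else default_user


# --- constructed backends (not real servers) --------------------------------
def password_store(users: Dict[str, str]) -> Server:
    def check(user: str, password: str) -> Outcome:
        return Outcome.ACCEPT if users.get(user) == password else Outcome.REJECT
    return check


def unreachable(user: str, password: str) -> Outcome:
    return Outcome.TIMEOUT


LOCAL_USERS = {"admin": "local-pw"}  # constructed local user database


def example_methods() -> List[Method]:
    """Order 'ldap radius local' as in the Authentication Order example; first LDAP server is down."""
    return [
        Method("ldap", [unreachable, password_store({"alice": "ldap-pw"})]),
        Method("radius", [password_store({"bob": "radius-pw"})]),
        Method("local", [password_store(LOCAL_USERS)]),
    ]


if __name__ == "__main__":
    for problem in check_order([m.name for m in example_methods()]):
        print(problem)
    for user, pw, attr in [("alice", "ldap-pw", "operator"), ("bob", "radius-pw", None),
                           ("admin", "local-pw", None), ("mallory", "guess", None)]:
        method, trace = authenticate(example_methods(), user, pw)
        effective = map_local_user(user, LOCAL_USERS, attr) if method else "denied"
        print(f"{user:8} via {method!s:7} -> capabilities of {effective:9} trace={trace}")
```

Running the script prints the trace for each constructed login; note that bob is never offered to the second LDAP server's reject decision twice, because a reject ends the method, whereas the first server's timeout only moved on to the next server.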
Prerequisites
l Admin access to enable or disable the display of the log out message setting.
l Monitor or Analyst access to verify whether the log out message setting is enabled
or disabled.
1. Go to CLI configuration mode.
hostname > enable
hostname # configure terminal
2. Enable the display of the log out message when your session is closed.
hostname (config) # aaa authentication logout user-message enable
1. Go to CLI configuration mode.
hostname > enable
hostname # configure terminal
2. Disable the display of the log out message when your session is closed.
hostname (config) # no aaa authentication logout user-message enable
CHAPTER 3: Local Authentication
User Accounts and System Accounts
NOTE: For more information about managing user accounts, see Assigning Roles
for Local User Accounts on page 173, Capabilities of Local Roles on page 390, and
Capabilities of Local Roles on Endpoint Security Appliances on page 397.
admin
This role enables a user to perform all appliance product functions and have full
access to all Web UI views, all CLI commands, and the API. The primary function of
this role is to configure and control the system.
analyst
This role enables a system analyst to focus on detecting malware and taking
appropriate action, including setting up alerts and reports.
For more information about analyst roles on Endpoint Security appliances, see Analyst
User Account Roles Specific to Endpoint Security Appliances below.
api_admin
This role is a Web service API role, and it grants API access to Endpoint Security
appliance features only. Users assigned the api_admin role can perform all of the
functions of an api_analyst, but in addition they can maintain API custom policy
channels and can contain hosts.
api_analyst
This role is a Web service API role, and it grants only API access to the appliance
features.
api_monitor
This role is a Web service API role, and it grants only API access to existing reports on
the appliance. Unlike the api_analyst, an api_monitor cannot generate reports or
perform other actions.
auditor
This role enables a user to view System Logs and Audit Logs only. The only other
roles that grant access to these logs are the Admin and Monitor roles.
fe_services
This role is a FireEye Managed Defense account used to maintain the connection to the
Managed Defense backend. Users assigned this role have API and CLI access to
Endpoint Security appliance features and can run CLI commands, but they cannot log
into the Web UI.
monitor
This role grants read-only access to the appliance setting screens, the Health Check
page, and the Appliance Update page. A monitor cannot request data or take actions
on the system. Monitors do not have access to appliance product features or the API
and can only run CLI show commands. On some systems, they also have access to
some malware analysis functions.
operator
This role grants a subset of the capabilities associated with the admin role. Operators
have read-only access to Web UI dashboards, can run CLI show commands only, and
have no access to the API. Operators can adjust some, but not all, appliance settings
and can perform log management and appliance updates.
On the Endpoint Security appliance, Operators can also perform agent upgrades.
Analyst User Account Roles Specific to Endpoint Security Appliances
reject
A user with a reject user account is automatically locked out and is denied access of
any kind to the appliance.
analyst
On an Endpoint Security appliance, this role enables users to perform most Endpoint
Security appliance functions, except approving containment requests and stopping
containment. They have no access to agent or appliance settings. They have read-only
access to the maintenance of host sets, and they cannot maintain data acquisition
scripts. They have no access to the API and can only run CLI show commands.
analyst_sr
On an Endpoint Security appliance, this role grants users the same capabilities as the
analyst role, but they can perform most other Endpoint Security appliance functions,
except approving containment requests and stopping containment. They have no
access to agent or appliance settings. They have read-only access to the maintenance of
host sets, but can fully maintain data acquisition scripts. They have no access to the
API and can only run CLI show commands.
investigator
On an Endpoint Security appliance, this role enables users to perform the same
functions as the analyst and analyst_sr roles, but they can also approve containment
requests and stop containment of host endpoints. Investigators have no access to the
API and can only run CLI show commands.
NOTE: You cannot create or modify system accounts. The appliance Web UI and
CLI display system account status information so that you can verify that these
accounts are not used to log in to the appliance. System accounts can be locked
out so they cannot be used to log in to the appliance.
On appliances other than the Central Management appliance, a default system account
corresponds to each of the following system-defined roles:
ccd_node
This role enables remote login to Virtual Execution compute nodes in an on-premises
MVX cluster. Use of this role is limited to internal communication between standard
compute nodes and compute nodes that have been designated as broker nodes. This
type of communication uses the cluster communication process (CCD) and the
TLS/SSH protocol.
ccd_sensor
This role enables remote login to a Virtual Execution compute node in an on-premises
MVX cluster. Use of this role is limited to internal communication between standard
compute nodes and Network Security sensors. This type of communication uses the
cluster communication process (CCD) and the GCL protocol that is based on TLS/SSH.
cmcrendv
This role enables remote login to initiate a persistent connection from an appliance to a
Central Management appliance. Use of this role is limited to communication from a
rendezvous client and the GCL protocol that is based on SSH.
hasync
This role enables remote login used to initiate a persistent connection between two
Network Security nodes in an HA deployment. Use of this role is limited to the HA
appliance reboot monitoring daemon (hamon) on the Network Security appliance and
the GCL protocol that is based on SSH.
Managing User Accounts
Role—Each user is given a role, and this role determines the abilities of the user. For
example, only users with an admin role can add and remove users to the system by
default. For more information on roles, see Assigning Roles for Local User Accounts on
page 173.
Password—The password is the secret information, known only to the user, that is used to
authenticate the user on the system. By default, passwords must be 8 to 32 characters in
length. You can configure rules for stricter password security. For details, see Managing
User Password Validation Policies on page 55 and Managing Password Change Policies
on page 48. Users have the ability to change their own passwords. For more information,
see Managing Your Own Account on page 42.
Account Status—The account status specifies whether the user is currently authorized to
log in to the system and for how long. For more information on Account Status, see
Managing Account Status on page 40.
NOTE: For a managed appliance, you can perform this procedure on the Central
Management appliance as well as the local appliance. The procedure remains the
same. However, you will need to take the additional step to locate the appliance on
the Central Management Web UI. For instructions on locating an appliance on the
Central Management Web UI, see the Central Management Administration Guide.
Prerequisites
l Admin access
NOTE: For a managed appliance, you can perform this procedure on the Central
Management appliance as well as the local appliance. The procedure remains the
same. However, you will need to take the additional step to locate the appliance on
the Central Management CLI. For instructions on locating an appliance on the
Central Management CLI, see the FireEye Central Management Administration Guide.
Prerequisites
l Admin access
1. Go to CLI enable mode:
hostname > enable
2. Use the show usernames command to see the list of user accounts and system
accounts.
hostname > show usernames
User Accounts
-------------
USERNAME      FULL NAME                ROLE          ACCOUNT STATUS
admin         System Administrator     admin         Password set
analyst       System Analyst           analyst       Password set
api_analyst   API Analyst              api_analyst   Password set
api_monitor   API Monitor              api_monitor   Password set
auditor       System Auditor           auditor       Password set
fe_services   FireEye Services User    fe_services   Password set
monitor       System Monitor           monitor       Password set
operator      System Operator          operator      Password set
reject        Reject User              reject        Account locked out

System Accounts
---------------
USERNAME      FULL NAME                ROLE          ACCOUNT STATUS
ccd_node      ccd_node user            ccd_node      Local password login disabled
ccd_sensor    ccd_sensor user          ccd_sensor    Local password login disabled
cmcrendv      CMC Rendezvous User      cmcrendv      Password set
hasync        HA synchronization user  hasync        Password set
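The listing above is the guide's example. The Python below is an added example, not FireEye code, that parses such output into records and applies the check the NOTE under User Accounts and System Accounts asks for: confirming which system accounts are still usable for a local password login and that the reject account is locked out. SAMPLE_OUTPUT is constructed to mirror the listing; it assumes columns are separated by two or more spaces and values within a column by single spaces.

```python
"""Parse `show usernames` output and review which accounts can log in with a local password.

Added example, not FireEye code. SAMPLE_OUTPUT is constructed to mirror the guide's
listing; columns are separated by two or more spaces, values by single spaces.
"""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_OUTPUT = """\
User Accounts
-------------
USERNAME      FULL NAME                ROLE          ACCOUNT STATUS
admin         System Administrator     admin         Password set
analyst       System Analyst           analyst       Password set
api_analyst   API Analyst              api_analyst   Password set
api_monitor   API Monitor              api_monitor   Password set
auditor       System Auditor           auditor       Password set
fe_services   FireEye Services User    fe_services   Password set
monitor       System Monitor           monitor       Password set
operator      System Operator          operator      Password set
reject        Reject User              reject        Account locked out

System Accounts
---------------
USERNAME      FULL NAME                ROLE          ACCOUNT STATUS
ccd_node      ccd_node user            ccd_node      Local password login disabled
ccd_sensor    ccd_sensor user          ccd_sensor    Local password login disabled
cmcrendv      CMC Rendezvous User      cmcrendv      Password set
hasync        HA synchronization user  hasync        Password set
"""


@dataclass
class Account:
    section: str    # "User Accounts" or "System Accounts"
    username: str
    full_name: str
    role: str
    status: str     # one of the three Account Status values


_COLUMN_GAP = re.compile(r"\s{2,}")
_SECTIONS = ("User Accounts", "System Accounts")


def parse_show_usernames(text: str) -> List[Account]:
    """Turn the two tables of the listing into Account records."""
    accounts: List[Account] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"} or line.startswith("USERNAME"):
            continue  # blank line, underline or column-header line
        if line in _SECTIONS:
            section = line
            continue
        if section is None:
            continue  # e.g. the echoed command line before the first table
        fields = _COLUMN_GAP.split(line)
        if len(fields) != 4:
            raise ValueError(f"unexpected row in show usernames output: {raw!r}")
        accounts.append(Account(section, *fields))
    return accounts


def system_accounts_with_local_password(accounts: List[Account]) -> List[str]:
    """System accounts whose status still allows a local password login ('Password set').
    The guide says to verify that system accounts are not used to log in; these are the
    ones to review (the guide notes they can be locked out)."""
    return [a.username for a in accounts
            if a.section == "System Accounts" and a.status == "Password set"]


def reject_accounts_locked(accounts: List[Account]) -> bool:
    """Every account with the reject role should show 'Account locked out'."""
    return all(a.status == "Account locked out" for a in accounts if a.role == "reject")


if __name__ == "__main__":
    parsed = parse_show_usernames(SAMPLE_OUTPUT)
    print("system accounts to review:", system_accounts_with_local_password(parsed))
    print("reject account locked out:", reject_accounts_locked(parsed))
```

On the constructed sample the review list is cmcrendv and hasync, which matches the listing: the two CCD accounts already have local password login disabled.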
NOTE: For a managed appliance, you can perform this procedure on the Central
Management appliance as well as the local appliance. The procedure remains the
same. However, you will need to take the additional step to locate the appliance on
the Central Management Web UI. For instructions on locating an appliance on the
Central Management Web UI, see the Central Management Administration Guide.
Prerequisites
l Admin access
7. (Optional) For Monitor users only, specify a subnet, subnet mask, and VLAN for the
user.
Once the user account is created, the user configuration is displayed in the user account
list.
NOTE: For a managed appliance, you can perform this procedure on the Central
Management appliance as well as the local appliance. The procedure remains the
same. However, you will need to take the additional step to locate the appliance on
the Central Management CLI. For instructions on locating an appliance on the
Central Management CLI, see the FireEye Central Management Administration Guide.
Prerequisites
l Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
3. Assign a role to the user account with the username <username> role sub-command.
The following example assigns a role to the user account nx-3_operator:
hostname (config) # username nx-3_operator role operator
4. Assign a password to the user account with the username <username> password
sub-command.
The following example assigns the password mArT!n1_@ to the user account nx-3_operator:
hostname (config) # username nx-3_operator password mArT!n1_@
5. (Optional) For monitor accounts only, configure a subnet and VLAN ID for the
specified user account. Use the username <username> subnet and
username <username> vlan sub-commands:
username <username> subnet <networkPrefix>
username <username> vlan <vlanNumber>
The following example configures the subnet and a VLAN ID for the user account
nx-3_operator:
hostname (config) # username nx-3_operator subnet 24
hostname (config) # username nx-3_operator vlan 22
To see the list of user accounts, enter the show usernames command. See Viewing the List
of Accounts Using the Appliance CLI on page 34.
NOTE: For a managed appliance, you can perform this procedure on the Central
Management appliance as well as the local appliance. The procedure remains the
same. However, you will need to take the additional step to locate the appliance on
the Central Management Web UI. For instructions on locating an appliance on the
Central Management Web UI, see the Central Management Administration Guide.
Prerequisites
l Admin access
The selected user account will be removed and the account will no longer show on the All
Users table.
NOTE: For a managed appliance, you can perform this procedure on the Central
Management appliance as well as the local appliance. The procedure remains the
same. However, you will need to take the additional step to locate the appliance on
the Central Management CLI. For instructions on locating an appliance on the
Central Management CLI, see the FireEye Central Management Administration Guide.
Prerequisites
l Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
NOTE: For a managed appliance, you can perform this procedure on the Central
Management appliance as well as the local appliance. The procedure remains the
same. However, you will need to take the additional step to locate the appliance on
the Central Management CLI. For instructions on locating an appliance on the
Central Management CLI, see the FireEye Central Management Administration Guide.
Prerequisites
l Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Determine the user who is locked out using the show aaa authentication
attempts command:
hostname (config) # show aaa authentication attempts
3. Unlock all user accounts by using the aaa authentication attempts reset all
command:
hostname (config) # aaa authentication attempts reset all
Managing Account Status
Account Status and Description
Account locked out
The user cannot log in at all. This could be due to the account status being
configured this way explicitly, or due to too many unsuccessful login attempts.
Local password login disabled
The user cannot log in to the appliance locally using a password, but can log in
using an SSH authorized key.
Password set
The user can log in to the appliance locally using a username and password.
The provided Operator, Analyst, and Auditor system accounts have the "local login
disabled" status set by default, so they cannot log in until an administrator changes their
account status by setting passwords for them. The provided Monitor account defaults to
the "account locked out" status for security.
NOTE: The VX Series appliance has a CLI, but it does not have a Web UI. The
recommended method for this configuration on a VX Series appliance is through
the managing Central Management appliance Web UI.
NOTE: This example is from a Network Security appliance, but the Account
Status setting is representative of other appliances as well.
Prerequisites
l Admin access
1. Click the Settings tab on all products other than the Endpoint Security appliance.
Select Appliance Settings from the Admin menu on the Endpoint Security
appliance.
4. In the Update User section, select an account status from the Account Status list.
5. Click Update User.
Prerequisites
l Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Change the password for the specified user. Use the following command:
username <username> password
3. Disable the means to log in to this account. Use the following command:
username <username> disable
Managing Your Own Account
l Remove SSH known host entries so they can log in to remote hosts whose host keys
have changed.
l Restrict the ways they can log in locally.
l View their account information, including when their password will expire and
whether they authenticate using a password or an SSH authorized key.
You can use the Web UI (if your appliance has one) to change your password. You can use
the CLI to change your password and perform the other account management functions
available to you.
Users with the Admin role do not have access to this page. Users with the Admin role
manage their own accounts using the User Account Settings page instead.
1. Go to the Settings > My Account page or, for an HX Series appliance, the Admin
> Appliance Settings > My Account page.
2. Enter your current password in the Current Password box (if present).
3. Enter your new password in the New Password box.
4. Enter your new password again in the Confirm Password box.
5. Click Update User.
If you are required to enter your current password when you change your password, you can do
this in two different ways:
l You can specify your password interactively by entering the command and then
entering your current password after the CLI prompts you.
l You can supply your current password on the command line with the curr-password
parameter.
If you enter an invalid current password, you must wait three seconds before trying again.
You can set a password with an encrypted string by specifying the hashed string in the
command.
CAUTION! If your role is Monitor, Analyst, or Auditor, you can change your
own account password, but you cannot save the changes. This is because your
role does not permit committing system changes. Your password changes could
be lost if an administrator reboots without saving changes or reverts to the last
saved configuration.
Only Administrators and Operators are allowed to save system changes.
Prerequisites
l Any role
For example:
hostname (config) # username tsmith password 12345!@#$%AbCdE
If you are required to enter your current password when you change your password:
hostname (config) # username <username> password <password>
Current password: 678910!@#$%FgHiJ
For example:
username tsmith password 12345!@#$%AbCdE curr-password 678910!@#$%FgHiJ
Use the following command to set your password with an encrypted string:
username <username> password 7 <encrypted-password>
For example:
hostname (config) # username tsmith password 7 $6$iWtdrQBA$eaJzOvEERGSgYezdnvZ4cU0vMhbBziMtRPfUe7INU8qD9xo0WUCfaF/LqkJ4agxo1kJj2kXYuWUGY00qeslJ5.
Example
In this example, Marie changes her password and then displays her account information
two ways.
hostname (config) # username marieb password 12345!@#$%AbCdE
hostname (config) # show usernames user marieb
Local username: marieb
Full name:
Account status: Password set
Role: operator
Prerequisites
l Any role
3. To display your own account information, enter one of the following commands:
l show usernames user <username>
l show whoami
Prerequisites
l Any role
3. Generate a new identity that allows you to open a Secure Shell (SSH) session on
another device from this appliance. Use the following command:
ssh client user <username> ...
See the CLI Reference for command usage and parameters.
4. View your own SSH client identities:
hostname (config) # show ssh client
CAUTION! Although you can change your own user account with a Monitor,
Analyst, or Auditor role, you cannot save the changes to memory. Your changes
could be lost if an administrator reboots without saving changes or reverts to the
last saved configuration.
Prerequisites
l Any role
l Specify that you cannot log in to the appliance locally using a password, but
can do so using an SSH authorized key. Use the following command:
username <username> disable login
l Specify that you cannot log in to the appliance locally, but can log in
remotely. Use the following command:
username <username> disable local-login
Configuring Password Policies
Managing Password Change Policies
The password change features described in this section are disabled by default.
The new password must be different from the current password, even if no password reuse
restrictions are configured. After users change their passwords, they must log out and then
log in again to access the functionality their role allows.
You can also configure when the system should start warning users that their passwords
will expire. The warnings are displayed after the user logs in.
l In the Web UI (except for VX Series appliances), the warning appears in the
Dashboard.
l In the CLI, the warning appears below a "Password change notice" banner.
If the password is not changed before it expires, the account will not be locked.
In the Web UI, users will be taken directly to the My Account Settings page where a
message is displayed.
Until the user changes the password and then logs out and then logs back in, the Web UI
limits user privileges to changing the passwords.
In the CLI, a message is displayed.
Users will be unable to do anything except change their passwords and run a small
number of basic commands that do not impact the system or show sensitive information
(such as show whoami, show cli, and cli session).
You can disable the maximum password age policy for specific users. Passwords of these
users who have this policy disabled will not expire.
For a managed appliance, you can perform this procedure on the Central Management
appliance as well as the local appliance. Use cmc execute appliance <applianceName>
Prerequisites
l Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Specify the number of days before a password must be changed. Use the following
command:
aaa authentication password local require-change max-password-age all <days>
where <days> is a value from 1 through 999.
3. Verify your change:
hostname (config) # show aaa authentication password
Prerequisites
l Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
NOTE: This setting affects only users who are created after this change was
made. It does not affect users who were created prior to setting this condition,
even if those users have not logged in yet.
Prerequisites
l Admin access
To require new users to change their passwords after their first login:
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
Prerequisites
l Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
2. To specify the change password on next log in for the user, use the following
command:
aaa authentication password local require-change force user <username>
l The My Account Settings page in the Web UI includes a Current Password field.
l Local login commands such as username <userName> password <password>
prompt for the current password if the user does not supply it as a command
parameter.
CAUTION! Custom scripts that use the CLI to configure user accounts may
need to be updated if the current password is required. For example, a script
that sets the password for a user needs to be modified to accommodate the
prompt for the current password.
Use the commands in this section to require users to enter their current password as well
as their new password when they change passwords.
For a managed appliance, you can perform this procedure on the Central Management
appliance as well as the local appliance. The procedure remains the same. However, you
will need to take the additional step to locate the appliance on the Central Management
CLI. For instructions on locating an appliance on the Central Management CLI, see the
FireEye Central Management Administration Guide.
To require current passwords:
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
NOTE: To disable the feature, use the no aaa authentication password local
change require-current command.
Prerequisites
l Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
2. To specify the number of days of advance notice, use the following command:
aaa authentication password local require-change advance-warning
<days>
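The following Python is an added example, not FireEye code, that models the password-age behaviour this chapter describes: a password set date plus max-password-age gives the expiry date, the warning appears once expiry is within the advance-warning window, an expired password does not lock the account but confines the session to a password change and the few basic commands the guide names, and a user with the per-user policy disabled never expires. The dates, user records and the 90-day and 7-day values are constructed.

```python
"""Password-age bookkeeping as described for max-password-age and advance-warning.

Added example, not FireEye code: dates, user records and the policy values are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class PasswordAgePolicy:
    max_password_age: Optional[int] = None  # days, 1-999; None = not configured (disabled by default)
    advance_warning: int = 0                # days of warning before expiry (0 = no advance warning)


@dataclass
class LocalUser:
    username: str
    password_set_on: date
    max_age_exempt: bool = False  # per-user policy disabled: this password never expires


# Commands the guide says a user with an expired password may still run, besides
# changing the password: show whoami, show cli, cli session.
EXPIRED_ALLOWED = {"show whoami", "show cli", "cli session"}


def expires_on(user: LocalUser, policy: PasswordAgePolicy) -> Optional[date]:
    """Expiry date, or None when the policy does not apply to this user."""
    if policy.max_password_age is None or user.max_age_exempt:
        return None
    return user.password_set_on + timedelta(days=policy.max_password_age)


def password_state(user: LocalUser, policy: PasswordAgePolicy, today: date) -> str:
    """'ok', 'warning' (expiry within the advance-warning window) or 'expired'."""
    deadline = expires_on(user, policy)
    if deadline is None:
        return "ok"
    if today >= deadline:
        return "expired"
    if today >= deadline - timedelta(days=policy.advance_warning):
        return "warning"
    return "ok"


def command_permitted(state: str, command: str) -> bool:
    """An expired password does not lock the account; it confines the session to a
    password change and a small number of basic commands."""
    if state != "expired":
        return True
    is_password_change = command.startswith("username ") and " password" in command
    return command in EXPIRED_ALLOWED or is_password_change


def users_needing_attention(users: List[LocalUser], policy: PasswordAgePolicy,
                            today: date) -> List[str]:
    """Usernames whose password is in the warning window or already expired."""
    return [u.username for u in users if password_state(u, policy, today) != "ok"]


# Constructed sample: 90-day maximum age, 7 days of advance warning.
POLICY = PasswordAgePolicy(max_password_age=90, advance_warning=7)
USERS = [
    LocalUser("alice", date(2021, 1, 1)),
    LocalUser("bob", date(2021, 3, 1)),
    LocalUser("svc_exempt", date(2020, 1, 1), max_age_exempt=True),
]

if __name__ == "__main__":
    for u in USERS:
        print(u.username, expires_on(u, POLICY), password_state(u, POLICY, date(2021, 3, 25)))
    print("attention:", users_needing_attention(USERS, POLICY, date(2021, 4, 1)))
```

For alice the constructed set date of 2021-01-01 plus 90 days gives an expiry of 2021-04-01, so the warning is shown from 2021-03-25 and the restricted session applies from 2021-04-01; svc_exempt never appears in the attention list.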
Managing User Password Validation Policies
l Local password validation rules are not applied to passwords managed by remote
authentication tools such as Active Directory, LDAP or a RADIUS server.
l Password validation rules are enforced only when the user sets a plain text string as
the password. They are not applied to passwords that are configured as a hashed
value. For full enforcement, you can prevent administrators from configuring
passwords as hashed values, described in Prohibiting Hashed Passwords Using the
CLI on page 61.
l Password validation rules are enforced only when a password is first added to the
system. They are not applied to passwords that already exist.
For example, the following command removes the configured restriction on the number of
characters that can be repeated consecutively in a password:
no aaa authentication password local max-chars-repeats
The following command removes the configured requirement for the minimum number of
upper-case characters in a password:
no aaa authentication password local character-type upper-case minimum
Prerequisites
l Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
Prerequisites
l Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
Example
See Example: Configuring Password Validation Policies on page 62.
A password can be reused immediately after the password history is cleared or the feature
is disabled. In both cases, information about the current password, such as the date and
time it was set, is retained.
This procedure describes how to configure the number of times users must change a
password before using it again, and to clear the password history for a specific user or all
users.
Prerequisites
l Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Clear the history for a specific user. Use the following command:
aaa authentication password local history clear user <userName>
Example
See Example: Configuring Password Validation Policies on page 62.
l The My Account Settings page in the Web UI includes a Current Password field.
l Local login commands such as username <userName> password <password>
prompt for the current password if the user does not supply it as a command
parameter.
CAUTION! Custom scripts that use the CLI to configure user accounts may
need to be updated if the current password is required. For example, a script
that sets the password for a user needs to be modified to accommodate the
prompt for the current password.
Use the commands in this section to require users to enter their current password as well
as their new password when they change passwords.
For a managed appliance, you can perform this procedure on the Central Management
appliance as well as the local appliance. The procedure remains the same. However, you
will need to take the additional step to locate the appliance on the Central Management
CLI. For instructions on locating an appliance on the Central Management CLI, see the
FireEye Central Management Administration Guide.
To require current passwords:
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
NOTE: To disable the feature, use the no aaa authentication password local
change require-current command.
You can limit the use of hashed passwords by administrators, and you can specify LCD
password validation requirements.
l Local password validation rules are not applied to passwords managed by remote
authentication tools such as Active Directory, LDAP or a RADIUS server.
l Password validation rules are enforced only when a password is first added to the
system. They are not applied to passwords that already exist.
Prerequisites
l Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
If you want to set the minimum length of the LCD password, use the following command,
where <number> is 0 by default:
hostname (config) # aaa authentication password lcd length minimum <number>
Prerequisites
l Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
Minimum length: 8
Maximum length: 32
Maximum character repeats: 1
Minimum lower case characters: 0
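The rules shown in this "show" output, together with the caveats above (rules apply only to plain-text passwords, a hashed value bypasses them unless hashed passwords are prohibited, and removing a rule with the "no" form of the command lifts it entirely), can be modelled in a few lines. The following Python is an added illustration, not FireEye code; the setting names mirror the commands on the page, while the reading of "maximum character repeats" as the longest permitted run of one identical character is an assumption.

```python
"""Local password validation rules, modelled in Python (added illustration; not FireEye code).

The setting names mirror the 'aaa authentication password local ...' commands and the
'show' output on the page. How the appliance counts repeats is an assumption here:
max_chars_repeats is read as the longest run of one identical character that is allowed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PasswordPolicy:
    # None means the restriction was removed with the 'no ...' form of the command.
    length_minimum: Optional[int] = 8
    length_maximum: Optional[int] = 32
    max_chars_repeats: Optional[int] = 1      # assumption: longest allowed run of one character
    lower_case_minimum: Optional[int] = 0
    upper_case_minimum: Optional[int] = 0
    numeric_minimum: Optional[int] = 0
    prohibit_hashed: bool = False             # the "prohibit hashed passwords" setting


def longest_run(s: str) -> int:
    """Length of the longest run of identical consecutive characters."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def validate(policy: PasswordPolicy, password: str) -> List[str]:
    """Return the list of rule violations for a plain-text password (empty = accepted)."""
    problems: List[str] = []
    n = len(password)
    if policy.length_minimum is not None and n < policy.length_minimum:
        problems.append(f"length {n} is below minimum length {policy.length_minimum}")
    if policy.length_maximum is not None and n > policy.length_maximum:
        problems.append(f"length {n} exceeds maximum length {policy.length_maximum}")
    if policy.max_chars_repeats is not None and longest_run(password) > policy.max_chars_repeats:
        problems.append(
            f"run of {longest_run(password)} identical characters exceeds "
            f"maximum character repeats {policy.max_chars_repeats}"
        )
    for label, minimum, pred in (
        ("lower case", policy.lower_case_minimum, str.islower),
        ("upper case", policy.upper_case_minimum, str.isupper),
        ("numeric", policy.numeric_minimum, str.isdigit),
    ):
        if minimum is not None and sum(1 for ch in password if pred(ch)) < minimum:
            problems.append(f"fewer than {minimum} {label} characters")
    return problems


def set_local_password(policy: PasswordPolicy, value: str, hashed: bool = False) -> List[str]:
    """Emulate the point at which the rules apply: only when a plain-text string is set.

    A pre-hashed value bypasses validation unless hashed values are prohibited, which is
    why the page recommends prohibiting them for full enforcement."""
    if hashed:
        return ["hashed passwords are prohibited by policy"] if policy.prohibit_hashed else []
    return validate(policy, value)
```

Because validation runs only inside set_local_password, the third caveat on the page (existing passwords are never re-checked when a rule is tightened) follows naturally: nothing re-validates a stored password after the fact.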
Minimum length: 10
CHAPTER 4: Remote Authentication
For security, the provided Monitor user account is locked out by default. This account must
be enabled before remote users can be mapped to it. For more information, see Managing
Account Status on page 40.
NOTE: A user with a reject user account is automatically locked out and is not
associated with a role by default.
Prerequisites
l Admin access to the appliance.
l If a remote authentication server is configured with an IPv6 address: In the Configure
IPv6 section of the Network Settings page of the appliance Web UI, the Global IPv6
and Management Interface IPv6 checkboxes are selected. (They are selected by
default.)
To configure a RADIUS server:
1. Configure a secret key on the authentication server. The same key must be
configured on both the server and the appliance.
2. Create a dictionary to reference the following mapping data:
VENDOR FireEye 25597
BEGIN-VENDOR FireEye
ATTRIBUTE FireEye-Local-User 1 string
END-VENDOR FireEye
where Local-User is the mapping attribute with an index of 1 that matches the
FireEye code.
6. Restart the RADIUS server after authentication mappings are modified. For example,
enter service radiusd restart.
Auth-Type := System causes the RADIUS server to use the password file on
the server for user passwords. Passwords for users with the Admin or Monitor
role must be specified on an individual basis.
You can configure some RADIUS settings globally, so the settings apply to all
new RADIUS servers configured on an appliance and become the new default
settings. For example, you could use the radius-server timeout <seconds>
command to configure the timeout value for all RADIUS servers.
where ip address is the IPv4 or IPv6 address of the RADIUS server and key
string is the secret key configured on the RADIUS server.
2. By default, the appliance retransmits a request that previously timed out after three
seconds. To change the number of seconds:
hostname (config) # radius-server host <ip address> timeout <seconds>
5. Add RADIUS authentication to the authentication method list in the desired order.
For example:
hostname (config) # aaa authentication login default local radius
See the CLI Command Reference for a complete list of RADIUS server commands
and parameters.
Examples
The following example configures a RADIUS server and changes the timeout and
retransmit values.
hostname (config) # radius-server host 192.168.1.1 key 12345678
hostname (config) # radius-server host 192.168.1.1 timeout 5
hostname (config) # radius-server host 192.168.1.1 retransmit 2
hostname (config) # aaa authentication login default local radius
hostname (config) # show radius
RADIUS Settings:
Authentication and Authorization are enabled in AAA configuration.
RADIUS DEFAULTS:
Key: ********
Timeout: 3
Retransmit: 1
RADIUS servers:
192.168.1.1:1812
Enabled: yes
Key: *********
Timeout: 5
Retransmit: 2
The following example configures three RADIUS servers on the appliance, and then
defines global settings for the timeout and retransmit values.
hostname (config) # radius-server host 192.168.1.2 key 12345678
hostname (config) # radius-server host fdd3:c75:345::8a4 key 34567890
hostname (config) # radius-server host 192.168.3.4 key 98765432
hostname (config) # aaa authentication login default local radius
hostname (config) # radius-server timeout 5
hostname (config) # radius-server retransmit 1
hostname (config) # show radius
RADIUS Settings:
Authentication and Authorization are enabled in AAA configuration.
RADIUS defaults:
Key: ********
Timeout: 5
Retransmit: 1
RADIUS servers:
192.168.1.2:1812
Enabled: yes
Key: ********
Timeout: 5 (default)
Retransmit: 1 (default)
fdd3:c75:345::8a4:1812
Enabled: yes
Key: ********
Timeout: 5 (default)
Retransmit: 1 (default)
192.168.3.4:1812
Enabled: yes
Key: ********
Timeout: 5 (default)
Retransmit: 1 (default)
user = t-monitor {
    pap = cleartext "test123"
    service = fireeye-exec {
        "local-user-name-fireeye" = "monitor"
    }
}
maps to the appliance admin role, and the t-monitor user maps to the appliance
monitor role.
You can configure some TACACS+ settings globally, so the settings apply to all
TACACS+ servers configured on an appliance and become the new default
settings. For example, you could use the tacacs-server timeout <seconds>
command to configure the timeout value for all TACACS+ servers.
where ip address is the IPv4 address of the TACACS+ server and key string is
the secret key configured on the TACACS+ server.
2. By default, the appliance retransmits a request that previously timed out after three
seconds. To change the number of seconds:
hostname (config) # tacacs-server host <ip address> timeout <seconds>
See the CLI Command Reference for a complete list of TACACS+ server commands
and parameters.
Example
The following example configures a TACACS+ server and changes the timeout and
retransmit values.
hostname (config) # tacacs-server host 192.168.2.1 key 12345678
hostname (config) # tacacs-server host 192.168.2.1 timeout 5
hostname (config) # tacacs-server host 192.168.2.1 retransmit 2
hostname (config) # aaa authentication login default local tacacs+
hostname (config) # show tacacs
TACACS+ Settings:
Authentication and Authorization are enabled in AAA configuration.
Accounting is disabled in AAA configuration.
TACACS+ DEFAULTS:
Key: ********
Timeout: 3
Retransmit: 1
TACACS+ servers:
192.168.2.1:49
Enabled: yes
Auth Type: pap
Key: *********
Timeout: 5
Retransmit: 2
Configuring an LDAP Server
For LDAP configuration, localUserNameFireEye is the attribute name for mapping to the
Admin or Monitor role.
NOTE: This topic describes how to configure the LDAP server, not the FireEye
appliance. Your configuration should follow standard LDAP protocol; the
examples in this topic are provided for illustration only.
To configure an LDAP server:
2. Define users.
3. On the appliance, define the server host, base-dn, and login-attribute.
4. Run the service ldap start CLI command after configuring authentication
mappings.
Prerequisites
l Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
The following example defines a filter that allows "operator" role users in the Acme
IT network group to log in using LDAP.
hostname (config) # ldap search-filter "(|(memberOf=cn=Operators2,ou=Network Group,dc=acmeit,dc=com))"
The following example shows how to define attributes on the FireEye appliance:
ldap host hostname
ldap base-dn cn=ldap-monitor,ou=users,dc=fireeye,dc=com
ldap login-attribute uid
Prerequisites
l Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Configure the host to send LDAP authentication requests. Use the following
command:
ldap host <adServerHostnameIpaddress>
3. Configure the LDAP user search base. Use the following command:
ldap base-dn <ldapBaseDN>
4. Set the Distinguished Name used to bind to the server. Use the following command:
ldap bind-dn <searchUserDN>
5. Configure the credentials used to bind to the server. Use the following command:
ldap bind-password <searchUserPassword>
6. Configure which attribute holds the login name. Use the following command:
ldap login-attribute sAMAccountName
If the user is authenticated by the remote server but the remote server does not return the
attribute string, the remote user is logged in as the default local user. This is specified by
the aaa authorization map default-user CLI command, as described in the following
topic:
l Mapping Remote Users to Default Local Users Using the CLI on page 77.
l Mapping to a local user account according to rules set by the aaa authorization
map order CLI command. The mapping can come from the local configuration or
An administrator can use the aaa authorization rules rule CLI command to
configure rules in the local configuration that override this mapping when the specified
conditions are met. Rule criteria include the following:
l Authentication type
l Remote user name
l Local user name (before the override)
l LDAP group
l LDAP search filter
The first rule that evaluates as "true" will override the initial mapping, and the remaining
rules will not be considered. If a rule includes multiple criteria, every criterion must be met
before the rule itself can evaluate as true. For example, if a rule specifies that the remote
username must be "alice" and that the LDAP group cannot be "group_a", the rule will
evaluate as true if the user is Alice, but only if she is in a group other than Group A.
For more information, see Locally Overriding Remote User Mappings Using the CLI below.
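The evaluation order described above (first true rule wins, every criterion of a rule must hold, an untouched login keeps its initial mapping) is easy to get wrong when rules are written by hand, so here it is as a small Python model. This is an added example, not FireEye code: the rule and criterion names are assumptions, four of the five criterion types are modelled, and the LDAP search filter criterion is left out.

```python
"""Local override rules for remote user mappings (added illustration; not FireEye code).

Models the evaluation the page describes for 'aaa authorization rules rule': rules are
tried in order, the first rule whose criteria are all true replaces the initial local
mapping, and later rules are ignored. Four of the five criterion types are modelled
(authentication type, remote user name, local user name, LDAP group); the LDAP search
filter criterion is left out. The rule syntax and names here are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class RemoteLogin:
    auth_type: str               # e.g. "ldap", "radius", "tacacs+"
    remote_user: str
    local_user: str              # initial mapping, before any override
    ldap_groups: Set[str] = field(default_factory=set)


@dataclass
class Criterion:
    kind: str                    # "auth-type" | "remote-user" | "local-user" | "ldap-group"
    value: str
    negate: bool = False         # True expresses "must not be" (e.g. LDAP group != group_a)


@dataclass
class Rule:
    name: str
    criteria: List[Criterion]
    map_to: str                  # local user account to use when the rule is true


def criterion_true(c: Criterion, login: RemoteLogin) -> bool:
    if c.kind == "ldap-group":
        matched = c.value in login.ldap_groups
    elif c.kind == "auth-type":
        matched = login.auth_type == c.value
    elif c.kind == "remote-user":
        matched = login.remote_user == c.value
    elif c.kind == "local-user":
        matched = login.local_user == c.value
    else:
        raise ValueError(f"unknown criterion {c.kind!r}")
    return not matched if c.negate else matched


def rule_true(rule: Rule, login: RemoteLogin) -> bool:
    # Every criterion must be met before the rule as a whole is true.
    return all(criterion_true(c, login) for c in rule.criteria)


def resolve_local_user(rules: List[Rule], login: RemoteLogin) -> str:
    for rule in rules:           # first true rule wins; remaining rules are not considered
        if rule_true(rule, login):
            return rule.map_to
    return login.local_user


# The page's example (remote user "alice" in a group other than "group_a") followed by a
# broader catch-all rule, to show that ordering decides which rule applies.
EXAMPLE_RULES = [
    Rule("alice-not-group-a",
         [Criterion("remote-user", "alice"), Criterion("ldap-group", "group_a", negate=True)],
         map_to="admin"),
    Rule("all-ldap-users", [Criterion("auth-type", "ldap")], map_to="operator"),
]
```

Note what happens to Alice when she is in group_a: the first rule is false, so evaluation continues and the catch-all second rule maps her to "operator". A rule list is a policy in its own right and should be reviewed as one, since a broad rule placed early shadows everything after it.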
Prerequisites
l Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
6. To create a new rule or to modify an existing rule, use the following command:
aaa authorization rules rule <wordPair>
Prerequisites
l Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
2. To specify the default local user account, use the following command:
aaa authorization map default-user <username>
Any non-mapped users will default to the specified local user account.
3. Save your changes:
hostname (config) # write memory
CHAPTER 5: Common Access Card (CAC) for Certificate Authentication
The keys and the certificates are stored on the CAC card. CAC provides two-factor
authentication (2FA) because you must place a physical card in a CAC reader and know a
Personal Identification Number (PIN). The CAC card stores the public certificates and the
corresponding private keys that belong to the user.
The certificate is automatically uploaded from the CAC card to the browser, and the user
selects an installed certificate to log in. The user is prompted to enter the PIN of the CAC
card. If the PIN is validated, the card unlocks a private key that is used to set up a TLS
connection with the appliance. The certificate identifies the user and it is used to set up a
TLS connection. If the certificate is verified and signed by a trusted Certificate Authority
(CA) and has not been revoked, the user is authenticated and can log in to the Web UI. The
private key never leaves the CAC card.
The following are the two security elements to allow the user to gain access to the Web UI:
4. Enable policy settings of the Web UI for certificate authentication. For details about
how to enable policy settings of the Web UI, see Enabling or Disabling the Policy
Settings of the Web UI for Certificate Authentication on page 86.
5. Configure user attributes for certificate authentication. For details about how to
configure the user attributes for certificate authentication, see Configuring the User
Attributes for Certificate Authentication on page 96.
6. (Optional) Enable and configure OCSP so that the appliance can validate certificate
revocation. For details about how to enable and configure OCSP for certificate
validation, see Enabling or Disabling OCSP Using the CLI on page 89
7. (Optional) Download a local Certificate Revocation List (CRL) file from a specified
remote location so that the appliance can validate certificate revocation. For details
about how to download a local CRL file for certificate validation, see Downloading
a Local CRL File Using the CLI on page 95.
8. Configure LDAP mappings for authorization if you selected to configure an LDAP
server to authorize users. For details about how to configure LDAP mappings for
authorization, see Configuring LDAP for Authorization on page 99.
9. Configure local user mappings for authorization. For details about how to configure
local user mappings for authorization, see Configuring Local User Mappings for
Authorization on page 107.
On Central Management and Network Security appliances the user can log in to the Web
UI for certificate authentication by entering the user name and password provided by the
administrator, using a certificate, or both. For details about how to log in to the Web UI, see
Logging in to the Web UI for Certificate Authentication on page 112.
The appliance supports single PEM-encoded certificates. A set of intermediate and root CA
certificates is used to validate the certificates from the CAC card that are presented to
the appliance. You can download a certificate bundle from a remote URL, import all the
certificates to the appliance, and add the certificates to the specified bundle list.
The following important attributes are provided in the certificate:
l Subject
l Public Key
l Serial Number
l Valid to (expiration date)
l Key Usage
l Subject Alternative Name
For details about how to define the certificate attributes, see Defining Default Certificate
Attributes on page 273.
Prerequisites
l Admin access to the appliance.
l (Optional) LDAP servers have been configured to authorize users. For details about
how to configure an LDAP server, see LDAP Server Configuration on page 71.
where <bundle_name> is the name of the certificate bundle. The bundle must be
named client-cert-auth.
<certificate_name> is the name of the certificate that already has been configured.
3. Verify the list of all the certificates that have been added to the bundle.
hostname (config) # show crypto certificate bundle client-cert-auth
Certificate bundle 'client-cert-auth':
Certificate with name 'client-cert-auth-0235cfce'
Issuer:
Common Name: vps1_root_ca_1
Country: US
State or Province: CA
Locality: Milpitas
Organization: FireEye
Organizational Unit: CAou
2. Depending on whether you want to keep the certificates in the database, choose one
of the following options:
l To delete the certificates from a bundle and delete them directly from the
database:
hostname (config) # no crypto certificate bundle <bundle_name> cert-name <certificate_name>
where <bundle_name> is the name of the certificate bundle. The bundle must
be named client-cert-auth.
<certificate_name> is the name of the certificate that already has been
configured.
l To delete the certificates from a bundle but keep them in the database:
hostname (config) # no crypto certificate bundle <bundle_name> cert-name <certificate_name> keep-member-certs
where <bundle_name> is the name of the certificate bundle. The bundle must
be named client-cert-auth.
<certificate_name> is the name of the certificate that already has been
configured.
3. Verify that the specified certificate is deleted from the bundle named client-cert-auth.
hostname (config) # show crypto certificate bundle client-cert-auth
2. Specify the name for the certificate bundle and download it.
hostname (config) # crypto certificate bundle <bundle_name> fetch url <url>
where:
l <bundle_name> is the name of the certificate bundle. The bundle must be
client-cert-auth.
l <url> is the direct path to the certificate file. The <url> is specified with the
remote server administrator credentials (<username> and <password>), the remote
server (<hostname>), and the path and filename of the certificate bundle on the remote
server (<path/filename>), in the following format:
scp://<username>[:<password>]@<hostname>/<path/filename>
4. Verify the list of all the certificate bundle names. The comment is added
automatically when you import a certificate bundle.
hostname (config) # show crypto certificate bundle
Bundle name Comment
=======================================================================
client-cert-auth Imported from
http://builds.eng.fireeye.com/~john.doe/vps1-cacerts.pem
5. (Optional) View the Privacy Enhanced Mail (PEM) encoded ASCII text of the certificate
bundle.
hostname (config) # show crypto certificate bundle client-cert-auth pem
-----BEGIN CERTIFICATE-----
MIIFRzCCBC+gAwIBAgIJANHeZPrkimh2MA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJDQTERMA8GA1UEBwwITWlscGl0YXMxEDAOBgNVBAoM
B0ZpcmVFeWUxDTALBgNVBAsMBENBb3UxFzAVBgNVBAMMDnZwczFfcm9vdF9jYV8x
.....
-----END CERTIFICATE-----
l Log in to the Web UI using the user name and password provided by their
administrator or using a certificate when a client X.509 certificate is optional for user
authentication. For details, see Logging in to the Web UI for Certificate
Authentication on page 112.
l Log in to the Web UI using a certificate when a client X.509 certificate is mandatory
for user authentication. For details, see Logging in to the Web UI for Certificate
Authentication on page 112.
When certificate authentication is not mandatory, you can configure the appliance not to
accept a client X.509 certificate.
NOTE: You cannot use other authentication methods that are already configured
to log in to the Web UI.
NOTE: You can enable or disable the policy settings of the Web UI for certificate
authentication only using the CLI. Policy settings are disabled by default.
Prerequisites
l Admin access to the appliance.
l (Optional) LDAP servers have been configured to authorize users. For details about
how to configure an LDAP server, see LDAP Server Configuration on page 71.
l A Certificate Authority (CA) certificate bundle has been downloaded, and an
imported certificate has been added to an existing bundle from a specified URL. For
details about how to download CA certificate bundle, see Downloading a CA
Certificate Bundle Using the CLI on page 85.
Use the CLI commands in this section to enable or disable the policy settings of the Web UI
to authenticate users using an X.509 certificate.
NOTE: Users log in to the Web UI either using the user name and
password provided by their administrator or using an optional X.509
certificate.
2. Disable the policy settings of the Web UI to not accept a client X.509 certificate.
hostname (config) # aaa authentication certificate web policy disabled
3. Verify the status for the policy settings of the Web UI.
hostname (config) # show aaa authentication certificate
Certificate based authentication settings:
Web Policy : disabled
.....
Both the Online Certificate Status Protocol (OCSP) and Certificate Revocation Lists (CRLs)
are used to validate whether an X.509 certificate has been revoked. OCSP is used as an
alternative to the CRL.
OCSP servers are also referred to as OCSP responders. OCSP allows the appliance to check
whether a certificate has been revoked without downloading and searching the entire list. If
an OCSP URL is found in the certificate, the OCSP responder is queried to determine the
revocation status of the certificate. If an OCSP URL is not found in the certificate, or the
appliance cannot communicate with the OCSP responder from the certificate, a configured
default URL is used.
A CRL contains a list of certificates that have been revoked or can no longer be trusted.
When a TLS connection is set up with the appliance, part of the authentication process is
to validate that the certificate is not listed in the CRL. Each entry in the list consists of
the serial number of the revoked certificate and the date of its revocation.
Prerequisites
l Admin access to the appliance.
l (Optional) LDAP servers have been configured to authorize users. For details about
how to configure an LDAP server, see LDAP Server Configuration on page 71.
l A Certificate Authority (CA) certificate bundle has been downloaded, and an
imported certificate has been added to an existing bundle from a specified URL. For
details about how to download CA certificate bundle, see Downloading a CA
Certificate Bundle Using the CLI on page 85.
l Policy settings of the Web UI have been enabled for certificate authentication. For
details about how to enable policy settings of the Web UI, see Enabling or Disabling
the Policy Settings of the Web UI for Certificate Authentication on page 86.
When OCSP is enabled and the appliance cannot reach the OCSP server, the user is denied
access to the Web UI.
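The revocation decision described in this section has several branches (CRL hit, responder taken from the certificate, fallback to the default URL, forced override, and the fail-closed rule above when no responder answers). The following Python, an added example and not FireEye code, walks through them with an in-memory stand-in for the responder, so the outcome of each configuration can be checked without network access; the URLs, serial numbers and responder contents are constructed.

```python
"""Revocation checking with CRL and OCSP, as the page describes it (added illustration; not FireEye code).

The decision logic follows the text: the local CRL is consulted by serial number; with OCSP
enabled, the responder named in the certificate is queried, the configured default URL is
used when the certificate has none or its responder cannot be reached, 'override-responder'
forces the default URL, and an unreachable responder denies the login. The responder is a
constructed in-memory stand-in, not a real OCSP client.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Cert:
    serial: int
    ocsp_url: Optional[str]   # OCSP responder URL carried in the certificate, if any


@dataclass
class RevocationConfig:
    ocsp_enabled: bool = False
    ocsp_override_responder: bool = False
    default_ocsp_url: Optional[str] = None
    crl_serials: Set[int] = field(default_factory=set)   # serials from the downloaded local CRL


# A responder takes (url, serial) and returns "good" or "revoked"; it raises
# ConnectionError when the URL cannot be reached.
Responder = Callable[[str, int], str]


def responder_urls(cert: Cert, cfg: RevocationConfig) -> List[str]:
    """URLs to try, in order: the certificate's responder unless overridden, then the default."""
    urls: List[str] = []
    if cert.ocsp_url and not cfg.ocsp_override_responder:
        urls.append(cert.ocsp_url)
    if cfg.default_ocsp_url and cfg.default_ocsp_url not in urls:
        urls.append(cfg.default_ocsp_url)
    return urls


def ocsp_status(cert: Cert, cfg: RevocationConfig, query: Responder) -> str:
    """Return "good", "revoked", or "unreachable" when no responder in the list answered."""
    for url in responder_urls(cert, cfg):
        try:
            return query(url, cert.serial)
        except ConnectionError:
            continue
    return "unreachable"


def is_login_allowed(cert: Cert, cfg: RevocationConfig, query: Responder) -> Tuple[bool, str]:
    if cert.serial in cfg.crl_serials:
        return False, "revoked: serial listed in local CRL"
    if not cfg.ocsp_enabled:
        return True, "not in CRL; OCSP disabled"
    status = ocsp_status(cert, cfg, query)
    if status == "good":
        return True, "OCSP: good"
    if status == "revoked":
        return False, "revoked: OCSP responder reported revoked"
    # Fail closed: the page states the user is denied when the responder cannot be reached.
    return False, "denied: OCSP responder unreachable"


# Constructed responders: URL -> set of revoked serials. Any other URL is "unreachable".
RESPONDER_DB: Dict[str, Set[int]] = {
    "http://ocsp.example.test/": {42},
    "http://ocsp-default.example.test/": {42, 43},
}


def demo_responder(url: str, serial: int) -> str:
    if url not in RESPONDER_DB:
        raise ConnectionError(f"no route to {url}")
    return "revoked" if serial in RESPONDER_DB[url] else "good"
```

Serial 43 is the instructive case: the responder named in the certificate reports it good while the default responder reports it revoked, so the override-responder setting changes the outcome. That is the operational reason to decide deliberately which responder is authoritative before enabling OCSP.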
To enable OCSP:
To disable OCSP:
2. Enable the override of the OCSP responder from the certificate that is being
validated and instead use the default OCSP responder.
hostname (config) # aaa authentication certificate ocsp override-responder
2. Disable the override of the OCSP responder from the certificate that is being
validated.
2. Specify the default OCSP URL so that certificate revocation can be validated.
hostname (config) # aaa authentication certificate ocsp default URL <URL>
where <URL> is the default URL that is configured on the appliance. This URL is
based on the configuration of the OCSP override responder.
3. Verify the configuration of the OCSP URL.
hostname (config) # show aaa authentication certificate
Certificate based authentication settings:
Web Policy : required
Certificate field for username : x509-cert-subject-cn
CA certificate bundle : client-cert-auth
OCSP enabled : no
Default OCSP URL : http://10.3.13.219:80
...
2. Enable the appliance to allow the user to log in to the Web UI even when the basic
constraints extension is not included in the X.509 certificate.
hostname (config) # aaa authentication certificate validation allow-missing-basic-constraints
2. Disable the option to allow the user to log in to the Web UI when the basic
constraints extension is not included in the X.509 certificate.
hostname (config) # no aaa authentication certificate validation allow-missing-basic-constraints
where <URL> is the direct path to the CRL file. The <URL> is specified with the remote
server administrator credentials (<username> and <password>), the remote server
(<hostname>), and the path and filename of the CRL file on the remote server
(<path/filename>), in the following format:
scp://<username>[:<password>]@<hostname>/<path/filename>
NOTE: If you do not specify the remote host administrator password in the
aaa authentication certificate crl fetch url command (where the
password would be visible as clear text), the CLI prompts for the password
and obfuscates the keyboard input as you type it.
4. (Optional) Specify a filename to save the CRL file that you downloaded.
NOTE: If you do not specify a filename, the CRL file will be saved to the
appliance locally and the remote filename will be used.
Attribute                     Description
x509-cert-subject             Name of the entry for the subject field in the certificate. The
                              subject is the Distinguished Name (DN) and is the X.509
                              structure. Each entry has a unique identifier.
                              The following example shows the DN format for CAC:
                              C=US, O=Test Government, OU=Test Department, OU=Test Agency,
                              CN=Test Cardholder
x509-cert-subject-cn          Common Name (CN) entry from the DN attribute that is associated
                              in a certificate. For example, CN=Test Cardholder.
x509-cert-san-email           The email address in the Subject Alternative Name (SAN) field of
                              the certificate. You are allowed to have multiple subfields for
                              SAN.
x509-cert-san-email-username  The user name of the email address without the domain name in
                              the certificate.
x509-cert-san-upn             User Principal Name (UPN) attribute that is encoded in the Other
                              Name field of the SAN field in the certificate.
NOTE: You can configure the user attributes for certificate authentication only
using the CLI.
Prerequisites
l Admin access to the appliance.
l (Optional) LDAP servers have been configured to authorize users. For details about
how to configure an LDAP server, see LDAP Server Configuration on page 71.
l A Certificate Authority (CA) certificate bundle has been downloaded, and an
imported certificate has been added to an existing bundle from a specified URL. For
details about how to download CA certificate bundle, see Downloading a CA
Certificate Bundle Using the CLI on page 85.
l Policy settings of the Web UI for certificate authentication have been enabled. For
details about how to enable policy settings of the Web UI, see Enabling or Disabling
the Policy Settings of the Web UI for Certificate Authentication on page 86.
2. Specify the name of the entry for the subject field in the certificate.
hostname (config) # aaa authentication certificate username x509-cert-subject
3. Specify an entry for the Common Name (CN) from the DN attribute that is
associated in a certificate.
hostname (config) # aaa authentication certificate username x509-cert-subject-cn
4. Specify an email address in the Subject Alternative Name (SAN) field of the
certificate. You are allowed to have multiple subfields for SAN.
hostname (config) # aaa authentication certificate username x509-cert-san-email
5. Specify the user name of the email address without the domain name in the
certificate.
6. Specify the User Principal Name (UPN) that is encoded in the "Other Name" field of
the SAN field in the certificate.
hostname (config) # aaa authentication certificate username x509-cert-san-upn
7. Specify the user name of the UPN attribute without the domain name in the
certificate.
hostname (config) # aaa authentication certificate username x509-cert-san-upn-username
l Enabling or Disabling the LDAP Server for Certificate Authorization Using the CLI
on page 101
l Configuring an LDAP Attribute to Match a Certificate Authorization Field Using the
CLI on page 102
l Removing an LDAP Attribute for Certificate Authorization Using the CLI on
page 103
l Configuring the Certificate Fields to Match the LDAP Field for Authorization Using
the CLI on page 103
l Defining LDAP Search Filters for Certificate Authorization Using the CLI on
page 105
l Removing LDAP Search Filters for Certificate Authorization Using the CLI on
page 105
l Enabling or Disabling the LDAP Override for Certificate Authorization Using the
CLI on page 106
When the appliance needs to determine the identity of the user, the Subject Alternative
Name (SAN) extension with the User Principal Name (UPN) extension in the certificate can
be used as an identifier when matching the certificate to an entry in the Active Directory
(AD), which is supported by the LDAP protocol.
When the certificate is validated, the AD server uses the Principal Name field (Principal
Name=user@fully.qualified.domain.name) in the SAN with the UPN of the certificate to
search for the user in the Active Directory. The server permits or denies access to the Web
UI based on the matched fields.
The user schema name and login name for the LDAP attribute are used to match the
configured certificate authorization field. An administrator can configure the LDAP record
to map the login name. An administrator can define an LDAP search filter in the
configuration that controls which users can log in using a certificate and then can be
authorized using LDAP.
Prerequisites
l Admin access to the appliance.
l LDAP servers have been configured to authorize users. For details about how to
configure an LDAP server, see LDAP Server Configuration on page 71.
l A Certificate Authority (CA) certificate bundle has been downloaded, and an
imported certificate has been added to an existing bundle from a specified URL. For
details about how to download CA certificate bundle, see Downloading a CA
Certificate Bundle Using the CLI on page 85.
l Policy settings of the Web UI for certificate-based authentication have been enabled.
For details about how to enable policy settings of the Web UI, see Enabling or
Disabling the Policy Settings of the Web UI for Certificate Authentication on page 86.
l User attributes for certificate authentication have been configured. For details about
how to configure the user attributes for certificate authentication, see Configuring the
User Attributes for Certificate Authentication on page 96.
l Online Certificate Status Protocol (OCSP) has been enabled and configured so that
the appliance can validate certificate revocation. For details about how to enable
and configure OCSP for certificate revocation, see Enabling or Disabling OCSP Using
the CLI on page 89 and Adding or Removing the OCSP URL Using the CLI on
page 92.
2. Enable the LDAP server to map a remote user to a local user account for certificate-
based authentication.
hostname (config) # aaa authorization certificate map-ldap enable
2. Specify the LDAP user schema name for LDAP to match the configured certificate
authorization field.
hostname (config) # aaa authorization certificate map-ldap match-ldap-attribute uid
3. Specify which attribute holds the login name to match the configured certificate
authorization field.
hostname (config) # aaa authorization certificate map-ldap match-ldap-attribute sAMAccountName
4. Specify which attribute holds an email address to match the configured certificate
authorization field.
hostname (config) # aaa authorization certificate map-ldap match-ldap-attribute mail
To configure the certificate fields to match the LDAP field for authorization:
2. Specify the subject field of the certificate as the field to match against the LDAP
field. The subject is the Distinguished Name (DN), an X.509 structure in which each
entry has a unique identifier.
hostname (config) # aaa authorization certificate map-ldap match-cert-field x509-cert-subject
3. Specify an entry for the Common Name (CN) from the DN attribute that is
associated in a certificate to match the LDAP field.
hostname (config) # aaa authorization certificate map-ldap match-cert-field x509-cert-subject-cn
4. Specify an email address in the Subject Alternative Name (SAN) field of the
certificate to match against the LDAP field. You are allowed to have multiple
subfields for the SAN.
hostname (config) # aaa authorization certificate map-ldap match-cert-field x509-cert-san-email
5. Specify the user name of the email address without the domain name in the
certificate to match against the LDAP field.
hostname (config) # aaa authorization certificate map-ldap match-cert-field x509-cert-san-email-username
6. Specify the User Principal Name (UPN) that is encoded in the Other Name field of
the Subject Alternative Name to match against the LDAP field.
hostname (config) # aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn
7. Specify the user name of the UPN field without the domain name in the certificate to
match against the LDAP field.
hostname (config) # aaa authorization certificate map-ldap match-cert-field x509-cert-san-upn-username
8. Verify the setting of the certificate field to match the LDAP field.
hostname (config) # show aaa authorization certificate
Certificate based authorization settings:
LDAP enabled : yes
LDAP Match Attribute : uid
Certificate field to match : x509-cert-san-email-username
LDAP Search Filter : Not configured
Username override : no
If the login is mapped to the LDAP account, an administrator can use the ldap login-attribute
command to override the username setting, and instead use the username from the LDAP
attribute.
To enable the LDAP override for certificate authorization:
2. Enable the LDAP override of the username setting that was specified with the
aaa authentication certificate username command, and instead use the username
from the LDAP attribute.
hostname (config) # aaa authorization certificate map-ldap username-override
2. Disable the LDAP override of the username setting that was specified with the
aaa authentication certificate username command.
hostname (config) # no aaa authorization certificate map-ldap username-override
Prerequisites
l Admin access to the appliance.
l A Certificate Authority (CA) certificate bundle has been downloaded, and an
imported certificate has been added to an existing bundle from a specified URL. For
details about how to download CA certificate bundle, see Downloading a CA
Certificate Bundle Using the CLI on page 85.
l Policy settings of the Web UI for certificate-based authentication have been enabled.
For details about how to enable policy settings of the Web UI, see Enabling or
Disabling the Policy Settings of the Web UI for Certificate Authentication on page 86.
l User attributes for certificate authentication have been configured. For details about
how to configure the user attributes for certificate authentication, see Configuring the
User Attributes for Certificate Authentication on page 96.
l Online Certificate Status Protocol (OCSP) has been enabled and configured so that
the appliance can validate certificate revocation. For details about how to enable
and configure OCSP for certificate revocation, see Enabling or Disabling OCSP Using
the CLI on page 89 and Adding or Removing the OCSP URL Using the CLI on
page 92.
l Enable all authorization rules. Use the aaa authorization rules enable command.
NOTE: A user with a reject user account is automatically locked out and is not
associated with a role by default.
2. Match all authorization rules for users who were authenticated using an X.509
certificate.
hostname (config) # aaa authorization rules rule append tail match-auth-method x509-cert map-local-user <role>
where <role> is the assigned role that allows the user to perform certain
operations.
3. Verify the status of the new authorization rules that are matched using the X.509
certificate authentication method.
hostname (config) # show aaa authorization rules
------------------------------------------------
# AAA Authorization Rules : Enabled
------------------------------------------------
# Rule Statements
------------------------------------------------
# 1 Match Auth Methods : x509-cert
-->Action Map Local User : monitor
# 2 Match x509 Cert Subject : C=US, ST=CA,
L=Milpitas, O=FireEye, OU=Engineering, CN=Test Cardholder
-->Action Map Local User : monitor
2. Prevent a new authorization rule from being matched for users who were
authenticated using an X.509 certificate.
hostname (config) # aaa authorization rules rule append tail match-not-auth-method x509-cert map-local-user <role>
where <role> is the assigned role that allows the user to perform certain
operations.
3. Verify the status of the new authorization rules that are matched using the X.509
certificate authentication method.
hostname (config) # show aaa authorization rules
------------------------------------------------
# AAA Authorization Rules : Enabled
------------------------------------------------
# Rule Statements
------------------------------------------------
# 1 Match Auth Methods : x509-cert
NOTE: A user with a reject user account is automatically locked out and is not
associated with a role by default.
2. Specify an authorization rule to match against the subject field of the X.509
certificate. The subject is the Distinguished Name (DN), an X.509 structure in which
each entry has a unique identifier.
hostname (config) # aaa authorization rules rule append tail match-x509-cert-subject "<string>" map-local-user <role>
where <string> is extracted from the subject field of the certificate and is matched
against the string that is in the rule. For example, C=US, ST=CA, L=Milpitas,
O=FireEye, OU=Engineering, CN=Test Cardholder.
<role> is the assigned role that allows the user to perform certain operations.
3. Specify an authorization rule to match against an entry for the Common Name (CN)
from the DN attribute of an X.509 certificate.
hostname (config) # aaa authorization rules rule append tail match-x509-cert-subject-cn "<string>" map-local-user <role>
where <string> is extracted from the subject field of the certificate and is matched
against the string that is in the rule. For example, CN=Test Cardholder.
<role> is the assigned role that allows the user to perform certain operations.
where <string> is extracted from the Subject Alternative Name field of the
certificate and is matched against the string that is in the rule. For example,
email:test.cardholder@fireeye.com.
<role> is the assigned role that allows the user to perform certain operations.
where <string> is extracted from the Subject Alternative Name field without the
domain name of the X.509 certificate and is matched against the string that is in the
rule. For example, test.cardholder.
<role> is the assigned role that allows the user to perform certain operations.
6. Specify an authorization rule to match against the User Principal Name (UPN) that
is encoded in the "Other Name" field of an X.509 certificate.
hostname (config) # aaa authorization rules rule append tail match-x509-cert-san-upn "<string>" map-local-user <role>
where <string> is extracted from the Subject Alternative Name field for the "Other
Name" value of the X.509 certificate and is matched against the string that is in the
rule. For example, Principal Name:test.cardholder@fireeye.com.
<role> is the assigned role that allows the user to perform certain operations.
7. Specify an authorization rule to match against the username of the UPN field of an
X.509 certificate.
hostname (config) # aaa authorization rules rule append tail match-x509-cert-san-upn-username <string> map-local-user <role>
where <string> is extracted from the certificate and is matched against the string
that is in the rule. For example, test.cardholder.
<role> is the assigned role that allows the user to perform certain operations.
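The two mechanisms described above, the map-ldap lookup that turns a certificate field into an LDAP search and the ordered authorization rules that map a certificate login to a local role, can be modelled together. The following is an added example written for this page, not FireEye appliance code: the CertLogin and Rule classes, the first-match rule order, the exact case-sensitive string comparison and the acceptance of the display labels CN=, email: and Principal Name: in a rule string are all assumptions about the appliance's behaviour; the sample certificate values are the ones shown in this chapter.

```python
"""Certificate-to-LDAP mapping and authorization-rule evaluation.

Hypothetical model of the appliance behaviour described above, not FireEye code:
  aaa authorization certificate map-ldap match-cert-field <field>
  aaa authorization certificate map-ldap match-ldap-attribute <attr>
  aaa authorization rules rule append tail match-<what> "<string>" map-local-user <role>
Rule order, first-match semantics and exact string comparison are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class CertLogin:
    auth_method: str        # "x509-cert" for a certificate (CAC) login
    subject_dn: str = ""    # X.509 subject as a comma-separated DN string
    san_email: str = ""     # rfc822Name entry of the SAN extension
    san_upn: str = ""       # UPN from the Other Name entry of the SAN extension

def subject_cn(dn: str) -> str:
    """CN value of a DN string, or "" when the DN has no CN."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return ""

def strip_domain(name: str) -> str:
    """User name without the domain: everything before the first '@'."""
    return name.split("@", 1)[0]

def certificate_value(login: CertLogin, field: str) -> str:
    """Value extracted for one x509-cert-* field; "" when the certificate lacks it."""
    table = {
        "x509-cert-subject": login.subject_dn,
        "x509-cert-subject-cn": subject_cn(login.subject_dn),
        "x509-cert-san-email": login.san_email,
        "x509-cert-san-email-username": strip_domain(login.san_email),
        "x509-cert-san-upn": login.san_upn,
        "x509-cert-san-upn-username": strip_domain(login.san_upn),
    }
    if field not in table:
        raise ValueError(f"unknown certificate field: {field}")
    return table[field]

def escape_ldap_value(value: str) -> str:
    """RFC 4515 escaping so certificate-controlled text cannot change the filter."""
    return value.translate({ord("\\"): r"\5c", ord("*"): r"\2a",
                            ord("("): r"\28", ord(")"): r"\29", 0: r"\00"})

def ldap_search_filter(login: CertLogin, cert_field: str, ldap_attribute: str) -> Optional[str]:
    """Filter sent to LDAP for the user lookup; None (fail closed) when the field is empty."""
    if ldap_attribute not in ("uid", "sAMAccountName", "mail"):
        raise ValueError(f"unsupported LDAP attribute: {ldap_attribute}")
    value = certificate_value(login, cert_field)
    return f"({ldap_attribute}={escape_ldap_value(value)})" if value else None

@dataclass(frozen=True)
class Rule:
    match: str   # keyword after "match-", e.g. "auth-method" or "x509-cert-subject-cn"
    value: str   # the "<string>" argument, or the auth method for (not-)auth-method
    role: str    # map-local-user <role>

# The examples above print some values with a label; the bare value is accepted too (assumption).
DISPLAY_PREFIX = {"x509-cert-subject-cn": "CN=", "x509-cert-san-email": "email:",
                  "x509-cert-san-upn": "Principal Name:"}

def rule_matches(rule: Rule, login: CertLogin) -> bool:
    if rule.match == "auth-method":
        return login.auth_method == rule.value
    if rule.match == "not-auth-method":
        return login.auth_method != rule.value
    wanted = rule.value
    prefix = DISPLAY_PREFIX.get(rule.match, "")
    if prefix and wanted.startswith(prefix):
        wanted = wanted[len(prefix):]
    actual = certificate_value(login, rule.match)
    return bool(actual) and actual == wanted    # a missing field never matches

def map_local_user(rules: Sequence[Rule], login: CertLogin, rules_enabled: bool = True) -> Optional[str]:
    """Role of the first matching rule, in order; None means no role was assigned."""
    if not rules_enabled:
        return None
    for rule in rules:
        if rule_matches(rule, login):
            return rule.role
    return None

# Constructed sample data reusing the certificate values shown in this chapter.
CARDHOLDER = CertLogin("x509-cert",
                       subject_dn="C=US, ST=CA, L=Milpitas, O=FireEye, OU=Engineering, CN=Test Cardholder",
                       san_email="test.cardholder@fireeye.com",
                       san_upn="test.cardholder@fireeye.com")
SAMPLE_RULES = [
    Rule("x509-cert-subject-cn", "CN=Test Cardholder", "admin"),  # most specific rule first
    Rule("auth-method", "x509-cert", "monitor"),                   # any other certificate login
    Rule("not-auth-method", "x509-cert", "analyst"),               # hypothetical non-certificate logins
]
```

Two points are worth noticing. A certificate that lacks the configured field produces no LDAP filter at all rather than an empty lookup, so the authorization fails closed; and the value taken from the certificate is escaped before it is placed in the filter, so a subject or SAN containing filter metacharacters cannot widen the LDAP search. Rule order matters: with the sample rules, a cardholder whose CN matches gets the admin role before the generic x509-cert rule is reached.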
The log out message will not be displayed if it is disabled. Use the aaa authentication
logout user-message enable command to display the log out message. For details about
how to enable the log out message setting, see Enabling or Disabling the Log Out Message
Setting Using the CLI on page 26.
SSH host authentication verifies the identity of the Central Management appliance to the
managed appliance and verifies the identity of the managed appliance to the Central
Management appliance.
The topics in this section describe how to configure SSH authentication.
Server-initiated connection
With this type of connection, the Central Management administrator adds an
appliance directly from the Central Management Web UI or CLI. For information about
a client-initiated connection (where a managed appliance administrator sends a
request for management to the Central Management appliance, and a Central
Management administrator accepts or rejects the request), see the System Administration
Guide or Administration Guide for the managed appliance.
Client-initiated connection
With this type of connection, a managed appliance administrator sends a request for
management to the Central Management appliance, and a Central Management
administrator accepts or rejects the request. For information about a server-initiated
connection (where the Central Management administrator adds an appliance directly
from the Central Management Web UI or CLI), see the Central Management
Administration Guide.
User Authentication
The remote user can authenticate using either a password or a public key. After the
connection is established, it is controlled by the configured password or the public key.
Password Authentication
With password authentication, a password is configured for the remote user. This is the
initial authentication type for an appliance that is added to the Central Management
appliance using the Web UI.
Public Key Authentication
Public key authentication uses a pair of keys—a public key and a private key. With public
key authentication, an SSH-DSA2 or SSH-RSA2 identity is configured for the remote user
and is pushed to the appliance.
Benefits of public key authentication include:
l The private key remains on the managed appliance and cannot be computed from
the public key. This is an advantage over password authentication, where the
l If you use password authentication, password change policies can break the
connection between the Central Management platform and the managed appliance.
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
5. (Central Management only) Push the key to the managed appliance as described in
Pushing a Public Key Using the Central Management CLI on the facing page.
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
Example
The following example creates an SSH-DSA2 identity named "admin4" on the NX-04
appliance.
NX-04 (config) # cmc auth ssh-dsa2 identity admin4
NX-04 (config) # show cmc auth identities
DSA2 identity admin4:
Public Key:
ssh-dss AAA3NzaC1kc3MAAACBAJl3PisWNnz/gYLvL4JC7xFMoq3HE89rai7trnJmpxjylArYhf
MzaGndFA4qGRZMFzhiz9Jhi/+W1ufIrXLGzakC0lAAAAFQCuMCsMwMGN9zT5w2JCiDt7D6orNwAA
.
.
.
NOTE: You can also use the Central Management Web UI to push the key. For
details, see Importing a Host Key into the Global Host-Keys Database Using the
Central Management Web UI on page 131.
where the username and password options allow the remote user to log in to the
appliance to push the public key before the appliance is connected.
4. Verify your change:
a. Log in to the managed appliance CLI.
b. Go to CLI enable mode:
appl-hostname > enable
Examples
.
.
CM-08 (config) # cmc appliance EX-03 auth ssh-dsa2 identity admin4 push
Push of identity for user admin onto EX-03 succeeded.
EX-03 # show ssh client
.
.
SSH authorized keys:
User admin:
Key 1:
ssh-dss AAA3NzaC1kc3MAAACBAJl3PisWNnz/gYLvL4JC7xFMoq3HE89rai7trnJmpxjylArYhf
MzaGndFA4qGRZMFzhiz9Jhi/+W1ufIrXLGzakC0lAAAAFQCuMCsMwMGN9zT5w2JCiDt7D6orNwAA
.
.
.
Connection status:
Connected: yes (server-initiated)
.
.
.
Authentication:
Authentication type: ssh-rsa2
password username: admin
password password: ********
ssh-dsa2 username: admin
ssh-dsa2 identity:
ssh-rsa2 username: admin
ssh-rsa2 identity: admin6
After the appliance is connected, you can select an SSH-DSA2 or SSH-RSA2 key, which
changes the authentication type accordingly.
1. In the Action column for the appliance, click Use CMS Public Key to Connect. The
Password field is replaced by the CMS Public Key field.
2. Click the Select a Key drop-down list.
3. To configure SSH-DSA2 authentication, do one of the following:
l Select an existing key.
l Select No dsa keys. Create One, and then select the dsa-admin key that is
created.
4. To configure SSH-RSA2 authentication, do one of the following:
l Select an existing key.
l Select No rsa keys. Create one, and then select the rsa-admin key that is
created.
5. Click Update Sensor.
NOTE: The connection will be interrupted briefly. Error messages and
indicators will be displayed, but they will clear as soon as the connection
is reestablished.
6. Verify that the key is displayed in the Public Key Used column for the appliance.
NOTE: See the ssh and cmc commands in the CLI Reference for advanced
authentication options.
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
On a managed appliance:
cmc client server auth authtype password
On a managed appliance:
cmc client server auth password password <password>
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
4. Specify the existing named identity used to authenticate the remote user.
On a Central Management appliance:
cmc appliance <applianceID> auth ssh-dsa2 identity <identityName>
On a managed appliance:
cmc client server auth ssh-dsa2 identity <identityName>
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
On a managed appliance, use the following command to specify the name of the
remote user to log in to the Central Management appliance:
cmc client server auth ssh-rsa2 username <username>
4. Use the following command to specify the existing named identity used to
authenticate the remote user:
cmc appliance <applianceID> auth ssh-rsa2 identity <identityName>
Example
The following example configures a Central Management appliance with SSH-RSA2
authentication parameters used to log in to the NX-04 managed appliance:
hostname (config) # cmc appliance NX-04 auth authtype ssh-rsa2
hostname (config) # cmc appliance NX-04 auth ssh-rsa2 username cmcadmin2
hostname (config) # cmc appliance NX-04 auth ssh-rsa2 identity admin2
Host-Key Authentication
This section covers the following information:
If strict host-key checking is enabled, the connection can be established only if the key
that is sent matches an entry in the local host-keys database for the Central
Management remote user. If global host-key checking is enabled, the connection can be
established only if the key that is sent matches an entry in the Central Management
global host-keys database.
If strict host-key checking is enabled, the connection can be established only if the key
that is sent matches an entry in the local host-keys database for the managed
appliance remote user. If global host-key checking is enabled, the connection can be
established only if the key that is sent matches an entry in the managed appliance
global host-keys database.
You can enforce strict host-key checking, global host-key checking, or both. In compliance
mode, both strict and global host-key checking are enforced. For details, see the FIPS 140-2
and Common Criteria Addendum.
In the case of primary and secondary Central Management platforms in a Central
Management High-Availability (HA) deployment, the two Central Management platforms
exchange keys, and the connection is established if the keys match. For details, see the
Central Management High Availability Guide.
Prerequisites
l Admin access to configure authentication and create keys.
To use the Web UI to obtain the host key of a supported appliance, use the Certificate
Management page:
l On a Central Management appliance, the host key is the key that you will import
into the global host-keys database of the managed appliance:
l On a managed appliance, the host key is the key that you will import into the global
host-keys database of the Central Management appliance:
Prerequisites
l Admin access to configure authentication and create keys.
3. In the Keys section of the page, find the string that identifies the host key.
l On a managed appliance:
Appliance Public Key (Use this key for managed appliance connections)
l Paste the key into the CLI, as described in Importing a Host Key into the
Central Management Global Host-Keys Database Using the CLI on page 133
or Importing a Host Key into the Managed Appliance Global Host-Keys
Database Using the CLI on page 134.
l Paste the key into a text file and save it for later.
4. Do one of the following, depending on whether you will add the key using the
Central Management appliance Web UI or CLI:
l Web UI: Copy the key string, starting with the IP address and ending with
the last character. Omit the double quotation marks at the beginning and end
of the host key entry.
l CLI: Copy the key string as described above, but include the double
quotation marks.
5. Do one of the following:
l Paste the key into the Central Management Web UI, as described in Importing
a Host Key into the Global Host-Keys Database Using the Central
Management Web UI on page 131.
l Paste the key into the Central Management CLI, as described in Importing a
Host Key into the Central Management Global Host-Keys Database Using the
CLI on page 133 or Importing a Host Key into the Managed Appliance
Global Host-Keys Database Using the CLI on page 134.
l Paste the key into a text file and save it for later.
Example
This example displays the host keys for a managed appliance. The RSA v2 key is
highlighted for illustration.
Acme-05 > show ssh server host-keys interface ether1
SSH server configuration:
SSH server enabled: yes
.
.
.
Interface listen enabled: yes
Listen Interfaces:
Interface: ether1
Host Keys:
RSA v1 host key: "172.17.74.40 2048 65537 2767892723557105143394492343612763
94200729942394341979526174787907308831935615818924165744283828800766510523178479
02037474895252247975570054315595358600142845914848782710493540937857691486699538
04205200729560274476403668156602030333253822356382587237819555941646603447324517
63747513796533041848893042157553987170029619742182277730552872281173097286794724
22744200184844597327452806661880313000836518022137675657765205670872217927843062
15703217249958957713631587970078908302914798758861955796169110420493384623007632
35665546051494669314340340626018765311569680255688151929860734984461083957535425
72032093143856912019598"
RSA v2 host key : "172.17.74.40 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzd5JwK
BjHLe/jxkF0JzWcXOTw9l0bz2SctkQrihkqg/zXqrmxAfgbzYulDSIxOKZTh2VBnKsy0qRWrCps64Itl
h6iRlr7Jxa+jAtTAGsygD0GsSKy13wfsJDhMfWk/nrEqicQ4BJN4M/8AzP+0ATQ2QeZ3nGRRzAiyqkn4
K8cRLJ1E80SnLrwElvw805LZWqNLSQwz6tF+8L1vrmr1kzutl082NBV548AU0wptE6Z2f2oxUobcax+e
qS6QMp5nnbPTDLJTbHChsVVrchTCwfGdNnjkawdDC6IhLk0BdncChpTS9E+ZF/F67YwpuIpgraWcoXuZ
xZDTwHDYPZfNtk5"
DSA v2 host key: "172.17.74.40 ssh-dss AAAAB3NzaC1kc3MAAACBAMY7tSZt46Qrv/hqL
1tazYjXNzkyLTWp54DjfkxzE//+qjE0AUr9hTU3ZmHYChzUVTEKj7syaxd+4Y+8IZ94eRVcnrH/jrqtE
aJ64SvoUqGkbKKezUbCVfSrzGgTV/A0dUzLYMLbOEMrTMcXki+DnaUSd80PCWLvq0Mcg0IpXAAAAFQDI
tRIv/iH3AAy23h3cnWzp3dpOXQAAAIAS0AONTi0O8A+f1HNOm3PzS02ZQ9ittHxA1ISs7yE6dcbj9JrW
Vf1w2lJTEZAJPQz/c9NysGVJusll6Aj1aqQ6EKuhKlPcpY0PyCVKT3TGgY93i648umYZSs9+HzoLY1/a
TnnkBGDQ8mFbjhyw3UdeiFjamVVr+4o8QwMbDXAfXAAAAIEAjBMXsp4gK5yvsAgBqcZeZm3vW4zYUpZZ
374A3ANXENWTh2yyQd8Ig1gB0YKDBhSHD6sZpPg88WSDxK3IAdifYGx+FAhowiuWcI+kA0UeiAb9/C+A
653zii1Nc85/fsIwl3GIjmp/xO23b+9YmHY8V5CsT+mmSIYQutCIzUVWbcYvEc="
Example
This example displays the Central Management host keys. The RSA v2 key is highlighted
for illustration.
CM-08 > show ssh server host-keys interface ether1
SSH server configuration:
SSH server enabled: yes
.
.
.
Interface listen enabled: yes
Listen Interfaces:
Interface: ether1
Host Keys:
RSA v1 host key: "10.11.121.13 2048 65537 2767892723557105143394492343612763
94200729942394341979526174787907308831935615818924165744283828800766510523178479
02037474895252247975570054315595358600142845914848782710493540937857691486699538
04205200729560274476403668156602030333253822356382587237819555941646603447324517
63747513796533041848893042157553987170029619742182277730552872281173097286794724
22744200184844597327452806661880313000836518022137675657765205670872217927843062
15703217249958957713631587970078908302914798758861955796169110420493384623007632
35665546051494669314340340626018765311569680255688151929860734984461083957535425
72032093143856912019598"
l Import the key for a specific appliance as part of the connection settings. You can
edit the settings of an existing managed appliance, or import the key while you are
configuring the initial connection with an appliance.
l Import keys from other appliances, even those appliances that are not currently
being managed by the Central Management appliance.
IMPORTANT: Before you perform this procedure, you must obtain the host key
from the managed appliance. For appliances running Release 7.6.0 or later, you
can obtain this key from the appliance Web UI or CLI. For appliances running
an earlier release, you must obtain this key from the CLI. For details, see
Obtaining a Host Key Using the Web UI on page 126 or Obtaining the Central
Management Appliance Host Key Using the CLI on page 130 or Obtaining a
Managed Appliance Host Key Using the CLI on page 128.
4. Click Update Sensor. The key is added to the global host-keys database and
displayed in the Sensor Host Keys section.
l Click Remove in the row for the key in the Sensor Host Keys section.
CAUTION! If you delete a host key that is in use, the connection between the
Central Management appliance and the managed appliance is broken.
IMPORTANT! Before you perform this procedure, you must obtain the host key
from the managed appliance. You can obtain this key from the appliance Web
UI or CLI. For details, see Obtaining a Host Key Using the Web UI on page 126,
Obtaining a Managed Appliance Host Key Using the CLI on page 128, or
Obtaining the Central Management Appliance Host Key Using the CLI on
page 130.
NOTE: See the ssh commands in the CLI Reference for advanced authentication
options.
CAUTION! If you delete a host key that is in use, the connection between the
Central Management appliance and the managed appliance is broken.
Example
This example imports the host key from a managed appliance into the Central
Management platform global host-key database.
hostname (config) # ssh client global known-host "172.17.74.54 ssh-rsa AAAAB3
NAfgbzYulDSIxOKZTh2VBnKsy0qRWrCps64Itlh6iRlr7JxazaC1yc2EAAAADAQABAAABAQCzd5Jw
Ktk5BjHLe/jxkF0JzWcXOTw9l0bz2SctkQrihkqg/zXqrmxtE6Z2f2oxUobcax+eqS6QMp5nnbPTD
LJTbHCNnjkawdDC6IhLk0BdncChpTS9E+ZF/F67YwpuIpgraWrchTCwfG+jAtTAGsygD0VVrchTCc
ncChpTS9E+ZF/F67YwpuIpgraWcoXuZxZKy13wfsJDhMfWk/nrEqicQ4BJN4M/8AzP+fd9sda3li"
hostname (config) # show ssh client
SSH client Strict Hostkey Checking: ask
Minimum protocol version: 2
Cipher list: compatible
Minimum key length: 1024 bits
required for global host-key authentication, in which the connection will be allowed only if
the host key the Central Management appliance sends is already in this database.
IMPORTANT! Before you perform this procedure, you must obtain the host key
from the Central Management appliance. You can obtain this key from the
Central Management appliance Web UI or CLI. For details, see Obtaining a
Host Key Using the Web UI on page 126, Obtaining a Managed Appliance Host
Key Using the CLI on page 128, or Obtaining the Central Management
Appliance Host Key Using the CLI on page 130.
NOTE: See the ssh commands in the CLI Reference for advanced authentication
options.
CAUTION! If you delete a host key that is in use, the connection between the
Central Management appliance and the managed appliance is broken.
Example
This example imports the host key from a Central Management appliance into the
managed appliance global host-key database.
hostname (config) # ssh client global known-host "10.11.121.13 ssh-rsa AAAAB3
NzaC1yc2EAAAADAQABAAABAQDZZJLE/ftkUddyNW6KdqEQXjS0PjbtzTn3OB51Qg0fdeQHrJgFHM2
/4C9WtDkwuX5jd7gdWnSWYwrXDv657thlyRPIt4Wxjf0bpOolPKAe6shgYq35NxalYDt7Pa/oym51
SN/x9dGaaTFOHvvdAf0Gu5E7nv3YjLjmSgdpSp7auHnYsyJ5O+xlYocXtoBq6jOueyxm8qm76IWL0
07JIJ7ZLgMI8FjZ5gp48r+Hnjrdio2rhKKUP/6B0jpHRxsd8yPxMgJpyz2Dwv9ZIJha67f6sgWYdt
4yxfBc9yr7yG3iVWVJcLE+83aY24X7DBUXFnG3AeciDpEqAit2dPF586hJ"
hostname (config) # show ssh server host-keys
SSH client Strict Hostkey Checking: ask
Minimum protocol version: 2
Cipher list: compatible
Minimum key length: 1024 bits
6. To add the host-key to the global database, follow the instructions at Importing a
Host Key into the Central Management Global Host-Keys Database Using the CLI
on page 133 or, for a Central Management appliance, Importing a Host Key into the
Global Host-Keys Database Using the Central Management Web UI on page 131.
Example
This example enforces both strict and global host-key checking on a Central Management
appliance or a managed appliance.
hostname (config) # cmc auth ssh host-key strict
hostname (config) # cmc auth ssh host-key global-only
hostname (config) # show cmc auth ssh
Example
In this example, the Email Security — Server Edition appliance is behind the NAT
gateway. Its IP address is 2.2.2.5, and its virtual IP address is 3.3.3.5.
The host-key string you obtain from the appliance Web UI or CLI starts with "2.2.2.5". For
example:
2.2.2.5 ssh-rsa BEWDS4d65dj/T29+6a38loABAAABAQDZZJLE/ftkUddyNW6KdqEQXjS0Pjb
tzTn3OB51Qg0fdeQHrJgFHM2/4C9WtDkwuX5jd7gdWnSWYwrXDv657thlyRPIt4Wxjf0bpOolPKAe
...
Before you import the host-key into the Central Management appliance global host-keys
database, you must replace "2.2.2.5" with "3.3.3.5." For example:
3.3.3.5 ssh-rsa BEWDS4d65dj/T29+6a38loABAAABAQDZZJLE/ftkUddyNW6KdqEQXjS0Pjb
tzTn3OB51Qg0fdeQHrJgFHM2/4C9WtDkwuX5jd7gdWnSWYwrXDv657thlyRPIt4Wxjf0bpOolPKAe
...
Example
In this example, the Central Management appliance is behind the NAT gateway. Its
IP address is 1.1.1.5, and its virtual IP address is 3.3.3.5.
The host-key string you obtain from the Central Management appliance Web UI or CLI
starts with "1.1.1.5". For example:
1.1.1.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzd5JwKBjHLe/jxkF0JzWcXOTw9l0
bz2SctkQrihkqg/zXqrmxAfgbzYulDSIxOKZTh2VBnKsy0qRWrCps64Itlh6iRlr7Jxa+jAtTAGsy
...
Before you import the host-key into the Email Security — Server Edition appliance global
host-keys database, you must replace "1.1.1.5" with "3.3.3.5." For example:
3.3.3.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzd5JwKBjHLe/jxkF0JzWcXOTw9l0
bz2SctkQrihkqg/zXqrmxAfgbzYulDSIxOKZTh2VBnKsy0qRWrCps64Itlh6iRlr7Jxa+jAtTAGsy
...
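The host-key checks described under Host-Key Authentication above and the NAT rewrite shown in these two examples can be worked through with the following added example, which is not FireEye appliance code: the strict and global-only flags, the host-key databases modelled as collections of entry strings, and the comparison on (address, key type, fingerprint) are assumptions about how the appliance behaves, and the key blobs are constructed placeholders, not real host keys.

```python
"""Host-key database checks for the Central Management / managed appliance SSH link.

Hypothetical model of the policy described above, not FireEye appliance code:
  strict      -> the presented key must be in the remote user's local host-keys database
  global-only -> the presented key must be in the global host-keys database
  both        -> it must be in both databases
plus the NAT rewrite of the address prefix of a host-key entry.
The key blobs are constructed placeholders, not real host keys.
"""
import base64
import hashlib
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class HostKeyEntry:
    address: str   # address the entry is stored under (first token of the string)
    key_type: str  # ssh-rsa, ssh-dss, ...
    blob: bytes    # decoded key bytes


def parse_host_key(entry: str) -> HostKeyEntry:
    """Parse "<address> <type> <base64>" as shown by show ssh server host-keys.
    Surrounding double quotes are optional and a base64 field that was wrapped
    over several lines is re-joined."""
    fields = entry.strip().strip('"').split()
    if len(fields) < 3:
        raise ValueError("expected '<address> <key-type> <base64-key>'")
    address, key_type, b64 = fields[0], fields[1], "".join(fields[2:])
    if not key_type.startswith("ssh-"):
        raise ValueError(f"unexpected key type: {key_type}")
    return HostKeyEntry(address, key_type, base64.b64decode(b64, validate=True))


def fingerprint(entry: HostKeyEntry) -> str:
    """OpenSSH-style SHA256 fingerprint (unpadded base64) of the key bytes."""
    digest = hashlib.sha256(entry.blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def rewrite_for_nat(entry: str, real_ip: str, virtual_ip: str) -> str:
    """Replace the address prefix with the NAT virtual IP; the key itself is unchanged."""
    parsed = parse_host_key(entry)
    if parsed.address != real_ip:
        raise ValueError(f"entry is stored under {parsed.address}, not {real_ip}")
    return f'"{virtual_ip} {parsed.key_type} {base64.b64encode(parsed.blob).decode()}"'


def _known(db: Iterable[str], wanted: tuple) -> bool:
    """True if some entry in the database has the wanted (address, type, fingerprint)."""
    return any((e.address, e.key_type, fingerprint(e)) == wanted
               for e in map(parse_host_key, db))


def connection_allowed(presented: str, peer_ip: str, local_db: Iterable[str],
                       global_db: Iterable[str], strict: bool, global_only: bool) -> bool:
    """Apply the enabled host-key checks to the key the peer presented.
    presented is "<type> <base64>" from the SSH handshake; the databases hold
    host-key entry strings in the format shown above."""
    key = parse_host_key(f"{peer_ip} {presented}")
    wanted = (peer_ip, key.key_type, fingerprint(key))
    local_db, global_db = list(local_db), list(global_db)   # allow single-use iterables
    if strict and not _known(local_db, wanted):
        return False
    if global_only and not _known(global_db, wanted):
        return False
    return True   # with neither check enabled nothing is enforced: any key is accepted


def _constructed_blob(tag: bytes) -> bytes:
    """Length-prefixed fields shaped like an ssh-rsa blob (type, e, n); sample only."""
    def s(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    return s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(tag)


# Constructed sample: the managed appliance from the first NAT example above.
REAL_IP, VIRTUAL_IP = "2.2.2.5", "3.3.3.5"
MANAGED_KEY = (f'"{REAL_IP} ssh-rsa '
               + base64.b64encode(_constructed_blob(b"managed-appliance-sample")).decode() + '"')
MANAGED_KEY_NAT = rewrite_for_nat(MANAGED_KEY, REAL_IP, VIRTUAL_IP)
PRESENTED = MANAGED_KEY.strip('"').split(" ", 1)[1]   # "ssh-rsa <base64>" as sent by the peer
```

The NAT case fails for the right reason: a stored entry is indexed by the address the Central Management appliance actually connects to, so a key stored under 2.2.2.5 is not found when the peer is reached at 3.3.3.5, even though the fingerprint is identical. Comparing the decoded key rather than the pasted text also means that a base64 field wrapped over several lines, as in the show output above, still matches.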
FireEye Identity and Access Management (IAM) provides user provisioning through
role-based access control policies. Using the default IAM organization administrator
account, you log in to the FireEye Cloud Web UI to configure security policies, other
FireEye IAM users, and user access controls.
FireEye IAM enables Helix to support single sign-on (SSO). Users authenticate against
FireEye IAM when they log in to a Helix appliance with their FireEye IAM account
credentials. The appliance verifies the user’s identity and obtains information from the
user’s ID token, access token, or session token. The user can navigate among components
without logging in to each appliance locally.
Helix Mode
In a Helix deployment, a FireEye appliance can be in one of three Helix modes:
Helix mode is disabled by default, and it is enabled when it is set to cloud or on-premises.
For details, see the Helix Integration Guide.
l required―Users sign in once at a FireEye Cloud Account login page with FireEye
IAM credentials. Users can pivot to any Helix component without logging in again
until the SSO session expires. See When SSO Authentication Is Required on
page 148.
l disabled―Users log in at the standard appliance Web UI login page with local
credentials for that appliance. See When SSO Authentication Is Disabled on the next
page.
l allowed―Users can sign in either locally or at the FireEye Cloud Account login
page. See When SSO Authentication Is Allowed on page 152.
Single sign-on authentication is disabled by default; it is enabled when the SSO
authentication mode is set to required or allowed.
This login sequence applies to each individual Helix appliance in the organization. This is
the default setting.
Dialog Box Field    Description
Auth Method         Local means that the user logged in locally to the appliance using their
                    appliance-specific credentials.
The log out message will not be displayed if it is disabled. Use the aaa authentication
logout user-message enable command to display the log out message. For details about
how to enable the log out message setting, see Enabling or Disabling the Log Out Message
Setting Using the CLI on page 26.
When you click Sign In Using Single Sign-On, the FireEye Cloud Account login page
appears. Enter your FireEye IAM account credentials.
After you authenticate against FireEye IAM, the Alerts page of the requested appliance
appears. You can access other Helix components in your network without logging in
locally to individual appliances, as long as your SSO session has not expired.
Information about the authentication methods is displayed in the logout dialog box:
Dialog Box Field                     Description
Auth Method                          The value oidc means that the user logged in with SSO
                                     authentication using FireEye IAM credentials.
Also log me out of Single Sign-On    The user has the option to log out of both the local
                                     session and the SSO session.
After you log out from the local session, the following page appears:
To log out from a local session to an appliance while your SSO session remains active:
3. Click Logout.
The appliance logout page shown above appears.
4. Click Appliance Console.
The Central Management appliance Dashboard appears.
To log out from your SSO session and any local sessions to individual appliances:
3. Click Logout.
The appliance logout page shown above appears.
The login page also offers three ways to log in to the appliance if both a certificate and SSO
are optional for user authentication:
After you click Logout, your session is closed and the dual login page appears again.
The log out message will not be displayed if it is disabled. Use the aaa
authentication logout user-message enable command to display the log out
message. For details about how to enable the log out message setting, see
Enabling or Disabling the Log Out Message Setting Using the CLI on page 26.
Prerequisites
l Admin access to a Helix appliance CLI.
3. To display Helix configuration settings, including the SSO authentication mode, use the
show helix command.
Helix Configurations:
Enabled : no
Mode : cloud
Single Sign-On : disabled
Console URL : http:///google.com
Alert Sync Enabled : yes
Alert Sync From : 0 days old
Alert Sync Max Count : 10000
Helix Configurations:
Enabled : yes
Mode : cloud
Single Sign-On : disabled
Console URL : http:///google.com
Alert Sync Enabled : yes
Alert Sync From : 0 days old
Alert Sync Max Count : 10000
Helix Configurations:
Enabled : yes
Mode : on-premises
Single Sign-On : required
Console URL : http:///google.com
Alert Sync Enabled : yes
Alert Sync From : 0 days old
Alert Sync Max Count : 10000
In this example, SSO authentication for the Web UI is disabled, which is the default
setting.
hostname # show aaa authentication oidc
OIDC based authentication settings:
Web Policy : disabled
ID-token field for username : oidc-preferred-username
Prerequisites
l Your FireEye IAM organization and user accounts are configured. See FireEye IAM
Overview on page 281
l Admin access to a Helix appliance CLI.
l Use the following CLI configuration command to put the appliance in Helix
mode and set SSO authentication mode to required:
hostname (config) # helix mode on-premises with-sso
4. Verify your changes. Use the following commands, as described in Viewing Helix
Mode and SSO Authentication Mode Using the CLI on page 155.
l hostname (config) # show helix
5. (Optional) After the appliance is running in Helix mode, you can use the following
command to administratively disable SSO authentication without causing the
appliance to exit Helix mode:
hostname (config) # aaa authentication oidc web policy disabled
Security Assertion Markup Language (SAML) extends the single sign-on (SSO) standard to
authenticate and authorize users.
SAML is an XML- and Web-based open standard protocol for federated authentication and
authorization between separate identity providers and service providers. SAML
shares, or "federates," user identities within a network.
SAML configuration involves these roles:
l User—a human user that requests a service from the service provider. Also known
as a principal.
l Identity provider (IdP)—the entity that issues authentication assertions for single
sign-on (SSO). The IdP is a third-party service that creates, manages, and verifies the
authenticity of the user within a federation or distributed network. Examples of an
IdP are Okta and Microsoft Active Directory Federation Services (ADFS).
l Service provider (SP)—the entity that relies on the IdP to authenticate the identity of
the user so that it can authorize access to its services. The FireEye appliance operates
as the SAML SP.
Your SAML IdP solution depends on your security and network requirements.
Refer to your IdP server installation and configuration documentation to
integrate with FireEye appliances.
SAML passes credentials about users, logins, and attributes between the IdP and SP. The
credentials are in the form of assertions. An assertion is an XML metadata file that the IdP
posts to a location that the SP retrieves. The metadata contains the user's identity or profile.
With SAML, the user only needs to log in once using single sign-on (SSO) on the FireEye
appliance. The user login generates an SP SAML authentication request that is redirected
to the IdP via the Web UI. When the request is received, the IdP generates a SAML
authentication response that contains the stored user attributes and returns it to the SP.
For SAML authentication and authorization to work:
l An Assertion Consumer Service URL (ACS Endpoint) must be configured on the IdP.
l An IdP login URL must be configured on the FireEye appliance operating as an SP.
This information is the metadata that is configured on the IdP and SP. See Configuring
SAML Authorization on page 166.
Prerequisites
l Admin access to the FireEye appliance (SP).
l Admin access to the SAML IdP service.
l Communication between the SAML IdP service and the FireEye appliance.
l If using access groups, access group rules must be configured for SAML.
l If using AAA authorization rules, they must be configured for SAML.
Prerequisites
l Admin access to the appliance.
to the IdP login page without clicking the Sign in using SAML link.
See Redirecting to the IdP Login Page Using the CLI below to enable or disable the feature.
Prerequisites
l Admin access to the appliance.
3. Disable the existing policy and restore it to the default SAML behavior.
hostname (config) # no aaa authentication saml web policy
Prerequisites
l Admin access to the FireEye appliance operating as SAML SP.
l Admin access to the SAML IdP server.
l SAML Web policy setting is enabled by using the CLI.
l SAML IdP metadata file.
3. Click Choose File. This is the metadata file obtained from your SAML IdP server.
Examples:
aaa authentication saml idp fetch meta-data-url
https://172.16.142.99/IDPMetadata.xml
Download the service provider metadata and upload it to your IdP server. The metadata
file includes the single sign-on (SSO) Assertion Consumer Service URL (ACS Endpoint)
and the entity ID. The metadata is used by the IdP server to learn where the SP SAML
requests are posted. The metadata is also referred to as the SP login URL.
You can download the SP metadata directly from a standalone appliance or from the
Central Management appliance for a managed appliance using the Web UI or CLI.
Prerequisites
l Admin access to the FireEye appliance operating as a SAML SP.
l Admin access to the SAML IdP server.
l SAML Web policy setting is enabled by using the CLI.
3. Download the appliance XML metadata by specifying your admin login, password,
and path to the metadata.
hostname # aaa authentication saml download meta-data <meta-data-pathname>
For example,
aaa authentication saml download meta-data
scp://<username>:<password>@x.x.x.x/var/www/html/saml-server-xml/
Prerequisites
l Admin access to the appliance.
l Admin access to the Identity Provider
l appliance.role.cms—Central Management
l appliance.role.wmps—Network Security
l appliance.role.emps—Email Security — Server Edition
l appliance.role.fmps—File Protect
l appliance.role.mas—Malware Analysis
l appliance.role.hx—Endpoint Security
l appliance.role.default—used for any designated FireEye appliance configured as an
SP.
When a user logs in to a FireEye appliance through a SAML IdP server, the user must
first be mapped to one of the following user roles:
l admin
l analyst
l auditor
l monitor
l operator
Guidelines
l The "appliance.role.<product type>" attribute takes precedence over the
"appliance.role.default" attribute.
l The "appliance.role.default" attribute can be configured on the IdP server or the
backend LDAP database where you define the user attributes.
l The user privileges are restricted to the product specified in the attribute name and
value configuration.
l The user privileges are assigned for each product specified in the
"appliance.role.<product type>" attribute.
User Name          IdP Configuration        Assigned Product                       Role Type
enterpriseadmin1   appliance.role.default   Central Management, File Protect,      admin
                                            Network Security
cmsadmin1          appliance.role.cms       Central Management                     monitor
l In the first example, the user "enterpriseadmin1" is assigned the admin role on the
Central Management, File Protect, and Network Security SP appliances.
l In the second example, the user "cmsadmin1" is assigned the monitor role on the Central
Management appliance SP.
To map the login user to a local user, use the match-saml-attribute value with
the key-value pair to define the statement.
hostname # show aaa authorization rules
--------------------------------------------------------------
# AAA Auhorization Rules : Enabled
--------------------------------------------------------------
# Rule Statements
--------------------------------------------------------------
# 1
Match saml namid : cmsmonitor
-->Action Map Local User : admin
Comment : mapping monitor user to admin
# 2
Match saml attribute : Email-Address:cmsadmin@exqa.com
-->Action Map Local User : monitor
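As an added illustration (not FireEye code) of the appliance.role.* precedence and the
SAML-to-local-user mapping described above, the following Python resolves a SAML login's
role and local user. Attribute names and rule values are taken from this page; the function
names and the first-match behavior of the mapping rules are assumptions.

```python
# Added illustration, not FireEye code: resolve the role and local user for a
# SAML login using the appliance.role.* precedence and AAA authorization rules
# described on this page. Function names are assumptions.

# Product types from the appliance.role.<product type> attribute names.
PRODUCT_TYPES = {"cms", "wmps", "emps", "fmps", "mas", "hx"}
# A SAML user must be mapped to one of these roles before login succeeds.
VALID_ROLES = {"admin", "analyst", "auditor", "monitor", "operator"}


def resolve_role(attributes, product):
    """Return the role for this appliance product type, or None.

    attributes maps SAML attribute names to lists of values (SAML attributes
    are multi-valued). appliance.role.<product> takes precedence over
    appliance.role.default; an unknown role value is rejected, not granted.
    """
    if product not in PRODUCT_TYPES:
        raise ValueError(f"unknown product type: {product}")
    for attr in (f"appliance.role.{product}", "appliance.role.default"):
        values = attributes.get(attr) or []
        if values:
            role = values[0].strip().lower()
            return role if role in VALID_ROLES else None
    return None


# Rules in the shape of 'show aaa authorization rules' (values from the page).
AUTH_RULES = [
    {"match": ("saml-nameid", "cmsmonitor"), "map_local_user": "admin",
     "comment": "mapping monitor user to admin"},
    {"match": ("saml-attribute", "Email-Address:cmsadmin@exqa.com"),
     "map_local_user": "monitor"},
]


def map_local_user(rules, name_id, attributes):
    """Map the SAML login to a local user name, or None if no rule matches.

    Assumption: rules are evaluated in order and the first match wins.
    A saml-attribute match is written as key:value, as in the CLI output.
    """
    for rule in rules:
        kind, expected = rule["match"]
        if kind == "saml-nameid":
            matched = name_id == expected
        elif kind == "saml-attribute":
            key, _, value = expected.partition(":")
            matched = value in (attributes.get(key) or [])
        else:
            raise ValueError(f"unsupported match type: {kind}")
        if matched:
            return rule["map_local_user"]
    return None


def login_decision(name_id, attributes, product, rules=AUTH_RULES):
    """Combine both steps: the role decides whether login is allowed at all,
    the mapping rules decide which local user the session runs as."""
    role = resolve_role(attributes, product)
    return {
        "allowed": role is not None,
        "role": role,
        "local_user": map_local_user(rules, name_id, attributes),
    }
```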
For detailed information, see Configuring Access Groups for Alerts on page 175
IMPORTANT! If you change a role while the user is logged in, the user will be
forcibly logged out. When the user logs in again, the capabilities associated
with the new role are available to the user.
NOTE: The VX Series appliance has a CLI, but it does not have a Web UI. The
recommended method for this configuration on a VX Series appliance is through
the managing Central Management appliance Web UI.
Prerequisites
l Admin access
1. Click the Settings tab on all appliances except the Endpoint Security server. On the
Endpoint Security appliance, select Appliance Settings from the Admin menu.
Prerequisites
l Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
where <role> is one of the roles listed in Assigning Roles for Local User Accounts
on the previous page.
3. Save your changes:
hostname (config) # write memory
You can use access groups to control which alerts users with the analyst and monitor roles
can view and manage. The system processes two types of rules to authorize access to
alerts.
l Access group rules define the criteria that must be matched in an alert that the
Central Management appliance receives from a managed Network Security or Email
Security — Server Edition appliance or from a managed ETP instance. If an alert
matches the criteria defined by the access group rules applied to an access group,
users in that access group can view and manage that alert. You can define multiple
access group rules for an access group.
l Authorization rules define the criteria that must be matched in the Central
Management Web UI login request. If there is a match, the user is added to the
access group associated with the rule. You can define multiple authorization rules
for an access group.
For example, suppose a Central Management appliance manages Network Security and
Email Security — Server Edition appliances. An authorization rule specifies that members
of the infosec LDAP group are added to the nx-alerts access group. The access group rules
defined for the nx-alerts access group specify that all alerts from managed Network Security
appliances should be displayed, except for alerts with "minor" severity. When Joe (a
member of the infosec LDAP group) logs in to the Central Management Web UI, he will see
the Alerts > NX pages, but not the Alerts > EX pages. The Alerts > NX pages will show all
major and critical alerts from all managed Network Security appliances.
This feature only affects users with the analyst and monitor roles.
Users with the admin role have unlimited access to alerts, and users with other
roles have no access to alerts by default; however, the admin can configure full UI
access to non-administrators with the aaa authorization access-groups group
<group name> rules rule command. Access groups have no effect on what
users can do with alerts. Analyst and monitor users can both view and manage
the alerts to which they have access.
Analyst and monitor users have no access to the CM Dashboard or the Reports
pages when this feature is enabled.
1. Create access groups. See Creating Access Groups for Alerts below.
2. Define access group rules. See Defining Access Group Rules on page 183.
3. Define authorization rules. See Defining Authorization Rules on page 185.
4. Enable access groups. See Enabling and Disabling Access Groups for Alerts on
page 186.
Prerequisites
l Admin access to the Central Management CLI
where:
l access group name is the name of the access group.
Example
The following example creates the "nx-alerts" access group on the cm-03 appliance.
cm-03 (config) # aaa authorization access-groups group nx-alerts
cm-03 (config) # show aaa authorization access-groups nx-alerts
-----------------------------------------------------
# Group: nx-alerts
-----------------------------------------------------
No Rules Configured
Defining Rules
A rule consists of the statements you define when you create the rule. You use key-value
pairs and other command options to define the statements. The statements do the
following:
l Specify the position of the rule in the rule list, and delete duplicate rules.
l Specify matching criteria to apply to alert objects. These statements are defined in
access group rules.
l Specify matching criteria to apply to login requests, and add optional comments.
These statements are defined in authorization rules.
The system processes all of the rules in the defined sequence, instead of stopping when the
first match is found. For access group rules, this allows the user access to all of the alerts
that match the criteria in all rules defined for the user's access groups. For authorization
rules, this allows the user to be added to multiple access groups and allows users who
meet multiple match criteria to be added to the same access group.
l A rule can include multiple match options, but only one of each type. For example,
a rule cannot have two match-ldap-group <group DN> options. There are two
exceptions:
l The match-access-group <access group> match option, as described in
grant-access-group <access group> on page 183.
l The match-alert-tag <tag name> match option, as described in match-
alert-tag <tag name> on page 180.
l If a rule includes more than one match option (an AND operation), both statements
must be true to achieve a match.
For example, a rule that grants access to the "nx-alerts" access group has two
statements. One statement specifies that the mapped local user name is anne and the
other statement specifies that the user is a member of the infosec LDAP group. Anne
has a local user account on the Central Management appliance, but she is not a
member of the "infosec" LDAP group, so she will not be added to the "nx-alerts"
access group.
l If you want to achieve a match if only one of a series of statements is true (an
OR operation), you must create a separate rule for each statement.
For example, if the matching criteria in the previous example were specified in
separate rules instead of as statements in one rule, both Anne and the members of
the "infosec" LDAP group will be added to the "nx-alerts" access group.
l If you remove all matching criteria statements from an authorization rule, all
analyst and monitor users will be granted access to that access group and will be
subject to the rules defined for it.
l Do not use the match-not command option to remove a match criterion, even if
that command option was used to add the match criterion. For example, use the
no aaa authorization access-groups group nx-alerts rules rule 3 match-alert-severity
command to remove a match criterion that was added using the
match-not-alert-severity minor option.
l Do not include the command option value to remove a match criterion. For
example, in the previous item, minor is not included in the command that
removes the alert severity match criterion.
Command Options
The following tables describe the key-value pairs and other options you can use to define
rules.
Command Option        Description
append tail           Inserts the new rule after the highest-numbered rule, or at
                      position 1 if there are no existing rules.
insert <rule number>  Inserts the new rule at the specified position. If there is
                      already a rule in this position, that rule and all other rules
                      are moved up one position.
set <rule number>     Creates a new rule at the specified position. If there is
                      already a rule in this position, it is replaced by the new rule.
modify <rule number>  Creates or modifies a rule at the specified position. If there
                      is already a rule in this position, the old values for an
                      existing match option are retained unless they are modified by
                      new values for that match option.
dup-delete            Deletes rules that are the same as the specified rule. (Rules
                      that are the same except for their comments are not deleted.)
Command Option                 Description
match-alert-tag <tag name>     Match the specified restricted tag. (The tag must already
                               be created and designated as "restricted" using the
                               Central Management Web UI. See the Central Management
                               Administration Guide for details.) To match multiple
                               tags, add a separate match-alert-tag <tag name> option
                               for each tag.
match-all-alerts               Match all alerts from all managed Network Security
                               appliances, Email Security — Server Edition appliances,
                               and ETP instances.
match-yara-rules-access        Match YARA rules modification and deletion access for
                               users in the Network Security appliance.
Command Option                          Description
match-x509-cert-subject <string>        Match the specified subject field in the client X.509
                                        certificate. The subject field contains the
                                        Distinguished Name (DN).
match-x509-cert-san-email <string>      Match the specified email address in the Subject
                                        Alternate Name (SAN) field in the X.509 client
                                        certificate.
match-x509-cert-san-email-username      Match the specified user name portion of the email
<string>                                address in the X.509 client certificate.
match-x509-cert-san-upn <string>        Match the specified User Principal Name (UPN)
                                        attribute from the SAN/Other Name field in the X.509
                                        client certificate.
match-x509-cert-san-upn-username        Match the user name from the UPN attribute in the
<string>                                X.509 client certificate.
match-x509-cert-subject-cn <string>     Match the specified Common Name (CN) entry from the
                                        DN attribute in the X.509 client certificate.
match-oidc-email-username <string>      Match the specified username portion of the email
                                        address in the OIDC identity token.
grant-access-group <access group>       Grant the user who matches the criteria in the rule
                                        access to the specified access group or groups. To
                                        apply the rule to multiple access groups, repeat the
                                        option once for each group or supply a comma-separated
                                        list of group names.
Prerequisites
l Admin access to the Central Management appliance.
l Access groups have been created.
l If alert matching rules will filter on alert tags: Restricted alert tags and rules have been
created for managed Network Security and Email Security — Server Edition
appliances. For instructions, see the "Filtering Alerts Using Tags and Rules" chapter
of the Central Management Administration Guide.
where:
l access group name specifies the name of the access group.
l position option specifies the position of the rule in the list. For a
description of the possible values, see Rule Operation Options on page 179.
l match option specifies the alert criteria to match. For a description of the
possible values, see Access Group Rule Options on page 179.
4. Verify your changes:
cm-hostname (config) # show aaa authorization access-groups rules
Example
The following example creates a rule that grants users in the nx-alerts access group access
to all major and critical alerts from the acme-nx2500 appliance.
cm-05 (config) # aaa authorization access-groups group nx-alerts rules rule
append tail match appliance-name acme-nx2500 match-not-alert-severity minor
cm-05 (config) # show aaa authorization access-groups group nx-alerts
Prerequisites
l Admin access to the Central Management appliance.
l Access groups have been created.
where:
l position option specifies the position of the rule in the list. For a
description of the possible values, see Rule Operation Options on page 179.
l match option specifies the authorization criteria to match. For a description
of the possible values, see Authorization Rule Options on page 181.
l access group name specifies the name of the access group.
Example
The following example creates a rule that grants users in the infosec LDAP group access to
the alerts defined for the nx-alerts access group.
cm-05 (config) # aaa authorization access-groups rules rule append tail
match-ldap-group infosec grant-access-group nx-alerts
cm-05 (config) # show aaa authorization access-groups rules
l If you enable access groups before they are configured, analyst and monitor users
will have no access to alerts.
l If access groups are configured but not enabled, analyst and monitor users will have
access to all alerts.
If you later disable access groups for alerts, configured access groups are not removed but
have no effect. Analyst and monitor users in configured access groups will have access to
all alerts after access groups for alerts are disabled.
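The rule semantics described under Defining Rules (every rule is evaluated, statements within
a rule are ANDed, separate rules are ORed, match-not negates) together with the enable/disable
behavior above, as an added Python model that is not FireEye code. The alert and login records
are constructed sample data, and the field names are assumptions chosen to mirror the CLI
match options.

```python
# Added model, not FireEye code: how access group rules and authorization
# rules combine to decide which alerts an analyst or monitor user can view.
# Field names mirror the CLI match options; records are constructed samples.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    """One rule: (option, value, negated) statements, ANDed together.
    negated=True represents a match-not-<option> statement."""
    statements: list
    grants: list = field(default_factory=list)  # authorization rules only


def statement_holds(option, value, negated, record):
    """Evaluate a single match-<option> against an alert or login record."""
    if option == "all-alerts":
        holds = True
    elif option == "alert-source-ip":
        actual = record.get(option)
        holds = actual is not None and ip_address(actual) in ip_network(value, strict=False)
    else:
        actual = record.get(option)
        # multi-valued fields (LDAP groups, alert tags) match on membership
        holds = value in actual if isinstance(actual, (list, set, tuple)) else actual == value
    return (not holds) if negated else holds


def rule_matches(rule, record):
    """All statements must hold (AND). A rule with no statements matches
    everything, which is why an authorization rule stripped of its criteria
    admits every analyst and monitor user."""
    return all(statement_holds(*s, record) for s in rule.statements)


def granted_groups(auth_rules, login):
    """Every authorization rule is evaluated, not just the first match, so a
    user collects the groups of all matching rules (OR across rules)."""
    groups = set()
    for rule in auth_rules:
        if rule_matches(rule, login):
            groups.update(rule.grants)
    return groups


def visible_alerts(role, groups, access_groups, alerts, enabled=True):
    """Admins see everything; roles other than analyst and monitor see
    nothing; with access groups disabled, analysts and monitors see all
    alerts; otherwise an alert is visible if any rule of any granted group
    matches it (enabled but unconfigured groups therefore show nothing)."""
    if role == "admin":
        return list(alerts)
    if role not in ("analyst", "monitor"):
        return []
    if not enabled:
        return list(alerts)
    rules = [r for g in groups for r in access_groups.get(g, [])]
    return [a for a in alerts if any(rule_matches(r, a) for r in rules)]


# Constructed configuration mirroring the page's nx-alerts / infosec example,
# plus an ex-alerts group keyed on a source subnet.
ACCESS_GROUPS = {
    "nx-alerts": [Rule([("appliance-name", "acme-nx2500", False),
                        ("alert-severity", "minor", True)])],
    "ex-alerts": [Rule([("alert-source-ip", "172.1.2.0/24", False)])],
}
AUTH_RULES = [
    Rule([("ldap-group", "infosec", False)], grants=["nx-alerts"]),
    # two statements in one rule: anne must ALSO be a member of infosec
    Rule([("mapped-local-username", "anne", False),
          ("ldap-group", "infosec", False)], grants=["ex-alerts"]),
]
ALERTS = [  # constructed sample alerts
    {"id": 1, "appliance-name": "acme-nx2500", "alert-severity": "major",
     "alert-source-ip": "10.1.1.5"},
    {"id": 2, "appliance-name": "acme-nx2500", "alert-severity": "minor",
     "alert-source-ip": "10.1.1.6"},
    {"id": 3, "appliance-name": "acme-ex8400", "alert-severity": "critical",
     "alert-source-ip": "172.1.2.10"},
]


def alert_ids_for(login, enabled=True):
    """Alert ids a login (a dict with role, mapped-local-username and
    ldap-group fields) can view under the constructed configuration."""
    groups = granted_groups(AUTH_RULES, login)
    return [a["id"] for a in
            visible_alerts(login["role"], groups, ACCESS_GROUPS, ALERTS, enabled)]
```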
Prerequisites
l Admin access to the Central Management appliance
Example
The following example enables access groups for alerts on the cm-05 appliance.
cm-05 (config) # aaa authorization access-groups area alerts enable
Type 'YES' to confirm enabling access groups that limit access to certain
objects like alerts for non-admin users: YES
cm-05 (config) # show aaa authorization access-groups
----------------------------------------------
# Group: nx-alerts
----------------------------------------------
# Rule Statements
----------------------------------------------
#1 Not Match Alert Severity: minor
...
Example
The following example disables access groups for alerts on the cm-05 appliance. The
nx-alerts access group is not removed, but has no effect unless access groups for alerts are
re-enabled.
cm-05 (config) # no aaa authorization access-groups area alerts enable
cm-05 (config) # show aaa authorization access-groups
----------------------------------------------
# Group: nx-alerts
----------------------------------------------
# Rule Statements
----------------------------------------------
#1 Not Match Alert Severity: minor
...
If you change rule criteria while users are logged in, the changes will take effect
after the user logs out and then logs in again. You can view the users who are
still logged in after a change has been made, and can forcibly log them out. See
Viewing Access Group Users Using the CLI on page 195.
Task                             Procedure
Change rule matching criteria    Use the modify <rule number> rule management command option,
values.                          and enter the match option with the new value.
Apply an authorization rule to   Use the modify <rule number> rule management command option,
other access groups.             and specify the other access group in the grant-access-group
                                 <group name> command option. If you want to keep existing
                                 access groups, you must re-enter them. Otherwise, they will
                                 be overwritten.
Add a match option to a rule.    Use the modify <rule number> rule management command option,
                                 and specify the new match option.
Add a comment to an              Use the modify <rule number> rule management command option,
authorization rule.              and use the comment "<comment>" command option to add the
                                 comment. Enclose the comment in double quotation marks if the
                                 comment includes multiple words.
Remove all access group rules.   Use the no aaa authorization access-groups group <group name>
                                 rules all command.
Prerequisites
l Admin access to the Central Management appliance
Examples
The following examples illustrate some of the tasks described in the previous table.
The following example changes the LDAP group to match in authorization rule 6 to
infosec-hq.
The following example uses two match-access-group command options to add the ex-
alerts access group to authorization rule 2 and retain the nx-alerts access group.
cm-09 (config) # aaa authorization access-groups rules rule modify 2 match-
access-group ex-alerts match-access-group nx-alerts
The following example uses a comma-separated list to add the ex-alerts access group to
authorization rule 2 and retain the nx-alerts access group.
cm-09 (config) # aaa authorization access-groups rules rule modify 2 match-
access-group ex-alerts,nx-alerts
The following example adds an alert severity match option to access group rule 1.
cm-01 (config) # aaa authorization access-groups group nx-alerts rules rule
modify 1 match-not-alert-severity minor
Prerequisites
l Admin access to the Central Management appliance
Examples
The following examples illustrate the tasks described in the previous table.
Prerequisites
l Monitor, Operator, or Admin access to the Central Management CLI
Examples
The following example shows information about the nx-alerts access group.
cm-01 # show aaa authorization access-groups group nx-alerts
-----------------------------------------------------------
# Group: nx-alerts
-----------------------------------------------------------
# Rule Statements
-----------------------------------------------------------
#1 Not Match Alert Severity: minor
Match Appliance Name: nx2500-01
-----------------------------------------------------------
# Group: nx-alerts
-----------------------------------------------------------
# Rule Statements
-----------------------------------------------------------
#1 Not Match Alert Severity: minor
Match Appliance Name: nx2500-01
-----------------------------------------------------------
# Group: ex-alerts Description : Central Region EX
-----------------------------------------------------------
# Rule Statements
-----------------------------------------------------------
#1 Match Alert Source IP: 172.1.2.0/24
Example
The following example shows the authorization rules configured on the cm-02 appliance.
cm-02 # show aaa authorization access-groups rules
---------------------------------------------------------
# AAA Authorization Access-groups Rules : Enabled
---------------------------------------------------------
# Rule Statements
---------------------------------------------------------
# 1 Match LDAP Group : infosec
Grant Access Groups : nx-alerts
The * to the left of the username in the example indicates the user who ran the
command. The (*) to the right of an access group name indicates that the
associated user was logged in while changes were made to rules for that access
group. The changes will not take effect for that user until the user logs out and
then logs in again. You can use the aaa login-session force-logout
<username> or aaa login-session force-logout all command to log out a
specified user or all users.
3. View users:
cm-hostname # show users access-groups
Example
The following example shows the users who are currently logged in to the cm-06
appliance, and the access groups granted to the analyst and monitor users.
cm-06 # show users access-groups
USERNAME REMOTE USERNAME ACCESS-GROUPS
* admin
analyst2 nx-alerts
monitor1 ex-alerts(*)
operator4
---------------------------------------------------------------
# Group: nx-east Description : eastern region NX alerts
---------------------------------------------------------------
# Rule Statements
---------------------------------------------------------------
#1 Comment: major and critical malware-object alerts
Match Alert Tag: malware-object
Not Match Alert Severity: minor
As an administrator, you can use access groups to enable users with analyst and monitor
roles to modify and delete YARA rules in the Network Security appliance. By default, these
users have read-only privilege.
Users that you add to this access group can upload and delete YARA rules in addition to
the privileges assigned to their role.
Follow these steps to authorize the access group users to modify the YARA rules:
1. Enable the yara_rules area for access groups. See Enabling and Disabling Access
Groups for YARA Rules below.
2. Create an access group. See Creating Access Groups for YARA Rules on page 200.
3. Authorize the group with the access group command option match-yara-rules-access.
Prerequisites
l Admin access to the Network Security appliance
Example
The following example enables access groups for YARA rules access on the Network
Security appliance.
hostname (config) # aaa authorization access-groups area yara_rules enable
Type 'YES' to confirm enabling access groups that limit access to certain
objects like alerts for non-admin users: YES
hostname (config) # show aaa authorization access-groups
Example
The following example disables access groups for YARA rules access on the Network
Security appliance. Configured access groups are not removed, but have no effect unless
access groups for YARA rules are re-enabled.
hostname (config) # no aaa authorization access-groups area yara_rules enable
hostname (config) # show aaa authorization access-groups
Prerequisites
l Admin access to the Network Security CLI.
where:
l access group name is the name of the access group.
Example
The following example creates the "special-analysts" access group on the Network Security
appliance.
hostname (config) # aaa authorization access-groups group special-analysts
hostname (config) # show aaa authorization access-groups group special-
analysts
-----------------------------------------------------
# Group: special-analysts
-----------------------------------------------------
No Rules Configured
The rule will match the access rights to YARA rules for users that are part of the access
group.
For more information on defining access group rules, see Defining Rules on page 177.
Prerequisites
l Admin access to the Network Security CLI.
l Access groups have been created.
where:
l access group name is the name of the access group.
Example
The following example enables the access group "special-analysts" to modify and delete
YARA rules.
hostname (config) # aaa authorization access-groups group special-analysts
rules rule append tail match-yara-rules-access
hostname (config) # show aaa authorization access-groups group special-
analysts
------------------------------------------------
# Group: special-analysts
------------------------------------------------
# Rule Statements
------------------------------------------------
#1
Match YARA rules access
Prerequisites
l Admin access to the Network Security CLI.
l Access groups have been created.
l YARA rules access is granted to the access group.
where:
l access group name is the name of the access group.
Example
The following example adds the user "analyst_a" to the "special-analysts" access group on
the Network Security appliance.
hostname (config) # aaa authorization access-groups rules rule append tail
grant-access-group special_analysts match-mapped-local-username analyst_a
hostname (config) # show aaa authorization access-groups rules
--------------------------------------------------------------
# AAA Authorization Access-groups Rules : Enabled
--------------------------------------------------------------
# Rule Statements
--------------------------------------------------------------
# 1
Match Map Local Users : analyst_a
Grant Access Groups : special_analysts
l Accounting on page 207
l Which user made the change (login and logout details, including the origin,
authentication method, and role).
l Authentication failures and lockouts.
l The interface used to make the change: Command Line Interface (CLI), Web UI,
Serial Console, or LCD Panel Interface.
l The change that was made.
l The date and time the change was made.
l The session ID used to initiate the change. The session ID persists for the duration of
the session, which starts when the user logs in and ends when the user logs out.
Audit log messages are also logged to the system log. The audit log messages in this log
are prefixed with AUDIT: and tagged as described in the following table so you can quickly
locate them.
See Managing Audit Logs Using the CLI on the facing page for information about
configuring and viewing audit logs.
NOTE: You can use the aaa accounting CLI command to send audit messages
to TACACS+ servers.
Prerequisites
l Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Display the active audit log file, a list of all audit log files, an archived audit log file,
or selected entries in the active audit log:
hostname (config) # show log audit
3. Enable the override of the global minimum severity level of audit log messages
saved in log files on the local disk:
hostname (config) # logging local override class audit
4. Enable the global minimum severity level of the audit log messages with the
specified severity level:
hostname (config) # logging local override class audit priority
<severityLevel>
5. Upload the active audit log file to the specified network location:
hostname (config) # logging files audit upload current <path>
PART V: Certificates
MTA Certificates are only available on the Email Security — Server Edition
appliances.
The system self-signed certificate is the default active HTTPS certificate and the default
MTA certificate. You can configure an alternate certificate, which can be a certificate issued
by your own organization (also a self-signed certificate) or a certificate issued by a public
certificate authority (CA).
You can use the following methods to obtain and install a certificate:
l Upload both an existing certificate file and the matching private key file from your
local file system. (Web UI only)
l Enter the public and private key PEM strings at the command line. (CLI only)
l Create your own self-signed certificate. This process automatically generates an
internal matching private key that is paired with the certificate.
l Manually create a Certificate Signing Request (CSR) to obtain a server certificate
from a public certificate authority (CA). (See Obtaining a CA Certificate from a
Trusted Public Certificate Authority (CA) on page 245.)
l Use the Email Security — Server Edition Web UI to create a Certificate Signing
Request (CSR) to obtain an MTA certificate from a public certificate authority (CA).
This process automatically generates an internal matching private key that is paired
with the certificate when you import it, so do not explicitly import a private key
with the CA-provided certificate.
Usage Guidelines
l Each appliance needs a unique HTTPS certificate and matching private key. The
MTA also needs a certificate and matching private key. The system self-signed
certificate serves as both the HTTPS and MTA certificate by default.
l The certificate and private key must be configured as a Privacy Enhanced Email
(PEM) encrypted ASCII string.
The PEM string must be formatted in the following order:
1. Double quotation marks
2. A new line
3. BEGIN delimiter string
4. ASCII block
5. END delimiter string
6. A new line
7. Double quotation marks
If a comment is added, it must follow the final double quotation marks and be on
the same line. Any commentary outside the BEGIN and END delimiter strings is
ignored.
The following is an example PEM string (with a truncated ASCII block):
>"
>-----BEGIN CERTIFICATE-----
>MIIEujCCA6KgAwIBAgIJAI/1cFcdOeykMA0GCSqGSIb3DQEBBQ
>UAMIGZMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
>YTERMA8GA1UEBxMITWlscGl0YXMTJDE3GDS9DYEDLO9EWS6Fx=
>.
>.
>.
>-----END CERTIFICATE-----
>
>"
l The active HTTPS certificate uses the reserved name web-cert. The active MTA
certificate uses the reserved name mta-cert.
l You cannot add a new web-cert or mta-cert certificate if one already exists. You
must delete or rename the existing certificate first.
l After you add the new certificate, you must explicitly activate it for the Web server
or MTA.
l The HTTPS certificate you import or create can have a unique name, but it must be
renamed to "web-cert" before you can activate it.
l The MTA certificate you import or create can have a unique name, but must be
renamed to "mta-cert" before you can activate it.
l The certificate section of the show configuration CLI command output indicates
whether a private key is defined for each certificate. Private key PEM strings are
omitted.
l If a private key has a passphrase, the key must be converted to an unlocked private
key PEM string before it can be imported.
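The following Python parser is an added illustration of the PEM string order described in these guidelines; it is not code from the guide or from the appliance. It accepts the string as it would be typed at the CLI (opening quotation mark, new line, one or more BEGIN/END delimited blocks, new line, closing quotation mark, optional text such as a comment on the same line), ignores commentary outside the delimiters, and also handles a multi-certificate pemChainString. The certificate bytes in the sample are constructed, not a real X.509 object.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches the delimiter lines, e.g. "-----BEGIN CERTIFICATE-----".
BEGIN_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----")
END_RE = re.compile(r"-----END ([A-Z ]+)-----")


@dataclass
class PemArgument:
    blocks: List[Tuple[str, bytes]]   # (label, decoded DER bytes) per BEGIN/END block
    trailer: Optional[str]            # text after the closing quote, e.g. comment "..."


def parse_pem_argument(arg: str) -> PemArgument:
    """Validate the quoted PEM string in the order the appliance CLI expects.

    Required order: double quotation mark, new line, BEGIN delimiter, ASCII block,
    END delimiter, new line, double quotation mark. Commentary outside the
    BEGIN/END delimiters is ignored. Anything after the closing quotation mark
    (where a comment may follow on the same line) is returned as the trailer.
    The '>' continuation prompts printed by the CLI are not part of the string.
    """
    if not arg.startswith('"'):
        raise ValueError("PEM string must begin with a double quotation mark")
    close = arg.find('"', 1)
    if close == -1:
        raise ValueError("PEM string is missing the closing double quotation mark")
    body = arg[1:close]
    trailer = arg[close + 1:].strip()
    if not body.startswith("\n"):
        raise ValueError("a new line must follow the opening quotation mark")
    if not body.endswith("\n"):
        raise ValueError("a new line must precede the closing quotation mark")
    if "\n" in trailer:
        raise ValueError("text after the closing quotation mark must stay on the same line")

    lines = [line.strip() for line in body.split("\n")]
    blocks: List[Tuple[str, bytes]] = []
    i = 0
    while i < len(lines):
        begin = BEGIN_RE.fullmatch(lines[i])
        if begin is None:
            i += 1          # commentary outside the delimiters is ignored
            continue
        label = begin.group(1)
        b64_lines: List[str] = []
        i += 1
        while i < len(lines) and END_RE.fullmatch(lines[i]) is None:
            if BEGIN_RE.fullmatch(lines[i]):
                raise ValueError(f"nested BEGIN delimiter inside {label} block")
            b64_lines.append(lines[i])
            i += 1
        if i == len(lines):
            raise ValueError(f"BEGIN {label} delimiter has no matching END delimiter")
        end_label = END_RE.fullmatch(lines[i]).group(1)
        if end_label != label:
            raise ValueError(f"BEGIN {label} is closed by END {end_label}")
        i += 1
        try:
            der = base64.b64decode("".join(b64_lines), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label} block is not valid base64: {exc}") from exc
        if not der:
            raise ValueError(f"{label} block is empty")
        blocks.append((label, der))

    if not blocks:
        raise ValueError("no BEGIN/END delimited block found between the quotation marks")
    return PemArgument(blocks, trailer or None)


# Constructed sample: the "certificate" bytes are arbitrary, not a real X.509 object.
SAMPLE_DER = b"constructed sample certificate body for the parser demo"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_ARG = (
    '"\n'
    "-----BEGIN CERTIFICATE-----\n"
    + SAMPLE_B64[:40] + "\n" + SAMPLE_B64[40:] + "\n"
    "-----END CERTIFICATE-----\n"
    '" comment "certificate import example"'
)

if __name__ == "__main__":
    parsed = parse_pem_argument(SAMPLE_ARG)
    for label, der in parsed.blocks:
        print(f"{label}: {len(der)} DER bytes")
    print("trailer:", parsed.trailer)
```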
Prerequisites
l Operator or Admin access
Viewing Certificates
The appliance provides a simple way to view the following:
l Common certificate attributes, such as the name, status, and expiration date
l All certificate attributes, which include the signature and public key algorithms in
addition to the common attributes
l Certificate configuration (CLI only)
l Public key PEM string of a certificate (CLI only)
NOTE: The Web UI also displays the public key of the appliance. This key is
used to authenticate the connection between a Central Management appliance
and its managed appliances. For details, see Obtaining a Host Key Using the
Web UI on page 126.
Prerequisites
l Monitor, Operator, or Admin access
NOTE: The Keys section at the bottom of the page pertains to Secure Shell (SSH)
host key authentication. For details, see Obtaining a Host Key Using the Web UI
on page 126.
NOTE: The VX Series appliance has a CLI, but it does not have a Web UI. The
recommended method for this configuration on a VX Series appliance is through
the managing Central Management appliance Web UI.
To view certificates:
Example
The following example shows the attributes of a system self-signed certificate.
After you click system-self-signed, the following window opens. Scroll down to view all of
the data.
NOTE: In this example, the https in the address bar is crossed out because self-
signed certificates are not typically included in the trusted root of the browser.
NOTE: The command output indicates whether a private key is defined for each
certificate. Private key PEM strings are omitted for security.
Examples
Common Attributes for All Certificates
The following example shows common attributes for all certificates in the certificate
database.
hostname # show crypto certificate
Certificate with name 'server' (default-cert)
Private Key: present
Serial Number: 0x71a676d9a1j5d8a316488f9d683kkc0
SHA-1 Fingerprint: 7g04933d77491wgeg2h78d2a6f34s50cech324c78
Validity:
Starts: 2015/02/26 15:40:47
Expires: 2017/11/21 15:40:47
Issuer:
Common Name: acme-hostname
Country: US
State or Province: NY
Locality: Albany
Organization: Acme, Inc
Organizational Unit: IT
Issuer:
Common Name: Symantec Class 3 EV SSLCA - G3
Country: US
State or Province: CA
Locality: Mountain View
Organization: Symantec Corporation
Organizational Unit: Symantec Trust Network
Certificate with name 'system-self-signed'
Private Key: present
Serial Number: 0x54a623d9a1f5d7a207788f2e683ffc0
SHA-1 Fingerprint: 7k04833m77951wgjr2h94d2a6f34b60pgph984v43
Validity:
Starts: 2015/04/22 15:40:47
Expires: 2016/04/21 15:40:47
Subject:
Common Name: acme-hostname
Country: US
State or Province: CA
Locality: Milpitas
Organization: FireEye, Inc.
Organizational Unit: Network Security Management
Issuer:
Common Name: acme-hostname
Country: US
State or Province: CA
Locality: Milpitas
Organization: FireEye, Inc.
Organizational Unit: Network Security Management
Certificate Configuration
The following example shows the certificate configuration for an appliance.
hostname # show configuration
...
##
## X.509 certificates configuration
##
## Certificate name system-self-signed, ID
9c077abarhb9e10d698c98e03431bbba410965b8
## (public-cert config omitted since private-key config is hidden)
crypto certificate min-key-size 2048
crypto certificate secure-hashes-only
##
6OYnuufKkHDaCC58g7OMMeOMu11XWScCy/44q2WMs1oNhKrcQHivHilKrAXB8Str
a2bSHcWutnu1OamRmglrkFmhS10NrNUIu5OwluTO3QF7FxA1EBwqEJ/8YrKhQb4p
aL4b0xRuNleRmy4GnR/k3a7Jllf9/qnpXYWIdtkyHOqx/854wxsdOiZYU9U1ZYEe
4Es9hEk5pkRvnioS0lJZWTGmt9a0EjpgZXIMcSxukeyZ4UPKaie8gypIPtK+ia9e
vXwAvTn745uZs06piroFhIOkPkG1H4pahgdi4uPntSosmHI63i0bc9VnN7QK0Rg=
-----END CERTIFICATE-----
Prerequisites
l Operator or Admin access
NOTE: You can also download the certificate to your local file system, but there is
typically no reason to do so.
NOTE: The VX Series appliance has a CLI, but it does not have a Web UI. The
recommended method for this configuration on a VX Series appliance is through
the managing Central Management appliance Web UI.
1. Click the Settings tab on all appliances except the HX Series. On the HX Series
appliance, select Appliance Settings from the Admin menu.
2. Click Regenerate.
3. When prompted, click OK to confirm that you want to regenerate the certificate.
4. Confirm that the certificate was regenerated:
l The Time Remaining changes to 365 days, and the Expire Date changes
accordingly.
l A message at the top of the page informs you that the regeneration was
successful.
1. Click Export.
2. Verify that the system-self-signed.crt file was downloaded to your computer.
Example
The following example regenerates the system self-signed certificate and extends the
expiration date by two years.
hostname (config) # crypto certificate system-self-signed regenerate days-valid 730
hostname (config) # show crypto certificate name system-self-signed
Certificate with name 'system-self-signed'
Comment: system-generated self-signed certificate
Private Key: present
Serial Number: 0x71a676d9a1j5d8a316488f9d683kkc0
SHA-1 Fingerprint: 7g04933d77491wgeg2h78d2a6f34s50cech324c78
Validity:
Starts: 2015/04/25 20:32:50
Expires: 2017/04/22 20:32:50
...
NOTE: The VX Series appliance has a CLI, but it does not have a Web UI. The
recommended method for this configuration on a VX Series appliance is through
the managing Central Management appliance Web UI.
To import an HTTPS certificate:
11. If you want to activate the certificate, select the After import, activate checkbox.
NOTE: The certificate can be activated later, if you prefer. For details, see
Activating Named Certificates on page 240.
1. Click the Settings tab on all appliances except the HX Series. On the HX Series,
select Appliance Settings from the Admin menu.
IMPORTANT! If the certificate you import or generate will be used on the Web
server, you must specify "web-cert" as the certificate name, and then activate the
certificate as described in Activating Named Certificates on page 240. Likewise,
if the certificate will be used on the MTA, you must specify "mta-cert" as the
certificate name, and then activate the certificate.
Importing a Certificate
IMPORTANT! Do not add a private key for an MTA certificate if the certificate
was obtained using a CSR generated from the Certificate Management page in
the Web UI.
where:
l <certificateName> can be a name of your choice, but must be changed to
"web-cert" or "mta-cert" before it can be activated.
l <pemString> is the public certificate PEM string.
where:
l <certificateName> can be a name of your choice, but must be
changed to "web-cert" or "mta-cert" before it can be activated on the
Web server or MTA.
l <attribute_1>, <attribute_2>, and <attribute_n> are attribute
names, and <value> is the value of the specified attribute. For
descriptions of the attributes and values, see Defining Default
Certificate Attributes on page 273.
3. Save your changes.
hostname (config) # write memory
where <days> is the number of days before the certificate expires. If the days-valid
parameter is not included, the default attribute value is used.
3. (On the Email Security — Server Edition Appliance Only) Regenerate the MTA
certificate:
hostname (config) # crypto certificate name mta-cert regenerate [days-valid <days>]
where <days> is the number of days before the certificate expires. If the days-valid
parameter is not included, the default attribute value is used.
4. Verify your changes:
hostname (config) # show crypto certificate name web-cert
hostname (config) # show crypto certificate name mta-cert
NOTE: Because private keys are sensitive, you can export only the public key.
Examples
Importing a Certificate and Key
The following example imports a certificate and its private key.
hostname (config) # crypto certificate name acme.cert3.pem public-cert pem "
>
> -----BEGIN CERTIFICATE-----
> MIID2jJUAsKgAwIBAgIBBjANBgkqhkiG8g0BAQUFADCBsDELMAkGA1UEBhMCVVMx
> FjAUBgNVBAgTNT1hc3NhY2h1c2V0dHMxFDASBgNVBAcTC1dlc3Rib3JvdWdoMRsw
> GQYDVQQKExJUYWxsIE1hcGxlIFN5c3RlbXMxEDAOBgNVBAsTB3Rtkq1lbmcxHjAc
> BgNVBAMTFW9jdGFnb24udGFsbG1hcGxlLmNvbTEkMCIGCSqGSIb3DQEJARYVc2xh
.
.
.
> -----END CERTIFICATE-----
>
> "
Successfully installed certificate with name 'acme.cert3.pem'
Validity:
Starts: 2015/04/25 20:32:50
Expires: 2017/04/22 20:32:50
.
.
c. If you imported an existing certificate file, proceed to the next step. Otherwise,
proceed to step 6.
5. If the certificate you just imported already existed (that is, it was not obtained from a
CSR as described in the previous step), import the matching private key:
a. Click Choose File.
b. In the dialog box that opens, navigate to the private key .pem file in your
local file system.
6. Select the certificate you want to activate after it is imported.
NOTE: The certificate can be activated later, if you prefer. For details, see
Activating Named Certificates on page 240.
7. Click Commit. The certificate is added to the certificate database with the name mta-cert.
4. Provide values for the attributes in the section that opens. For descriptions of the
attributes, see Defining Default Certificate Attributes on page 273.
5. Click Commit. The certificate is added to the certificate database with the name mta-cert.
4. Provide values for the attributes in the section that opens. For descriptions of the
attributes, see Defining Default Certificate Attributes on page 273.
5. Click Commit.
6. Click Export Certificate Signing Request. A message at the top of the page informs
you that the export was successful.
7. Locate the mta-csr.crt file in your local file system, and send it to the certificate
authority (CA).
8. When you receive the certificate from the CA, import it as described in Importing an
MTA Certificate on page 235.
To export an MTA certificate:
Downloading Certificates
You can download the public and private keys for a certificate from a URL to add the
certificate to the certificate database.
Prerequisites
l Operator or Admin access
To download a certificate:
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
where:
l URL is the direct path to the certificate or private key file.
Example
This example downloads a certificate and private key, and adds it to the certificate
database with the name "newcert."
hostname (config) # crypto certificate name newcert fetch public-cert-url
http://acme/security/certs/acme.crt private-key-url
http://acme/security/certs/acme.key
Prerequisites
l Operator or Admin access.
l The named certificate is in the certificate database.
NOTE: The VX Series appliance has a CLI, but it does not have a Web UI. The
recommended method for this configuration on a VX Series appliance is through
the managing Central Management appliance Web UI.
1. Click the Settings tab on all appliances except the HX Series. On the HX Series
appliance, select Appliance Settings from the Admin menu.
2. Click Certificates/Keys in the sidebar and locate the HTTPS Configuration section.
NOTE: If you type web server certificate name ? at the command line, a list
of all certificates in the certificates database will be displayed. However, only the
"web-cert" or "system-self-signed" certificate can be activated. Likewise on the
Email Security — Server Edition appliance, if you type email-analysis mta
certificate name ? , a list of all certificates in the certificates database will be
displayed, but only the "mta-cert" or "system-self-signed" certificate can be
activated.
Example
The following example activates web-cert on the Web server, which is currently using the
system self-signed certificate.
hostname (config) # show web
l The CA certificate validates the ownership of the public key contained within the
certificate. The public key is used to establish trusted communication between the
appliance and the Web browsers running the Web UI, the Email Security — Server
Edition appliance and a downstream MTA, and the File Protect appliance and a
WebDAV server.
l The CA bundle includes the root and intermediate certificates between the holder of
the CA certificate and the public CA. This bundle constitutes the CA certificate's
chain of trust.
The example in this section creates a private 2048-bit key named fireeye.key that is
encrypted with DES3. OpenSSL is used to create the private key and the CSR.
Prerequisites
l System with OpenSSL installed
To obtain a CA certificate:
When prompted, enter a passphrase you will remember, and then enter it again to
confirm it.
2. Create an unencrypted (unlocked) copy of the private key.
OpenSSL> rsa -in fireeye.key -out fireeye-unencrypted.key
When prompted, enter the passphrase you entered in the previous step.
3. Create the CSR:
OpenSSL> req -new -key fireeye.key -out fireeye.csr
or
OpenSSL> req -new -key fireeye-unencrypted.key -out fireeye.csr
If you entered the command with the encrypted key, enter the passphrase you
provided in the first step.
If you are using the Chrome browser, you need to add the Subject Alternative Name
and Alt Names to the new key. For example:
[v3_req]
basicConstraints = CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = dnstest.dns.local
DNS.2 = dnstest
Be sure to delete the unencrypted copy of the private key after you import it into
the appliance.
NOTE: A server with a publicly issued certificate could start using a new
certificate that is not yet part of the well-known bundle. In this case, you
must add the new certificate to the default CA list as a supplemental
certificate.
By default, most SSL-enabled applications refer to the well-known bundle first, and then
look for a certificate in the default CA list. You can configure some applications to use only
the well-known bundle. For details, see the email ssl ca-list, ldap ssl ca-list, and
web client ssl ca-list commands in the CLI Reference. An exception is malware event
notifications, where the appliance automatically refers to the default CA list to verify the
identity of the server to which it posts the notifications. Another exception is email
forwarding, where the Email Security — Server Edition appliance automatically refers to
the default CA list to verify the identity of the mail server to which it forwards the emails.
Prerequisites
l Operator or Admin access
NOTE: The VX Series appliance has a CLI, but it does not have a Web UI. The
recommended method for this configuration on a VX Series appliance is through
the managing Central Management appliance Web UI.
1. Click the Settings tab on all appliances except the HX Series. On the HX Series
appliance select Appliance Settings from the Admin menu.
Example:
hostname (config) # crypto certificate name cert0 public-cert pem
"MIIEujCCA6KgAwIBAgIJAI/1cFcdOeykMA0GCSqGSIb3DQEBBQ
UAMIGZMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
YTERMA8GA1UEBxMITWlscGl0YXMTJDE3GDS9DYEDLO9EWS6Fx=..."
comment "certificate import example"
3. If you want to import a private key directly, use the following command:
hostname (config) # crypto certificate name <certName> private-key pem
"<pemString>"
Example:
hostname (config) # crypto certificate name cert1 private-key pem
"MIIEujCCA6KgAwIBAgIJAI/1cFcdOeykMA0GCSqGSIb3DQEBBQ
UAMIGZMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
YTERMA8GA1UEBxMITWlscGl0YXMTJDE3GDS9DYEDLO9EWS6Fx=..."
4. If instead you want to import the private key by entering it when prompted and
with secure echo of your response, use the following command:
hostname (config) # crypto certificate name <certName> prompt-private-key
The <certName> parameter is the unique name by which the certificate is identified.
The following example imports a private key that you enter when prompted.
hostname (config) # crypto certificate name Cert2 prompt-private-key
Format Requirements
The PEM string must be formatted in the following order:
If a comment is added, it must follow the final double quotation marks and be on the same
line. Any commentary outside the BEGIN and END delimiter strings is ignored.
The following is an example PEM string (with a truncated ASCII block):
>"
>-----BEGIN CERTIFICATE-----
>MIIEujCCA6KgAwIBAgIJAI/1cFcdOeykMA0GCSqGSIb3DQEBBQ
>UAMIGZMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
>YTERMA8GA1UEBxMITWlscGl0YXMTJDE3GDS9DYEDLO9EWS6Fx=
>.
>.
>.
>-----END CERTIFICATE-----
>
>"
Prerequisites
l Operator or Admin access
where:
l chainName is a unique name for the CA chain. This is the name you specify
when you mount the secure WebDAV share. The name must begin with a
letter or number. The remaining characters in the name can be letters,
numbers, periods (.), dashes (-), and underscores (_).
l pemChainString is the chain of PEM strings.
The brief option displays only the chain names. The detail option displays all
available certificate attributes.
Format Requirements
The PEM string must be formatted in the following order:
If a comment is added, it must follow the final double quotation marks and be on the same
line. Any commentary outside the BEGIN and END delimiter strings is ignored.
The following is an example PEM string (with a truncated ASCII block):
>"
>-----BEGIN CERTIFICATE-----
>MIIEujCCA6KgAwIBAgIJAI/1cFcdOeykMA0GCSqGSIb3DQEBBQ
>UAMIGZMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
>YTERMA8GA1UEBxMITWlscGl0YXMTJDE3GDS9DYEDLO9EWS6Fx=
>.
>.
>.
>-----END CERTIFICATE-----
>
>"
Examples
Configuring a Certificate Chain
The following example configures a SharePoint CA certificate chain that includes the root
certificate, two intermediate certificates, and the SharePoint server certificate.
hostname (config) # crypto certificate sharepoint ca-chain chain-name acme_Cert-Dec2017_share "
>
> -----BEGIN CERTIFICATE-----
> MIID2jJUAsKgAwIBAgIBBjANBgkqhkiG8g0BAQUFADCBsDELMAkGA1UEBhMCVVMx
> FjAUB+NVBAgTNT1hc3NhY2h1c2V0dHMxFDASBgNVBAcTC1dlc3Rib3JvdWdoMRsw
> GQYDVQQKExJUYWxsIE1hcGxlIFN5c3RlbXMx/DAOBgNVBAsTB3Rtkq1lbmcxHjAc
> BgNVBAMTFW9jdGFnb24udGFsbG1hcGxlLmNvbTEkMCIGCSqGSIb3DQEJARYVc2xh
...
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> HUE457jJheR86GJD3Iye987cdIYuP238DCBsDELMAkGA1UEBhMCVVMxh32Aq0iF7
> V75TYoiuY368pW+Bd8A8345Oc3PIUB4uw0821NMQaq9YEw397Ne409NCDE987c9u
> VE397gi/yTMNXd84Tuq0pie4n451r0oieRxcsWe70abcie$529omE2wXyrwR3784
> NTTdi239csUEi7dgOp391VCWetrnEp983Yr4B14Dw9URwo7NVC3xaY7vA2Aq874=
...
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> n4Qw21ou4VeTe8BE29780dv7APR2rc92g4ublselcisla5do3tGBy9873cslIExu
> v38csf8bu/w9UjeRcsltsiv3u23kd+abiY6TRB5596aqin3h4Jh423jc0oWqnr3m
> cAy65Lku53eCsD9Uo0pKmE235Dcwiyti754TDlOUnrd3677903dwr456mHjyDew7
> he3T58ET86udaUOi328VEw78Texpuy457swQmRe7ck3yswo8dmvhts52vBdl43==
...
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> 49JysE20gjaasfaMKTSIKEdycTe84mbnn4Qw21ou4Vejt4W9j6e37APR2rc92vde
> g4ublselcisla5do3tGBy9873cslI/xun471sWeid873RiuvY67Wf3873NywpYUm
> ges98R3kc+asdf7683lc09TNTD7utB2894Htdm0982JeubJyiRWe98Ldkey1slfo
> n35De89adkj;298jkgkk38GESlgisU6e3T8UBd2TIu7B184hK3rp98c1rW398vlr
...
> -----END CERTIFICATE-----
>
> " cert-comment "Acme HR SharePoint Server"
Prerequisites
l Operator or Admin access
l Web UI method: chain.pem file stored on your local machine
NOTE: The VX Series appliance has a CLI, but it does not have a Web UI. The
recommended method for this configuration on a VX Series appliance is through
the managing Central Management appliance Web UI.
1. Click the Settings tab on all appliances except the HX Series. On the HX Series
appliance, select Appliance Settings from the Admin menu.
1. Click the Settings tab on all appliances except the HX Series. On the HX Series
appliance, select Appliance Settings from the Admin menu.
where:
l chainName is a unique name for the CA chain. The name must begin with a
letter or number. The remaining characters in the name can be letters,
numbers, periods (.), dashes (-), and underscores (_).
l pemChainString is the chain of PEM strings.
1. Go to CLI enable mode:
hostname > enable
The brief option displays only the chain names. The detail option displays all
available certificate attributes.
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
Format Requirements
The PEM string must be formatted in the following order:
If a comment is added, it must follow the final double quotation marks and be on the same
line. Any commentary outside the BEGIN and END delimiter strings is ignored.
The following is an example PEM string (with a truncated ASCII block):
>"
>-----BEGIN CERTIFICATE-----
>MIIEujCCA6KgAwIBAgIJAI/1cFcdOeykMA0GCSqGSIb3DQEBBQ
>UAMIGZMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
>YTERMA8GA1UEBxMITWlscGl0YXMTJDE3GDS9DYEDLO9EWS6Fx=
>.
>.
>.
>-----END CERTIFICATE-----
>
>"
Examples
Configuring a Certificate Chain
The following example configures the "apache03" Web server CA certificate chain that
includes two intermediate CAs and the root certificate.
hostname (config) # crypto certificate ca-chain chain-name web-server pem-bundle apache03 "
>
> -----BEGIN CERTIFICATE-----
> MIID2jJUAsKgAwIBAgIBBjANBgkqhkiG8g0BAQUFADCBsDELMAkGA1UEBhMCVVMx
> FjAUB+NVBAgTNT1hc3NhY2h1c2V0dHMxFDASBgNVBAcTC1dlc3Rib3JvdWdoMRsw
> GQYDVQQKExJUYWxsIE1hcGxlIFN5c3RlbXMx/DAOBgNVBAsTB3Rtkq1lbmcxHjAc
> BgNVBAMTFW9jdGFnb24udGFsbG1hcGxlLmNvbTEkMCIGCSqGSIb3DQEJARYVc2xh
...
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> HUE457jJheR86GJD3Iye987cdIYuP238DCBsDELMAkGA1UEBhMCVVMxh32Aq0iF7
> V75TYoiuY368pW+Bd8A8345Oc3PIUB4uw0821NMQaq9YEw397Ne409NCDE987c9u
> VE397gi/yTMNXd84Tuq0pie4n451r0oieRxcsWe70abcie$529omE2wXyrwR3784
> NTTdi239csUEi7dgOp391VCWetrnEp983Yr4B14Dw9URwo7NVC3xaY7vA2Aq874=
...
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> 49JysE20gjaasfaMKTSIKEdycTe84mbnn4Qw21ou4Vejt4W9j6e37APR2rc92vde
> g4ublselcisla5do3tGBy9873cslI/xun471sWeid873RiuvY67Wf3873NywpYUm
> ges98R3kc+asdf7683lc09TNTD7utB2894Htdm0982JeubJyiRWe98Ldkey1slfo
> n35De89adkj;298jkgkk38GESlgisU6e3T8UBd2TIu7B184hK3rp98c1rW398vlr
...
> -----END CERTIFICATE-----
>
> "
Validity:
...
Subject:
Issuer:
Common Name: xxx-intermediate
...
Validity:
...
Subject:
Common Name: xxx-intermediate
...
Issuer:
Common Name: xxx-root-ca
...
Validity:
...
Subject:
Common Name: xxx-root-ca
...
Issuer:
Common Name: xxx-root-ca
...
where:
l chainName is a unique name for the CA certificate chain. The name must
begin with a letter or number. The remaining characters in the name can be
letters, numbers, periods (.), dashes (-), and underscores (_).
3. Verify your change:
hostname (config) # show web
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
Example
The following example activates the "apache01" certificate chain.
hostname (config) # web server ssl ca-chain apache01
l Root certificate: The certificate is self-signed and the Subject type=CA field is in its
Basic Constraints section.
Verification will fail if the certificate cannot find its issuer certificate or if the issuer
certificate is not trusted by the system.
For example, each endpoint and intermediate CA in a Web server certificate chain obtains
its authority from its issuer certificate, which is the next CA in the chain. The certificates
are installed in a bundle, and must be ordered from the intermediate CA that issued the
endpoint certificate, the other intermediate certificates, and finally through to the root CA (if
any). However, because the issuer certificates are not yet in the supplemental CA list, each
intermediate CA will fail the initial verification check as it is added to the certificate
database. After you add the issuer certificates to the supplemental CA list, you can
manually verify the certificate chain.
This topic describes how to manually verify a certificate chain, an individual certificate, or
a certificate bundle after the issuer certificates are installed and added to the supplemental
CA list.
Prerequisites
l Operator or Admin access
Example
The following example installs the "apache02" Web server CA certificate chain. It shows
that the "apache02-1" and "apache02-2" intermediate certificates failed verification, and the
"apache02-3" self-signed root certificate passed verification. It then adds the two issuer
certificates (apache02-03 and apache02-02) to the supplemental CA list, and manually
verifies the chain.
ex-04 (config) # crypto certificate ca-chain chain-name web-server pem-bundle
apache02 "
>
>-----BEGIN CERTIFICATE-----
...
>-----END CERTIFICATE-----
>-----BEGIN CERTIFICATE-----
...
>-----END CERTIFICATE-----
>-----BEGIN CERTIFICATE-----
...
>-----END CERTIFICATE-----
>
> "
Certificate notice: certificate name apache02-1, ID 6xxxxxx could not be
verified: unable to get issuer certificate
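The following Python model is an added illustration of the verification behaviour described in this topic and of the min-key-size and secure-hashes-only settings shown earlier; it is not appliance code. Each certificate is reduced to its name, subject, issuer, CA flag, key size and signature algorithm (no real X.509 parsing); the "apache02" certificates and the legacy SHA-1 CA are constructed samples, and the notice wording follows the "could not be verified: unable to get issuer certificate" message above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Signature algorithms accepted when "crypto certificate secure-hashes-only" is set.
SECURE_HASHES = {"sha256WithRSAEncryption", "sha384WithRSAEncryption",
                 "sha512WithRSAEncryption"}


@dataclass(frozen=True)
class Cert:
    name: str                 # certificate name in the appliance database
    subject: str              # Subject Common Name
    issuer: str               # Issuer Common Name
    ca: bool = False          # Basic Constraints: subject type = CA
    key_bits: int = 2048
    sig_alg: str = "sha256WithRSAEncryption"

    @property
    def is_root(self) -> bool:
        # A root certificate is self-signed and marked as a CA.
        return self.ca and self.subject == self.issuer


@dataclass(frozen=True)
class Policy:
    min_key_size: int = 2048          # crypto certificate min-key-size 2048
    secure_hashes_only: bool = True   # crypto certificate secure-hashes-only


def verify_cert(cert: Cert, supplemental: Dict[str, Cert], policy: Policy) -> Optional[str]:
    """Return None if the certificate verifies, else a notice in the appliance's wording."""
    prefix = f"certificate name {cert.name} could not be verified: "
    if cert.key_bits < policy.min_key_size:
        return prefix + f"key size {cert.key_bits} is below the minimum of {policy.min_key_size}"
    if policy.secure_hashes_only and cert.sig_alg not in SECURE_HASHES:
        return prefix + f"signature algorithm {cert.sig_alg} is not a secure hash"
    if cert.is_root:
        return None
    issuer = supplemental.get(cert.issuer)   # issuers are looked up in the supplemental CA list
    if issuer is None:
        return prefix + "unable to get issuer certificate"
    if not issuer.ca:
        return prefix + f"issuer certificate {issuer.name} is not a CA"
    return None


def install_bundle(bundle: List[Cert], supplemental: Dict[str, Cert], policy: Policy) -> List[str]:
    """Check each certificate as it is added; issuers missing from the supplemental list fail."""
    return [n for n in (verify_cert(c, supplemental, policy) for c in bundle) if n is not None]


def add_to_supplemental(supplemental: Dict[str, Cert], *certs: Cert) -> Dict[str, Cert]:
    """Model adding issuer certificates to the supplemental CA list (keyed by subject name)."""
    return {**supplemental, **{c.subject: c for c in certs}}


def check_bundle_order(bundle: List[Cert]) -> List[str]:
    """The bundle must run from the CA that issued the endpoint certificate up to the root."""
    problems = []
    for here, nxt in zip(bundle, bundle[1:]):
        if here.issuer != nxt.subject:
            problems.append(f"{here.name} is issued by '{here.issuer}' but is followed by "
                            f"{nxt.name} ('{nxt.subject}')")
    return problems


def verify_chain(bundle: List[Cert], supplemental: Dict[str, Cert], policy: Policy) -> List[str]:
    """Manual verification once the issuers are in the supplemental CA list: order plus per-cert checks."""
    return check_bundle_order(bundle) + install_bundle(bundle, supplemental, policy)


# Constructed sample mirroring "apache02": two intermediates and a self-signed root.
APACHE02 = [
    Cert("apache02-1", subject="xxx-intermediate-1", issuer="xxx-intermediate-2", ca=True),
    Cert("apache02-2", subject="xxx-intermediate-2", issuer="xxx-root-ca", ca=True),
    Cert("apache02-3", subject="xxx-root-ca", issuer="xxx-root-ca", ca=True),
]
# A constructed legacy CA that secure-hashes-only rejects.
LEGACY = Cert("legacy-ca", subject="legacy-ca", issuer="legacy-ca", ca=True,
              sig_alg="sha1WithRSAEncryption")


def demo() -> tuple:
    policy = Policy()
    first_pass = install_bundle(APACHE02, {}, policy)           # -1 and -2 fail, -3 passes
    supplemental = add_to_supplemental({}, APACHE02[2], APACHE02[1])
    second_pass = verify_chain(APACHE02, supplemental, policy)   # nothing left to report
    return first_pass, second_pass


if __name__ == "__main__":
    first, second = demo()
    for notice in first:
        print("Certificate notice:", notice)
    print("manual verification:", second or "chain verified")
```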
l Increase the key size to strengthen the certificate signatures.
l Specify that only secure hash signature algorithms (sha256WithRSAEncryption,
sha384WithRSAEncryption, or sha512WithRSAEncryption) be used. Certificates
with the sha1WithRSAEncryption signature algorithm will be removed from the
default CA list, and from the Web server and MTA.
You can also modify the minimum Transport Layer Security (TLS) version that should be
used.
Prerequisites
l Operator or Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
NOTE: To remove the requirement for secure hashes, use the no crypto
certificate secure-hashes-only command.
If you have HX Series 3.3 or later installed, the Web TLS version also applies to
ports 443 and 6800 (in addition to port 3000 for the Web UI). If you need to verify
this, use an external network mapping and auditing tool such as Qualys or
Nmap.
Web preferences:
Global alerts auto refresh enabled: yes
HTTPS client minimum protocol version: TLSv1
HTTPS client cipher list: compatible
The HTTPS minimum protocol version line shows the minimum version
requirement for TLS for the appliance.
The contents of the log file that mention tls will be displayed. For example:
Apr 3 09:29:31 <hostname> mgmtd[5598]: [211771.546] [mgmtd.INFO]: Forking then execing binary /usr/bin/python with argc 14,argv "/usr/bin/python /opt/fireeye/share/sfserver/scripts/nginx_configurator.py --ssl_min_version tls1.2 --is_dmz 0 --prov_cert_enabled 1
where:
l <value> is tls1 (TLS v1), tls1.1 (TLS v1.1), or tls1.2 (TLS v1.2). The
default is tls1.2.
3. Verify your change:
hostname (config) # show web
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
2. Reset the minimum TLS version requirement to the default (TLS v1.2):
hostname (config) # no web server ssl min-version
Example
The following example sets the minimum TLS version requirement to TLS v1.2.
hostname (config) # web server ssl min-version tls1.2
Prerequisites
l Operator or Admin access
Attribute: Time Remaining
Web UI Field: Days before expiration
CLI Keyword: days-valid
Description: The number of days until the certificate will expire.

Attribute: Expire Date
Web UI Field: Expire Date
CLI Keyword: —
Description: The date and time the certificate will expire.

Attribute: Serial Number
Web UI Field: Serial Number
CLI Keyword: serial-num
Description: A unique number that the issuer assigned to the certificate.

Attribute: Private Key
Web UI Field: —
CLI Keyword: Private Key
Description: Whether a matching private key for the certificate is present.

Attribute: Subject Public Key Algorithm
Web UI Field: Public Key Algorithm
CLI Keyword: Subject Public Key Algorithm
Description: The general type of public key algorithms that are allowed. Valid values are id-ecPublicKey (unrestricted elliptic curve algorithms, defined in RFC 5480) and rsaEncryption (RSA encryption algorithms, defined in RFC 2437).
Prerequisites
l Operator or Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
3. Repeat the previous step for each attribute you want to change.
4. Save your changes.
hostname (config) # write memory
Example
This example changes the organizational unit to Information Technology. It then
regenerates the web-cert certificate to apply the updated attribute value, and displays the
certificate to verify the change.
hostname (config) # crypto certificate generation default org-unit "Information Technology"
l You want to use a named certificate with a private key as the Web server certificate.
Because the Web server requires a certificate with the reserved name of web-cert, you
must rename it before activating it.
l Reusing a certificate name for convenience.
l Saving an older certificate with another name as a backup.
Each certificate name must be unique, so the renaming operation fails if a certificate with
the same name already exists.
Prerequisites
l Operator or Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
Example
The following example renames the "server" certificate to "web-cert" so it can be activated
for the Web server, and then activates it.
hostname (config) # crypto certificate name server rename web-cert
hostname (config) # web server certificate name web-cert
OIDC Clients
To be accessible to your IAM organization, a product must be registered under your IAM
organization as an OIDC client and provide information about itself to the FireEye IAM
authentication server. End users who enroll in the FireEye IAM service can authenticate to
OIDC clients to gain access to their services. OIDC clients can verify the identity of an end
user based on the authentication performed by the FireEye IAM authentication and
authorization server in the FireEye public cloud. Authenticated users have specific access
privileges on specific resource types based on product-specific roles assigned to their
accounts.
l IAM Admin―This role enables the user to configure the IAM organization, access
control policies, and user accounts. See IAM Admin Role on page 412.
l Helix―These roles give the user full access to the incident detection and resolution
tracking console. This is described in Entitlements for Helix Roles on page 426.
l FireEye appliances―These roles give the user full access to all FireEye appliances
and services in the IAM organization. This is described in Entitlements for the
FireEye Appliance Roles on page 494.
Before you can use FireEye IAM authentication and authorization services, the IAM
organization administrator must log in to the IAM Web UI and configure the organization
and provision user access. The default user credentials were provided to you by FireEye.
For additional login information, see FireEye IAM Web UI Access on page 285. Minimum
configuration steps are described in FireEye IAM Initial Configuration Task List on
page 290.
NOTE: The default organization administrator can create IAM Admin users and
delegate to them the task of creating the other user accounts.
Roles
FireEye IAM uses roles to control what users can see and do on the products (the
services and applications) in an IAM organization. A role specifies permissions for
accessing a product type (FireEye appliances or Helix). To allow a user to have certain
access permissions on a certain product type, an administrator assigns a role to the
user account.
A set of system-defined roles, called global roles, grants capabilities that correspond to
the set of roles used to control access to FireEye appliances and services through their
local user accounts. Global roles are provided for accessing supported FireEye
appliances, for accessing Helix, and for accessing the FireEye IAM Web UI.
If other combinations of permissions are required for accessing the FireEye IAM
Web UI or Helix, you can create your own custom roles that are internal to your own
IAM organization.
Entitlements
FireEye IAM uses entitlements to map roles to user access permissions. Entitlements
are system-defined entities that map a product type to one or many specific access
permissions.
The FireEye IAM Web UI and Helix (previously known as the Threat Analytics
Platform, or TAP) have entitlements, each of which represents an individual, fine-grained
user access privilege. The global roles for these products therefore map to multiple
entitlements. For details, see Entitlements for the FireEye IAM Web UI Roles on
page 411 and Entitlements for Helix Roles on page 426.
Each role for a FireEye appliance maps to a single entitlement that represents multiple
access privileges. For details, see Entitlements for the FireEye Appliance Roles on
page 494.
User Accounts
The FireEye IAM organization administrator creates user accounts to allow network
security staff to access the FireEye IAM Web UI, Helix, and supported FireEye
appliances. A user account contains information such as email address, group
memberships, and entitlements that grant access to a single product type or multiple
product types. For more information, see FireEye IAM User Accounts on page 333.
Before a user can log in to a new account, the account must be enrolled in the IAM
organization at a self-service enrollment Web site. For details, see Managing Your Own
FireEye IAM User Account on page 293.
User Groups
To grant the same access privileges to a set of user accounts, an IAM Admin can create a
user group. A user group grants its members the combined access privileges specified
by multiple sources:
l Roles assigned to each user account that is assigned to the user group
Terms of Service
The FireEye end user license agreement (EULA) governs the use of FireEye products. After
logging in to the IAM Web UI, users must read and accept the EULA if the previously
accepted agreement is older than the current version. User acceptance of the EULA is
logged as an IAM audit event.
You can view the current terms of service at any time in the Legal Terms & Conditions page
of the FireEye corporate website:
https://www.fireeye.com/company/legal.html
NOTE: The enrollment process for new IAM accounts includes initial login to the
IAM Web UI. See Enrolling Your New FireEye IAM User Account on page 295.
1. In a browser, go to the FireEye IAM login page for your geographical location:
l https://console.us.fireeye.com
l https://console.eu.fireeye.com
2. Enter your IAM account user name (your email address) and password.
In the following example, the user is entering a one-time passcode that was sent in
an SMS text message.
For information about logging in to the IAM Web UI when 2FA is enabled, see the
following topics under Managing Your Own FireEye IAM User Account on
page 293:
l About Two-Factor Authentication on page 306
l Setting Up a Smartphone as a Two-Factor Authentication Device on page 307
l Resetting Two-Factor Authentication on Your Smartphone on page 309
l Generating Two-Factor Authentication Codes in Advance on page 310
4. If the Terms and Conditions for FireEye Offerings page appears, you can click the
Expand icon next to the document update date to open the FireEye Legal Terms
& Conditions in a separate browser tab.
1. Click your avatar (or the default avatar) in the upper right corner of any page.
2. Select Logout.
Task | Description
View global roles | View the global (system-defined) IAM roles and their entitlements. System-defined roles provided by FireEye IAM correspond to the capabilities granted by the roles implemented on FireEye Central Management, Email Security — Server Edition, Network Security, and Endpoint Security appliances and on cloud-based Helix. Global roles are designed to support the functions that your information security team already performs using those products.
Add custom roles | (Optional) If you need different groupings of entitlements for IAM Web UI roles or Helix roles, create IAM custom roles. See FireEye IAM Roles on page 321.
Provision Users
Create user accounts | Create an IAM account for every user that needs access to OIDC clients. Specify the user's email address; configure access controls by assigning roles and optional groups; invite the user to enroll.
Create user groups | (Optional) To manage multiple users at once, create an IAM user group and assign roles to the user group. If you add to the user group a user account that has other roles that were assigned directly, those roles are added to the user group implicitly. See FireEye IAM User Groups on page 359.
The tasks described in this section of the guide require only IAM User access. Other tasks
that require only IAM User access are described in other parts of the guide:
Account Enrollment
When your FireEye IAM account is created, you receive an email message that provides a
link to a self-service enrollment Web site. Your user access privileges are managed by your
IAM organization administrator. At the enrollment site, you configure additional account
information:
l Account password
You can update this information at any time. See Changing the Password for Your IAM
User Account on page 305 and Setting User Information and Preferences for Your IAM
Account on page 299.
Phone Number
Your user preferences include your phone number. If two-factor authentication is enabled
for your IAM organization, you must enter a one-time use verification code as a part of
your login process. FireEye IAM sends verification codes to this phone number through
SMS text messages or voice calls.
If you install the Google Authenticator mobile app on your smartphone, the app generates
verification codes for your IAM user account, even when your smartphone has no phone or
data connectivity.
The enrollment link is single-use only, and you need to complete your enrollment in a
single session. If you lose your enrollment link, or if your link is no longer valid, contact an
IAM organization administrator and request a re-enrollment link.
NOTE: The link to the enrollment site is tied to your IAM account, and it cannot be
used to enroll another user account.
At the self-enrollment site, you create a password, enter a nickname, select a job title, enter
a phone number, and set your language and local time zone.
Be sure to enter the phone number to which you want IAM to send verification codes for
two-factor authentication. When you configure or change this phone number, IAM sends a
test message to the device so you can verify the number you configured. If 2FA is enabled,
the enrollment process prompts you to generate a set of ten verification codes as a backup
measure.
Finally, to verify your account credentials, the enrollment process prompts you to log in to
the FireEye IAM Web UI using your email address (the address to which the enrollment
invitation was sent) and the password you just created.
Prerequisites
l You have received an invitation to enroll in your FireEye IAM organization.
l You have your phone with you so that you can verify the number.
1. Open the email containing the invitation to enroll in the IAM organization.
2. Click Enroll.
3. Enter your email address―the email address that received the enrollment
invitation―and click Next.
In the following example, the message at the bottom of the dialog box informs you
that 2FA is enabled for your IAM organization.
a. Click Confirm your SMS text code. A verification code is sent to the phone
number you entered in the previous step.
b. When you are prompted, enter the verification code that was sent to your
phone, and then click Next. A list of verification codes appears.
c. Click Download, save the verification codes, and then click Next.
7. Click Next.
8. Log in to the IAM Web UI. For details, see FireEye IAM Web UI Access on page 285.
The following table describes the panels and fields in the User Information view:
Panel and Fields | Description
User Information
Nickname | (Optional)
Job Title | (Optional)
Contacts
Prerequisites
l IAM Admin or IAM User access to the FireEye IAM Web UI.
To set user information and preferences for your FireEye IAM account:
1. Select My Settings > Profile to go to the Manage User Information and Preferences
page.
2. Click Edit to change from view to edit mode.
3. To upload or update your avatar, click the upload icon and select the avatar file
from your local drive.
4. To change your nickname, click the Enter Nickname field and enter a new
nickname.
5. To change your job title, click Enter Job Title field and enter or select a new job title.
6. To change your time zone, select a new time zone from the Select Time Zone field.
7. To change your Preferred Notification Method, select a method from the list.
8. To change your Preferred Language, select English or Japanese from the list.
NOTE: Selecting Japanese causes sections of the Helix Web UI to be
displayed in Japanese. To see the change take effect, log out of Helix and
then log in again.
If you did not receive the email message, or if the link expired, click Re-send.
13. To change the primary phone number on your account, select the Primary option for
that number.
14. To delete a phone number from your account, click the settings icon for that phone
number, and then click Remove.
d. Enter the password in the SMS Text Authentication dialog box, and then click
Verify.
If you did not receive the SMS text message, or if the code expired, click
Resend Verification.
Prerequisites
l You are able to log in to your IAM organization
The page displays the login history information for your user account. The following
information is provided about each login:
l IP Address
l Date & Time (UTC)
Prerequisites
l IAM Admin or IAM User access to the FireEye IAM Web UI.
Two-Factor Authentication
Two-factor authentication (2FA) is an optional second layer of security for logging in to
FireEye IAM user accounts in an IAM organization. If 2FA is enabled and enforced, even if
someone manages to steal your password, your user name and password credentials are
not sufficient to log in to your account. Two-factor authentication requires a user to provide
an additional verification that only the user can obtain using their smartphone.
When you log in to a FireEye IAM user account that is secured with 2FA, you begin by
entering your user name and password (knowledge factor) as you would normally. The
login page prompts you to enter a single-use verification code (possession factor). The code
is sent to your mobile device by SMS text message or voice call.
After you enter the verification code, you are authenticated and you are logged in to your
account.
Prerequisites
l A supported mobile device. Refer to the FireEye IAM Release Notes.
l A Google account.
l IAM Admin or IAM User access to the FireEye IAM Web UI.
7. Follow the instructions in the Google Account Help page "Install Google
Authenticator" for installing and configuring the Google Authenticator app on your
device.
Prerequisites
l A supported mobile device. Refer to the FireEye IAM Release Notes.
l IAM Admin or IAM User access to the FireEye IAM Web UI.
6. Click Reset.
7. Scan the QR code into your smartphone, and then click Next.
a. Click Enter code from your smartphone. A verification code is sent to the
phone number configured for your account.
b. When you are prompted, enter the verification code that was sent to your
phone, and then click Verify.
Prerequisites
l IAM Admin or IAM User access to the FireEye IAM Web UI.
5. Click Generate Backup Codes. Each code allows you to log in to your FireEye IAM
account one time.
Single-Factor Authentication
A FireEye IAM account is always secured using the account user name specified by the
administrator, combined with the password created by the user during self-enrollment in
the organization.
Two-Factor Authentication
If the IAM organization is additionally secured by a two-factor authentication (2FA) policy,
a user establishes identity by providing the user name and password followed by up to
three one-time passcodes. By default, all three two-factor authentication options are
Not Enabled, meaning that the IAM organization does not use 2FA.
FireEye IAM supports Google 2-Step Verification. With a smartphone enrolled as a Google
two-factor authentication device, the user obtains a one-time-use password from the Google
Authenticator mobile app, an SMS text message, a voice call, or some combination of the
three. If the Google Authenticator mobile app is installed on the user's phone, passwords
can be generated even when no Internet connection or mobile service is available. In case
the authentication device is not available, the user can use a one-time-use password from a
set of backup codes that was generated and stored ahead of time.
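The reason an authenticator app keeps working with no phone or data connection is that each code is derived only from a secret shared at enrollment and the current time (RFC 6238 TOTP, which Google Authenticator implements with HMAC-SHA1, 30-second steps and 6 digits), and the reason backup codes work at all is that the server keeps a list of one-time values it can burn on use. The Python below is an added example, not FireEye or Google code; it uses only the standard library, takes its secret from the RFC 4226/6238 test vectors rather than a real enrollment, and the backup-code store's hashing parameters are this example's own choice rather than anything the guide specifies.

```python
"""TOTP (RFC 6238) and single-use backup codes, standard library only.

Added example; not FireEye or Google code. The parameters are the RFC 6238
defaults that Google Authenticator uses (HMAC-SHA1, 30 s step, 6 digits).
RFC_TEST_SECRET is the RFC 4226/6238 test key, not a real enrollment secret.
"""
import base64
import hashlib
import hmac
import os
import secrets
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"  # RFC 4226 Appendix D / RFC 6238 SHA-1 test key


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step). Needs a clock, not a network."""
    at = int(time.time()) if at is None else int(at)
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at=None, step=30, window=1):
    """Accept the current step plus or minus `window` steps to tolerate clock drift."""
    at = int(time.time()) if at is None else int(at)
    return any(hmac.compare_digest(hotp(secret, at // step + k), code)
               for k in range(-window, window + 1))


def provisioning_secret(secret):
    """Base32 form of the secret, which is what the enrollment QR code carries."""
    return base64.b32encode(secret).decode()


def generate_backup_codes(count=10, digits=8):
    """`count` distinct numeric one-time codes (the guide describes a set of ten)."""
    codes = set()
    while len(codes) < count:
        codes.add(f"{secrets.randbelow(10 ** digits):0{digits}d}")
    return sorted(codes)


class BackupCodeStore:
    """Server-side store that keeps only salted, stretched hashes and burns a code on use.

    Short numeric codes are trivial to recover from a fast unsalted hash, so
    each is stretched with PBKDF2; the iteration count is this example's choice.
    """
    ITERATIONS = 50_000

    def __init__(self, codes):
        self._salt = os.urandom(16)
        self._hashes = {self._hash(c) for c in codes}

    def _hash(self, code):
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, self.ITERATIONS)

    def redeem(self, code):
        """True exactly once per code; a replayed or unknown code is rejected."""
        h = self._hash(code)
        if h in self._hashes:
            self._hashes.discard(h)
            return True
        return False

    def remaining(self):
        return len(self._hashes)
```

Two details matter operationally. The verification window is what makes a slightly wrong phone clock tolerable and is also why a code stays valid for up to about 90 seconds, so a code that has been seen once should additionally be rejected on replay within that window. And because backup codes bypass the possession factor, the store treats them like passwords: hashed, salted and consumed on first use, which is the behaviour behind the "one time" wording in the guide.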
The following table describes the configurable fields in the Organization Settings page:
Field | Description
Allowed email domains | (Optional) A comma-separated list of email domains allowed for user accounts. Default: No domains are specified (all email domains are allowed).
Authentication Policy
Minimum policies | (Optional) The minimum number of user identity factors required, including the mandatory knowledge factor (the user password). Increment this value for each possession factor in your policy. Range: 1–4. Default: 1 (single-factor authentication only).
(Optional) Override the default value of any of the two-factor authentication (2FA) settings. 2FA is disabled by default: all 2FA options are Not Enabled and Minimum Policies is 1. If any 2FA options are Mandatory, users must provide those possession factors to authenticate. If two or more 2FA options are Enabled, users can provide any one of them.
One-Time Password | The policy for using one-time-use passwords generated by the Google Authenticator app on an Android, BlackBerry, or iPhone device: Mandatory, Enabled, or Not enabled (default).
Text Message | The policy for using one-time-use passwords sent by SMS message: Mandatory, Enabled, or Not enabled (default).
Voice Call | The policy for using one-time-use passwords sent by voice call: Mandatory, Enabled, or Not enabled (default).
Password Policy
Expiration Details
(Optional) Override the default value of any of the following expiration times. Specify expiration times in units of seconds, minutes, hours, days, or years by appending the letter s, m, h, d, or y.
Prerequisites
l You have read and understand Security in a FireEye IAM Organization on page 313
and FireEye IAM Organization Settings on page 315.
l You have chosen values for the organization settings listed at the beginning of this
procedure.
l You have IAM Admin access to the FireEye IAM Web UI.
6. (Optional) Use the Set the options for two-factor authentication section of the page
to configure options for two-factor authentication. Refer to the table in FireEye IAM
Organization Settings on page 315.
a. In the Minimum Policies field, select the total number of user identity factors
required.
b. Configure the options requiring users to enter a one-time password (OTP).
Google OTPs can be obtained through different devices.
Configure the two-factor authentication policy by setting the values for the
device options:
l To forgo two-factor authentication, leave all of the 2FA options set to
Not Enabled and leave the Minimum Policies value set to 1. This is
not recommended.
l To require users to enter a password obtained through a particular
type of authentication device, set that option to Mandatory and
increment the Minimum Policies value.
l To allow users to enter a password obtained through an authentication
device of their choice, set those two or three options to Enabled.
7. (Optional) Customize the user password complexity policy by selecting only the
requirements you want enforced. The default FireEye Policy specifies that all of the
requirements must be enforced.
Configure the password policy for users in your organization. Refer to the table in
FireEye IAM Organization Settings on page 315.
8. (Optional) Customize the following expiration times, as described in the table that
begins at FireEye IAM Organization Settings on page 315.
l Web UI session tokens
l User enrollment links
l API key
9. Click Update Organization.
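The relationship between Minimum Policies and the three device options is easy to get wrong in the form: a Mandatory option that was not matched by an increment is silently weaker than intended, and a Minimum Policies value higher than the options can supply locks everyone out. The Python below is an added example built from the Organization Settings table and the procedure above; it is not FireEye code and calls no IAM API. The option names (otp, sms, voice), the three policy states and the 1 to 4 range come from the table; the consistency rules in validate_policy() and the function names are this example's own, and parse_expiration() takes one year as 365 days, which the guide does not state.

```python
"""Check an IAM-style two-factor policy and evaluate a login against it.

Added example built from the Organization Settings described in the guide;
not FireEye code. Option names, the three policy states and the Minimum
Policies range come from the table; the consistency rules and function
names are this example's own.
"""
MANDATORY, ENABLED, NOT_ENABLED = "Mandatory", "Enabled", "Not enabled"
OPTIONS = ("otp", "sms", "voice")   # Google Authenticator OTP, SMS text, voice call
PASSWORD = "password"               # the knowledge factor, always factor number one


def _state(options, name):
    return options.get(name, NOT_ENABLED)


def validate_policy(minimum_policies, options):
    """Return the list of configuration problems; an empty list means coherent.

    The password is always one factor; each Mandatory option adds one factor;
    any Enabled options together can add only one (the user picks one of them).
    """
    problems = []
    if not 1 <= minimum_policies <= 4:
        problems.append("Minimum Policies must be within the range 1-4")
    mandatory = [o for o in OPTIONS if _state(options, o) == MANDATORY]
    enabled = [o for o in OPTIONS if _state(options, o) == ENABLED]
    if minimum_policies < 1 + len(mandatory):
        problems.append("Minimum Policies was not incremented for every Mandatory option")
    ceiling = 1 + len(mandatory) + (1 if enabled else 0)
    if minimum_policies > ceiling:
        problems.append(f"Minimum Policies {minimum_policies} exceeds the {ceiling} factor(s) "
                        "the configured options can supply; no user could log in")
    if not mandatory and not enabled:
        problems.append("all 2FA options are Not enabled: single-factor only (not recommended)")
    return problems


def authenticate(minimum_policies, options, presented):
    """Decide whether the factors in `presented` (e.g. {'password', 'sms'}) satisfy the policy.

    Returns (ok, reason). A factor the organization has not enabled is ignored
    rather than counted, so it can never substitute for a required one.
    """
    if PASSWORD not in presented:
        return False, "password is always required"
    counted = {PASSWORD}
    for o in OPTIONS:
        state = _state(options, o)
        if state == MANDATORY and o not in presented:
            return False, f"{o} is Mandatory for this organization"
        if state != NOT_ENABLED and o in presented:
            counted.add(o)
    if len(counted) < minimum_policies:
        return False, f"{len(counted)} factor(s) accepted, policy requires {minimum_policies}"
    return True, "ok"


# Units for the Expiration Details fields; a year is taken as 365 days (assumption).
EXPIRATION_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "y": 365 * 86400}


def parse_expiration(value):
    """Turn an Expiration Details value such as '12h' or '7d' into seconds."""
    value = value.strip()
    if len(value) < 2 or value[-1] not in EXPIRATION_UNITS or not value[:-1].isdigit():
        raise ValueError(f"{value!r}: expected digits followed by one of s, m, h, d, y")
    return int(value[:-1]) * EXPIRATION_UNITS[value[-1]]
```

Running validate_policy() on the values you intend to enter, before clicking Update Organization, catches the two misconfigurations above; authenticate() is the same policy read from the login side, which is the useful mental model when reviewing IAM audit events for a user who was let in with fewer factors than expected.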
About Roles
Role-based access controls determine what users can see and do on OIDC clients in the
IAM organization. A role associates a product-specific job function with the
product-specific access privileges needed to perform that job. On an Email Security — Server
Edition appliance, for example, the Analyst role grants users the privileges necessary to
perform email malware analysis tasks.
User accounts can be assigned roles for more than one product type, and they typically are.
A user can be assigned multiple roles for accessing the FireEye Web UI or Helix Web UI.
For access to FireEye appliances, a user is typically assigned a role for each product type in
the IAM organization.
Global Roles
FireEye IAM provides a comprehensive set of system-defined roles, called global roles, for
granting user access to its own Web UI and also to the products that integrate with IAM:
Helix and supported FireEye products. Global roles grant product-specific user access
permissions that are geared toward a job function pertaining to that product. The IAM
global roles and the permissions they grant are described in FireEye IAM Entitlements on
page 409.
Global roles are created automatically when FireEye creates an IAM organization, and they
cannot be modified or deleted.
Custom Roles
For the IAM Web UI and Helix, if none of the global roles match your workflow
needs, a FireEye IAM administrator can create custom roles for the IAM organization. For
more information, see Creating a Custom Role on page 326.
FireEye IAM does not support custom roles for FireEye appliances.
Fallback Roles
The IAM roles for FireEye appliances include six roles that grant access privileges needed
to perform a specific job function: Admin, Analyst, Auditor, Monitor, Operator, or Reject.
These job-specific roles are product-agnostic rather than product-specific. Each role grants
job-specific access privileges for all supported FireEye appliance types: CM Series,
EX Series, NX Series, and HX Series appliances. The roles act as "fallback roles" because a
FireEye appliance will apply a fallback role only for users that are not assigned any
appliance-specific roles.
For details, see Fallback Roles for FireEye Appliances on page 504.
About Entitlements
Each role is associated with one or more entitlements. An entitlement specifies that a
service (such as the FireEye IAM Web UI) or an application (such as a Central
Management appliance) can access a particular resource or feature to perform a particular
action.
NOTE: Each application or service that integrates with FireEye IAM has its own
set of entitlements.
For more information, see Entitlements for the FireEye IAM Web UI Roles on page 411
and Entitlements for Helix Roles on page 426.
Appliance entitlement names take the form <service>.role.<action>.
Each role for a FireEye appliance maps to a single entitlement that represents multiple
access privileges. Examples:
l cms.role.analyst―Analyst privileges on a Central Management appliance.
l appliance.role.auditor―Auditor fallback privileges on all FireEye appliances.
For more information, see Entitlements for the FireEye Appliance Roles on page 494.
The column labeled "# of Entitlements" shows that the FireEye appliance roles have only
one entitlement each. Each entitlement is a collection of user access permissions. By
contrast, the FireEye Appliance Org Admin role, the IAM Web UI roles, and Helix roles
have multiple entitlements.
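The chapter describes four things that combine to decide what a user can do: global roles (one entitlement each for appliances, several for the IAM Web UI and Helix), custom roles (IAM Web UI and Helix only), user groups (roles inherited through membership, which the Edit User view does not show), and fallback roles (applied by an appliance only when the user has no product-specific role). The Python below is an added example that models those relationships so the effective result can be computed for a user; it is not FireEye code and calls no IAM API. The appliance entitlement names follow the <service>.role.<action> pattern shown above (cms.role.analyst, appliance.role.auditor); the IAM Web UI and Helix entitlement names, and all user, group and role names, are constructed placeholders.

```python
"""Resolve effective entitlements from direct roles, group roles and fallback roles.

Added example modelling the role/entitlement relationships described in this
chapter; not FireEye code and not an IAM API. Appliance entitlement names
follow the <service>.role.<action> pattern from the guide; the IAM Web UI
and Helix entitlement names and all identities below are constructed.
"""
APPLIANCE_SERVICES = {"cms", "ex", "nx", "hx"}   # CM, EX, NX and HX Series
FALLBACK_SERVICE = "appliance"                   # product-agnostic fallback roles

# Global role catalogue: (product, role) -> entitlements. Appliance roles map
# to exactly one entitlement; IAM Web UI and Helix roles map to several.
GLOBAL_ROLES = {
    ("cms", "analyst"): {"cms.role.analyst"},
    ("cms", "admin"): {"cms.role.admin"},
    ("appliance", "auditor"): {"appliance.role.auditor"},
    ("appliance", "monitor"): {"appliance.role.monitor"},
    # constructed names for the multi-entitlement products:
    ("iam", "admin"): {"iam.users.browse", "iam.users.edit", "iam.roles.edit"},
    ("helix", "analyst"): {"helix.alerts.browse", "helix.alerts.read", "helix.alerts.edit"},
}


def is_appliance_entitlement(name):
    """True for <service>.role.<action> names of appliance products or the fallback set."""
    parts = name.split(".")
    return (len(parts) == 3 and parts[1] == "role"
            and parts[0] in (APPLIANCE_SERVICES | {FALLBACK_SERVICE}))


def define_custom_role(catalogue, product, name, entitlements):
    """Add a custom role; custom roles exist only for the IAM Web UI and Helix."""
    bad = sorted(e for e in entitlements if is_appliance_entitlement(e))
    if bad:
        raise ValueError(f"custom roles cannot carry appliance entitlements: {bad}")
    catalogue[(product, name)] = set(entitlements)
    return catalogue


def effective_roles(user, direct_roles, groups):
    """Union of roles assigned directly and roles inherited through group membership."""
    roles = set(direct_roles.get(user, ()))
    for group in groups.values():
        if user in group["members"]:
            roles |= set(group["roles"])
    return roles


def effective_entitlements(user, direct_roles, groups, catalogue):
    """Every entitlement the user holds, from whatever role or group it came through."""
    ents = set()
    for role in effective_roles(user, direct_roles, groups):
        ents |= catalogue[role]            # KeyError on an unknown role is deliberate
    return ents


def appliance_roles_applied(entitlements, service):
    """Roles a given appliance enforces: product-specific ones if any, else fallback ones."""
    specific = {e.split(".")[2] for e in entitlements if e.startswith(f"{service}.role.")}
    if specific:
        return specific
    return {e.split(".")[2] for e in entitlements
            if e.startswith(f"{FALLBACK_SERVICE}.role.")}


# Constructed sample organisation.
DIRECT_ROLES = {
    "alice@example.com": [("cms", "analyst"), ("appliance", "auditor")],
    "bob@example.com": [],
}
GROUPS = {
    "soc-tier1": {"members": {"alice@example.com", "bob@example.com"},
                  "roles": [("helix", "analyst"), ("appliance", "monitor")]},
}
```

The point to notice is the asymmetry in appliance_roles_applied(): on a CM Series appliance alice's directly assigned Analyst role wins and her fallback Auditor role is not applied at all, while on an NX Series appliance, where she has no product-specific role, both fallback roles she holds (one direct, one via the group) take effect. An access review that only reads the Assigned Products list would miss the group-derived Monitor role on bob entirely.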
Field | Description
Name | The name of a global or custom role defined in your IAM organization. You can sort and filter the list on this field. Filtering is case-sensitive, and it does not match wildcard characters.
Product | The type of product to which this role applies.
# of Entitlements | The number of entitlements assigned to the role. Each FireEye appliance role is associated with only one entitlement, which in turn maps to a collection of user access privileges.
Options | Click the Options icon and select an operation to view, edit, or delete.
Prerequisites
l IAM Admin or IAM User access to the FireEye IAM Web UI.
3. (Optional) Sort and filter the list on the Name field or the Description field.
Field Description
Available Entitlements
Assigned Entitlements
Prerequisites
l IAM Admin access to the FireEye IAM Web UI.
3. (Optional) Sort and filter the list on the Name field or the Description field. Filtering
is case-sensitive, and it does not match wild card characters.
4. Click the name of the role you want to view. The Edit Roles page shows you which
entitlements are assigned to the selected role.
The entitlements assigned to a global role are specific to the product for which the
role grants user access. Custom roles can have entitlements for one or more
products.
TIP: If the organization will have a large number of custom roles, use a
naming convention that enables you to filter and sort on the Name field or the
Description field to quickly find a group in the main view of the Roles page.
Prerequisites
l IAM Admin access to the FireEye IAM Web UI.
3. Click Add.
4. Enter a name and a description for the role and click Next.
5. Select a product type for the role, and then click Next.
6. Assign entitlements to the role. Repeat the following steps for each entitlement you
want to assign to the custom role.
a. In the Available Entitlements list on the left, locate the entitlement you want
to assign.
b. In the Access column for that entry, click Grant.
The entitlement moves from the Available Entitlements list to the Assigned
Entitlements list on the right.
In the following example, browse, edit, read, and add entitlements are about to be
assigned to a new custom role.
NOTE: You cannot edit or delete global roles, and you cannot change the product
type of a custom role.
NOTE: If you change a role while an affected user is logged in, the user is forcibly
logged out. When the user logs in again, the user has the capabilities provided by
the new definition of the role.
Prerequisites
l IAM Admin access to the FireEye IAM Web UI.
3. (Optional) Sort and filter the list on the Name field or the Description field.
4. Click the name of the custom role you want to edit. The Edit Role view shows
details about the selected role.
5. To change the name or description of a custom role, enter new text in the Name or
Description fields.
6. To add an entitlement to the custom role, do the following:
a. In the Available Entitlements list, find the entitlement you want to add.
b. Go to the Options column and click Grant.
7. To remove an entitlement from the custom role, do the following:
a. In the Assigned Entitlements list, find the entitlement you want to remove.
b. Go to the Options column and click Remove.
8. Verify that the entitlement names are updated in the Available Entitlements list and
in the Assigned Entitlements list.
9. Click Update Role.
NOTE: You cannot edit or delete global roles, and you cannot change the product
type of a custom role.
Prerequisites
l IAM Admin access to the FireEye IAM Web UI.
3. (Optional) Sort and filter the list on the Name field or the Description field. Filtering
is case-sensitive, and it does not match wild card characters.
b. Click OK.
b. Click Remove.
c. Click OK.
The organization administrator is responsible for provisioning other FireEye IAM user
accounts in the organization.
NOTE: The default organization administrator can create IAM Admin users and
delegate to them the task of creating the other user accounts.
l You cannot re-enroll an external user. This must be done from the user's primary
organization.
l You cannot reset the password for an external user. This must be done from the
user's primary organization.
l Deleting an external user account removes the account from the list of External
Users in this IAM organization. The account remains intact in its primary
organization.
The following table describes the columns in the lists on the Users page:
Field Description
Prerequisites
l IAM Admin or IAM User access to the FireEye IAM Web UI.
3. (Optional) Sort and filter the list on the Email field, the Nickname field, or the
Phone Number field.
Roles directly assigned to a user account are listed in the Assigned Products list on the right.
The Assigned Products list does not show the roles that the user is assigned indirectly
through membership in a FireEye IAM user group. To see those privileges, you must know
the user account's user group memberships. See FireEye IAM User Groups on page 359.
The following table describes the fields in the lists in the Edit User view:
Field | Description
Email | (Read-only) The user's email address. In FireEye IAM, the account user name is an email address. If this is an internal user account, this is the email address that was used to enroll the account in this organization (the user's primary organization). If this is an external user account, this is the email address that was used to enroll the account in a different organization (the user's primary organization).
External user organization | (In the External Users list only) The name of the external user's primary organization.
Available Products
Products | (Read-only) A product type for which the user is not assigned roles.
Assign Roles | If you want to assign the user roles for a product type in this list, click Grant in this column.
Assigned Products
Products Assigned | (Read-only) The products for which the user has roles assigned.
Roles | (Read-only) Roles for this product type that are assigned to the user.
Options | Click the Options icon and select an operation to perform on this role: Configure (assign or remove individual roles for this product) or Remove (remove all assigned roles for this product).
Prerequisites
l IAM Admin access to the FireEye IAM Web UI.
In the following example, the user is assigned four roles from three products.
Until the user enrolls, the account has a Status value of Invited. After the user completes
the enrollment process, the account has a Status value of Active. For details about the user
account enrollment process, see the instructions in Enrolling Your New FireEye IAM User
Account on page 295. Also see Viewing the Lists of User Accounts on page 336 and
Viewing the Roles Assigned to a User Account on page 338.
To create a new user account, you start at the Users page. The main view of the Users page
lists internal users and external users separately. After the user account is created, it
appears in the Internal Users panel.
Field Description
Email Enter the user's email address. In FireEye IAM, the account user name
is an email address.
l If you are creating a new user account in this organization, enter
the email address that will be used to enroll the account in this
organization (the user's primary organization).
l If you are adding a user account that is defined in an external
organization, enter the email address that was used to enroll the
account in the that organization (the user's primary organization).
NOTE: When you view the lists of all user accounts, the Internal Users
list and the External Users list can be sorted and filtered on the Email
column.
External user organization (Only if you are adding an external user account) Enter the name of the
external user's primary organization.
Available Products
Products A product type for which the user currently is not assigned roles.
Assign Roles If you want to assign the user roles for a product in this list, click
Grant in this column.
Assigned Products
Products Assigned A product type for which roles are assigned to the user.
Roles The roles that the user is currently assigned for this product type.
Prerequisites
l IAM Admin access to the FireEye IAM Web UI.
l The email address by which the user will be enrolled in the organization.
NOTE: Later, during the self-enrollment process, the user can create a password and
specify a nickname, phone number, and other information.
5. Find the product type in the Available Products list and click Grant.
6. In the Roles tab, select checkboxes for the roles you want to assign the user.
7. Click Assign.
8. To assign the user roles for another product type, repeat steps 5 through 7.
9. After all roles have been assigned, click Invite. The user is sent a link to the FireEye
IAM enrollment portal.
The user account appears in the Internal Users panel of the Users main view. The
Status value is Invited. After the user completes the self-enrollment process, the Status
value changes to Active.
NOTE: By default, FireEye Customer Support can access your IAM organization
through the external user groups that are automatically added to your
organization when it is created: FireEye Support - Level 1 and
FireEye Support - Levels 2 & 3. Unlike an external user account, an external user
group accesses the resources in your organization with privileges controlled by its
owning organization. See About Internal User Groups on page 359.
To give the external user account access to your IAM organization, you need to know the
name of the user's primary organization (the organization where the account is defined
and enrolled) and the email address for that user account. To specify the access privileges
granted to the external user, you assign the account one or more roles for each product the
user is allowed to access in your organization. User accounts can be assigned roles for
more than one product type, and they typically are. A user can be assigned multiple roles
for accessing the FireEye Web UI or Helix Web UI. For access to FireEye appliances, a user
is typically assigned a role for each product type in the IAM organization.
An external user account retains the access privileges granted in your organization until
you edit the account's role assignments or remove the account from the list of external
users in your organization.
To add an external user account, you start at the Users page. The main view of the Users
page lists internal users and external users separately. After the external user account is
added, it appears in the External Users panel.
The following table describes the fields in the Invite User view (used to create a new
internal user account) and the Add User view (used to add a user account from another
organization):
Field Description
Email Enter the user's email address. In FireEye IAM, the account user name
is an email address.
l If you are creating a new user account in this organization, enter
the email address that will be used to enroll the account in this
organization (the user's primary organization).
l If you are adding a user account that is defined in an external
organization, enter the email address that was used to enroll the
account in that organization (the user's primary organization).
NOTE: When you view the lists of all user accounts, the Internal Users
list and the External Users list can be sorted and filtered on the Email
column.
External user organization (Only if you are adding an external user account) Enter the name of the
external user's primary organization.
Available Products
Products A product type for which the user currently is not assigned roles.
Assign Roles If you want to assign the user roles for a product in this list, click
Grant in this column.
Assigned Products
Products Assigned A product type for which roles are assigned to the user.
Roles The roles that the user is currently assigned for this product type.
Prerequisites
l IAM Admin access to the FireEye IAM Web UI.
l The email address by which the user is enrolled in the other IAM organization.
l The name of the external user's primary organization.
5. Select the name of the external user's primary organization and click Next.
6. In the Available Products list, locate the product type and click Grant.
7. In the Roles tab of the Assign Access for Product dialog box, select the check box for
each product-specific role you want to assign the user.
8. Click Assign.
9. To assign the external user roles for another product type, repeat steps 7 through 9.
10. After all roles have been assigned, click Add. The user account appears in the
External Users panel of the Users main view.
Changes to a user's role assignments are made product by product. First you select a
product type, then you change the user's role assignments for that product.
To change a user's role assignments, use the Edit User view of the Users page and the
Roles tab of the Assign Access for Product dialog box.
The following table describes the fields in the lists of the Edit User view:
Field Description
Email (Read-only) The user's email address. In FireEye IAM, the account user
name is an email address.
If this is an internal user account, this the email address that was used
to enroll the account in this organization (the user's primary
organization).
If this is an external user account, this is the email address that was
used to enroll the account in a different organization (the user's
primary organization).
External user organization (In the External Users list only) The name of the external user's
primary organization.
Available Products
Products (Read-only) A product type for which the user is not assigned roles.
Assign Roles If you want to assign the user roles for a product type in this list, click
Grant in this column.
Assigned Products
Products Assigned (Read-only) The products for which the user has roles assigned.
Roles (Read-only) Roles for this product type that are assigned to the user.
Options Click the Options icon and select an operation to perform on this role:
l Configure―Assign or remove individual roles for this product.
l Remove―Remove all assigned roles for this product.
From the Add User view or the Edit User view, there are two ways to open the Assign
Access for Product dialog box for a product type:
l While creating a new user account―Go to the Available Roles list and click Grant
for the product type.
l While editing an existing user account―Go to the Assigned Roles list, click the
Options icon for the product type, and select Configure.
The following table describes the fields in the Roles tab of the Assign Access for Product
dialog box.
Field Description
(Checkbox or radio button) Select roles to assign to the user, and then click Assign.
Role The name of a FireEye IAM role for the selected product.
# of Permissions The number of permissions granted by the role. Hover over the number
in this column to view the list of permissions associated with the role.
Prerequisites
l IAM Admin access to the FireEye IAM Web UI.
3. Click the user account you want to edit and click Edit.
The Available Products panel on the left side of the page lists product types that
currently have no roles assigned to the user.
The Assigned Products panel on the right side of the page lists the product types
that currently have roles assigned to the user. The Roles column shows the roles the
user is assigned for each product in this list.
4. In the Assigned products list, find the product type whose roles you want removed.
6. Click Save.
7. To change more role assignments for the user, go back to step 3.
3. Click the name of the user account you want to edit and click Edit.
The Available Products panel on the left side of the page lists product types that
currently have no roles assigned to the user.
The Assigned Products panel on the right side of the page lists the product types
that currently have roles assigned to the user. The Roles column shows the roles the
user is assigned for each product in this list.
4. Open the Assign Access for Product dialog box for the product type for which you
want to assign or remove a role.
l If you want to assign a role for a product type that currently has no roles
assigned to the user, click Grant in the Assign Roles column for that product.
l If you want to assign or remove a role for a product type that currently has
roles assigned to the user, click the Options icon and select Configure.
The Assign Access for Product dialog box opens for the selected product type.
5. Select or clear the checkbox for each role you want to assign or remove from the user
account.
6. Click Assign.
7. To change more role assignments for the user account, repeat steps 9 through 11.
8. Click Save.
To reset the password of a local user account, use the Users page.
Prerequisites
l IAM Admin access to the FireEye IAM Web UI.
3. (Optional) Sort and filter the list on the Email field, the Nickname field, or the
Phone Number field.
4. Find the user account that needs the password reset.
5. Click the Options icon for that user account and select Reset Password.
6. Click OK.
FireEye IAM automatically sends the user a link to a password reset page for that
account.
7. (Optional) To copy the link to the password reset page, click Copy Links near the
top of the page and click the Copy icon.
Save the link. If the user did not receive the automated email message, you can send
the link again using your own email account.
Prerequisites
l IAM Admin access to the FireEye IAM Web UI.
3. (Optional) Sort and filter the list on the Email field, the Nickname field, or the
Phone Number field.
4. Find the user account you need to re-enroll.
5. Click the Options icon for that user account and select Re-Enroll.
6. Click OK.
FireEye IAM automatically sends the user a re-enrollment link.
7. (Optional) To copy the re-enrollment link, click Copy Links near the top of the page
and click the Copy icon.
Save the link. If the user did not receive the automated email message, you can send
the link again using your own email account.
To delete user accounts from your FireEye IAM organization, use the Users page.
Prerequisites
l IAM Admin access to the FireEye IAM Web UI.
a. Click the Options icon for the user you want to delete, and select Remove.
b. Click OK.
b. Click Remove.
c. Click OK.
To disable or enable user accounts from your FireEye IAM organization, use the Users
page.
Prerequisites
l IAM Admin access to the FireEye IAM Web UI.
a. Click the Options icon for the user you want to disable, and select Disable.
b. Click OK.
a. Click the Options icon for the user you want to enable, and select Enable.
b. Click OK.
reduce the group's access privileges if the user's directly assigned roles grant privileges
that the group does not have through other sources.
NOTE: Deleting a user group removes access privileges that other users received
through their membership in that group.
You cannot view the list of users in an external user group, and you cannot modify or
delete an external user group.
External user groups―groups that are defined in a different IAM organization and can
access your IAM organization―are listed in two pages of the FireEye IAM Web UI:
l Organization Settings
l User Groups.
When FireEye created your IAM organization, they automatically added the following
FireEye Customer Support internal user groups as external user groups in your IAM
organization:
The Web UI does not list the members of an external user group. You cannot modify or
delete an external user group.
l User Groups―This panel lists user groups that are defined in your IAM
organization. Access privileges granted to the members of an internal user group are
applicable within your IAM organization only.
A user group that is listed in the External User Groups panel for your IAM organization can
access your IAM organization as allowed by the roles assigned to that user group in its
owning organization. From the perspective of the owning organization, that same user group
is listed with a Scope value of External in the User Groups panel (list of internal user
groups).
The following table describes the columns in the User Groups page.
Field Description
Name The name of a group defined in your IAM organization. You can sort and
filter the list on this field.
Options Click the icon and select an operation to perform on the user group:
l View/Edit
l Remove
External User Groups — Externally created groups that have access to your organization
Name The name of a group defined in an external organization but whose user
credentials and privileges in the owning organization are accessible to this
organization. You can sort and filter the list on this field.
Owning Organization Name The name of the external IAM organization where this group is defined.
NOTE: A user group that appears in this list also appears in the owning
organization's User Groups list with a Scope value of External.
Prerequisites
l IAM Admin or IAM User access to the FireEye IAM Web UI.
3. (Optional) Sort and filter either of the lists on the Name field. Filtering is case-
sensitive, and it does not match wild card characters.
The following table describes the fields in the Edit User Group view.
Field Description
Name The name of the user group. You can edit the text in this field.
Description A brief description of the user group. You can edit the text in this field.
Available Roles
Access To add a role to the group, click Grant in this column. The role name moves
to the Assigned Roles list to the right.
Assigned Roles
Access To remove a role from the group, click Remove in this column. The role name
moves to the Available Roles list to the left.
Available Users
Email The email address of a primary or external user that is not assigned to the
group.
You can sort and filter the list on this field. Filtering is case-sensitive, and it
does not match wild card characters.
Access To add a user to the group, click Grant in this column. The group name
moves to the Assigned Users list to the right.
Assigned Users
Email The email address of a primary or external user that is assigned to the group.
You can sort and filter the list on this field. Filtering is case-sensitive, and it
does not match wild card characters.
User Type (External groups only) Select the user's membership type in this group:
l User―Has read-only privileges on the user group.
l Owner―Has read-only privileges and receives notifications about
changes made to the group.
NOTE: An external group must have one or more owners.
Access To remove a user from the group, click Remove in this column. The group
name moves to the Available Users list to the left.
Prerequisites
l IAM Admin access to the FireEye IAM Web UI.
3. (Optional) Sort and filter either of the lists on the Name field. Filtering is case-
sensitive, and it does not match wild card characters.
4. Select the role you want to view. Use either of the following methods:
l Click the role name in the first column.
l Click the Options icon and select View/Edit.
The Edit User Group view appears, and the Assigned Roles panel lists the roles
assigned directly to the user group.
The Internal User Groups list (the list of all groups defined in this IAM organization) and
the External User Groups list (the list of externally defined groups accessible by this IAM
organization) can be sorted and filtered on the Description column. The fields in this page
are described in Viewing the Lists of Internal and External User Groups on page 362.
The following table describes the fields in the Add User Group view of the User Groups
page.
Field Description
Available Roles
Access To add a role to the group, click Grant in this column. The role name moves
to the Assigned Roles list to the right.
Assigned Roles
Access To remove a role from the group, click Remove in this column. The role name
moves to the Available Roles list to the left.
Available Users
Email The email address of a primary or external user that is not assigned to the
group.
You can sort and filter the list on this field. Filtering is case-sensitive, and it
does not match wild card characters.
Access To add a user to the group, click Grant in this column. The group name
moves to the Assigned Users list to the right.
Assigned Users
Email The email address of a primary or external user that is assigned to the group.
You can sort and filter the list on this field. Filtering is case-sensitive, and it
does not match wild card characters.
User Type (External groups only) Select the user's group member type:
l User―Has read-only privileges on the user group.
l Owner―Has read-only privileges and receives notifications about
changes made to the group.
An external group must have one or more owners.
Access To remove a user from the group, click Remove in this column. The group
name moves to the Available Users list to the left.
Prerequisites
l IAM Admin access to the FireEye IAM Web UI.
5. Click Next to view the panels that enable you to assign roles to the group.
6. To assign a role to the user group, find the role in the Name column of the Available
Roles list and click Grant in the Options column. The role name moves from the
Available Roles list to the Assigned Roles list on the right.
7. Click Next to view the panels that enable you to assign users to the group.
In the Available Users panel, the entry for your own user account displays You
Cannot Grant in the Access column.
8. To assign a user account to the user group, find the user account in the Available
Users list on the left side of the page, and then click Grant in the Options column.
The user name moves from the Available Users list to the Assigned Users list to the
right.
9. Click Add User Group.
The name of the new group appears in the User Groups panel of the User Groups
main view.
NOTE: Removing a user account from a user group will reduce the group's
access privileges if the user's directly assigned roles grant privileges that the
group does not have through other sources. A user group derives its access
privileges through the roles directly assigned to it and through the roles directly
assigned to its members.
Prerequisites
l IAM Admin access to the FireEye IAM Web UI.
3. Click the name of the user group you want to edit. The Edit User Group view shows
details about the selected group.
NOTE: Deleting a user group revokes all access privileges that users received
through their membership in that group. The affected users retain the access
privileges granted through any roles directly assigned to their account.
Prerequisites
l IAM Admin access to the FireEye IAM Web UI.
b. Click OK.
b. Click Delete.
c. Click OK.
Prerequisites
l IAM Admin access to the FireEye IAM Web UI.
The following table describes the columns in the list of API keys:
Field Description
Created On Date and time that the API key was created.
Options Click the Options icon and select an operation to perform on the API key:
l View/Edit
l Revoke
Prerequisites
l IAM Admin or IAM User access to the FireEye IAM Web UI.
The following table describes the panels and fields in the Create API Key dialog box:
Field Description
API Key with entitlements If selected, the access privileges of this API Key will be based upon
manually selected entitlements.
API Key with groups If selected, the access privileges of this API Key will be based upon
the associated groups and will be applicable to all organizations
with which the groups are linked. Any modifications made to the
associated groups will dynamically affect the access privileges of
the API key.
Created On Date and time that the API key was created.
Depending on the programmatic changes you are enabling, you will need to assign the API
key the product and product-specific entitlements needed to make those changes.
For example, suppose the API key will be used to create IAM organization user accounts
that need particular access privileges on Helix. The API key used to make these changes
must be assigned the products “IAM” and “Threat Analytic Platform”, and you grant the
necessary set of entitlements under each product.
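The privilege derivation that the user-group notes describe (a group holds the roles assigned to it plus the roles assigned directly to its members, so removing a member can shrink the group, and deleting a group revokes only membership-derived privileges) and the two API key modes from the Create API Key table (a fixed entitlement list versus entitlements that follow the linked groups) are modelled together in the following Python script. This is an added illustration written for this page, not FireEye IAM code or its API. The users, groups and role names are constructed samples; the entitlement strings iam.apikeys.edit and iam.apikeys.read appear in this guide, helix.alerts.read is constructed, and the mapping from roles to entitlements is an assumption made for the example.

```python
"""Toy model of the IAM privilege derivation rules stated in this guide.

Added illustration, not FireEye code. It follows the guide's statements literally:
a group's privileges are the roles assigned to the group plus the roles directly
assigned to its members; a user's privileges are the directly assigned roles plus
the privileges of every group the user belongs to; an API key with entitlements is
fixed, while an API key with groups follows the groups' current privileges.
"""
from dataclasses import dataclass, field

# Constructed sample mapping (assumption): role name -> entitlements it grants.
ROLES = {
    "IAM Admin": {"iam.apikeys.edit", "iam.apikeys.read"},
    "IAM User": {"iam.apikeys.read"},
    "Helix Analyst": {"helix.alerts.read"},
}


@dataclass
class User:
    email: str
    roles: set = field(default_factory=set)      # roles assigned directly to the account


@dataclass
class Group:
    name: str
    roles: set = field(default_factory=set)      # roles assigned directly to the group
    members: set = field(default_factory=set)    # member user emails


@dataclass
class ApiKey:
    name: str
    entitlements: set = field(default_factory=set)  # "API Key with entitlements": fixed at creation
    groups: set = field(default_factory=set)        # "API Key with groups": follows the groups


class Org:
    """One IAM organization holding users and groups, with the derivation rules above."""

    def __init__(self):
        self.users = {}
        self.groups = {}

    def add_user(self, user):
        self.users[user.email] = user

    def add_group(self, group):
        self.groups[group.name] = group

    def group_roles(self, name):
        # Group privileges: roles assigned to the group + roles directly assigned to its members.
        g = self.groups[name]
        derived = set(g.roles)
        for email in g.members:
            derived |= self.users[email].roles
        return derived

    def user_roles(self, email):
        # User privileges: directly assigned roles + privileges of every group the user is in.
        effective = set(self.users[email].roles)
        for g in self.groups.values():
            if email in g.members:
                effective |= self.group_roles(g.name)
        return effective

    @staticmethod
    def entitlements(roles):
        out = set()
        for r in roles:
            out |= ROLES[r]
        return out

    def user_entitlements(self, email):
        return self.entitlements(self.user_roles(email))

    def api_key_entitlements(self, key):
        # A group-based key is re-evaluated against the groups' current privileges on every
        # call, so editing those groups changes what the key can do; a fixed key never moves.
        if key.groups:
            roles = set()
            for name in key.groups:
                roles |= self.group_roles(name)
            return self.entitlements(roles)
        return set(key.entitlements)

    def remove_member(self, group_name, email):
        self.groups[group_name].members.discard(email)

    def delete_group(self, name):
        del self.groups[name]


def demo():
    """Walk through the guide's two notes and return the effective privileges at each stage."""
    org = Org()
    org.add_user(User("alice@example.com", {"IAM Admin"}))   # constructed sample accounts
    org.add_user(User("bob@example.com", {"IAM User"}))
    org.add_group(Group("Helix Team", {"Helix Analyst"}, {"alice@example.com", "bob@example.com"}))
    static_key = ApiKey("ci-key", entitlements={"iam.apikeys.read"})
    group_key = ApiKey("team-key", groups={"Helix Team"})

    stages = {}
    stages["group_initial"] = frozenset(org.group_roles("Helix Team"))
    stages["bob_initial"] = frozenset(org.user_entitlements("bob@example.com"))
    stages["group_key_initial"] = frozenset(org.api_key_entitlements(group_key))

    # Removing alice shrinks the group: IAM Admin was a privilege the group had only through her.
    org.remove_member("Helix Team", "alice@example.com")
    stages["group_after_remove"] = frozenset(org.group_roles("Helix Team"))
    stages["group_key_after_remove"] = frozenset(org.api_key_entitlements(group_key))
    stages["static_key_after_remove"] = frozenset(org.api_key_entitlements(static_key))

    # Deleting the group revokes what bob got through membership; his direct IAM User role remains.
    org.delete_group("Helix Team")
    stages["bob_after_delete"] = frozenset(org.user_entitlements("bob@example.com"))
    return stages


if __name__ == "__main__":
    for stage, ents in demo().items():
        print(f"{stage}: {sorted(ents)}")
```

Running the script prints the effective privileges at each stage. The point to take from it for reviewing an organization: under these rules, a group-based API key and every member of a group inherit whatever the most privileged member has assigned directly, so adding or removing a member changes what the key can do without any edit to the key itself, whereas an entitlement-based key only changes when someone edits it.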
Prerequisites
l IAM Admin or IAM User access to the FireEye IAM Web UI.
9. From the Available Entitlements list, select the product-specific entitlements to grant
access rights to the API key.
l To grant all entitlements in the list, click Grant All.
l To grant individual entitlements, click Grant for each entry.
10. Click Create API Key.
The following table describes the columns in the list of API keys:
Field Description
Created On Date and time that the API key was created.
Options Click the Options icon and select an operation to perform on the API key:
l View/Edit
l Revoke
Prerequisites
l IAM Admin or IAM User access to the FireEye IAM Web UI.
The following table describes the columns in the list of API keys:
Field Description
Created On Date and time that the API key was created.
Options Click the Options icon and select an operation to perform on the API key:
l View/Edit
l Revoke
Prerequisites
l IAM Admin or IAM User access to the FireEye IAM Web UI.
a. Select the checkboxes for the API keys you want to revoke.
If you want to see the entitlements for an API key, click the linked text in the
Descriptions column. Click the browser Back button to return to the list of API
keys.
b. Click Revoke.
c. Click OK.
APPENDIX A: Capabilities of FireEye Appliance Local Roles
This section covers the following information:
Capability Categories
The capabilities associated with the roles are divided into five categories: System
Administration, Malware Analysis, Auditing, All Users, and Web Services API. The
following tables list the capabilities in each category and show which roles have access to
the functionality granted by the capabilities.
System Administration
The following table lists the System Administration capabilities and associated roles.
Authentication (AAA) X
Authentication (AAA) (view) X X X
CM Series X X
CM Series (view) X X X
CM Series Proxy X
CM Series Client (LMS) X X
Crypto X X
Crypto (view) X X X
Detection X X
Detection (view) X X X X
Diagnostics X X
Health (view) X X X X
Licenses X X
Licenses (view) X X X
Network X X
Network (view) X X X
Stats X X
Stats (view) X X X
System Admin X
System X X
System (view) X X X
System Logs X X X
Malware Analysis
The following table lists the Malware Analysis capabilities and associated roles.
Alerts X X X
Alerts (view) X X X
Analysis X X
Analysis (view) X X X
Monitor Legacy X X
Notifications X X
Notifications (view) X X X X
Reports X X X
Reports (view) X X X
Auditing
The following table lists Auditing capabilities and associated roles.
Audit Logs X X X
All Users
The following table lists the capabilities available to all roles (except API Analyst and
API Monitor).
All Users X X X X X
Alerts X X
Alerts Create X
Alerts View X X X
All Users X X X
Analysis X X
Analysis View X X X
Email Analysis X X
File Analysis X
Reports View X X X
Capability Descriptions
The following table describes the functionality provided by each capability.
Capability Description
All Users Commands and functionality available to users in all roles (except
API Analyst and API Monitor).
Audit Logs Ability to view audit logs, but not system logs.
Diagnostics Access to diagnostic tools such as debug dumps (sysdumps), ping, and
traceroute.
Manage Own Account Ability to change one's own local account password and to manage
local SSH client functionality (authorized keys, identities, and known
hosts) for one's own local account.
Monitor Legacy Functionality that the "monitor" capability had prior to the introduction
of roles, which is not permitted according to the strict interpretation of
the "monitor" role.
System Admin Both general system administration functions and sensitive functions
that require a higher level of authorization.
System (view) Read-only access to the "System" and "System Admin" functionality.
System Logs Ability to read system logs, but not audit logs.
Access Messages
The functionality that is available to a user depends on the user's role, which includes a
set of capabilities.
Capability Description Authorized AAA Roles
Agent Configurations Manage agent configuration settings and deploy them to the agents:
admin (Web UI), api_admin (API), operator (Web UI, partial)
Manage Own Account Change the password for the specific user account:
admin, analyst, analyst_sr, auditor, investigator, monitor, operator
Admin Role
On an Endpoint Security appliance, Administrators (users assigned the admin role) have
full access to all Endpoint Security Web UI and CLI product functionality, except for the
Web UI My Account Settings page. Administrators do not have access to the API.
Administrators do not change their passwords on the My Account Settings page. Use the
User Account Settings page to change administrator passwords.
Analyst Role
On an Endpoint Security appliance, Analysts (users assigned the analyst role) can perform
most Endpoint Security appliance functions, with the following exceptions.
Analysts change their passwords on the My Account Settings page. To access the My
Account Settings page, select Change My Password on the Hi, <user name> menu.
l They have read-only access to DTI settings and do not have access to other
Endpoint Security appliance or agent configuration settings.
l They cannot view or maintain user accounts.
l They cannot view or manage statistics.
l They cannot run or view agent diagnostics.
l They can only run CLI show commands.
l They have no access to the API.
l They have read-only access to the appliance Health Check page and appliance
updates.
Senior analysts change their passwords on the My Account Settings page. To access the
My Account Settings page, select Change My Password on the Hi, <user name> menu.
API Admin Role
Users assigned the api_admin role have no access to Endpoint Security appliance
functionality via the Web UI. They have basic and extended API authorization for
Endpoint Security appliance features. The extended authorization allows them to maintain
custom policy channels and to contain hosts. (Custom policy channels can be used to
distribute custom configuration files to agents running on hosts in specified host sets.)
API Administrators cannot run CLI commands or change their passwords. An Endpoint
Security appliance administrator (user role Admin) must change their passwords, if
necessary.
See the Endpoint Security REST API Guide.
API Analyst Role
On an Endpoint Security appliance, users assigned the api_analyst role have no access to
Endpoint Security appliance functionality via the Web UI. They only have basic API
authorization for Endpoint Security appliance features. API Analysts cannot run
CLI commands or change their passwords. An Endpoint Security appliance administrator
(user role Admin) must change their passwords, if necessary.
See the HX Series REST API Guide.
Auditor Role
On the Endpoint Security appliance, Auditors (users assigned the auditor role) only have
access to Endpoint Security appliance log management functions. They can run CLI show
commands and change their passwords on the My Account Settings page. They have no
access to other product features.
To access the My Account Settings page, select Appliance Settings at the top of the page.
fe_services User
On an Endpoint Security appliance, the fe_services user has no access to Endpoint
Security appliance functionality via the Web UI.
You cannot use the fe_services user or create additional fe_services users unless you have
an MD_ACCESS license. In addition, the password for the fe_services user cannot be
changed.
Investigator Role
On an Endpoint Security appliance, Investigators (users assigned the investigator role) can
perform all Endpoint Security appliance functions, with the following exceptions.
Investigators change their passwords on the My Account Settings page. To access the My
Account Settings page, select Change My Password on the Hi, <user name> menu.
Monitor Role
On an Endpoint Security appliance, Monitors (users assigned the monitor role) have read
access to Endpoint Security appliance settings, user accounts, the Health Check page, and
the Appliance Update page, but cannot take action.
Monitors change their passwords on the My Account Settings page. To access the My
Account Settings page, select Change My Password on the Hi, <user name> menu.
Operator Role
On an Endpoint Security appliance, Operators (users assigned the operator role) have little
access to regular Endpoint Security product functionality, but they can perform some
administrative functions.
l They can search for a host on the Hosts page. They cannot perform other host,
indicator, acquisition, or investigative functions.
l They can maintain host sets, agent version lists, and the server address list for
agents.
l They can perform agent upgrades.
l They can adjust DTI, network, certificate and key, license, and login banner settings.
l They can view, but not maintain, user accounts.
l They can obtain appliance health checks, manage appliance logs, and perform
appliance updates.
Operators change their passwords on the My Account Settings page. To access the My
Account Settings page, select Change My Password on the Hi, <user name> menu.
Access Messages
If an Endpoint Security appliance user attempts an action that is outside the capabilities
assigned their role, the system responds with a message.
l If a user does not have access to a page or control in the Web UI, either it is not
shown, or the user's action is ignored and a message is displayed.
l If a user has limited access to a CLI command and enters the command with
unauthorized parameters, the message % Insufficient authorization... is
displayed.
l If an admin user enters a CLI command that displays data that should not be
shown (such as plain-text passwords), asterisks (***) are displayed to mask the data.
Unlike the FireEye Super Admin role, the IAM Admin role does not grant visibility or
access to OIDC clients, IAM audit events, or other IAM organizations.
Requirements
l IAM Admin or IAM User access to the FireEye IAM Web UI.
2. Select Organization Settings > Roles. The Roles page lists the IAM global roles and
custom roles in your IAM organization.
3. Filter the list on the Description column, specifying the match string IAM in all
uppercase letters. (The filter is case-sensitive.) The list refreshes and shows only the
roles that grant access to the IAM Web UI.
The Assigned Entitlements panel lists the entitlements assigned to the role.
List of Entitlements
The entitlements granted by the IAM Admin role are described in the following table.
These entitlements are a superset of the entitlements granted by the IAM User role.
Shaded entries in the table indicate entitlements that are not granted by the IAM User role.
Entitlement Description
API Keys
IAM Entitlements
User Groups
Data Policies
Products
Roles
Settings
Unlike the IAM Admin role, the IAM User role is limited to read-only access to IAM
organization settings, user access control policies, user groups, and other user accounts.
The IAM User role has no visibility to API keys created by other accounts, OIDC clients,
IAM audit events, or other IAM organizations.
Requirements
l IAM Admin or IAM User access to the FireEye IAM Web UI.
To view the entitlements associated with the IAM User role:
2. Select Organization Settings > Roles. The Roles page lists the IAM global roles and
custom roles in your IAM organization.
3. Filter the list on the Description column, specifying the match string IAM in all
uppercase letters. (The filter is case-sensitive.) The list refreshes and shows only the
roles that grant access to the IAM Web UI.
The Assigned Entitlements panel lists the entitlements assigned to the role.
List of Entitlements
The entitlements granted by the IAM User role are described in the following table. These
entitlements are a subset of the entitlements granted by the IAM Admin role.
Entitlement Description
API Keys
IAM Entitlements
User Groups
Data Policies
Products
Roles
IAM Settings
User Accounts
Requirements
l IAM Admin or IAM User access to the FireEye IAM Web UI.
To view the entitlements associated with the FireEye Super Admin role:
2. Select Organization Settings > Roles. The Roles page lists the IAM global roles and
custom roles in your IAM organization.
3. Filter the list on the Description column, specifying the match string IAM in all
uppercase letters. (The filter is case-sensitive.) The list refreshes and shows only the
roles that grant access to the IAM Web UI.
The Assigned Entitlements panel lists the entitlements assigned to the role.
List of Entitlements
The following table describes the entitlements granted by the FireEye Super Admin role for
the IAM Web UI.
The FireEye Super Admin role grants the user a superset of the entitlements granted by
the IAM Admin role. The shaded table entries indicate entitlements that are not granted by
the IAM Admin role.
Entitlement Description
API Keys
iam.apikeys.edit Edit the settings for any IAM API keys in the organization
iam.apikeys.read View the settings for any IAM API keys in the organization
IAM Entitlements
User Groups
OIDC Clients
Data Policies
Products
Roles
IAM Settings
SCIM Admin Role
SCIM Admin access gives the user full API access to the FireEye System for Cross-domain
Identity Management (SCIM) services. FireEye IAM uses SCIM services to facilitate migration
of ETP user profiles to FireEye IAM. Only FireEye Customer Support staff can assign this role.
Requirements
l IAM Admin or IAM User access to the FireEye IAM Web UI.
To view the entitlements associated with the SCIM Admin role:
2. Select Organization Settings > Roles. The Roles page lists the IAM global roles and
custom roles in your IAM organization.
3. Filter the list on the Description column, specifying the match string IAM in all
uppercase letters. (The filter is case-sensitive.) The list refreshes and shows only the
roles that grant access to the IAM Web UI.
The Assigned Entitlements panel lists the entitlements assigned to the role.
List of Entitlements
The IAM SCIM Admin role grants the entitlements listed in the following table.
The shaded table entries indicate entitlements that are not granted by any other role for the
FireEye IAM Web UI.
Entitlement Description
Alerts
tap.alerts.add Whether a user can create new alerts
tap.alerts.read Whether a user can view all individual alerts and their notes
Alerts—Federated
tap.federated.alerts.add Whether a user can create new federated alerts
tap.federated.alerts.browse Whether a user can browse all alerts aggregated from child
organizations
tap.federated.alerts.edit Whether a user can edit federated alerts and their notes
tap.federated.alerts.read Whether a user can view all individual federated alerts and their
notes
Alert Suppressions
tap.alert.suppressions.add Whether a user can create new alert suppressions
Alert Suppressions—Federated
tap.federated.alert.suppressions.add Whether a user can create new federated alert suppressions
tap.federated.alert.suppressions.browse Whether a user can browse all alert suppressions across child
organizations
Analytics
tap.analytics.browse Whether a user can browse all analytical advisories
Appliance Groups
tap.appliances.groups.add Whether a user can add appliance groups
tap.appliances.intel_feeds.read Whether a user can view individual appliance intel feed data
Appliance Management
tap.appliance.management Whether a user can access appliance actions and configurations
Appliances
tap.appliances.add Whether a user can add appliances
Archive Searches
tap.archivesearch.add Whether a user can create new archive searches
Archive Searches—Federated
tap.federated.archivesearch.add Whether a user can create new federated archive searches
Assets
tap.assets.add Whether a user can add assets
Cases—Federated
tap.federarated.cases.add Whether a user can add federated cases
Dashboards
tap.dashboards.add Whether a user can create a new dashboard
Dashboards—Federated
tap.federated.dashboards.add Whether a user can create a new federated dashboard
Events
tap.events.browse Whether a user can browse all events on alerts and incidents
Incidents
tap.incidents.add Whether a user can create a new incident
tap.incidents.read Whether a user can view all individual incidents and their notes
Indicators
tap.indicators.add Whether a user can create a new indicator
Intel Feeds—Federated
tap.federated.intel_feeds.add Whether a user can create new federated intel feeds or observables
tap.federated.intel_feeds.read Whether a user can view all individual federated intel feeds or
observables
Lists
tap.lists.add Whether a user can create a new customer list
Policies
tap.rbac.policy.add Whether a user can create new data policies
tap.rbac.policy.user.browse Whether a user can view all users assigned to individual data
policies
Reports
tap.reports.add Whether a user can create new reports
Reports—Federated
tap.federated.reports.add Whether a user can create new federated reports
Rule Packs
tap.rulepacks.add Whether a user can create new rule packs
Rules
tap.rules.add Whether a user can create a new rule
tap.rules.read Whether a user can view individual rules and their notes
Saved Searches
tap.savedsearch.admin Whether a user can modify other users' saved searches
Scheduled Searches
tap.scheduledsearch.add Whether a user can create new scheduled searches
Scheduled Searches—Federated
tap.scheduledsearch.add Whether a user can create new federated scheduled searches
Searches
tap.search.browse Whether a user can execute a search
Security Orchestrator
tap.security_orchestrator.playbook.browse Whether a user can browse Security Orchestrator playbook details and execution results
Sensors
tap.sensors.add Whether a user can add sensors
Threats
tap.threats.browse Whether a user can browse all threats
tap.threats.read Whether a user can view all individual threats and notes
Users
tap.rbac.user.add Whether a user can create new users
tap.rbac.user.constraint.browse Whether a user can view all role constraints for individual users
tap.rbac.user.permission.browse Whether a user can view all permissions for individual users
tap.rbac.user.policy.browse Whether a user can view all data policies for individual users
tap.rbac.user.policy.delete Whether a user can revoke data policies for individual users
Widgets
tap.widgets.add Whether a user can create a new widget
Widgets—Federated
tap.federated.widgets.add Whether a user can create a new federated widget
Requirements
l IAM Admin or IAM User access to the FireEye IAM Web UI.
To view the entitlements associated with the FaaS Analyst role:
2. Select Organization Settings > Roles. The Roles page lists the IAM global roles and
custom roles in your IAM organization.
3. Filter the list on the Name column, specifying the match string FaaS with the
capitalization shown. (The search is case-sensitive.) The list refreshes and shows only
the FaaS roles.
List of Entitlements
The Helix entitlements granted by the global FaaS Analyst role follow. These entitlements
allow the user to manage hidden content within specific Helix resources.
l tap.alerts.hidden
l tap.archivesearch.hidden
l tap.dashboards.hidden
l tap.lists.hidden
l tap.rulepacks.hidden
l tap.rules.hidden
l tap.scheduledsearch.hidden
l tap.search.hidden
l tap.widgets.hidden
Requirements
l IAM Admin or IAM User access to the FireEye IAM Web UI.
To view the entitlements associated with the TAP Analyst role:
2. Select Organization Settings > Roles. The Roles page lists the IAM global roles and
custom roles in your IAM organization.
3. Filter the list on the Name column, specifying the match string TAP in all uppercase
letters. (The search is case-sensitive.) The list refreshes and shows only the roles that
grant access to Helix.
List of Entitlements
The Helix entitlements granted by the global TAP Analyst role are described in the
following tables.
Alert Suppressions
tap.alert.suppressions.add Whether a user can create new alert suppressions
Alerts
tap.alerts.add Whether a user can create new alerts
tap.alerts.read Whether a user can view all individual alerts and their notes
Analytics
tap.analytics.browse Whether a user can browse all analytical advisories
Appliance Groups
tap.appliances.groups.add Whether a user can add appliance groups
tap.appliances.intel_feeds.read Whether a user can view individual appliance intel feed data
Appliance Management
tap.appliance.management Whether a user can access appliance actions and configurations
Appliances
tap.appliances.add Whether a user can add appliances
Archive Searches
tap.archivesearch.add Whether a user can create new archive searches
Assets
tap.assets.add Whether a user can add assets
Dashboards
tap.dashboards.add Whether a user can create a new dashboard
Events
tap.events.browse Whether a user can browse all events on alerts and incidents
Incidents
tap.incidents.add Whether a user can create a new incident
tap.incidents.read Whether a user can view all individual incidents and their notes
Indicators
tap.indicators.add Whether a user can create a new indicator
Lists
tap.lists.add Whether a user can create a new customer list
Reports
tap.reports.add Whether a user can create new reports
Rule Packs
tap.rulepacks.add Whether a user can create new rule packs
Rules
tap.rules.add Whether a user can create a new rule
tap.rules.read Whether a user can view individual rules and their notes
Scheduled Searches
tap.scheduledsearch.add Whether a user can create new scheduled searches
Searches
tap.search.browse Whether a user can execute a search
Security Orchestrator
tap.security_orchestrator.playbook.browse Whether a user can browse Security Orchestrator playbook details and execution results
Sensors
tap.sensors.add Whether a user can add sensors
Threats
tap.threats.browse Whether a user can browse all threats
tap.threats.read Whether a user can view all individual threats and notes
Widgets
tap.widgets.add Whether a user can create a new widget
Requirements
l IAM Admin or IAM User access to the FireEye IAM Web UI.
To view the entitlements associated with the TAP Analyst Limited role:
2. Select Organization Settings > Roles. The Roles page lists the IAM global roles and
custom roles in your IAM organization.
3. Filter the list on the Name column, specifying the match string TAP in all uppercase
letters. (The search is case-sensitive.) The list refreshes and shows only the roles that
grant access to Helix.
List of Entitlements
The Helix entitlements granted by the global TAP Analyst Limited role are described in the
following tables.
Alert Suppressions
tap.alert.suppressions.add Whether a user can create new alert suppressions
Alerts
tap.alerts.add Whether a user can create new alerts
tap.alerts.read Whether a user can view all individual alerts and their notes
Analytics
tap.analytics.browse Whether a user can browse all analytical advisories
Appliance Management
tap.appliance.management Whether a user can access appliance actions and configurations
Appliances
tap.appliances.add Whether a user can add appliances
Appliance Groups
tap.appliances.groups.add Whether a user can add appliance groups
tap.appliances.intel_feeds.read Whether a user can view individual appliance intel feed data
Archive Searches
tap.archivesearch.add Whether a user can create new archive searches
Assets
tap.assets.add Whether a user can add assets
Dashboards
tap.dashboards.add Whether a user can create a new dashboard
Events
tap.events.browse Whether a user can browse all events on alerts and incidents
Incidents
tap.incidents.add Whether a user can create a new incident
tap.incidents.read Whether a user can view all individual incidents and their notes
Indicators
tap.indicators.add Whether a user can create a new indicator
Lists
tap.lists.add Whether a user can create a new customer list
Reports
tap.reports.add Whether a user can create new reports
Rule Packs
tap.rulepacks.add Whether a user can create new rule packs
Rules
tap.rules.add Whether a user can create a new rule
tap.rules.read Whether a user can view individual rules and their notes
Scheduled Searches
tap.scheduledsearch.add Whether a user can create new scheduled searches
Searches
tap.search.browse Whether a user can execute a search
Security Orchestrator
tap.security_orchestrator.playbook.browse Whether a user can browse Security Orchestrator playbook details and execution results
Sensors
tap.sensors.add Whether a user can add sensors
Threats
tap.threats.browse Whether a user can browse all threats
tap.threats.read Whether a user can view all individual threats and notes
Widgets
tap.widgets.add Whether a user can create a new widget
Requirements
l IAM Admin or IAM User access to the FireEye IAM Web UI.
To view the entitlements associated with the TAP Cloud Collector role:
2. Select Organization Settings > Roles. The Roles page lists the IAM global roles and
custom roles in your IAM organization.
3. Filter the list on the Name column, specifying the match string TAP in all uppercase
letters. (The search is case-sensitive.) The list refreshes and shows only the roles that
grant access to Helix.
List of Entitlements
The Helix entitlements granted by the global TAP Cloud Collector role are described in the
following tables.
Requirements
l IAM Admin or IAM User access to the FireEye IAM Web UI.
To view the entitlements associated with the TAP Content Limited role:
2. Select Organization Settings > Roles. The Roles page lists the IAM global roles and
custom roles in your IAM organization.
3. Filter the list on the Name column, specifying the match string TAP in all uppercase
letters. (The search is case-sensitive.) The list refreshes and shows only the roles that
grant access to Helix.
List of Entitlements
The TAP Content Limited role has no entitlements.
Requirements
l IAM Admin or IAM User access to the FireEye IAM Web UI.
To view the entitlements associated with the TAP Federated Analyst role:
2. Select Organization Settings > Roles. The Roles page lists the IAM global roles and
custom roles in your IAM organization.
3. Filter the list on the Name column, specifying the match string TAP in all uppercase
letters. (The search is case-sensitive.) The list refreshes and shows only the roles that
grant access to Helix.
List of Entitlements
The Helix entitlements granted by the global TAP Federated Analyst role are described in
the following tables.
Alerts
tap.alerts.add Whether a user can create new alerts
tap.alerts.read Whether a user can view all individual alerts and their notes
Alert Suppressions
tap.alert.suppressions.add Whether a user can create new alert suppressions
Analytics
tap.analytics.browse Whether a user can browse all analytical advisories
Appliance Management
tap.appliance.management Whether a user can access appliance actions and configurations
Appliances
tap.appliances.add Whether a user can add appliances
Appliance Groups
tap.appliances.groups.add Whether a user can add appliance groups
tap.appliances.intel_feeds.read Whether a user can view individual appliance intel feed data
Archive Searches
tap.archivesearch.add Whether a user can create new archive searches
Assets
tap.assets.add Whether a user can add assets
Cases—Federated
tap.federarated.cases.add Whether a user can add federated cases
Dashboards
tap.dashboards.add Whether a user can create a new dashboard
Dashboards—Federated
tap.federated.dashboards.add Whether a user can create a new federated dashboard
Events
tap.events.browse Whether a user can browse all events on alerts and incidents
Incidents
tap.incidents.add Whether a user can create a new incident
tap.incidents.read Whether a user can view all individual incidents and their notes
Indicators
tap.indicators.add Whether a user can create a new indicator
Intel Feeds—Federated
tap.federated.intel_feeds.add Whether a user can create new federated intel feeds or observables
tap.federated.intel_feeds.read Whether a user can view all individual federated intel feeds or
observables
Lists
tap.lists.add Whether a user can create a new customer list
Reports
tap.reports.add Whether a user can create new reports
Reports—Federated
tap.federated.reports.add Whether a user can create new federated reports
Rules
tap.rules.add Whether a user can create a new rule
tap.rules.read Whether a user can view individual rules and their notes
Rule Packs
tap.rulepacks.add Whether a user can create new rule packs
Scheduled Searches
tap.scheduledsearch.add Whether a user can create new scheduled searches
Searches
tap.search.browse Whether a user can execute a search
Security Orchestrator
tap.security_orchestrator.playbook.browse Whether a user can browse Security Orchestrator playbook details and execution results
Sensors
tap.sensors.add Whether a user can add sensors
Threats
tap.threats.browse Whether a user can browse all threats
tap.threats.read Whether a user can view all individual threats and notes
Widgets
tap.widgets.add Whether a user can create a new widget
Widgets—Federated
tap.federated.widgets.add Whether a user can create a new federated widget
Requirements
l IAM Admin or IAM User access to the FireEye IAM Web UI.
To view the entitlements associated with the TAP Federated Analyst Limited role:
2. Select Organization Settings > Roles. The Roles page lists the IAM global roles and
custom roles in your IAM organization.
3. Filter the list on the Name column, specifying the match string TAP in all uppercase
letters. (The search is case-sensitive.) The list refreshes and shows only the roles that
grant access to Helix.
List of Entitlements
The Helix entitlements granted by the global TAP Federated Analyst Limited role are
described in the following tables.
Alerts
tap.alerts.add Whether a user can create new alerts
tap.alerts.read Whether a user can view all individual alerts and their notes
Alerts—Federated
tap.federated.alerts.add Whether a user can create new federated alerts
tap.federated.alerts.browse Whether a user can browse all alerts aggregated from child
organizations
tap.federated.alerts.edit Whether a user can edit federated alerts and their notes
tap.federated.alerts.read Whether a user can view all individual federated alerts and their
notes
Alert Suppressions
tap.alert.suppressions.add Whether a user can create new alert suppressions
Alert Suppressions—Federated
tap.federated.alert.suppressions.add Whether a user can create new federated alert suppressions
tap.federated.alert.suppressions.browse Whether a user can browse all alert suppressions across child
organizations
Analytics
tap.analytics.browse Whether a user can browse all analytical advisories
Appliance Management
tap.appliance.management Whether a user can access appliance actions and configurations
Appliances
tap.appliances.add Whether a user can add appliances
Appliance Groups
tap.appliances.groups.add Whether a user can add appliance groups
tap.appliances.intel_feeds.read Whether a user can view individual appliance intel feed data
Archive Searches
tap.archivesearch.add Whether a user can create new archive searches
Archive Searches—Federated
tap.federated.archivesearch.add Whether a user can create new federated archive searches
Assets
tap.assets.add Whether a user can add assets
Cases—Federated
tap.federarated.cases.add Whether a user can add federated cases
Dashboards
tap.dashboards.add Whether a user can create a new dashboard
Dashboards—Federated
tap.federated.dashboards.add Whether a user can create a new federated dashboard
Events
tap.events.browse Whether a user can browse all events on alerts and incidents
Incidents
tap.incidents.add Whether a user can create a new incident
tap.incidents.read Whether a user can view all individual incidents and their notes
Indicators
tap.indicators.add Whether a user can create a new indicator
Intel Feeds—Federated
tap.federated.intel_feeds.add Whether a user can create new federated intel feeds or observables
tap.federated.intel_feeds.read Whether a user can view all individual federated intel feeds or
observables
Lists
tap.lists.add Whether a user can create a new customer list
Policies
tap.rbac.policy.add Whether a user can create new data policies
tap.rbac.policy.user.browse Whether a user can view all users assigned to individual data
policies
Reports
tap.reports.add Whether a user can create new reports
Reports—Federated
tap.federated.reports.add Whether a user can create new federated reports
Rules
tap.rules.add Whether a user can create a new rule
tap.rules.read Whether a user can view individual rules and their notes
Rule Packs
tap.rulepacks.add Whether a user can create new rule packs
Scheduled Searches
tap.scheduledsearch.add Whether a user can create new scheduled searches
Scheduled Searches—Federated
tap.scheduledsearch.add Whether a user can create new federated scheduled searches
Searches
tap.search.browse Whether a user can execute a search
Searches—Federated
tap.federated.search.browse Whether a user can execute a search across child organizations
Security Orchestrator
tap.security_orchestrator.playbook.browse Whether a user can browse Security Orchestrator playbook details and execution results
tap.security_orchestrator.playbook.config.read Whether a user can read a Security Orchestrator device configuration
Sensors
tap.sensors.add Whether a user can add sensors
Threats
tap.threats.browse Whether a user can browse all threats
tap.threats.read Whether a user can view all individual threats and notes
Widgets
tap.widgets.add Whether a user can create a new widget
Widgets—Federated
tap.federated.widgets.add Whether a user can create a new federated widget
Requirements
l IAM Admin or IAM User access to the FireEye IAM Web UI.
To view the entitlements associated with the TAP Federated Organization Admin role:
2. Select Organization Settings > Roles. The Roles page lists the IAM global roles and
custom roles in your IAM organization.
3. Filter the list on the Name column, specifying the match string TAP in all uppercase
letters. (The search is case-sensitive.) The list refreshes and shows only the roles that
grant access to Helix.
List of Entitlements
The entitlements granted by the TAP Federated Organization Admin role are described in
the following tables.
Alerts
tap.alerts.add Whether a user can create new alerts
tap.alerts.read Whether a user can view all individual alerts and their notes
Alerts—Federated
tap.federated.alerts.add Whether a user can create new federated alerts
tap.federated.alerts.browse Whether a user can browse all alerts aggregated from child
organizations
tap.federated.alerts.edit Whether a user can edit federated alerts and their notes
tap.federated.alerts.read Whether a user can view all individual federated alerts and their
notes
Alert Suppressions
tap.alert.suppressions.add Whether a user can create new alert suppressions
Alert Suppressions—Federated
tap.federated.alert.suppressions.add Whether a user can create new federated alert suppressions
tap.federated.alert.suppressions.browse Whether a user can browse all alert suppressions across child
organizations
Analytics
tap.analytics.browse Whether a user can browse all analytical advisories
Appliance Management
tap.appliance.management Whether a user can access appliance actions and configurations
Appliances
tap.appliances.add Whether a user can add appliances
Appliance Groups
tap.appliances.groups.add Whether a user can add appliance groups
tap.appliances.intel_feeds.read Whether a user can view individual appliance intel feed data
Archive Searches
tap.archivesearch.add Whether a user can create new archive searches
Archive Searches—Federated
tap.federated.archivesearch.add Whether a user can create new federated archive searches
Assets
tap.assets.add Whether a user can add assets
Cases—Federated
tap.federarated.cases.add Whether a user can add federated cases
Dashboards
tap.dashboards.add Whether a user can create a new dashboard
Dashboards—Federated
tap.federated.dashboards.add Whether a user can create a new federated dashboard
Events
tap.events.browse Whether a user can browse all events on alerts and incidents
Incidents
tap.incidents.add Whether a user can create a new incident
tap.incidents.read Whether a user can view all individual incidents and their notes
Indicators
tap.indicators.add Whether a user can create a new indicator
Intel Feeds—Federated
tap.federated.intel_feeds.add Whether a user can create new federated intel feeds or observables
tap.federated.intel_feeds.read Whether a user can view all individual federated intel feeds or
observables
Lists
tap.lists.add Whether a user can create a new customer list
Policies
tap.rbac.policy.add Whether a user can create new data policies
tap.rbac.policy.user.browse Whether a user can view all users assigned to individual data
policies
Reports
tap.reports.add Whether a user can create new reports
Reports—Federated
tap.federated.reports.add Whether a user can create new federated reports
Rules
tap.rules.add Whether a user can create a new rule
tap.rules.read Whether a user can view individual rules and their notes
Rule Packs
tap.rulepacks.add Whether a user can create new rule packs
Saved Searches
tap.savedsearch.admin Whether a user can modify other users' saved searches
Scheduled Searches
tap.scheduledsearch.add Whether a user can create new scheduled searches
Searches
tap.search.browse Whether a user can execute a search
Searches—Federated
tap.federated.search.browse Whether a user can execute a search across child organizations
tap.federated.search.regex Whether a user can execute a regular expression search across child
organizations
Security Orchestrator
tap.security_orchestrator.playbook.browse Whether a user can browse Security Orchestrator playbook details and execution results
Sensors
tap.sensors.add Whether a user can add sensors
Threats
tap.threats.browse Whether a user can browse all threats
tap.threats.read Whether a user can view all individual threats and notes
Users
tap.rbac.user.add Whether a user can create new users
tap.rbac.user.constraint.browse Whether a user can view all role constraints for individual users
tap.rbac.user.permission.browse Whether a user can view all permissions for individual users
tap.rbac.user.policy.browse Whether a user can view all data policies for individual users
tap.rbac.user.policy.delete Whether a user can revoke data policies for individual users
Widgets
tap.widgets.add Whether a user can create a new widget
Widgets—Federated
tap.federated.widgets.add Whether a user can create a new federated widget
Requirements
l IAM Admin or IAM User access to the FireEye IAM Web UI.
To view the entitlements associated with the TAP Organization Administrator role:
2. Select Organization Settings > Roles. The Roles page lists the IAM global roles and
custom roles in your IAM organization.
3. Filter the list on the Name column, specifying the match string TAP in all uppercase
letters. (The search is case-sensitive.) The list refreshes and shows only the roles that
grant access to Helix.
List of Entitlements
The Helix entitlements granted by the global TAP Organization Administrator role are
described in the following tables.
Alerts
tap.alerts.add Whether a user can create new alerts
tap.alerts.read Whether a user can view all individual alerts and their notes
Alert Suppressions
tap.alert.suppressions.add Whether a user can create new alert suppressions
Analytics
tap.analytics.browse Whether a user can browse all analytical advisories
Appliance Management
tap.appliance.management Whether a user can access appliance actions and configurations
Appliances
tap.appliances.add Whether a user can add appliances
Appliance Groups
tap.appliances.groups.add Whether a user can add appliance groups
tap.appliances.intel_feeds.read Whether a user can view individual appliance intel feed data
Archive Searches
tap.archivesearch.add Whether a user can create new archive searches
Assets
tap.assets.add Whether a user can add assets
Dashboards
tap.dashboards.add Whether a user can create a new dashboard
Events
tap.events.browse Whether a user can browse all events on alerts and incidents
Incidents
tap.incidents.add Whether a user can create a new incident
tap.incidents.read Whether a user can view all individual incidents and their notes
Indicators
tap.indicators.add Whether a user can create a new indicator
Lists
tap.lists.add Whether a user can create a new customer list
Policies
tap.rbac.policy.add Whether a user can create new data policies
tap.rbac.policy.user.browse Whether a user can view all users assigned to individual data
policies
Reports
tap.reports.add Whether a user can create new reports
Rules
tap.rules.add Whether a user can create a new rule
tap.rules.read Whether a user can view individual rules and their notes
Rule Packs
tap.rulepacks.add Whether a user can create new rule packs
Saved Searches
tap.savedsearch.admin Whether a user can modify other users' saved searches
Scheduled Searches
tap.scheduledsearch.add Whether a user can create new scheduled searches
Searches
tap.search.browse Whether a user can execute a search
Security Orchestrator
tap.security_orchestrator.playbook.browse Whether a user can browse Security Orchestrator playbook details and execution results
tap.security_orchestrator.playbook.config.read Whether a user can read a Security Orchestrator device configuration
Sensors
tap.sensors.add Whether a user can add sensors
Threats
tap.threats.browse Whether a user can browse all threats
tap.threats.read Whether a user can view all individual threats and notes
Users
tap.rbac.user.add Whether a user can create new users
tap.rbac.user.constraint.browse Whether a user can view all role constraints for individual users
tap.rbac.user.permission.browse Whether a user can view all permissions for individual users
tap.rbac.user.policy.browse Whether a user can view all data policies for individual users
tap.rbac.user.policy.delete Whether a user can revoke data policies for individual users
Widgets
tap.widgets.add Whether a user can create a new widget
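The TAP role tables above are meant to be read as nested sets (Analyst Limited within Analyst, Federated Analyst Limited within Federated Organization Admin, and so on), but a flattened list of several dozen ids is hard to compare by eye, and it is easy to assign a role that grants more than intended. The following Python script is an added example, not FireEye code: it parses excerpts of the tables as printed in this guide (constructed sample input, copied from the Alerts, Policies, Saved Searches, Searches, Security Orchestrator, Users and Scheduled Searches groups above) into sets, reports what one role grants beyond another, and flags ids that sit under a federated heading without a federated segment in the id, or that are listed under two headings, which is the shape of the federated Scheduled Searches entry in the TAP Federated Analyst Limited table.

```python
"""Compare Helix (TAP) role entitlement lists and flag naming anomalies.

Added example; not part of the FireEye guide or product. The role excerpts
below are constructed sample input pasted from the guide's flattened tables.
"""
import re

TAP_ANALYST = """\
Alerts
tap.alerts.add Whether a user can create new alerts
tap.alerts.read Whether a user can view all individual alerts and their notes
Searches
tap.search.browse Whether a user can execute a search
Security Orchestrator
tap.security_orchestrator.playbook.browse Whether a user can browse Security Orchestrator playbook details and execution results
"""

TAP_ORG_ADMIN = """\
Alerts
tap.alerts.add Whether a user can create new alerts
tap.alerts.read Whether a user can view all individual alerts and their notes
Policies
tap.rbac.policy.add Whether a user can create new data policies
Saved Searches
tap.savedsearch.admin Whether a user can modify other users' saved searches
Searches
tap.search.browse Whether a user can execute a search
Security Orchestrator
tap.security_orchestrator.playbook.browse Whether a user can browse Security Orchestrator playbook details and execution results
tap.security_orchestrator.playbook.config.read Whether a user can read a Security Orchestrator device configuration
Users
tap.rbac.user.add Whether a user can create new users
tap.rbac.user.policy.delete Whether a user can revoke data policies for individual users
"""

# Excerpt of the TAP Federated Analyst Limited table as printed in the guide:
# the same id appears under both the plain and the federated heading.
TAP_FED_ANALYST_LIMITED = """\
Scheduled Searches
tap.scheduledsearch.add Whether a user can create new scheduled searches
Scheduled Searches—Federated
tap.scheduledsearch.add Whether a user can create new federated scheduled searches
Searches—Federated
tap.federated.search.browse Whether a user can execute a search across child organizations
"""

# An entitlement line starts with a dotted lowercase id such as tap.alerts.add;
# any other non-empty line is a resource-group heading.
ENTITLEMENT_RE = re.compile(r"^([a-z][a-z0-9_]*(?:\.[a-z0-9_]+)+)\s+(.*)$")


def parse_entitlements(text):
    """Parse a flattened table into a list of (group, entitlement_id, description)."""
    records = []
    group = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTITLEMENT_RE.match(line)
        if match:
            records.append((group, match.group(1), match.group(2)))
        else:
            group = line
    return records


def entitlement_ids(records):
    """The set of entitlement ids in a parsed table."""
    return {eid for _, eid, _ in records}


def diff_roles(base_text, target_text):
    """Return (ids the target grants beyond the base, ids the base has that the target lacks)."""
    base = entitlement_ids(parse_entitlements(base_text))
    target = entitlement_ids(parse_entitlements(target_text))
    return sorted(target - base), sorted(base - target)


def is_superset(base_text, target_text):
    """True when the target role grants every entitlement of the base role."""
    _, missing = diff_roles(base_text, target_text)
    return not missing


def federated_naming_anomalies(text):
    """Flag ids under a federated heading that have no '.federated.' segment,
    and ids that appear under more than one heading. Either usually means a
    documentation error or an entitlement that does not actually scope to
    child organizations, so it deserves a check in the IAM Web UI before use."""
    seen = {}
    anomalies = []
    for group, eid, _ in parse_entitlements(text):
        if group and "Federated" in group and ".federated." not in eid:
            anomalies.append((eid, f"listed under '{group}' but not a federated id"))
        if eid in seen and seen[eid] != group:
            anomalies.append((eid, f"also listed under '{seen[eid]}'"))
        seen.setdefault(eid, group)
    return anomalies


if __name__ == "__main__":
    extra, missing = diff_roles(TAP_ANALYST, TAP_ORG_ADMIN)
    print("Org Admin grants beyond Analyst:", extra)
    print("Analyst entitlements missing from Org Admin:", missing)
    for eid, why in federated_naming_anomalies(TAP_FED_ANALYST_LIMITED):
        print("anomaly:", eid, why)
```

To check a custom role before assigning it, paste its full Assigned Entitlements list (and the global role it is meant to shadow) into the two strings and confirm `diff_roles` reports nothing unexpected in the first list; the naming check is worth running on any role whose table has federated groups.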
Requirements
l IAM Admin or IAM User access to the FireEye IAM Web UI.
To view the entitlements associated with the FireEye Threat Intelligence—Included role:
2. Select Organization Settings > Roles. The Roles page lists the IAM global roles and
custom roles in your IAM organization.
3. Filter the list on the Description column, specifying the match string INTEL in all
uppercase letters. (The search is case-sensitive.) The list refreshes and shows only
the roles that grant access to FireEye Threat Intelligence.
List of Entitlements
Users assigned the FireEye Threat Intelligence—Included role have access to the FireEye
iSIGHT Intelligence Portal (FIIP) directly from the Helix Web UI.
The entitlements granted by the Included role are described in the following table.
Entitlement Description
intel.rbi.operational Whether a user can access the FireEye iSIGHT Intelligence Portal (FIIP) from the Helix
Web UI.
intel.report.show Whether a user can view a FIIP report from the Helix Web UI.
intel.tmh Whether a user can access Threat Media Highlights from the Helix Web UI.
intel.tools.analysis Whether a user can access FIIP analysis tools from the Helix Web UI.
l About IAM Global Roles for FireEye Appliances on the facing page
The following table summarizes the IAM global roles for FireEye appliances.

Role          Central Management   Email Security — Server Edition   Network Security   Endpoint Security
Admin         ✔                    ✔                                 ✔                  ✔
Analyst       ✔                    ✔                                 ✔                  ✔
Analyst SR    ―                    ―                                 ―                  ✔
API Admin     ―                    ―                                 ―                  ✔
API Analyst   ―                    ―                                 ―                  ✔
Auditor       ✔                    ✔                                 ✔                  ✔
FE Service    ―                    ―                                 ―                  ✔
Investigator  ―                    ―                                 ―                  ✔
Monitor       ✔                    ✔                                 ✔                  ✔
Operator      ✔                    ✔                                 ✔                  ✔
Reject        ✔                    ✔                                 ✔                  ✔
l Admin―This is a "super user" role for each appliance type. The primary function of
this role is to configure the system.
l Monitor―This role has read-only access to some of the Admin role capabilities for
the appliance type, and it has access to some appliance-specific malware analysis
functions.
l Operator―This role has a subset of the Admin role capabilities for the appliance
type. Its primary function is configuring and monitoring the system.
l Org Admin―This is a "super user" role for all appliance types. The primary function
of this role is to configure the system.
l Reject―This role is denied access of any kind to the appliance type.
The following FireEye IAM global roles are provided for HX Series appliances only:
l API Admin―This role grants basic and extended API authorization for HX Series
appliance features. The extended authorization allows a user to maintain custom
policy channels and to contain hosts.
l API Analyst―This role grants only basic API authorization for HX Series appliance
features.
l Analyst SR―This role is the same as the Analyst role, except the Analyst SR role
can also request file acquisitions. An Analyst SR cannot approve containment
requests or stop containment of host endpoints.
l FE Services―This role is for a FireEye as a Service (FAAS) analyst on HX Series
appliances that have an MD_ACCESS license. The role does allow the user to create
additional FE Services users unless an MD_ACCESS license is installed.
l Investigator―This role is the same as the Analyst SR role for HX Series appliances,
but the Investigator can also stop containment of host endpoints.
Requirements
l IAM Admin or IAM User access to the FireEye IAM Web UI.
To view the list of IAM roles for FireEye Central Management appliances:
2. Filter the list on the Name column, specifying the match string CM in all capital
letters. (The filter is case-sensitive.) The list refreshes and shows only the roles that
grant access to Central Management appliances.
The global roles for Central Management appliances each map to a single
entitlement that represents multiple access privileges.
List of Entitlements
The IAM global roles for Central Management appliances have the following entitlements:
FireEye Central Management Appliance Role   Entitlement   Description
Requirements
l IAM Admin or IAM User access to the FireEye IAM Web UI.
To view the list of IAM roles for FireEye Email Security — Server Edition appliances:
2. Filter the list on the Name column, specifying the match string EX in all capital
letters. (The filter is case-sensitive.) The list refreshes and shows only the roles that
grant access to Email Security — Server Edition appliances.
The global roles for Email Security — Server Edition appliances each map to a
single entitlement that represents multiple access privileges.
List of Entitlements
The IAM global roles for Email Security — Server Edition appliances have the following
entitlements:
FireEye Email Security Appliance Role   Entitlement   Description
Requirements
l IAM Admin or IAM User access to the FireEye IAM Web UI.
To view the list of IAM roles for FireEye Network Security appliances:
2. Filter the list on the Name column, specifying the match string NX in all capital
letters. (The filter is case-sensitive.) The list refreshes and shows only the roles that
grant access to Network Security appliances.
The global roles for Network Security appliances each map to a single entitlement
that represents multiple access privileges.
List of Entitlements
The IAM global roles for Network Security appliances have the following entitlements:
FireEye Network Security Appliance Role   Entitlement   Description
Requirements
l IAM Admin or IAM User access to the FireEye IAM Web UI.
To view the list of IAM roles for FireEye Endpoint Security appliances:
2. Filter the list on the Name column, specifying the match string HX in all capital
letters. (The filter is case-sensitive.) The list refreshes and shows only the roles that
grant access to HX Series appliances.
The global roles for Endpoint Security appliances each map to a single entitlement
that represents multiple access privileges.
List of Entitlements
The IAM roles for Endpoint Security appliances have the following entitlements:
Entitlement Description
l FireEye Admin
l FireEye Analyst
l FireEye Auditor
l FireEye Monitor
l FireEye Operator
l FireEye Reject
These job-specific roles are product-agnostic rather than product-specific. Each role grants
job-specific access privileges for all supported FireEye appliance types: CM Series,
EX Series, NX Series, and HX Series appliances. The roles act as "fallback roles" because a
FireEye appliance will apply a fallback role only for users that are not assigned any
appliance-specific roles.
As an example, the FireEye Auditor role grants permissions typically needed by Auditors
on CM Series, EX Series, NX Series, and HX Series appliances.
If a user account is not assigned any HX Series appliance roles, then HX Series appliance
local role capabilities are used for these roles.
Requirements
l IAM Admin or IAM User access to the FireEye IAM Web UI.
The list refreshes and shows only the six fallback roles for FireEye appliances, plus
the FireEye Appliance Org Admin role.
Each global fallback role maps to a single entitlement that represents a collection of
individual access privileges for a specific role for any appliance type.
List of Entitlements
For each type of FireEye appliance fallback role―Admin, Analyst, Auditor, Monitor,
Operator, and Reject―there is a single entitlement that grants role-specific (not appliance-
specific) privileges for all of the FireEye appliance types:
Entitlement Description
appliance.role.admin The fallback Admin permissions for any type of FireEye appliance
appliance.role.analyst The fallback Analyst permissions for any type of FireEye appliance
appliance.role.auditor The fallback Auditor permissions for any type of FireEye appliance
appliance.role.monitor The fallback Monitor permissions for any type of FireEye appliance
appliance.role.operator The fallback Operator permissions for any type of FireEye appliance
appliance.role.reject The fallback Reject permissions for any type of FireEye appliance
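As an added illustration (not FireEye's own code) of the fallback-role rule described above and of the fallback entitlements just listed, the following models role availability from the summary table of IAM global roles and resolves which roles an appliance of a given type applies to a user; the assignment format is an assumption made for the example.

```python
# Added example, not FireEye's code: models the fallback-role rule (an appliance
# applies a fallback role only to a user with no role specific to that appliance
# type). Appliance types and per-appliance role availability come from the
# summary table of IAM global roles; fallback entitlement names come from the
# entitlement table. The (appliance, role) assignment format is an assumption.

APPLIANCES = ("CM", "EX", "NX", "HX")

# Summary table: a ✔ cell becomes membership in the role's set of appliance types.
ROLE_AVAILABILITY = {
    "Admin": set(APPLIANCES), "Analyst": set(APPLIANCES),
    "Auditor": set(APPLIANCES), "Monitor": set(APPLIANCES),
    "Operator": set(APPLIANCES), "Reject": set(APPLIANCES),
    "Analyst SR": {"HX"}, "API Admin": {"HX"}, "API Analyst": {"HX"},
    "FE Service": {"HX"}, "Investigator": {"HX"},
}

# Product-agnostic fallback roles and the single entitlement each maps to.
FALLBACK_ENTITLEMENT = {
    "FireEye Admin": "appliance.role.admin",
    "FireEye Analyst": "appliance.role.analyst",
    "FireEye Auditor": "appliance.role.auditor",
    "FireEye Monitor": "appliance.role.monitor",
    "FireEye Operator": "appliance.role.operator",
    "FireEye Reject": "appliance.role.reject",
}

def role_available(appliance, role):
    """True when the summary table lists `role` for this appliance type."""
    return appliance in ROLE_AVAILABILITY.get(role, set())

def invalid_assignments(assignments):
    """Appliance-specific assignments the summary table does not allow."""
    return [(a, r) for a, r in assignments if a != "*" and not role_available(a, r)]

def effective_access(assignments, appliance):
    """Resolve what an appliance of type `appliance` applies to the user.
    Assignments are (appliance_type, role) pairs; "*" marks a fallback role.
    Returns ("appliance", roles), ("fallback", entitlements) or ("none", [])."""
    specific = [r for a, r in assignments if a == appliance]
    if specific:
        return "appliance", specific
    fallback = [FALLBACK_ENTITLEMENT[r] for a, r in assignments
                if a == "*" and r in FALLBACK_ENTITLEMENT]
    return ("fallback", fallback) if fallback else ("none", [])

if __name__ == "__main__":
    user = [("HX", "Analyst SR"), ("*", "FireEye Auditor")]  # constructed sample
    print(invalid_assignments(user), effective_access(user, "HX"), effective_access(user, "NX"))
```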
Requirements
l IAM Admin or IAM User access to the FireEye IAM Web UI.
To view the list of IAM roles for the FireEye appliance fallback roles:
The list refreshes and shows only the six fallback roles for FireEye appliances, plus
the FireEye Appliance Org Admin role.
The FireEye Appliance Org Administrator role combines all of the IAM global roles
for FireEye appliances with the six FireEye appliance fallback roles.
3. Click FireEye Appliance Org Admin in the Name column.
The Assigned Entitlements panel lists the entitlements assigned to the role.
List of Entitlements
The FireEye Appliance Organization Administrator role has the following 41 entitlements:
Entitlement Description
Documentation
Documentation for all FireEye products is available on the FireEye Documentation Portal
(login required):
https://docs.fireeye.com/
© 2021 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands,
products, or service names are or may be trademarks or service marks of their respective owners.