PART I: Planning 9
PART V: Configuration 59
PART I: Planning
In this guide, you will see the Endpoint Security server and DMZ server referred to
as an Endpoint Security appliance or HXD appliance, respectively. These terms refer
to the same products.
Using Endpoint Security servers, you can continuously monitor endpoints for advanced
malware and indicators of compromise (IOCs) that routinely bypass signature-based and
defense-in-depth security systems. The Endpoint Security servers and DMZ servers allow
you to:
You can optionally install DMZ servers and connect them to a single Endpoint Security
server. DMZ servers are installed in public or Internet-facing network locations and are
used to maintain connectivity with externally connected host endpoints. Installation and
setup steps for DMZ servers are the same as for an Endpoint Security server. Requests
from agents to a DMZ server are proxied to the Endpoint Security server.
A single Endpoint Security ecosystem, which includes the Endpoint Security server
and its attached DMZ servers, can support up to 100,000 agents.
Your Endpoint Security (and DMZ) servers must run the same version of Endpoint
Security software. If they use different versions, communication between them will
fail.
You must identify the servers that will be your provisioning servers before you
download and deploy the FireEye Endpoint Security Agent installation software to
your host endpoints. When agent installation software is downloaded, the IP
addresses or DNS names of the provisioning Endpoint Security servers are
identified in the agent download package. See Setting up Provisioning on page 71.
The Central Management platform can be used to upgrade and manage Endpoint Security
(and DMZ) servers. See Integrating Central Management Appliances and Endpoint
Security Servers on page 85 for important details.
Appliance Addressing
Your enterprise can use IP addresses or domain names (DNS) when configuring
hostnames for agent communications with Endpoint Security servers.
• Configure a single DNS address that resolves to the Endpoint Security server and DMZ server (also known as a split DNS). This option is the most flexible arrangement. It allows you to move and renumber appliances without reconfiguring agents and eliminates unnecessary agent connection attempts to unreachable appliances. However, this solution requires a more complex DNS configuration. It may be challenging to execute consistently in large networks. See also Designating Provisioning Servers Using a Split DNS in the Web UI on page 75.
• Configure a unique DNS address for each Endpoint Security server and DMZ server. This option allows you to move or renumber appliances without reconfiguring agents. However, this option requires consistent internal DNS resolution of the appliance name and may cause extra connection attempts by external endpoints to internal appliances that they cannot reach.
• Configure a unique IP address for each Endpoint Security server and DMZ server. This option provides the most reliable connections from endpoints and does not require consistent internal DNS configuration throughout a large enterprise. However, this option is the least flexible option. If you move or renumber appliances, you may have to reinstall agents.
CHAPTER 2: System
Requirements
Before you deploy an Endpoint Security server, make sure the following requirements are
met.
This guide does not provide information about appliance throughput, performance,
or capacity. For information on this, see your FireEye representative.
Model Type | Model Number | Supported Endpoint Security Software Versions | Maximum Number of Endpoints
(Table rows not present in this extract.)
Cloud Endpoint Security server models are initially deployed by Trellix. Thereafter, you are
responsible for maintaining them. Cloud servers can be maintained in the same manner as
other Endpoint Security servers.
Cloud Endpoint Security servers have better performance than physical, on-premises,
Endpoint Security servers due to their storage configurations, which are based on SSD
volumes that are designed to deliver guaranteed performance.
• Hyper-V cluster storage mode is not supported for use with virtual Endpoint Security instances.
You can also host an Endpoint Security instance in your AWS account. For details, see
AWS on page 43.
Network Requirements
Connectivity with FireEye's Dynamic Threat Intelligence (DTI) network (one-way or two-way sharing) is required.
Endpoint Security appliances can download software updates (security content and system
images) from the FireEye Dynamic Threat Intelligence (DTI) network. With a two-way
content license, the appliance can also upload threat intelligence information to the DTI
network. By default, Central Management-managed appliances receive software updates
from the DTI network through the Central Management appliance.
• DNS (UDP/53)
• HTTPS (TCP/443)
Management interface ether1 requires a static IP address or reserved DHCP address and
subnet mask.
• Use DNS names instead of IP addresses in the firewall rules. The firewall rules will be automatically applied to the correct IP addresses as appropriate for avupdate.fireeye.com.
FireEye Endpoint Security uses HTTP over port 80 to deliver antivirus (AV) content.
This allows you to use a caching proxy to distribute the contents of your download
across your endpoints. The manifest for the content is signed with a 2048-bit RSA
private key to prevent tampering. If the content is altered, validation of the content
on the endpoint agent will fail and the content is discarded.
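The integrity check described above, as an added illustration that is not Trellix or FireEye code: the content publisher signs a manifest of file digests with an RSA private key, and the endpoint verifies that signature before it trusts any file it fetched over plain HTTP (which is what makes a caching proxy safe to use). The manifest layout, the function names, the PKCS#1 v1.5 signature scheme and the sample files are assumptions made for this example; the guide only states that a 2048-bit RSA key signs the manifest.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest is an assumed layout (not the Trellix format): file name -> hex SHA-256.
type Manifest struct {
	Version string            `json:"version"`
	Files   map[string]string `json:"files"`
}

// SignedManifest carries the serialized manifest and the publisher's RSA signature.
type SignedManifest struct {
	Body      []byte
	Signature []byte
}

// BuildManifest records the digest of every content file the publisher ships.
func BuildManifest(version string, files map[string][]byte) Manifest {
	m := Manifest{Version: version, Files: map[string]string{}}
	for name, data := range files {
		sum := sha256.Sum256(data)
		m.Files[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// SignManifest is the publisher side: sign SHA-256(manifest) with the private key.
func SignManifest(priv *rsa.PrivateKey, m Manifest) (SignedManifest, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Body: body, Signature: sig}, nil
}

// VerifyContent is the endpoint side: check the signature before parsing or
// trusting the manifest, then require every listed file to match its digest.
func VerifyContent(pub *rsa.PublicKey, sm SignedManifest, files map[string][]byte) error {
	digest := sha256.Sum256(sm.Body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sm.Signature); err != nil {
		return fmt.Errorf("manifest signature invalid: %w", err)
	}
	var m Manifest
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return fmt.Errorf("manifest unparseable: %w", err)
	}
	for name, want := range m.Files {
		data, ok := files[name]
		if !ok {
			return fmt.Errorf("file %q listed in manifest but not delivered", name)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("file %q altered in transit (digest mismatch)", name)
		}
	}
	return nil
}

// RunScenario uses a constructed 2048-bit key and constructed content to show:
// clean download accepted, altered file rejected, altered manifest rejected.
func RunScenario() (cleanAccepted, badFileRejected, badManifestRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	files := map[string][]byte{
		"av-signatures.dat": []byte("constructed AV signature blob"),
		"engine.bin":        []byte("constructed engine bytes"),
	}
	sm, err := SignManifest(priv, BuildManifest("2024.1", files))
	if err != nil {
		return
	}
	cleanAccepted = VerifyContent(&priv.PublicKey, sm, files) == nil
	tampered := map[string][]byte{ // a proxy on the path replaces one file
		"av-signatures.dat": []byte("constructed AV signature blob + injected"),
		"engine.bin":        files["engine.bin"],
	}
	badFileRejected = VerifyContent(&priv.PublicKey, sm, tampered) != nil
	forged := sm // manifest body edited by one byte; it cannot be re-signed without the key
	forged.Body = append(append([]byte{}, sm.Body...), ' ')
	badManifestRejected = VerifyContent(&priv.PublicKey, forged, tampered) != nil
	return
}

func main() {
	fmt.Println(RunScenario())
}
```

Run it with go run; it prints true true true <nil>. The design point is the order of checks: the signature over the manifest bytes is verified before the manifest is even parsed, so a caching proxy can serve the files over HTTP and still cannot substitute content, because any change to a file or to the manifest fails verification and the endpoint discards the whole download.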
Software Requirements
• Endpoint Security version software supported by the server type. See Supported Appliance Models on page 15.
• Central Management version 8.0.1 or later.
• FireEye Endpoint Security Agents supported by the Endpoint Security software version. See Endpoint Security Agent and Server Compatibility below.
product functionality. It also identifies, at a high level, the operating system environments
supported by each agent version. For details about operating system support, see
"Operating System Requirements" in the Endpoint Security Agent Administration Guide.
Endpoint Security Agent Version | Minimum Endpoint Security Version | Operating System Environments (Windows, macOS, Linux)
(Table rows not present in this extract.)
NOTE: Trellix recommends that you upgrade and deploy your Endpoint Security
server software before you upgrade and deploy your Endpoint Security Agent
software.
Licensing Requirements
The following table shows the licenses that can be installed for Endpoint Security servers.
License | Description | Form Factors¹ | Server Required?² (Server) | Server Required?² (DMZ Server)
FIREEYE_APPLIANCE | Required to register your server and use the product features. | All | Yes | Yes
FIREEYE_SUPPORT | Allows your system to receive software image updates. | All | Yes | Yes
Ensure that you perform regular backups of your cloud Endpoint Security, using the
instructions found in "Backing up the Database" in the Endpoint Security User Guide.
Maintain a current copy of your PKI certificates using the instructions in "Managing
HX Series PKI Certificates" in the Endpoint Security System Administration Guide.
Endpoint Security Servers are rated up to 100,000 agents. Cloud Endpoint Security Servers
have better performance than physical, on-premises, Endpoint Security servers due to their
storage configurations, which are based on SSD volumes that are designed to deliver
guaranteed performance. Virtual Endpoint Security performance will vary, depending on
the hardware resources you have selected for the server.
For more information about specific Endpoint Security models, see Supported
Appliance Models on page 15.
If you need to migrate your agents or server settings from an existing on-premises
Endpoint Security server to a cloud server, see Migrating Between On-Premises Endpoint
Security Appliances and Cloud Endpoint Security Servers on page 133.
In a new cloud Endpoint Security environment, the server and associated DMZ server
instances (if a DMZ is used) are attached for you. If you migrate an on-premises HX server
to a cloud server, the cloud server and any DMZ server will be detached and reattached
during the migration.
Prerequisites
• Deployment of an Endpoint Security in the cloud is supported for Endpoint Security 3.6.0 and later versions.
Task 1: Configure other system administration features such as AAA, SSL certificates, and SNMP data access.
Instructions: See the FireEye System Security Guide and the Endpoint Security System Administration Guide.

Task 4: Obtain the agent installation package.
Instructions: If your Endpoint Security server is connected to the DTI, the most recent Windows, macOS, and Linux agent images are automatically downloaded to the server after the DTI connection is established. If your Endpoint Security is not connected to the DTI or if you need an older agent image than the ones that have been downloaded, you will need to manually download the agent image you need. See the appropriate version of the Endpoint Security Agent Deployment Guide.

Task 5: Install the agent software on your host endpoints.
Instructions: See the appropriate version of the Endpoint Security Agent Deployment Guide. A single cloud Endpoint Security ecosystem can support up to 100,000 agents.

Task 6: Optionally, connect your Endpoint Security server to Helix.
Instructions: After you have deployed your cloud ecosystem and installed the agent software on your endpoints, the cloud Endpoint Security ecosystem can be integrated with Helix. This integration is set up for you by Trellix. If you connect your Endpoint Security server to Helix, see the Helix Getting Started Guide for information on how to get started with Helix. See also the FireEye System Security Guide for information on Helix's Identity Access Management (IAM) and single sign-on (SSO) authentication. In Helix, Central Management of a cloud Endpoint Security is set up using the Central Management Web UI. (Errors result for attempts to set up server management using the Central Management CLI.) See the appendix "Configuring a Managed Appliance" in the FireEye System Security Guide.

Task 7: Optionally, connect your Endpoint Security server to a Central Management Series appliance.
Instructions: After you have deployed your cloud Endpoint Security ecosystem and installed the agent software on your endpoints, you can integrate the cloud ecosystem with a cloud Central Management appliance. For more information, see Integrating Central Management Appliances and Endpoint Security Servers on page 85. Additional information for managing your Endpoint Security Servers through the Central Management appliance is provided in the Endpoint Security System Administration Guide.
NOTE: The VM specifications are displayed when you make your selection in the
Azure portal.
NOTE: This document provides the basic steps for launching virtual Trellix
appliances, and assumes familiarity with launching virtual machines in Azure. For
comprehensive information, see the Azure documentation provided by Microsoft.
Task 2: Obtain the Endpoint Security blob .vhd file from Trellix.
Description: The file is provided through your Azure account.

Task 3: Create an image file from the .vhd file.
Description: See Creating an Image File from an Azure Blob File on the next page.

Task 6: Stop the virtual machine and attach the network interfaces.
Description: See Attaching Network Interfaces to the Virtual Machine on page 38.

Task 7: Start the virtual machine and perform the initial configuration of the appliance.
Description: See Performing the Endpoint Security Initial Configuration on Microsoft Azure on page 39.
IMPORTANT: The navigation instructions and user interface may vary based on
the Azure portal version that is running when you create your virtual appliance.
These procedures show only one way to navigate to resources in the Azure portal.
NOTE: These procedures cover the required settings for a virtual Endpoint Security
appliance. You can accept the default values for the other settings, or specify values
that are appropriate for your environment.
1. In the Azure portal, select All services, and then click Images under Compute.
2. Click Add. The Create image page opens.
3. Enter a Name for the image.
4. Make sure the correct Subscription is selected.
5. Select your Resource group.
6. Make sure the correct region (Location) is selected.
7. Select Linux as the OS type.
8. For Storage blob, click Browse and navigate to and select the .vhd file.
9. Click Create.
on monitoring interfaces to ensure that all network traffic reaches the Endpoint Security
appliance.
To create a network interface:
1. In the Azure portal, select All services, and then click Network interfaces under
Networking.
2. Click Add. The Create network interface page opens.
3. Make sure the correct Subscription is selected.
4. Select the correct Resource group.
5. Enter a meaningful Name for the interface.
6. Make sure the correct Region, Virtual network, and Subnet are selected.
IMPORTANT: Each interface must be in a separate subnet.
1. In the Azure portal, select All services, and then select Images under Compute.
2. Select the image you created in Creating an Image File from an Azure Blob File on
the previous page.
3. Click Create VM.
4. Select the tabs at the top of the Create a virtual machine page, and configure
settings as described in the following sections.
NOTE: Settings that are not required for an Endpoint Security virtual
appliance are not covered in these sections. You can accept the default
values for the other settings, or specify values that are appropriate for your
environment.
Basics
The Basics page contains the following sections.
Project details
• Make sure the correct Subscription and Resource group are selected.
Instance details
• Enter a Virtual machine name.
• Make sure the correct Region is selected.
• Make sure the correct Image is selected.
• Select the virtual machine Size based on your requirements. The specifications are displayed when you make your selection.
NOTE: For a list of the sizes supported for an Endpoint Security virtual machine, see Endpoint Security Models and Sizes on page 31.
Administrator account
You can use this section to configure an SSH key to authenticate the initial admin user in
the appliance CLI.
IMPORTANT: You must select the SSH public key option for Authentication Type.
• The Username you provide is ignored during the first CLI login attempt, because the first login user is always "admin." You can create additional admin user accounts later from the appliance Web UI or CLI.
• If you enter a Password, it cannot be used when you initially log in to the virtual appliance from the Azure console or an SSH session. You must log in to the Azure console using "admin" as the username, and then immediately change the password. You can then log in to the virtual appliance CLI in an SSH session, and run the configuration jump-start wizard. You can optionally change the password again in the wizard. You can then configure SSH public keys from the virtual appliance Web UI or CLI.
• If you enter an SSH public key, you will be unable to log in to the Azure console, but you can use the key to log in to the virtual appliance CLI in an SSH session. After you run the configuration jump-start wizard and set a password, you can use that password to log in to the Azure console.
IMPORTANT: You cannot change the SSH key from the Azure portal after the
virtual machine is created. You must use the virtual appliance Web UI or CLI to
change it.
Networking
• Make sure the correct Virtual network and Subnet are selected.
• Accept the default Public IP, unless you plan to deploy the virtual machine in a VPN or behind a NAT device.
• Click Advanced for NIC network security group.
• Select the correct security group for Configure network security group.
• Make sure Accelerated networking is Off.
Tags
• Define name and value pairs for the tags to apply to the virtual machine.
Review + create
• Click Create after the validation passes and you confirm the information on the page.
NOTE: Performing this process is especially applicable for the 4502 model, since you
cannot increase the disk size when you create the virtual machine.
IMPORTANT: Attach the interfaces in numeric order. For example, attach ether2,
pether3, and then pether4.
To attach an interface:
Step: Enter activation code?
Response: Enter the activation code for the appliance.

Step: Enable remote access for 'admin' user?
Response: Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Step: Use DHCP on ether1 interface?
Response: Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the appliance IP address and other network parameters. If you enter yes, the ether1 interface will obtain its IP address from the default Azure ether1 interface. (If you enter yes, the zeroconf and static IP addressing steps are skipped.) Enter no to manually configure your IP address and network settings.

Step: Use zeroconf on ether1 interface?
Response: Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network mask. (If you specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary interface.

Step: Primary IP address and masklen?
Response: Enter the IP address for the management interface in A.B.C.D format and enter the network mask (for example, 1.1.1.2 /24). IMPORTANT: Enter the IP address that Azure assigned to the ether1 interface.

Step: Default gateway?
Response: Enter the gateway IP address for the management interface.

Step: Domain name?
Response: Enter the domain for the management interface (for example, it.acme.com).

Step: Enable Incident Response or Compromise Assessment?
Response: Enter no. These features are not supported in Azure deployments.

Step: Enable fenet license update service?
Response: Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product license key and the step that prompts for the security-content updates key.)

Step: Sync appliance time with fenet?
Response: Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service, synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Step: Update licenses from fenet?
Response: Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Step: Enable NTP?
Response: Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers. Enter no to manually set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync appliance time with fenet?" or "Enable Incident Response or Compromise Assessment" step.) If you enter no, specify the time and date in subsequent steps.

Step: Enable FaaS VPN?
Response: Enter yes to enable the appliance to connect to FireEye as a Service over the Internet using a secure SSL VPN connection. (This step is skipped if no MD_ACCESS license is installed. This step is performed automatically if you entered yes in the "Enable Incident Response or Compromise Assessment?" step.)

Step: Set time (<hh>:<mm>:<ss>)?
Response: Enter the appliance time in Greenwich Mean Time (GMT) (UTC+0). (This step and the next step are skipped if you entered yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Step: Set date (<yyyy>/<mm>/<dd>)?
Response: Enter the appliance date in Greenwich Mean Time (GMT) (UTC+0).

Step: Enable IPv6?
Response: Enter yes to enable IPv6 protocol, which changes network IP routing from IPv4 to IPv6. (This step and the next two steps are skipped if you entered yes in the "Enable Incident Response or Compromise Assessment?" step. This step and the next two steps will be automatically performed if you entered yes in the "Enable FaaS VPN" step.)

Step: Enable IPv6 autoconfig (SLAAC) on ether1 interface?
Response: Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you entered no in the "Enable IPv6?" step.)

Step: Enable DHCPv6 on ether1 interface?
Response: Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the "Use DHCP on ether1 interface?" or "Enable IPv6?" step.)

Step: Use DHCP on <name> interface?
Response: Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the submission interface IP address and other network parameters. Enter no to manually configure the IP address and network settings. (If you enter yes, the static IP addressing steps are skipped.)

Step: Product license key?
Response: Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation license. (This step and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and if licenses were successfully installed as a result.)

Step: Security-content updates key?
Response: Enter the security-content license key you obtained from Trellix, or press Enter to skip this step and install the license later.
• Trellix AMIs in the US West region are copied to My AMIs in your region.
• Access to the AWS Management Console.
• Items from your AWS administrator, such as the network, subnet, and IP addresses for the instance, and key pairs and security groups to secure the instance.
• Items from Trellix, such as the activation code and licenses for your instance.
NOTE: This document provides the basic steps for launching Trellix virtual
appliances, and assumes familiarity with launching virtual machines in AWS. For
comprehensive information, see the AWS documentation provided by Amazon.
Task 3: (Optional) Apply the activation code and configure the initial admin password for the appliance.
Description: See Performing the Initial Configuration of Endpoint Security Instance on page 53.

Task 4: Perform the initial configuration of the appliance.
Description: See Performing the Initial Configuration of Endpoint Security Instance on page 53.
IMPORTANT: The navigation instructions and user interface may vary based
on the AWS Management Console version that is running when you deploy
your appliances.
NOTE: This procedure covers the required settings for a Trellix virtual
appliance. You can accept the default values for the other settings, or specify
values that are appropriate for your environment.
1. Go to the AWS login page and log in using your AWS ID.
2. On the Profile page, select your AWS role and then click AWS Console URL.
3. On the next page, click AWS Console login. The AWS Management Console opens.
4. In the navigation bar at the top of the console, select the region for the instance.
5. In the AWS services section, select EC2.
6. Click Launch Instance in the Create Instance section.
7. To select the appropriate AMI, do the following on the Choose an Amazon Machine
Image (AMI) page:
a. Click My AMIs in the left pane.
b. To view AMIs that are shared with you, click Shared with me in the left
pane.
c. Click the appropriate Endpoint Security AMI and then click Select.
8. On the Choose an Instance Type page, select an instance type that is compatible
with the AMI that you have chosen (see AWS Specifications on page 47 to select the
appropriate instance type). Then click Next: Configure Instance Details.
9. On the Configure Instance Details page, select your VPC network and IP range
from the Network and Subnet drop-down lists respectively, and specify other
settings provided by your network administrator. Click Next: Add Storage.
10. On the Add Storage page, change the Volume Type from gp2 to gp3, and then
click Next: Add Tags.
11. (If required by your AWS administrator) On the Add Tags page, provide key and value
combinations. Then click Next: Configure Security Group.
12. On the Configure Security Group page, select or create the security group that
defines firewall rules that control traffic to your Endpoint Security instance. These
rules specify which incoming network traffic is delivered to your instance.
15. In the Select an existing key pair or create a new key pair dialog box:
a. Select an existing pair or create a new one. To use the key pair you created
when you were set up to use Amazon EC2, click Choose an existing key
pair, and then select that key.
IMPORTANT: Store the name of the key pair and the private key in a
secure location.
To perform initial configuration of the Endpoint Security instance, see Performing the
Initial Configuration of Endpoint Security Instance on the facing page.
IMPORTANT: This procedure is optional. If you skip this procedure, you will be
prompted to enter the activation code and change the password when you log into
the initial SSH session to perform the initial configuration of the appliance.
5. Copy and paste the following script in the User Data field. Replace <code> with
the activation code for the instance that was included in the onboarding email
from Trellix and replace <password> with the new password for the initial admin
user.
{
  "va_bootstrap": {
    "activation_code": "<code>",
    "reset_admin_password": "<password>"
  }
}
6. Click Save.
7. Right-click the instance, and select Instance State > Start.
NOTE: Trellix recommends that you clear the user data field after the virtual
appliance is deployed.
Step: Enter activation code?
Response: Enter the activation code for the appliance.

Step: Enable remote access for 'admin' user?
Response: Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Step: Use DHCP on ether1 interface?
Response: Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the appliance IP address and other network parameters. If you enter yes, the ether1 interface will obtain its IP address from the default AWS ether1 interface. (If you enter yes, the zeroconf and static IP addressing steps are skipped.) Enter no to manually configure your IP address and network settings.

Step: Domain name?
Response: Enter the domain for the management interface (for example, it.acme.com).

Step: Enable Incident Response or Compromise Assessment?
Response: Enter no. These features are not supported in AWS deployments.

Step: Enable fenet license update service?
Response: Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product license key and the step that prompts for the security-content updates key.)

Step: Sync appliance time with fenet?
Response: Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service, synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Step: Update licenses from fenet?
Response: Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Step: Enable FaaS VPN?
Response: Enter yes to enable the appliance to connect to Managed Defense (formerly called FireEye as a Service) over the Internet using a secure SSL VPN connection. (This step is skipped if no MD_ACCESS license is installed. This step is performed automatically if you entered yes in the "Enable Incident Response or Compromise Assessment?" step.)

Step: Enable IPv6 autoconfig (SLAAC) on ether1 interface?
Response: Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you entered no in the "Enable IPv6?" step.)

Step: Enable DHCPv6 on ether1 interface?
Response: Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the "Use DHCP on ether1 interface?" or "Enable IPv6?" step.)

Step: Use DHCP on <name> interface?
Response: Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the submission interface IP address and other network parameters. Enter no to manually configure the IP address and network settings. (If you enter yes, the static IP addressing steps are skipped.)

Step: Product license key?
Response: Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation license. (This step and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and if licenses were successfully installed as a result.)
Browser Support
Use one of the following browsers to access the Endpoint Security Web UI:
Prerequisites
• Before the default Admin user can log in to the appliance Web UI and create other user accounts, the manufacturing default password (admin) must be changed to a new password that is 8 to 32 characters long. This step is included in "Initial Configuration" in the Endpoint Security System Administration Guide.
• If you are using single sign-on, refer to your welcome email for instructions to log in to your Cloud IAM instance.
1. Open a Web browser and enter https://<appliance> in the address line, where
appliance is the IP address or hostname of the appliance. For example, if the
configured IP address of the appliance is 10.1.0.1, enter https://10.1.0.1.
2. In the appliance Web UI login page, enter the local username and password for this
appliance as provided by your administrator.
Prerequisites
• Operator or Admin access
• Access to the DTI network
1. If the About tab is not visible, select Appliance Settings from the Admin menu.
2. Click the About tab.
3. Click Health Check on the upper left side.
4. Locate the Dynamic Threat Intelligence Cloud section.
Address :
Username :
User-agent :
Request Session:
  Timeout : 30
  Retries : 0
  Speed Time : 60
  Max Time : 14400
  Rate Limit :
  Speed Limit : 1
Dynamic Threat Intelligence Lockdown:
  Enabled : no
  Locked : no
  Lock After : 5 failed attempts
UPDATES
Enabled Notify Scheduled Last Updated At
------- ------ -------------- ---------------
Security contents: yes no every 2020/12/03 11:40:00
Stats contents : yes none 2020/12/07 06:13:00
The address order is set by the order in which you add the servers to the
server address list. The first server added is the first one in the list. The
second server added is the second in the list.
• Provisioning Server
HX and HXD Series (Endpoint Security) releases before version 3.0 support the use
of a single provisioning appliance, identified as the primary appliance. HX Series
version 3.0 and later support the use of multiple provisioning appliances for
endpoints running FireEye Endpoint Agent software version 20 or later and a single
provisioning appliance for endpoints running FireEye Endpoint Agent software
version 11 or earlier. FireEye Endpoint Security Agents use provisioning servers to
connect and complete their installation by establishing their cryptographic agent
identity. Any Endpoint Security server, including a DMZ server, can be enabled to
do provisioning. Endpoint Security provisioning servers must be accessible by
agents within your company's network. DMZ provisioning servers must be
accessible inside and outside your company's network.
• Primary Server
If the endpoints in your environment have agent software versions earlier than
version 20 installed, a single Endpoint Security server must be designated as the
primary appliance. This appliance must be accessible within the network by all
agents when they are initially installed on hosts. The primary server manages the
initial provisioning of the agents. You can use either your internal Endpoint Security
server or a DMZ server as your primary server.
Endpoint Security server administrators and operators can add or remove servers on the
server address list.
Prerequisites
• Admin or Operator access
• The Endpoint Security server is physically installed on the network for agent access
5. In the Enter server address of appliance text box on the Server Addresses tab, enter
the hostname or the IP address of the Endpoint Security server, and click Add.
All available servers appear in the list shown in the Enable Provisioning section of
the page.
6. In the Enable Provisioning section, indicate which Endpoint Security server will be
the provisioning server by selecting the Enable Provisioning checkbox in the row
containing the server name or IP address. At least one server must be designated as
a provisioning server. See Designating Provisioning Servers on page 72.
(Optional) If the endpoints in your environment have agent software versions earlier
than version 20 installed, select the Set as primary checkbox in the row containing
the server name or IP address if the added server will be doing provisioning. This
specifies the server as the primary server for your network. Primary servers are used
to provision agents older than version 20. Only a single server can be designated as
a primary server. See Designating Provisioning Servers on page 72.
7. Click Save.
• Removing a Server from the Server Address List Using the Web UI
4. Click Save.
You must identify the servers that will be your provisioning servers before you
download the FireEye Endpoint Security Agent installation software to your host
endpoints. When agent installation software is downloaded, the IP addresses or
DNS names of the provisioning Endpoint Security servers are identified in the agent
download package.
To set up provisioning:
1. Enable provisioning on the servers you might want to use for provisioning. See
Enabling Servers for Provisioning on the next page.
Prerequisites
• Admin or fe_services access
Prerequisites
• Admin or Operator access
The provisioning server address can be a split DNS that resolves differently depending on
whether an agent is operating inside or outside your company’s internal network. When
the agent is inside the network, the DNS resolves to the primary Endpoint Security server;
when the agent is outside the network, the DNS resolves to the DMZ server.
This section covers the following topics:
Prerequisites
• Admin or Operator access
To designate the primary Endpoint Security server as a provisioning server using the
Web UI:
7. If the endpoints in your environment have agent software versions earlier than
version 20 installed, select Set as Primary to designate the DMZ server as the
provisioning server. This will deselect any other server on the Server Addresses tab
as the primary server.
If the endpoints in your environment have agent software version 20 or later
installed, select Enable Provisioning to designate the DMZ server as a provisioning
server.
8. Click Save.
To use the Endpoint Security server CLI to enable provisioning for a DMZ server:
where <dmz-ip> is the IP address of the DMZ server for which you are enabling
provisioning.
3. Save your changes.
hostname (config) # write memory
The server configuration should show an attached DMZ server with provisioning
enabled:
Appliance Role: master
Prerequisites
• Admin or fe_services access
• A split DNS set up to resolve to your internal Endpoint Security server when the
agent is inside the network and to the DMZ server when the agent is outside the
network.
1. Using the Web UI, enable both your primary Endpoint Security server and your
DMZ server for provisioning. See Designating the Endpoint Security Server as a
Provisioning Server Using the Web UI on page 73 and Designating and Enabling a
DMZ Server as a Provisioning Server on page 74.
2. In the Web UI, select Settings on the FireEye menu. The Agent Versions page
appears.
3. Select the Server Addresses tab.
4. Enter the DNS name and click Add.
5. If the endpoints in your environment have agent software versions earlier than
version 20 installed, select Set as Primary to designate the DNS as the provisioning
server. This will deselect any other appliance on the Server Addresses page as the
primary server.
If the endpoints in your environment have agent software version 20 or later
installed, select Enable Provisioning to designate the DNS server as a provisioning
server.
6. Click Save.
• Canceling the Primary Endpoint Security Server as a Provisioning Server Using the
Web UI on the facing page
• Canceling a DMZ Server as a Provisioning Server Using the Web UI on the facing
page
Prerequisites
• Admin or Operator access
To cancel the Endpoint Security server as a provisioning server using the Web UI:
4. Locate the DMZ server in the Enable Provisioning section of the page.
For agents earlier than version 20, locate another server in the list of servers and
select Primary Server to designate it as the provisioning server. This will cancel the
DMZ server as the provisioning server.
For agents version 20 or later, deselect Enable Provisioning to cancel the DMZ
server as a provisioning appliance.
5. Click Save.
• How FireEye Appliance Alerts Become Endpoint Security Alerts and Central
Management Badges on page 81
• Integrating Central Management Appliances and Endpoint Security Servers on
page 85
• Integrating Network Security Appliances and Endpoint Security Servers Directly on
page 97
• SNMP Data on page 99
• Forwarding CEF Logs to Helix and SIEM Solutions on page 107
1. A FireEye appliance triggers an alert for a web infection, malware object, or malware
callback.
2. The FireEye appliance reports the alert to the Central Management appliance.
3. The Central Management appliance determines if an IOC for the Endpoint Security
server should be created and, if so, publishes it.
4. The Endpoint Security server transforms the Central Management indicator into an
Endpoint Security IOC and publishes it for the Endpoint Security agents.
5. The Endpoint Security agents search their hosts for any indicator of compromise. If
a match is found, the agent reports back to the Endpoint Security server. The
Endpoint Security server creates an alert, which is aggregated to the Central
Management appliance if that alert was based upon an IOC from a managed
appliance.
6. The Central Management appliance correlates the Endpoint Security alert with the
managed appliance alerts and creates badges for the appropriate alerts. Network
Security alerts will have an endpoint compromised badge. Email Security — Server
Edition alerts will have a related endpoint badge.
• Not all FireEye appliance alerts provide the kind of data from which an Endpoint
Security indicator can be created.
• Only alerts originating from FireEye appliance IOCs are aggregated to the Central
Management appliance.
• By default, only alerts that are classified as major severity alerts or higher are sent to
the Endpoint Security server, resulting in only high-fidelity endpoint alerts.
Errors result if you attempt to use the Central Management CLI to set up
management of an Endpoint Security server. Use the Web UI only.
If your Endpoint Security server and other FireEye appliances are managed by a Central
Management appliance, the Endpoint Security server automatically receives indicators
from the other FireEye appliances. The Central Management appliance streamlines
management of multiple appliances and enhances detection by correlating indicators. See
How FireEye Appliance Alerts Become Endpoint Security Alerts and Central Management
Badges on page 81.
The Central Management platform can be used to upgrade and manage an Endpoint
Security DMZ server, with the following caveats.
• Indicator updates from the Central Management appliance or from the DTI
(Dynamic Threat Intelligence) Cloud to the DMZ server must be configured
separately. See Configuring a Central Management-Managed DMZ Server to Get
Updates from DTI on page 88. If these steps are not performed, indicator updates are
acquired from the Central Management appliance and the DTI by the Endpoint
Security server and transferred to the DMZ server.
• If you have problems connecting your Central Management appliance to your
DMZ server, consider the firewalls your organization has in place. In some
circumstances, the DMZ server is not accessible to the Central Management
appliance because a firewall is blocking the connection.
Central Management releases earlier than Release 7.6 do not support integration with
Endpoint Security servers. Endpoint Security releases earlier than Release 2.6 do not
support integration with Central Management appliances. If you are running a Central
Management release earlier than Release 7.6, see Integrating Network Security Appliances
and Endpoint Security Servers Directly on page 97.
The configuration of your Endpoint Security server with the Central Management
appliance happens automatically after they are both installed. Use the instructions in this
section to ensure the settings on each appliance are correct.
When you remove a managed appliance from the Central Management platform,
all data (including alert information) associated with the appliance is removed. If
you add the appliance again later, the data is restored, but all alerts generated by
the appliance are assigned new IDs. Because the alerts have new IDs, Endpoint
Security links for alerts will break if the alerts were generated by the appliance
before it was removed from the Central Management platform.
To configure Central Management 7.6 or later and Endpoint Security server integration:
The output from this command lists log file entries that include the CM Series alert
ID.
Mar 16 18:02:51 FireEye_CM notifyd[9696]: tid 5175: [notifyd.INFO]:
[inform_fireeye_hx] processing alert id=5762 infection-id=2291
infection-type=malware-object began at:2017-03-17 01:02:51, finish
at:2017-03-17 01:02:51 time cost:0 micro-seconds sequence-
id=140655883976776
3. Review the log file and choose a CM Series alert ID. The Endpoint Security server
will start collecting CM Series IOC data for this alert ID after the server attaches to
the Central Management appliance.
In Endpoint Security, the CM Series alert ID is called a bookmark.
4. On your Endpoint Security server, enable CLI configuration mode.
hostname > enable
hostname # configure terminal
where <CM-alert ID> is the starting CM Series alert ID you chose earlier in these
steps. The default is 0 (zero), which downloads all of the CM Series alerts to the
Endpoint Security server after the products are integrated.
For more information about Central Management requirements for integration with the
Endpoint Security server, see the Central Management Administration Guide.
Overview
When an Endpoint Security server is managed by a Central Management appliance, the
Central Management appliance sends a notification of the latest Alert ID to the Endpoint
Security server. The Endpoint Security server then polls the Central Management appliance
for the Alert ID and retrieves Indicators Of Compromise (IOC) details for the specified alert.
The Endpoint Security server then updates the Bookmark ID to identify the next Alert ID to
use when polling the Central Management appliance.
A newly manufactured Endpoint Security server has a Bookmark ID equal to zero. When
the Endpoint Security server is attached to the Central Management appliance, the Central
Management appliance will send the latest Alert ID to the Endpoint Security server. The
Endpoint Security server will then poll the Central Management appliance for all the Alert
IDs from zero through to the latest Alert ID. The delta between the Endpoint Security server
Bookmark ID and the Central Management appliance latest Alert ID can be in the
thousands, resulting in a performance impact on the Endpoint Security server as it gathers
all the IOCs.
Replacement scenarios
The following scenarios are explained in detail.
with a large history of alerts: In this scenario, a large delta may accrue for all of the
historic and incoming alerts on the FireEye detection devices.
2. New Central Management appliance, existing Endpoint Security server, existing
Network Security/Email Security — Server Edition/File Protect/Malware Analysis
with a high volume of alerts: In this scenario, a large delta may accrue while the
Central Management appliance is offline with a large influx of alerts.
3. New Central Management appliance, existing Endpoint Security server, existing
Network Security/Email Security — Server Edition/File Protect/Malware Analysis
with a low volume of alerts: The Bookmark ID may be greater than the actual latest
Alert ID which can potentially result in missed alert IOCs.
4. Existing Central Management appliance, New Endpoint Security server, existing
Network Security/Email Security — Server Edition/File Protect/Malware Analysis
with a large history of alerts: A large delta may accrue for all of the historic and
incoming alerts on the FireEye detection devices.
The Central Management appliance will aggregate all of the existing alert data and send
notifications for all of the Alert IDs to the managed Endpoint Security server. The Endpoint
Security server will poll the Central Management appliance for all of the alerts between
zero and the latest Alert ID. This could result in a large delta and could impact the
performance of the Endpoint Security server. The process of the Endpoint Security server
Bookmark ID catching up to the latest Alert ID can take many hours or days depending on
the amount of alert data present on the Central Management appliance. This can result in
a significant delay in the Endpoint Security server receiving the latest, most relevant
IOCs, causing missed malware detection on the endpoints. To prevent this, advance the
Endpoint Security server Bookmark ID to a recent Alert ID (see steps below) before
attaching the Endpoint Security server to the Central Management appliance.
The Central Management appliance will aggregate all of the existing alert data and send
notifications for all of the Alert IDs to the managed Endpoint Security server. The Endpoint
Security server will poll the Central Management appliance for all of the alerts between the
last Bookmark ID and the latest Alert ID. For a high-volume alert environment, this delta
can be large depending upon how long the Central Management appliance is offline and
the rate of alert influx. This could result in a large delta and could impact the performance
of the Endpoint Security server. The process of the Endpoint Security server Bookmark ID
catching up to the latest Alert ID can take several hours depending on the amount of alert
data. This can result in a delay in the Endpoint Security server receiving the latest, most
relevant IOCs.
The Central Management appliance will aggregate all of the existing alert data and send
notifications for all of the Alert IDs to the managed Endpoint Security server. In rare cases,
the Endpoint Security server Bookmark ID could be greater than the latest Central
Management appliance Alert ID. The Endpoint Security server will poll the Central
Management appliance for the larger Bookmark ID and will not receive an IOC from the
Central Management appliance until the Central Management appliance Alert ID
advances to equal the Bookmark ID. This could result in missing IOCs from alerts with
Alert IDs below the Endpoint Security server Bookmark ID, as well as missing malware
detection on the endpoints. You can modify the Endpoint Security server Bookmark ID to
equal a recent Alert ID (see steps below) before attaching the Endpoint Security server to
the Central Management appliance to prevent this.
The Central Management appliance will send notifications for all of the Alert IDs to the
managed Endpoint Security server. The Endpoint Security server will poll the Central
Management appliance for all of the alerts between zero and the latest Alert ID. This could
result in a large delta and could impact the performance of the Endpoint Security server.
The process of the Endpoint Security server Bookmark ID catching up to the latest Alert ID
can take many hours (or days) depending on the amount of alert data present on the
Central Management appliance. This can result in a significant delay in the Endpoint
Security server receiving the latest, most relevant IOCs, causing missed malware detection
on the endpoints. To prevent this, you should advance the Endpoint Security server
Bookmark ID to a recent Alert ID (see steps below) before attaching the Endpoint Security
server to the Central Management appliance.
In the example below, the Endpoint Security server Bookmark ID can be set to '5071' to
receive the latest IOC from the Central Management appliance. However, depending on the
scenario, the Endpoint Security server could have a large delta or could be missing out on
recent IOCs. To get a better Bookmark ID starting point, log into the Central Management
appliance UI, navigate to the Alerts/Alerts page, set the inline filter Date Range to 'Past 1
Week' (or any desired time-frame), and apply the filter. The total number of alerts for this
time-frame can be found in the upper left-hand corner of the alerts display. Subtract this
number from the most recent Alert ID and set the Endpoint Security server Bookmark ID to
this number to gather the past week's IOCs. For instance, if the Central Management
appliance displays 50 alerts for the selected date range, the Bookmark ID can be set to
'5021'. The Endpoint Security server should be added to the Central Management
appliance. The Endpoint Security server will begin to gather the IOCs from the alerts from
5021 through the current Central Management appliance Alert ID as soon as it receives the
first Alert notification of the most current Alert ID from the Central Management appliance.
Example
dresden # sh log matching \bnotifyd\b.*\bdone_notify_alerts\b
Jul 11 12:51:51 dresden notifyd[28468]: tid 28468: [notifyd.INFO]: SQL:select
* from done_notify_alerts('{5069} ')
Jul 11 12:53:21 dresden notifyd[28468]: tid 28468: [notifyd.INFO]: SQL:select
* from done_notify_alerts('{5070} ')
Jul 11 12:54:22 dresden notifyd[28468]: tid 28468: [notifyd.INFO]: SQL:select
* from done_notify_alerts('{5071} ')
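The bookmark arithmetic above, and the four replacement scenarios listed earlier, as an added example (not FireEye or Trellix code): it reads the latest CM Series alert ID from constructed notifyd lines modelled on the log above, derives the bookmark for a chosen date range (50 alerts from 5071 gives 5021), and reports what the Endpoint Security server will poll once attached, including the scenario-3 case where the bookmark is ahead of the latest Alert ID. The LARGE_DELTA threshold is an assumption of the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# notifyd writes one done_notify_alerts SQL line per aggregated alert; the
# number in braces is the CM Series alert ID that Endpoint Security bookmarks.
DONE_NOTIFY_RE = re.compile(r"done_notify_alerts\('\{(\d+)\}\s*'\)")

# Constructed sample, modelled on the guide's "sh log matching" output; the
# second line is a constructed non-matching notifyd line to show it is skipped.
SAMPLE_LOG = """\
Jul 11 12:51:51 dresden notifyd[28468]: tid 28468: [notifyd.INFO]: SQL:select * from done_notify_alerts('{5069} ')
Jul 11 12:52:00 dresden notifyd[28468]: tid 28468: [notifyd.INFO]: idle, nothing to notify
Jul 11 12:53:21 dresden notifyd[28468]: tid 28468: [notifyd.INFO]: SQL:select * from done_notify_alerts('{5070} ')
Jul 11 12:54:22 dresden notifyd[28468]: tid 28468: [notifyd.INFO]: SQL:select * from done_notify_alerts('{5071} ')
"""

# Assumed threshold: the guide only says the delta "can be in the thousands";
# treat anything at or above this as a catch-up that will cost hours or days.
LARGE_DELTA = 1000


def latest_alert_id(log_text: str) -> Optional[int]:
    """Highest CM Series alert ID seen in done_notify_alerts log lines."""
    ids = [int(m.group(1)) for m in DONE_NOTIFY_RE.finditer(log_text)]
    return max(ids) if ids else None


def recommended_bookmark(latest: int, alerts_in_window: int) -> int:
    """Bookmark that covers only the chosen date range: latest Alert ID minus
    the alert count the CM Alerts page shows for that range (5071 - 50 = 5021)."""
    if latest < 0 or alerts_in_window < 0:
        raise ValueError("alert IDs and counts are non-negative")
    return max(0, latest - alerts_in_window)


@dataclass(frozen=True)
class PollPlan:
    first_id: Optional[int]  # first alert ID the server will fetch
    last_id: Optional[int]   # last alert ID the server will fetch
    delta: int               # latest Alert ID minus Bookmark ID
    large: bool              # catch-up will take hours or days
    stalled: bool            # bookmark ahead of latest: no IOCs arrive


def poll_plan(bookmark: int, latest: int) -> PollPlan:
    """What the Endpoint Security server polls once it attaches, given its
    Bookmark ID and the Central Management appliance's latest Alert ID."""
    if bookmark > latest:
        # Scenario 3: the server polls for an ID CM has not reached yet, so it
        # receives nothing until CM's Alert ID catches up, and the IOCs of the
        # alerts below the bookmark are never fetched.
        return PollPlan(None, None, 0, False, True)
    delta = latest - bookmark
    # Scenarios 1, 2 and 4: the server walks bookmark..latest inclusive.
    return PollPlan(bookmark, latest, delta, delta >= LARGE_DELTA, False)


def plan_from_log(log_text: str, alerts_in_window: int) -> PollPlan:
    """End to end: read the latest ID from the CM log, pick a bookmark that
    covers the chosen window, and report what the attach will poll."""
    latest = latest_alert_id(log_text)
    if latest is None:
        raise ValueError("no done_notify_alerts lines in log")
    return poll_plan(recommended_bookmark(latest, alerts_in_window), latest)


if __name__ == "__main__":
    print(plan_from_log(SAMPLE_LOG, 50))
    print(poll_plan(0, latest_alert_id(SAMPLE_LOG)))  # factory-fresh server
```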
Do not use this procedure if you have already integrated your Endpoint Security
server with a Central Management appliance (see Integrating Central
Management Appliances and Endpoint Security Servers on page 85). Using both
types of integration will cause errors in the Central Management integration.
Alerts can only be sent from Malware Analysis or Email Security — Server
Edition appliance to the Endpoint Security server through a Central Management
appliance. Attempts to send Malware Analysis or Email Security — Server Edition
alerts to the Endpoint Security server using the direct connection set up between a
Network Security appliance and the server will fail. FireEye only provides the
direct connection between Network Security and Endpoint Security. Use the
Central Management appliance connection with the Endpoint Security server for
Malware Analysis and Email Security — Server Edition alerts.
2. Enable FireEye legacy appliance support for the Endpoint Security server:
hostname (config) # hx server detection legacy enable
4. Log in to the Web UI of the Network Security appliance and then click Settings. (On
a Central Management appliance, click CMS Settings).
5. Click Notifications in the left navigation pane.
6. Verify that all HTTP event types are selected for the appliance.
7. Click the http table heading to access HTTP notification configuration fields. These
fields allow you to define the HTTP connection with your Endpoint Security
appliance.
8. Type a name for the Network Security appliance's direct connection to the Endpoint
Security appliance in the Name box and then click Add HTTP Server.
9. Enter the Endpoint Security URL in the Server Url box:
https://<DNS-name-or-Endpoint-Security-IP>/alerts
Retrieving SNMP Data
This section describes how to retrieve SNMP information from the Endpoint Security
appliance.
A Management Information Base (MIB) is a text file written in a specific format in which
all of the manageable features of a device are arranged in a tree. Each branch of the tree
contains a number and a name, and the complete path from the top of the tree down to the
point of interest forms the Object Identifier, or OID. The OID is a string of values separated
by periods, such as .1.3.6.1.2.1.1.3.0.
You can send requests for data on an object using the OID, but it can be simpler to use the
symbolic name for the object instead. A MIB allows SNMP tools to translate the symbolic
names into OIDs before sending the requests to the managed device. Symbolic names for
objects in the Trellix MIB include feSerialNumber.0, feHardwareModel.0,
feProductLicenseActive.0, feFanIsHealthy.1, and so on.
The Trellix MIB, named FE-FIREEYE-MIB, needs to be downloaded from the Endpoint
Security appliance to the SNMP manager so it can be loaded into an SNMP browser or
other tool. A typical SNMP browser can retrieve the values the appliance supports, and
then display them in a hierarchy so you can navigate to the value you need to include in
the request.
This section contains the following topics:
Prerequisites
• Operator or Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
If the output shows SNMP enabled: no, enter the snmp-server enable command.
3. SNMP v3: Specify the SNMP user and password:
hostname (config) # snmp-server user <username> v3 enable
hostname (config) # snmp-server user <username> v3 auth sha <password>
Prerequisites
• Analyst, Operator, or Admin access
7. Load the MIB into an SNMP browser or tool, or open the MIB file:
vi FE-FIREEYE-MIB.txt
1. Copy the MIB file from the appliance using the OpenSSH client:
scp -r admin@<applianceIPAddress>:/usr/share/snmp/mibs
/usr/<userDirectoryName>
4. Load the MIB into an SNMP browser or tool, or open the MIB file:
vi FE-FIREEYE-MIB.txt
Prerequisites
• Operator or Admin access
• The MIB file must be downloaded. See Downloading the MIB on page 100.
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
If the output shows SNMP enabled: no, enter the snmp-server enable command.
3. Enable the appliance to send notifications to the SNMP manager:
hostname (config) # snmp-server enable notify
5. Enable SNMP communities:
hostname (config) # snmp-server enable communities
where <community> is the string needed by the SNMP server to query the appliance.
The default community string is public.
7. Limit SNMP access to the listen interface called ether1:
hostname (config) # snmp-server listen interface ether1
Examples of basic commands that retrieve SNMP data follow. The commands are entered
from the SNMP manager application. The IP address in the commands is the appliance
IP address.
SNMP v3 commands:
snmpmgr # snmpget -m +FE-FIREEYE-MIB -v 3 -u myname -a MD5 -A mypassword -l
authNoPriv 172.0.0.0 feTemperatureValue.0
snmpmgr # snmpwalk -m +FE-FIREEYE-MIB -v 3 -u myname -a MD5 -A mypassword -l
authNoPriv 172.0.0.0 enterprises.25597
SNMP v2c commands:
snmpmgr # snmpget -m +FE-FIREEYE-MIB -v 2c -c public 172.0.0.0
feSupportLicenseActive.0
snmpmgr # snmpwalk -m +FE-FIREEYE-MIB -v 2c -c public 172.0.0.0 fireeye
snmpmgr # snmpwalk -v 2c -c public 172.0.0.0 enterprises.25597
To retrieve license expiration dates formatted in a table, use a command similar to the
following (different commands are required by different SNMP manager applications):
snmpmgr # snmptable -c public -Of -v 2c localhost feLicenseFeatureTable
Check the number of days in the rightmost column. If the value is less than 30, contact
your system administrator.
Sending Traps
This section describes how to configure basic SNMP support on the Endpoint Security
appliance, enable and configure traps, and set up trap logging. For detailed information
about SNMP commands and options for more advanced configurations, see the Trellix CLI
Command Reference.
Prerequisites
• Operator or Admin access
1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal
If the output shows SNMP enabled: no, enter the snmp-server enable command.
2. Disable an event:
hostname (config) # no snmp-server notify event <event>
For example, the following command stops a trap from being sent when the
temperature of the appliance is normal:
hostname (config) # no snmp-server notify event normal-temperature
3. Enable an event:
hostname (config) # snmp-server notify event <event>
For example, the following command enables the appliance to send a trap when
there is a change in an interface link:
hostname (config) # snmp-server notify event if-link-change
• You can send common event format (CEF) logs from the Endpoint Security server to
one or more remote SIEMs. This includes hits (referred to as alerts), containment
state events, and triage status. For more information, see Configuring CEF Logging
for Endpoint Events on the next page. For information on the data that is logged, see
"CEF Logs and Output" in the Endpoint Security Server User Guide.
• You can perform two-way communications with SIEM solutions, such as acquiring
triage collections.
• With SIEM solutions, you can execute analyst actions initiated in a URL context.
Specifically, you can:
  ◦ Listen for traffic from SIEMs that initiate analyst actions via URL requests.
  ◦ Parse the arguments in these requests.
  ◦ Format and execute commands.
The integration between the Endpoint Security server and most SIEM solutions can be
accomplished using an external integration connector and an API Analyst user account.
See "Roles for Local User Accounts" in the System Security Guide. For an example of setting
up an integration connector with a SIEM solution, see SIEM Example: Setting Up an
Endpoint Security Integration Connector with ArcSight on page 111.
An integration connector can only be used for communications from the SIEM
solution to the Endpoint Security server, not from the Endpoint Security server to the
SIEM solution.
Similar integration can be accomplished using the Endpoint Security API. See the
Endpoint Security REST API Guide.
Descriptions of the collected CEF log data can be found in "CEF Logs and Output" in the
Endpoint Security Server User Guide.
Prerequisites
• Admin or fe_services access
• To forward CEF logs to Helix, a FireEye Cloud Collector or Comm Broker must be
installed. See the Cloud Collector Installation Guide or the Unmanaged Communications
Broker Installation Guide for details.
In this example, CEF logging is actually disabled because the Override for class
cef setting is not set to info. All CEF logging occurs for messages logged at the
info system log level. If this level is set to anything other than info, CEF logging
will not occur. See Enabling Local CEF Logging on page 111.
Adding a Destination
Define a Cloud Collector or Comm Broker destination to forward CEF log messages to
Helix. Define a remote syslog server destination to integrate Endpoint Security with your
SIEM solution.
To add a destination:
where <IP-address> is the IP address of the Cloud Collector or the remote syslog
server destination.
3. Save your settings:
hostname # write mem
Removing a Destination
To remove a destination:
where <IP-address> is the IP address of the Cloud Collector or the remote syslog
server destination.
3. Save your settings:
hostname # write mem
2. Enable CEF logging:
hostname # logging local override class cef priority info
All CEF logging occurs for messages logged at the info system log level. If you set
this to any other system log level, CEF logging will not occur.
3. Save your settings:
hostname # write mem
2. Disable CEF logging:
hostname # logging local override class cef priority none
This guide refers to ArcSight and its ESM manager or console as examples of SIEM
integration methods and objectives. For example, analysts can use the ArcSight ESM
console's Integration Command menu or rules to automate the process of requesting
acquisitions for a SIEM event. Your ArcSight vendor can provide information about
creating and using ArcSight integration commands. FireEye Support can provide you with
information about using the integration connector with other SIEM solutions.
FireEye supports the use of the ArcSight Smart Connector type 10.0.5. The ArcSight
to Endpoint Security connector port must be 3000 (TCP). The Endpoint Security to
ArcSight syslog port is configurable.
FireEye recommends that you use Java 7 or later with ArcSight and that your Java
class path is updated to point to this Java version. If you use an earlier version of
Java, SSL errors may occur.
Prerequisites
• Administrative permissions to the machine on which you are installing the
integration connector.
• An Endpoint Security Admin or Operator account.
• An Endpoint Security API Analyst account you have created specifically for the
connector.
• A copy of the integration connector installation package
(FireEye\ArcSight\Connector\Install\10.0.5.zip available on SFDC).
• Either of the following types of certificates:
  ◦ A self-signed development certificate created using OpenSSL (according to the
procedure described in Creating a Self-Signed Development Certificate).
  ◦ A valid certificate that you have purchased from your chosen provider.
The certificate must be in .pem format, and it must match the hostname of the
Endpoint Security server.
1. On a machine on which you have installed OpenSSL, enter the following command:
C:\OpenSSL\bin> openssl req -x509 -nodes -newkey rsa:2048 -keyout
key.pem -out cert.pem -days 3000
2. At the end of each line, enter the appropriate information for your enterprise in the
format indicated. For example:
Country Name (2 letter code) [XX]: US
State or Province Name (full name) []: Virginia
Locality Name (e.g., city) [Default City]: Bristol
Organization Name (e.g., company) [Default Company Ltd]: FireEye
Organizational Unit Name (e.g., section) []: IT
Common Name (e.g., your name or your server's hostname) []: dti-hx-dev
Email Address []: abc@fireeye.com
OpenSSL generates two files: a self-signed certificate (named cert.pem) and a key
(named key.pem).
3. Download and save the certificate and key files.
1. On the machine where you are installing the connector, extract the files from the HX
Connector Installer .zip package to a local folder.
2. Copy the certificate and key files that you generated, or the ones supplied by your
chosen provider into the same folder as the installer files.
3. Rename the certificate: certname.pem.
4. Log in to the server Web UI as an administrator.
5. On the Admin menu, select Appliance Settings.
6. Select Certificates on the sidebar. The Certificate Management page appears.
7. On the Certificate Management page, install the certificate:
• To install the self-signed certificate that you created in Creating a Self-Signed
Development Certificate, upload the Certificate and Private Key.
• To install a certificate provided by your chosen provider, upload the
Certificate, Private Key, and CA Certificate.
8. Click Update.
You are logged out of the Endpoint Security server, and the login screen reloads
with the following message:
1 notice
• The Web Server is currently restarting
• Please wait for about 20 seconds and try again
• If this condition persists, please Contact FireEye Support
9. On the machine where you installed the connector, edit the
fireeye-connector.properties file, and enter the appropriate parameters for the
Endpoint Security target:
appliance HX
cert certname.pem
The hostname you enter must match the hostname in the certificate.
If the hostname you enter is not registered in the DNS, you must map the
hostname to the IP address in the operating system's hosts file on the
machine where you are installing the connector.
Record the full path of the directory and folder that you use for this
installation. You will need it later. If your enterprise will be using more than
one ArcSight SmartConnector, make sure to choose a unique folder name.
d. Import the certificate, navigate to the certificate file, and then save the
keystore.
15. Return to the ArcSight SmartConnector Configuration Wizard.
16. In the Configuration File box, enter HXFlexConnector, and then click Next.
17. Finish performing the steps in the ArcSight SmartConnector Configuration Wizard,
choosing default settings or customizing for your enterprise's SIEM solution, as
appropriate.
If you want the SmartConnector to run as a service, choose the following options:
• Select Yes to start the service automatically when you restart the server on
which it is running.
• Enter unique names for Service Internal Name and Service Display Name if
your enterprise will have more than one SmartConnector on the server where
you are installing this Connector.
If you want to run the SmartConnector service before the server restarts, you
must start the service manually.
You can validate the success of the installation by using your SIEM console to view events
or perform other actions, such as requesting a triage collection.
Prerequisites
• Admin or fe_services access
The following snippet represents the quiesce information from the output of this
show command:
Quiesce Mode:
App Proc: enabled
Message Bus: enabled
You can review the complete quiesce mode status of an Endpoint Security server or the
separate quiesce mode status for the server application processor and message bus using
the CLI.
To review the quiesce mode status of an Endpoint Security server:
The following snippet from the output of this command shows that quiesce mode is
enabled for both the application processor and the message bus.
Quiesce Mode:
App Proc: enabled
Message Bus: enabled
The following output from this command displays when quiesce mode enabling is
in process for the application processor:
HX App Proc Configuration:
The following output from this command displays when the application processor
is fully quiesced:
HX App Proc Configuration:
The following output from this command displays when quiesce mode disabling is
in process for the application processor:
HX App Proc Configuration:
The following output from this command displays when the application processor
is not in quiesce mode:
HX App Proc Configuration:
The following sample output from this command shows that quiesce mode is
disabled for the appliance message bus:
HX Message Bus Configuration:
Prerequisites
• Admin or fe_services access
Prefix: <prefix>
Agent CA days: 7300
Agent CA key bits: 2048
Agent cert days: 1825
Server CA days: 7300
Server cert key bits: 2048
Server cert days: 1825
Server CRL days: 30
CA: comms
valid from: <timestamp> to <timestamp>
subject: <subject>
fingerprint: <fingerprint>
CA: distro
valid from: <timestamp> to <timestamp>
subject: <subject>
fingerprint: <fingerprint>
CA: agent
valid from: <timestamp> to <timestamp>
subject: <subject>
fingerprint: <fingerprint>
CRL: comms
issued: <timestamp> and expires on <timestamp>
number: <comms_CRL_number>
fingerprint: <fingerprint>
CRL: distro
issued: <timestamp> and expires on <timestamp>
number: <distro_CRL_number>
fingerprint: <fingerprint>
host: <HX_appliance_hostname>
role: ca
last ping: <timestamp>
Exporting Certificates
You can export Endpoint Security public key infrastructure (PKI) certificates to a file. This
is recommended before you upgrade the Endpoint Security server.
To export Endpoint Security PKI certificates:
For example:
hostname (config) # hx pki export file scp://user@host/path/to/file passphrase abc123
Importing Certificates
You can import Endpoint Security public key infrastructure (PKI) certificates from a backup
file. If there were any problems upgrading your appliance that required you to reimage it or
to fully reinstall the software, import the Endpoint Security certificates you exported earlier
so you do not have to reinstall all of your agents.
To import Endpoint Security PKI certificates:
2. Import the certificates from the file containing your exported certificates, identified
by <fileURL>:
hostname (config) # hx pki import file <fileURL> passphrase <passphrase>
For example:
hostname (config) # hx pki import file scp://user@host/path/to/file passphrase abc123
Regenerating Certificates
You can reset the FireEye Endpoint Security Agent and Endpoint Security communications
server public key infrastructure (PKI), including the certificate authorities (CAs).
Regenerating certificates automatically detaches any DMZ server from the Endpoint
Security server. You need to reattach them after the certificates are regenerated. See
the Endpoint Security Server Deployment Guide.
where <days> is the number of days that the agent CA remains active. Valid values
range from 0 to 65535 days. The default is 7300 days.
To set the duration back to the default, use the no form of this command:
hostname (config) # no hx pki agent ca-days
where <bits> is the number of bits for the agent certificates. Valid values range
from 1024 to 4096 bits. The default is 2048 bits.
To set the length back to the default, use the no form of this command:
hostname (config) # no hx pki agent cert-bits
where <days> is the number of days that the agent certificate remains active. Valid
values range from 0 to 65535 days. The default is 1825 days (5 years).
To set the duration back to the default, use the no form of this command:
hostname (config) # no hx pki agent cert-days
where <days> is the number of days that the Endpoint Security CA remains active.
Valid values range from 0 to 65535 days. The default is 7300 days.
To set the duration back to the default, use the no form of this command:
hostname (config) # no hx pki server ca-days
where <bits> is the number of bits for the Endpoint Security certificates. Valid
values range from 1024 to 4096 bits. The default is 2048 bits.
To set the length back to the default, use the no form of this command:
hostname (config) # no hx pki server cert-bits
where <days> is the number of days that the Endpoint Security certificate remains
active. Valid values range from 0 to 65535 days. The default is 1825 days (5 years).
To set the duration back to the default, use the no form of this command:
hostname (config) # no hx pki server cert-days
where <days> is the number of days that the Endpoint Security CRL remains active.
Valid values range from 0 to 65535 days. The default is 30 days.
To set the duration back to the default, use the no form of this command:
hostname (config) # no hx pki server crl-days
where <url> is the URL from which the CRL should be uploaded.
For example:
hostname (config) # hx pki server crl-upload distro https://10.42.138.20
An invalid CRL should correct itself automatically within 30 minutes of the date or
time discrepancy. This command forces the correction to occur immediately.
Using this command detaches any DMZ server from the Endpoint Security server.
You need to reattach them after running this command.
NOTE: Trellix does not recommend that you simply change the domain
name server (DNS) record of the on-premises appliance to point to the
cloud server. While this can be done, the migration cut-over time may
be uncertain due to long delays between DNS cache updates. This delay
can make it difficult to diagnose migration problems.
A cloud Endpoint Security server is an instance of the Endpoint Security system image
deployed in the Amazon Web Services (AWS) cloud. A single cloud Endpoint Security
environment includes an Endpoint Security (master) server in the AWS cloud. The cloud
Endpoint Security server is the provisioning appliance in a cloud Endpoint Security
environment and all agent communication is with this server.
Prerequisites
• Administrator access
• The on-premises Endpoint Security appliance and cloud Endpoint Security servers
must both be the primary appliances in your Endpoint Security environment. When you run
the show hx ecosystem command on each appliance, the output must include this
line: Appliance Role: master.
• All Endpoint Security controllers should be running the same operating system.
Migration Steps
Follow these steps to migrate your agents from an on-premises Endpoint Security
appliance to a cloud Endpoint Security server.
Task 1. Remediate all contained hosts in your environment and stop containing them.
Instructions: Resolve all containment issues and uncontain all host endpoints before
performing any further migration steps. Contained host endpoints are blocked from
communicating with other host endpoints and can only communicate with the Endpoint
Security server that manages them. Consequently, any contained hosts managed by your
on-premises Endpoint Security appliance will not be able to communicate with the cloud
Endpoint Security appliance if you migrate your agents without resolving the issues
that required the hosts to be contained. See "Containing Host Endpoints" in the
Endpoint Security Server User Guide for more information about containment.

Task 3. Verify that the on-premises and cloud appliances are running the same versions
of Endpoint Security software.
Instructions: Verify that the versions of the Endpoint Security software installed on
your on-premises and cloud appliances are the same. For each appliance, use the
procedure described in Identifying the Endpoint Security Software Version on an
Appliance on page 138 to identify the installed Endpoint Security software versions.
If the on-premises and cloud appliances are not running the same versions of Endpoint
Security software, upgrade the appliance running the older version of the Endpoint
Security software. See "Upgrading the FireEye Software" in the Endpoint Security
System Administration Guide.

Task 4. Enable quiesce mode for the on-premises Endpoint Security Series appliance.
Instructions: The on-premises appliance must be put into quiesce mode. Enabling
quiesce mode causes the Endpoint Security appliance to stop generating tasks and
aborts any queued tasks that have not yet completed on the agent, including file,
data, and triage acquisitions, and it stops the appliance from accepting new alerts.
See Enabling and Disabling Endpoint Security Server Quiesce Mode on page 119.

Task 5. Ensure that all agents have completed or aborted any outgoing jobs to the
appliance.
Instructions: After putting the on-premises Endpoint Security appliance into quiesce
mode, you must ensure that all of the agents have completed or aborted any ongoing
jobs to the appliance. You can verify that the show hx app-proc command states the
appliance is running quiesced and verify that the show hx messagebus command states
that Quiesce mode is enabled.

Task 7. Detach any on-premises HXD (DMZ) appliances or convert the HXD appliances to
TCP relays.
Instructions: If all of your host endpoints can communicate directly with the
on-premises Endpoint Security appliance, detach your on-premises HXD appliances. See
Detaching On-Premises HXD Appliances on page 141. If this is not possible, convert
your on-premises HXD appliances into TCP relays to the on-premises Endpoint Security
appliance. See Converting an On-Premises HXD Appliance Into a TCP Relay on page 142.
NOTE: FireEye recommends that you detach your on-premises HXD appliances, rather than
use them as TCP relays.

Task 8. Create a full backup of the on-premises Endpoint Security appliance.
Instructions: Create a full backup of the on-premises Endpoint Security appliance. If
you use the CLI, use the backup profile full to local command. Verify you have enough
disk space before attempting the backup. See "Backing Up the Database" in the
Endpoint Security System Administration Guide.

Task 9. Create a full backup of the cloud Endpoint Security (primary) server in the
cloud ecosystem.
Instructions: Create a full backup of the cloud Endpoint Security (primary) server in
your cloud Endpoint Security ecosystem. This will ensure your system can be restored
to its original state if a problem in the migration should occur. See "Backing Up the
Database" in the Endpoint Security System Administration Guide.

Task 10. (Optional) Download the full backup of the on-premises Endpoint Security
appliance.
Instructions: Download the full backup of the on-premises appliance you created in
Step 8. See "Downloading Backup Files" in the Endpoint Security System Administration
Guide.

Task 11. (Optional) Upload the backup of the on-premises Endpoint Security appliance
onto the cloud Endpoint Security server.
Instructions: Upload the full backup of the on-premises Endpoint Security appliance
onto the cloud Endpoint Security server using either the Web UI or the CLI. Trellix
recommends using the CLI restore profile full from local backup <backup file name>
command so any problems that occur are more easily identified. See "Restoring the
Database from a Backup File" in the Endpoint Security System Administration Guide.

Task 12. (Mandatory if you performed Steps 10 and 11) Restore your original cloud
configuration.
Instructions: Restore the configuration from the cloud Endpoint Security full backup
to restore cloud-specific configuration. You can use the command restore profile
config from local backup <backup file name> to restore the configuration.

Task 13. (Optional) Reset the password of the cloud Endpoint Security server.
Instructions: Reset the cloud Endpoint Security server password. It was set to the
password of the on-premises appliance when you uploaded the backup in Step 11. See
"Authentication" in the System Security Guide.

Task 14. Verify the defined users and user roles are set appropriately for the cloud
Endpoint Security server.
Instructions: Verify the cloud Endpoint Security server users and user role (AAA)
settings. These were overwritten with the on-premises appliance AAA settings when you
uploaded the backup in Step 11. See "Authorization" in the System Security Guide.

Task 15. Set up the server address list in the cloud Endpoint Security ecosystem.
Instructions: Using the cloud Endpoint Security Web UI, set up the server address list
for the cloud Endpoint Security ecosystem. See Setting Up the Server Address List for
the Cloud Endpoint Security Ecosystem on page 142.

Task 16. Restore the cloud ecosystem certificates.
Instructions: Restore the cloud Endpoint Security ecosystem certificates that you
downloaded in Downloading the Root and Intermediate CA Certificates of the Cloud
Endpoint Security Ecosystem on page 141. See "Certificates" in the System Security
Guide.

Task 17. Disable quiesce mode for the cloud Endpoint Security appliance.
Instructions: The cloud Endpoint Security server entered the quiesced state when the
on-premises Endpoint Security backup was uploaded to it in Step 11. Disable quiesce
mode for the cloud server. See Enabling and Disabling Endpoint Security Server Quiesce
Mode on page 119.

Task 18. Convert the on-premises Endpoint Security appliance to a TCP relay for the
cloud Endpoint Security server.
Instructions: Convert the on-premises Endpoint Security appliance into a TCP relay for
the cloud Endpoint Security server. See Converting the On-Premises Endpoint Security
Appliance Into a TCP Relay on page 143.
When you complete these steps, the agents will initially connect to the on-premises
Endpoint Security appliance, but will be relayed to the cloud Endpoint Security server. In
time, the cloud server will send the agents a new configuration file that includes
provisioning information for the cloud Endpoint Security server. After the agents receive
the new configuration file, they will connect directly to the cloud Endpoint Security server.
When all agents are connected directly to the cloud Endpoint Security server, the on-
premises Endpoint Security appliance will no longer be needed and can be shut down.
1. Log in to the on-premises Endpoint Security appliance using the SSH protocol and
the IP address or hostname of the appliance's management interface.
2. Enable CLI configuration mode.
hostname > enable
hostname # configure terminal
1. Log in to the Endpoint Security server using the SSH protocol and the IP address or
host name of the server's management interface.
2. Enable CLI configuration mode.
hostname > enable
hostname # configure terminal
3. Run the following command to view the version of Endpoint Security software:
hostname # show version
The version number is shown in the Product release line of the command output.
1. Log in to the cloud Endpoint Security server using the SSH protocol and the
IP address or host name of the server's management interface.
2. Enable CLI configuration mode.
hostname > enable
hostname # configure terminal
The server address list is listed in the Server section at the end of the output from
this command:
HX Endpoint Agent Configuration:
Server 0
Hostname: <host name>
Provisioning: enabled
Legacy Primary: enabled
4. Record the host name or IP address of the server shown in this list that has
provisioning enabled.
1. Log in to the on-premises Endpoint Security appliance using the SSH protocol and
the IP address or host name of the appliance's management interface.
2. Enable CLI configuration mode.
hostname > enable
hostname # configure terminal
The list of current HX ecosystem configuration roles should not contain any
HXD appliances.
• View the PKI settings:
hostname (config) # show hx pki
The response should not include information about any HXD appliances.
5. If any HXD appliances are listed in the output of these commands, repeat Steps 3
and 4 until no HXD appliances appear.
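The following is an added example, not Trellix or FireEye code, that serves the show hx pki output described under Prerequisites above, the quiesce-mode status snippet, and the detach verification in Steps 3 through 5. It parses text in the layouts this guide shows and returns a list of findings a migration pre-flight should block on: a CA outside its validity window, an expired CRL or one that outlives the configured Server CRL days, a host other than the expected HX appliance still listed in the PKI, and a quiesce mode that is not enabled for both the application processor and the message bus. The sample output, the ISO 8601 date format, and the host name hx-primary.example.internal are constructed assumptions.

```python
import re
from datetime import date

# Constructed sample laid out like this guide's 'show hx pki' output (ISO dates assumed).
SAMPLE_PKI = """\
Prefix: hx-example
Server CRL days: 30
CA: comms
valid from: 2020-01-15 to 2040-01-10
fingerprint: AA:BB:CC:DD
CRL: comms
issued: 2022-06-01 and expires on 2022-07-01
host: hx-primary.example.internal
role: ca
last ping: 2022-06-20
"""
# Constructed sample of the quiesce status snippet shown in this guide.
SAMPLE_QUIESCE = "Quiesce Mode:\nApp Proc: enabled\nMessage Bus: enabled\n"
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def parse_pki(text):
    """Split 'show hx pki' text into top-level params, CAs, CRLs and hosts."""
    pki = {"params": {}, "cas": {}, "crls": {}, "hosts": []}
    current = None  # record that the following key: value lines belong to
    for line in text.splitlines():
        key, _, val = line.partition(":")  # first colon only, so fingerprints survive
        key, val = key.strip(), val.strip()
        if key in ("CA", "CRL"):
            current = pki[key.lower() + "s"].setdefault(val, {})
        elif key == "host":
            current = {"host": val}
            pki["hosts"].append(current)
        elif current is not None:
            current[key] = val
        elif key:
            pki["params"][key] = val
    return pki


def preflight(pki_text, quiesce_text, expected_host, today):
    """Return a list of findings for the given ISO date; empty means all checks passed."""
    today = date.fromisoformat(today)
    pki = parse_pki(pki_text)
    findings = []
    crl_days = int(pki["params"].get("Server CRL days", 30))
    for name, ca in pki["cas"].items():
        start, end = (date.fromisoformat(d) for d in DATE_RE.findall(ca["valid from"]))
        if not start <= today <= end:
            findings.append(f"CA {name} is not valid on {today}")
    for name, crl in pki["crls"].items():
        issued, expires = (date.fromisoformat(d) for d in DATE_RE.findall(crl["issued"]))
        if expires < today:
            findings.append(f"CRL {name} expired on {expires}")
        if (expires - issued).days > crl_days:
            findings.append(f"CRL {name} outlives Server CRL days ({crl_days})")
    # Detach check: once HXD appliances are detached, only the HX appliance remains listed.
    for host in pki["hosts"]:
        if host["host"] != expected_host:
            findings.append(f"unexpected host in PKI output: {host['host']}")
    # Quiesce gate: both components must report 'enabled' before migrating agents.
    status = dict(line.partition(": ")[::2] for line in quiesce_text.splitlines())
    for component in ("App Proc", "Message Bus"):
        if status.get(component) != "enabled":
            findings.append(f"quiesce mode is not enabled for {component}")
    return findings
```

Feed it the captured output of show hx pki and of the quiesce status command for the on-premises appliance; an empty list means the PKI is healthy, no HXD appliance is still attached, and the appliance is fully quiesced.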
When the on-premises HXD appliances are detached from the Endpoint Security
appliance, the agents will revert to using the on-premises Endpoint Security appliance.
Converting an On-Premises HXD Appliance Into a TCP Relay
To convert an on-premises HXD appliance into a TCP relay for the on-premises
HX appliance using the CLI:
1. Log in to the on-premises HXD appliance using the SSH protocol and the IP address
or host name of the appliance's management interface.
2. Enable CLI configuration mode.
hostname > enable
hostname # configure terminal
3. Convert the on-premises HXD appliance into a TCP relay to the on-premises HX
appliance:
hostname # hx rproxy relay <ip address>
If the HXD appliance is in relay mode when it is upgraded, relay mode must be
reenabled after the upgrade completes.
To set up the server address list for the cloud Endpoint Security ecosystem:
1. Log in to the on-premises Endpoint Security appliance using the SSH protocol and
the IP address or host name of the appliance's management interface.
2. Enable CLI configuration mode.
hostname > enable
hostname # configure terminal
3. Convert the on-premises Endpoint Security appliance into a TCP relay to the cloud
Endpoint Security server:
hostname # hx rproxy relay <ip-address-or-host-name>
If the Endpoint Security appliance is in relay mode when it is upgraded, relay mode
must be re-enabled after the upgrade completes.
Documentation
Documentation for all Trellix products is available on the Trellix Documentation Portal
(login required):
https://docs.fireeye.com/
© 2022 FireEye Security Holdings US LLC. All rights reserved. Trellix, FireEye, and Skyhigh Security are the trademarks or
registered trademarks of Musarubra US LLC, FireEye Security Holdings US LLC, and their affiliates in the US and/or other
countries.