
ENDPOINT SECURITY

SERVER DEPLOYMENT GUIDE


RELEASE 5.3
Cloud Servers
Trellix, FireEye, and Skyhigh Security are the trademarks or registered trademarks of
Musarubra US LLC, FireEye Security Holdings US LLC, and their affiliates in the US
and/or other countries. McAfee is the trademark or registered trademark of McAfee
LLC or its subsidiaries in the US and/or other countries. Other names and brands are
the property of these companies or may be claimed as the property of others.
FireEye Security Holdings US LLC assumes no responsibility for any inaccuracies in
this document. FireEye Security Holdings US LLC reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.

Copyright © 2022 FireEye Security Holdings US LLC. All rights reserved.


Endpoint Security Server Deployment Guide
Cloud Servers
Software Release 5.3.0
Cloud Release 5.3.0
Revision 1

Trellix Contact Information:


Website: www.trellix.com
Technical Support: https://www.trellix.com/en-us/support.html
Phone (US):
1.408.321.6300
1.877.347.3393
Contents

PART I: Planning 9

CHAPTER 1: About the Endpoint Security Server 11


Server Roles and Order 12
Appliance Addressing 12

CHAPTER 2: System Requirements 15


Supported Appliance Models 15
Endpoint Security Cloud Server Features 16
Network Requirements 16
Standalone Endpoint Security Appliances That Receive DTI Updates 16
Environments That Restrict Outbound Access to Certain IP Addresses 17
Domain-Based Proxy ACL Rules 17
FireEye Endpoint Security Malware Definitions 17
Software Requirements 18
Endpoint Security Agent and Server Compatibility 18
Licensing Requirements 19

© 2022 FireEye Security Holdings US LLC 3



PART II: Cloud Server Deployment 21

CHAPTER 3: Cloud Server Overview 23

CHAPTER 4: Cloud Server Deployment Steps 25

PART III: Azure 29

CHAPTER 5: Azure Specifications 31


Endpoint Security Models and Sizes 31

CHAPTER 6: Deploying Virtual Endpoint Security Appliances in Microsoft Azure 33

Creating an Image File from an Azure Blob File 34
Creating Endpoint Security Network Interfaces 34
Creating an Endpoint Security Virtual Machine 35
Increasing the Disk Space on a Virtual Machine 38
Attaching Network Interfaces to the Virtual Machine 38
Performing the Endpoint Security Initial Configuration on Microsoft Azure 39

PART IV: AWS 43

CHAPTER 7: AWS Requirements 45

CHAPTER 8: AWS Specifications 47

CHAPTER 9: Deploying Virtual Endpoint Security Appliances on Amazon Web Services (AWS) 49

Launching an Endpoint Security Instance on AWS 50
Configuring the Activation Code and Initial Admin Password 52
Performing the Initial Configuration of Endpoint Security Instance 53


PART V: Configuration 59

CHAPTER 10: The Endpoint Security Server Web UI 61


Browser Support 61
Screen Resolution Requirements 61
Logging In to the Endpoint Security Web UI 62

CHAPTER 11: Validating DTI Access 63


Validating DTI Access Using the Web UI 63
Validating DTI Access Using the CLI 64

CHAPTER 12: Configuring the Server Address List 67


Adding a Server to the Server Address List 68
Adding a Server to the Server Address List Using the Web UI 68
Removing a Server From the Server Address List 69
Removing a Server from the Server Address List Using the Web UI 69

CHAPTER 13: Setting up Provisioning 71


Enabling Servers for Provisioning 72
Designating Provisioning Servers 72
Designating the Endpoint Security Server as a Provisioning Server Using the Web UI 73
Designating and Enabling a DMZ Server as a Provisioning Server 74
Designating Provisioning Servers Using a Split DNS in the Web UI 75
Canceling Provisioning Servers 76
Canceling the Primary Endpoint Security Server as a Provisioning Server Using the Web UI 77
Canceling a DMZ Server as a Provisioning Server Using the Web UI 77


PART VI: Integration 79

CHAPTER 14: How FireEye Appliance Alerts Become Endpoint Security Alerts and Central Management Badges 81

Endpoint Security and FireEye Appliance Alert Disparity 82
Network Security and Endpoint Security Alert Matches 82
Email Security — Server Edition and Endpoint Security Alert Matches 82

CHAPTER 15: Integrating Central Management Appliances and Endpoint Security Servers 85

Configuring a Central Management-Managed DMZ Server to Get Updates from DTI 88

CHAPTER 16: Replacing Integrated Central Management Appliances and Endpoint Security Servers 91

Overview 91
Replacement scenarios 91
Modifying the Endpoint Security server Bookmark ID 94

CHAPTER 17: Integrating Network Security Appliances and Endpoint Security Servers Directly 97

CHAPTER 18: SNMP Data 99


Retrieving SNMP Data 99
Providing Access to SNMP Data 100
Downloading the MIB 100
Retrieving SNMP Data Using Event OIDs 102
Sending Requests for SNMP Information 103
Sending Traps 103
Enabling and Configuring Traps 103
Logging Trap Messages 105


CHAPTER 19: Forwarding CEF Logs to Helix and SIEM Solutions 107


Configuring CEF Logging for Endpoint Events 108
Viewing the Current Logging Configuration 109
Adding a Destination 109
Removing a Destination 110
Using TCP for Remote Logging 110
Configuring the Port for a Remote Logging Target 110
Enabling Local CEF Logging 111
Disabling Local CEF Logging 111
SIEM Example: Setting Up an Endpoint Security Integration Connector with ArcSight 111
Creating a Self-Signed Development Certificate 112
Installing the Integration Connector 113

PART VII: Appendices 117

APPENDIX A: Enabling and Disabling Endpoint Security Server Quiesce Mode 119

Enabling Quiesce Mode 120
Disabling Quiesce Mode 120
Reviewing Quiesce Mode Status 121

APPENDIX B: Managing Endpoint Security PKI Certificates 123


Reviewing Certificates and Settings 124
Exporting Certificates 125
Importing Certificates 125
Regenerating Certificates 126
Setting the PKI Certificate Prefix 126
Setting Agent Certificate Authority Duration 127
Setting Agent Certificate Length 127
Setting Agent Certificate Duration 128
Setting Endpoint Security Certificate Authority Duration 128


Setting Endpoint Security Certificate Length 129


Setting Endpoint Security Certificate Duration 129
Setting Endpoint Security CRL Duration 130
Importing an Endpoint Security CRL 130
Regenerating the Endpoint Security CRL 130
Regenerating the Endpoint Security Subordinate PKI 131
Enabling the Provisioning Certificate 132
Disabling the Provisioning Certificate 132

APPENDIX C: Migrating Between On-Premises Endpoint Security Appliances and Cloud Endpoint Security Servers 133

Migration Steps 134
Testing Connectivity Between the On-Premises Appliances and Cloud Endpoint Security Servers 138
Identifying the Endpoint Security Software Version on an Appliance 138
Collecting Cloud Server Information and CA Certificates 139
Recording the Server Address List Settings of the Cloud Endpoint Security Ecosystem 140
Downloading the Root and Intermediate CA Certificates of the Cloud Endpoint Security Ecosystem 141
Detaching On-Premises HXD Appliances 141
Converting an On-Premises HXD Appliance Into a TCP Relay 142
Setting Up the Server Address List for the Cloud Endpoint Security Ecosystem 142
Converting the On-Premises Endpoint Security Appliance Into a TCP Relay 143

Technical Support 145


Documentation 145



EndPoint Security Series Cloud Appliance Deployment Guide

PART I: Planning

• About the Endpoint Security Server on page 11
• System Requirements on page 15


CHAPTER 1: About the Endpoint Security Server

Adaptive security requires monitoring of all threat vectors, including fast, accurate
assessments of potential cyber attacks tracked to endpoint activity. The FireEye endpoint
security products allow you to detect, analyze, and respond to targeted cyber attacks and
zero-day exploits on the endpoint.

In this guide, you will see the Endpoint Security server and DMZ server referred to
as an Endpoint Security appliance or HXD appliance, respectively. These terms refer
to the same products.

Using Endpoint Security servers, you can continuously monitor endpoints for advanced
malware and indicators of compromise (IOCs) that routinely bypass signature-based and
defense-in-depth security systems. The Endpoint Security servers and DMZ servers allow
you to:

• Search for advanced attackers and advanced persistent threats (APTs)
• Investigate alerts from network devices, automatically creating IOCs and alerting
  users
• Extend FireEye detection services seamlessly to your endpoints
• Use Agent Anywhere technology to analyze remote endpoints outside the corporate
  network, regardless of their Internet connection type
• Acquire files, data, and triage collections from endpoints and analyze these
  collections
• Confirm whether alerts seen on the network actually compromise endpoints
• Contain endpoints, isolating devices when they become compromised

This chapter covers the following topics:

• Server Roles and Order on the next page
• Appliance Addressing on the next page


Server Roles and Order


Endpoint Security software can be deployed on the following appliance forms:

• on-premises (physical) appliances
• virtual servers (VMware ESXi or Windows Hyper-V)
• cloud servers

You can optionally install DMZ servers and connect them to a single Endpoint Security
server. DMZ servers are installed in public or Internet-facing network locations and are
used to maintain connectivity with externally connected host endpoints. Installation and
setup steps for DMZ servers are the same as for an Endpoint Security server. Requests
from agents to a DMZ server are proxied to the Endpoint Security server.

A single Endpoint Security ecosystem, which includes the Endpoint Security server
and its attached DMZ servers, can support up to 100,000 agents.
Your Endpoint Security (and DMZ) servers must run the same version of Endpoint
Security software. If they use different versions, communication between them will
fail.

In each Endpoint Security ecosystem, provisioning and primary servers must be identified.

Provisioning servers are the servers to which FireEye Endpoint Security Agents connect to
provision and establish their cryptographic agent identity. FireEye Endpoint Security
Agents with version numbers less than 20 can only provision against the primary server.
Agents with version numbers of 20 or later can provision against multiple servers,
including a DMZ server.

You must identify the servers that will be your provisioning servers before you
download and deploy the FireEye Endpoint Security Agent installation software to
your host endpoints. When agent installation software is downloaded, the IP
addresses or DNS names of the provisioning Endpoint Security servers are
identified in the agent download package. See Setting up Provisioning on page 71.

The Central Management platform can be used to upgrade and manage Endpoint Security
(and DMZ) servers. See Integrating Central Management Appliances and Endpoint
Security Servers on page 85 for important details.

Appliance Addressing
Your enterprise can use IP addresses or domain names (DNS) when configuring
hostnames for agent communications with Endpoint Security servers.


• Configure a single DNS name that resolves to the Endpoint Security server from inside
  the network and to the DMZ server from outside (a split DNS). This option is the most
  flexible arrangement. It allows you to move and renumber appliances without
  reconfiguring agents and eliminates unnecessary agent connection attempts to
  unreachable appliances. However, this solution requires a more complex DNS
  configuration, and it may be challenging to execute consistently in large networks.
  See also Designating Provisioning Servers Using a Split DNS in the Web UI on page 75.
• Configure a unique DNS name for each Endpoint Security server and DMZ server.
  This option allows you to move or renumber appliances without reconfiguring agents.
  However, it requires consistent internal DNS resolution of the appliance names and
  may cause extra connection attempts by external endpoints to internal appliances that
  they cannot reach.
• Configure a unique IP address for each Endpoint Security server and DMZ server.
  This option provides the most reliable connections from endpoints and does not
  require consistent internal DNS configuration throughout a large enterprise.
  However, it is the least flexible option: if you move or renumber appliances, you may
  have to reinstall agents.

IMPORTANT: You must decide which appliances will be your provisioning appliances
before you download the installation software for your agents. When agent installation
software is downloaded, the IP addresses or DNS names of the provisioning Endpoint
Security servers are identified in the agent download package. See Designating
Provisioning Servers on page 72.


CHAPTER 2: System Requirements

Before you deploy an Endpoint Security server, make sure the following requirements are
met.

This guide does not provide information about appliance throughput, performance,
or capacity. For information on this, see your FireEye representative.

Supported Appliance Models


You can use the following server models with Endpoint Security software. The "Maximum
Number of Endpoints" column lists the maximum number of endpoints that can be
supported by the server model.

Model       Type                                        Supported Endpoint Security   Maximum Number
                                                        Software Versions             of Endpoints
HX 2500DV   Virtual DMZ server                          3.5 and later                 15,000
HX 2502V    Virtual or cloud Endpoint Security server   3.5 and later                 15,000
HX 4500DV   Virtual HXD (DMZ) server                    4.0 and later                 100,000
HX 4502V    Virtual or cloud HX server                  4.0 and later                 100,000

Cloud Endpoint Security server models are initially deployed by Trellix. Thereafter, you are
responsible for maintaining them. Cloud servers can be maintained in the same manner as
other Endpoint Security servers.


Cloud Endpoint Security servers have better performance than physical, on-premises,
Endpoint Security servers due to their storage configurations, which are based on SSD
volumes that are designed to deliver guaranteed performance.

NOTE: Hyper-V cluster storage mode is not supported for use with virtual Endpoint
Security instances.

Endpoint Security Cloud Server Features


Endpoint Security cloud appliance models meet the following specifications when they are
deployed for you.

Model Type Memory Disk Space

HX 2500DV AWS-EC2 DMZ 16 GB 512 GB

HX 4500DV AWS-EC2 DMZ 64 GB 1200 GB

HX 4502V AWS-EC2 Regular 64 GB 3600 GB

You can also host an Endpoint Security instance in your AWS account. For details, see
AWS on page 43.

Network Requirements
Connectivity with FireEye's Dynamic Threat Intelligence (DTI) network (one-way or two-
way sharing) is required.
Endpoint Security appliances can download software updates (security content and system
images) from the FireEye Dynamic Threat Intelligence (DTI) network. With a two-way
content license, the appliance can also upload threat intelligence information to the DTI
network. By default, Central Management-managed appliances receive software updates
from the DTI network through the Central Management appliance.

Standalone Endpoint Security Appliances That Receive DTI Updates

The Central Management appliance and standalone (not managed by Central
Management) appliances use the ether1 port to communicate directly with the DTI
network. In the default configuration, where you receive updates from the DTI network
(cloud.fireeye.com), the DTI IP addresses are not fixed, so allow outbound access to all
IP addresses on the following ports:

• DNS (UDP/53)
• HTTPS (TCP/443)


Management interface ether1 requires a static IP address or reserved DHCP address and
subnet mask.

Environments That Restrict Outbound Access to Certain IP Addresses

If your security policy requires that you restrict outbound access to specific IP
addresses, you cannot use the default DTI endpoint (cloud.fireeye.com), whose IP
addresses are not fixed. Instead, point the appliance to staticcloud.fireeye.com for DTI
updates, and allow access to the *.incapdns.net domain.

To configure and access staticcloud.fireeye.com:

1. Enable CLI configuration mode.

   hostname > enable
   hostname # configure terminal

2. Enter the following command from the appliance CLI:

   hostname (config) # fenet dti source default DTI

3. Save your configuration.

   hostname (config) # write mem

4. Add the following block of IP addresses to the firewall:

   • 199.16.196.0/22

To allow access to *.incapdns.net:

1. Add the block of IP addresses listed at
   https://incapsula.zendesk.com/hc/en-us/articles/200627570-Restricting-direct-access-to-your-website-Incapsula-s-IP-addresses-
   to the firewall. Those ranges are published by Incapsula and can change, so re-check
   the list whenever DTI connectivity breaks.
2. Allow access to the *.incapdns.net domain at the proxy device.

Domain-Based Proxy ACL Rules

If your configuration includes domain-based proxy ACL rules, allow access to
*.fireeye.com.
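The outbound rules above (DNS on UDP/53, HTTPS to the staticcloud block 199.16.196.0/22, the Incapsula ranges behind *.incapdns.net, and *.fireeye.com at a domain-aware proxy) are easy to get subtly wrong, so here is an added example, not Trellix code, that encodes them as an allowlist and audits connection records against it. The record format, the sample flows and the 198.51.100.0/24 stand-in for an Incapsula range are constructed for the demo; take the real ranges from the Incapsula page linked above.

```python
"""Egress allowlist audit for an Endpoint Security appliance (added example, not Trellix code).

Encodes the outbound rules this chapter lists and evaluates connection records against
them. Record format, sample flows and the Incapsula stand-in range are demo assumptions.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    dst_name: str = ""  # server name a domain-aware proxy sees (SNI / Host), if any


@dataclass(frozen=True)
class Rule:
    kind: str   # "cidr": match destination IP; "domain": match destination name
    value: str  # CIDR block, or a wildcard pattern such as *.fireeye.com
    proto: str
    port: int


RULES = [
    Rule("cidr", "0.0.0.0/0", "udp", 53),          # DNS resolution, any resolver
    Rule("cidr", "199.16.196.0/22", "tcp", 443),    # staticcloud.fireeye.com
    Rule("cidr", "198.51.100.0/24", "tcp", 443),    # CONSTRUCTED stand-in for an Incapsula range
    Rule("domain", "*.fireeye.com", "tcp", 443),    # domain-based proxy ACL
    Rule("domain", "*.incapdns.net", "tcp", 443),
]


def rule_matches(rule, flow):
    if flow.proto != rule.proto or flow.dst_port != rule.port:
        return False
    if rule.kind == "cidr":
        return ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(rule.value)
    # "*.fireeye.com" matches subdomains only: never the bare apex, and never
    # "fireeye.com.attacker.example", which is the classic prefix-match mistake.
    name = flow.dst_name.lower().rstrip(".")
    return bool(name) and fnmatch.fnmatchcase(name, rule.value)


def is_allowed(flow, rules=RULES):
    return any(rule_matches(r, flow) for r in rules)


def parse_flows(text):
    """Parse constructed 'proto dst_ip dst_port [dst_name]' records, one per line."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        proto, ip, port = parts[:3]
        flows.append(Flow(proto.lower(), ip, int(port), parts[3] if len(parts) > 3 else ""))
    return flows


def audit(text, rules=RULES):
    """Return the flows outside the allowlist: traffic to block, or a rule you forgot."""
    return [f for f in parse_flows(text) if not is_allowed(f, rules)]


# Constructed sample records (not captured from a real appliance).
SAMPLE_FLOWS = """\
udp 10.0.0.53 53
tcp 199.16.197.10 443 staticcloud.fireeye.com
tcp 198.51.100.20 443
tcp 203.0.113.5 443 example-host.fireeye.com
tcp 203.0.113.5 443 fireeye.com.attacker.example
tcp 192.0.2.44 443 updates.example.net
tcp 199.16.197.10 80
"""

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("outside policy:", flow)
```

Run against the sample records, the audit reports the look-alike name, the unrelated update host, and the port-80 flow to the staticcloud block, which this chapter's list does not cover. Feed it your own firewall or proxy logs in the same three- or four-column form to find both gaps in the allowlist and traffic that should not be leaving the appliance.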

FireEye Endpoint Security Malware Definitions


The malware protection provided with HX Series 4.0 and FireEye Endpoint Agent 26.21
(and later versions) uses malware definitions to detect and identify files infected by
malware. Both FireEye's Dynamic Threat Intelligence (DTI) cloud and the Endpoint
Security server download these malware definitions from avupdate.fireeye.com. If your
security policy uses a firewall to restrict access to certain IP and web addresses, you
need to configure your firewall rules to allow access to avupdate.fireeye.com. The IP
addresses associated with avupdate.fireeye.com vary based on your environment. The
following are some possible solutions.

• Use DNS names instead of IP addresses in the firewall rules. The firewall then resolves
  avupdate.fireeye.com itself and applies the rule to whatever addresses the name
  currently resolves to. Make sure the firewall resolves the name through the same DNS
  path as the appliance; otherwise the two can see different addresses.
• Do a DNS (forward) lookup to identify the IP addresses that avupdate.fireeye.com
  resolves to in your environment, and use those IP addresses in the firewall rules.
  Because the addresses can change, repeat the lookup periodically or updates will fail
  when they do.
• Use a caching proxy server to obtain the malware definition updates from
  avupdate.fireeye.com. Be sure your firewall rules allow access to *.fireeye.com.

FireEye Endpoint Security uses HTTP over port 80 to deliver antivirus (AV) content.
This allows you to use a caching proxy to distribute the content of one download
across your endpoints. Because plain HTTP provides no integrity protection, the
integrity of the content rests entirely on the signature: the manifest for the content is
signed with a 2048-bit RSA private key to prevent tampering. If the content is altered,
validation of the content on the endpoint agent fails and the content is discarded. A
proxy or on-path attacker can therefore delay or withhold updates, but cannot
substitute content of its own.
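To make the signed-manifest model concrete, the following is an added example and not FireEye/Trellix code: a publisher hashes every content file into a manifest and signs the manifest with an RSA private key; the agent verifies the signature, then each file against the manifest, and discards the bundle on any mismatch. The manifest layout, the self-contained RSASSA-PKCS1-v1_5 signer and the sample files are assumptions made for the demo; production code uses a vetted crypto library, never hand-rolled RSA.

```python
"""Signed-manifest integrity check for AV content delivered over plain HTTP.

Added example, not FireEye/Trellix code: it models the scheme the guide describes
(content over HTTP/80, possibly via a caching proxy; a manifest signed with a 2048-bit
RSA private key; altered content rejected by the agent). Manifest layout, the built-in
RSASSA-PKCS1-v1_5 signer and the sample files are demo assumptions.
"""
import hashlib
import hmac
import json
import random

_SMALL_PRIMES = [p for p in range(3, 2000, 2) if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]

def _is_probable_prime(n, rng, rounds=32):
    """Trial division by small primes, then Miller-Rabin with `rounds` random bases."""
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (3 << (bits - 2)) | 1  # top two bits and low bit set
        if _is_probable_prime(cand, rng):
            return cand

def generate_keypair(bits=2048, rng=None):
    """Return ((n, e), (n, d)). The fixed seed only makes the demo reproducible."""
    rng, e = rng or random.Random(2022), 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017, 9.2

def _emsa_pkcs1_v15(msg, k):
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv, msg):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(pub, msg, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))

def build_manifest(files):
    """files: {name: bytes} -> canonical JSON listing the SHA-256 of every file."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()

def verify_bundle(pub, bundle):
    """Agent-side check. Returns (accepted, reason); a rejected bundle is discarded."""
    manifest, files = bundle["manifest"], bundle["files"]
    if not rsa_verify(pub, manifest, bundle["signature"]):
        return False, "manifest signature invalid"
    expected = json.loads(manifest)
    if set(expected) != set(files):
        return False, "file set differs from manifest"
    for name, digest in expected.items():
        if not hmac.compare_digest(hashlib.sha256(files[name]).hexdigest(), digest):
            return False, "hash mismatch: " + name
    return True, "ok"

# Publisher side, with constructed sample content standing in for definition files.
SAMPLE_FILES = {"definitions.dat": b"sig-db v1\n", "engine.bin": b"\x7fELF demo engine"}
PUBLIC_KEY, PRIVATE_KEY = generate_keypair()
_MANIFEST = build_manifest(SAMPLE_FILES)
GOOD_BUNDLE = {"files": SAMPLE_FILES, "manifest": _MANIFEST, "signature": rsa_sign(PRIVATE_KEY, _MANIFEST)}

def tampered(rewrite_manifest):
    """Swap one file in transit; optionally rewrite the manifest to match. The attacker
    holds no private key, so the original signature is reused either way."""
    files = {**GOOD_BUNDLE["files"], "definitions.dat": b"sig-db v1 + planted rule\n"}
    manifest = build_manifest(files) if rewrite_manifest else GOOD_BUNDLE["manifest"]
    bundle = {"files": files, "manifest": manifest, "signature": GOOD_BUNDLE["signature"]}
    return verify_bundle(PUBLIC_KEY, bundle)
```

Both tampering paths fail: swapping a file leaves a hash mismatch against the signed manifest, and rewriting the manifest to match invalidates the signature. Checking the signature before touching any file, and rejecting bundles whose file set differs from the manifest, are what keep a caching proxy from becoming a content injection point.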

Software Requirements

• An Endpoint Security software version supported by the server model. See Supported
  Appliance Models on page 15.
• Central Management version 8.0.1 or later.
• FireEye Endpoint Security Agents supported by the Endpoint Security software
  version. See Endpoint Security Agent and Server Compatibility below.

Endpoint Security Agent and Server Compatibility

Some Endpoint Security server features require specific minimum versions of the FireEye
Endpoint Security Agent. These minimum versions are described in the documentation for
each feature in the Endpoint Security Agent Administration Guide and in the Endpoint Security
Server User Guide.

Agents can provision with on-premises, virtual, or cloud Endpoint Security servers. For
more information about these Endpoint Security server form factors, see the other
sections of this guide.

The following compatibility table shows the minimum version of Endpoint Security
server software required by Endpoint Security Agent software version 31.28.0 to obtain full
product functionality. It also identifies, at a high level, the operating system environments
supported by each agent version. For details about operating system support, see
"Operating System Requirements" in the Endpoint Security Agent Administration Guide.

Endpoint Security   Minimum Endpoint Security   Operating System Environments
Agent Version       Version                     Windows   macOS   Linux
31                  5.3                         Yes       Yes     Yes

NOTE: Trellix recommends that you upgrade and deploy your Endpoint Security
server software before you upgrade and deploy your Endpoint Security Agent
software.

Licensing Requirements

The following table shows the licenses that can be installed for Endpoint Security servers.
Notes (1) and (2) below apply to the "Server form factors" and "Required?" entries.

License: FIREEYE_APPLIANCE
  Description: Required to register your server and use the product features.
  Server form factors (1): All
  Required? (2): Server: Yes   DMZ server: Yes

License: FIREEYE_SUPPORT
  Description: Allows your system to receive software image updates.
  Server form factors (1): All
  Required? (2): Server: Yes   DMZ server: Yes

License: CONTENT_UPDATES
  Description: Allows your system to access the Dynamic Threat Intelligence (DTI) network.
  Server form factors (1): All
  Required? (2): Server: Yes   DMZ server: No

License: HX_ADVANCED
  Description: Provides access to Endpoint Security exhaustive Enterprise Search requests,
  data acquisition requests, and bulk acquisition endpoint requests via the API. This
  license is optional. Without it, you have no access to the features listed above. Your
  DMZ servers do not need an HX_ADVANCED license if the Endpoint Security server
  associated with the DMZ server already has one.
  Server form factors (1): All
  Required? (2): Server: No   DMZ server: No

License: MD_ACCESS
  Description: Allows FireEye products to connect to the Managed Defense VPN. Without
  this license, Managed Defense cannot manage the appliance. This license is optional.
  Server form factors (1): All
  Required? (2): Server: No   DMZ server: No

(1) Server form factors include on-premises, virtual (VMware ESXi and Windows Hyper-V),
and cloud Endpoint Security servers.
(2) Cloud Endpoint Security servers are DMZ servers.


PART II: Cloud Server Deployment

• Cloud Server Overview on page 23
• Cloud Server Deployment Steps on page 25


CHAPTER 3: Cloud Server Overview

A cloud Endpoint Security server is an instance of the Endpoint Security system image
deployed in the Amazon Web Services (AWS) cloud. The Endpoint Security server is the
provisioning server in a cloud Endpoint Security environment. All agent communication is
with this server.

Cloud Endpoint Security servers are initially deployed for you by Trellix in AWS, with
appropriate Trellix licenses already established. Verify that you have access to the server,
using the information provided by Trellix. After your cloud Endpoint Security servers are
deployed, you are responsible for maintenance. The cloud Endpoint Security servers can be
maintained in the same manner as virtual or on-premises Endpoint Security servers.

Ensure that you perform regular backups of your cloud Endpoint Security, using the
instructions found in "Backing up the Database" in the Endpoint Security User Guide.
Maintain a current copy of your PKI certificates using the instructions in "Managing
HX Series PKI Certificates" in the Endpoint Security System Administration Guide.

Endpoint Security Servers are rated up to 100,000 agents. Cloud Endpoint Security Servers
have better performance than physical, on-premises, Endpoint Security servers due to their
storage configurations, which are based on SSD volumes that are designed to deliver
guaranteed performance. Virtual Endpoint Security performance will vary, depending on
the hardware resources you have selected for the server.

For more information about specific Endpoint Security models, see Supported
Appliance Models on page 15.

If you need to migrate your agents or server settings from an existing on-premises
Endpoint Security server to a cloud server, see Migrating Between On-Premises Endpoint
Security Appliances and Cloud Endpoint Security Servers on page 133.
In a new cloud Endpoint Security environment, the server and associated DMZ server
instances (if a DMZ is used) are attached for you. If you migrate an on-premises HX server
to a cloud server, the cloud server and any DMZ server will be detached and reattached
during the migration.


In Helix, cloud Endpoint Security servers can be managed by Central Management.

NOTE: Central Management of a cloud Endpoint Security is set up using the Central
Management Web UI. (Errors result for attempts to set up Endpoint Security
management using the Central Management CLI.) See the appendix "Configuring a
Managed Appliance" in the FireEye System Security Guide.

Prerequisites

• Deployment of an Endpoint Security in the cloud is supported for Endpoint Security
  3.6.0 and later versions.


CHAPTER 4: Cloud Server Deployment Steps

Cloud Endpoint Security servers are initially deployed for you by Trellix, with appropriate
Trellix licenses already established. Verify that you have access to the server, using the
information provided when the server was set up for you.
When a new cloud Endpoint Security environment is initially established, it includes
licenses, basic authorization roles, and the server address list for the cloud Endpoint
Security ecosystem.
If you need to migrate your agents or server settings from an existing server to a cloud
server, see Migrating Between On-Premises Endpoint Security Appliances and Cloud
Endpoint Security Servers on page 133.
Complete the following steps to tailor your new cloud Endpoint Security environment.

Task 1. Configure other system administration features such as AAA, SSL certificates,
and SNMP data access.
  Instructions: See the FireEye System Security Guide and the Endpoint Security System
  Administration Guide.

Task 2. Verify that the Endpoint Security server is connected to Trellix's Dynamic Threat
Intelligence (DTI) cloud.
  Instructions: See Validating DTI Access on page 63. If the validation fails, verify that
  the DTI configuration is set up correctly. See the Endpoint Security System
  Administration Guide.

Task 3. Review the server address list.
  Instructions: In a cloud Endpoint Security environment, the primary server deployed
  for you in the AWS cloud should appear in the server address list. See Configuring the
  Server Address List on page 67.

Task 4. Obtain the agent installation package.
  Instructions: If your Endpoint Security server is connected to the DTI, the most recent
  Windows, macOS, and Linux agent images are automatically downloaded to the server
  after the DTI connection is established. If your Endpoint Security server is not
  connected to the DTI, or if you need an older agent image than the ones that have been
  downloaded, you will need to manually download the agent image you need. See the
  appropriate version of the Endpoint Security Agent Deployment Guide.

Task 5. Install the agent software on your host endpoints.
  Instructions: See the appropriate version of the Endpoint Security Agent Deployment
  Guide. A single cloud Endpoint Security ecosystem can support up to 100,000 agents.

Task 6. Optionally, connect your Endpoint Security server to Helix.
  Instructions: After you have deployed your cloud ecosystem and installed the agent
  software on your endpoints, the cloud Endpoint Security ecosystem can be integrated
  with Helix. This integration is set up for you by Trellix. If you connect your Endpoint
  Security server to Helix, see the Helix Getting Started Guide for information on how to
  get started with Helix. See also the FireEye System Security Guide for information on
  Helix's Identity Access Management (IAM) and single sign-on (SSO) authentication.
  In Helix, Central Management of a cloud Endpoint Security is set up using the Central
  Management Web UI. (Errors result for attempts to set up server management using
  the Central Management CLI.) See the appendix "Configuring a Managed Appliance"
  in the FireEye System Security Guide.

Task 7. Optionally, connect your Endpoint Security server to a Central Management
Series appliance.
  Instructions: After you have deployed your cloud Endpoint Security ecosystem and
  installed the agent software on your endpoints, you can integrate the cloud ecosystem
  with a cloud Central Management appliance. For more information, see Integrating
  Central Management Appliances and Endpoint Security Servers on page 85.
  Additional information for managing your Endpoint Security servers through the
  Central Management appliance is provided in the Endpoint Security System
  Administration Guide.



PART III: Azure

• Azure Specifications on page 31
• Deploying Virtual Endpoint Security Appliances in Microsoft Azure on page 33


CHAPTER 5: Azure Specifications


This section shows the models and supported virtual machine (VM) sizes for Endpoint
Security virtual machines deployed on Microsoft Azure.

NOTE: The VM specifications are displayed when you make your selection in the
Azure portal.

Endpoint Security Models and Sizes


The following table shows the supported Endpoint Security models, their specifications,
and the supported virtual machines (VM) that can be deployed on Microsoft Azure.

Model vCPUs RAM Disk Space Supported Instance Type

HX 2502Vaz 4 16 GB 1200 GB Standard_D4_v3

HX 2502Vaz 4 16 GB 1200 GB Standard_D4s_v3

HX 4502Vaz 8 64 GB 3600 GB Standard_L8s_v2

HX 4502Vaz 8 64 GB 3600 GB Standard_E8_v3

HX 4502Vaz 8 64 GB 3600 GB Standard_E8s_v3



CHAPTER 6: Deploying Virtual
Endpoint Security Appliances in
Microsoft Azure
A Microsoft .vhd (Virtual Hard Disk) blob file is a disk image file format for storing the
complete contents of a hard drive. The .vhd file contains the software configuration
needed to deploy a virtual Endpoint Security appliance, known as a virtual machine in
Azure. The software configuration includes the operating system, application server, and
applications that are needed to create the virtual machine.
You must create an image file from the .vhd file. The image file serves as a template from
which you can deploy multiple virtual machines.
The following table summarizes the steps to create an Endpoint Security virtual machine
in Microsoft Azure.

NOTE: This document provides the basic steps for launching virtual Trellix
appliances, and assumes familiarity with launching virtual machines in Azure. For
comprehensive information, see the Azure documentation provided by Microsoft.

1. Ensure that the required resources are created for your subscription. See Azure
   Specifications on page 31.
2. Obtain the Endpoint Security blob .vhd file from Trellix. The file is provided through
   your Azure account.
3. Create an image file from the .vhd file. See Creating an Image File from an Azure Blob
   File on the next page.
4. Create network interfaces to attach to the virtual machine you will deploy. See Creating
   Endpoint Security Network Interfaces on the next page.
5. Create the virtual machine. See Creating an Endpoint Security Virtual Machine on page 35.
6. Stop the virtual machine and attach the network interfaces. See Attaching Network
   Interfaces to the Virtual Machine on page 38.
7. Start the virtual machine and perform the initial configuration of the appliance. See
   Performing the Endpoint Security Initial Configuration on Microsoft Azure on page 39.

IMPORTANT: The navigation instructions and user interface may vary based on
the Azure portal version that is running when you create your virtual appliance.
These procedures show only one way to navigate to resources in the Azure portal.

NOTE: These procedures cover the required settings for a virtual Endpoint Security
appliance. You can accept the default values for the other settings, or specify values
that are appropriate for your environment.

Creating an Image File from an Azure Blob File
This section describes how to create an image file from a .vhd blob file.
To create an image file: 

1. In the Azure portal, select All services, and then click Images under Compute.
2. Click Add. The Create image page opens.
3. Enter a Name for the image.
4. Make sure the correct Subscription is selected.
5. Select your Resource group.
6. Make sure the correct region (Location) is selected.
7. Select Linux as the OS type.
8. For Storage blob, click Browse and navigate to and select the .vhd file.
9. Click Create.

Creating Endpoint Security Network Interfaces
The ether1 (management) interface is the only interface that Azure creates by default when
you create the virtual machine. You must create the optional submission interface (ether2)
and any monitoring interfaces yourself, and then attach them to the virtual machine. IP
forwarding must be enabled on monitoring interfaces so that all network traffic reaches the
Endpoint Security appliance.
To create a network interface:

1. In the Azure portal, select All services, and then click Network interfaces under
Networking.
2. Click Add. The Create network interface page opens.
3. Make sure the correct Subscription is selected.
4. Select the correct Resource group.
5. Enter a meaningful Name for the interface.
6. Make sure the correct Region, Virtual network, and Subnet are selected.
IMPORTANT: Each interface must be in a separate subnet.

7. Recommended: Click Static and enter a static IP address to assign to the interface.
   Otherwise, select Dynamic.
8. Select the correct Network security group.
9. Select the Private IP address (IPv6) check box if the subnet uses IPv6 addresses.
10. Click Next: Add tags and specify name and value pairs for the tags to apply to the
network interface.
11. Click Review + create.
12. Click Create after the validation passes and you confirm the information on the
page.

Creating an Endpoint Security Virtual Machine
This topic describes how to create an Endpoint Security virtual machine in Azure.
To create an Endpoint Security virtual machine:

1. In the Azure portal, select All services, and then select Images under Compute.
2. Select the image you created in Creating an Image File from an Azure Blob File on
the previous page.
3. Click Create VM.


4. Select the tabs at the top of the Create a virtual machine page, and configure
settings as described in the following sections.
NOTE: Settings that are not required for an Endpoint Security virtual
appliance are not covered in these sections. You can accept the default
values for the other settings, or specify values that are appropriate for your
environment.

Basics
The Basics page contains the following sections.

Project details
• Make sure the correct Subscription and Resource group are selected.

Instance details
• Enter a Virtual machine name.
• Make sure the correct Region is selected.
• Make sure the correct Image is selected.
• Select the virtual machine Size based on your requirements. The specifications are
  displayed when you make your selection.
  NOTE: For a list of the sizes supported for an Endpoint Security virtual machine, see
  Endpoint Security Models and Sizes on page 31.

Administrator account
Use this section to configure how the initial admin user authenticates to the appliance CLI.

IMPORTANT: You must select SSH public key for Authentication type.

• The Username you provide is ignored on the first CLI login, because the first login user
  is always "admin". You can create additional admin user accounts later from the
  appliance Web UI or CLI.
• If you enter a Password, it cannot be used for the first login to the virtual appliance,
  whether from the Azure console or over SSH. Log in to the Azure console as "admin",
  change the password immediately, and then log in to the virtual appliance CLI in an SSH
  session and run the configuration jump-start wizard (you can change the password again
  in the wizard). You can then configure SSH public keys from the virtual appliance Web UI
  or CLI.
• If you enter an SSH public key, you cannot log in to the Azure console until a password
  has been set, but you can use the key to log in to the virtual appliance CLI in an SSH
  session. After you run the configuration jump-start wizard and set a password, that
  password also works for the Azure console.

IMPORTANT: You cannot change the SSH key from the Azure portal after the virtual machine
is created. Change it from the virtual appliance Web UI or CLI.

Inbound port rules
• Select Allow selected ports for Public inbound ports.
• Select HTTPS (443) and SSH (22) for Select inbound ports.
  The rules the portal creates here allow ports 22 and 443 from any source. Restrict the
  source ranges in the network security group to your management networks before the
  appliance is reachable from the Internet, in particular when the virtual machine has a
  public IP address.

Networking
• Make sure the correct Virtual network and Subnet are selected.
• Accept the default Public IP, unless you plan to deploy the virtual machine in a VPN or
  behind a NAT device. Select None if the appliance does not need to be reachable from the
  Internet.
• Click Advanced for NIC network security group.
• Select the correct security group for Configure network security group.
• Make sure Accelerated networking is Off.

Tags
• Define name and value pairs for the tags to apply to the virtual machine.

Review + create
• Click Create after the validation passes and you confirm the information on the page.


Increasing the Disk Space on a Virtual Machine
Use these steps to increase the disk space on the virtual machine you are using.

NOTE: Performing this process is especially applicable for the 4502 model, since you
cannot increase the disk size when you create the virtual machine.

To increase the disk space on a virtual machine:

1. In the Azure portal, select All services > Virtual Machines.
2. Select the virtual machine.
3. If the virtual machine is running, click Stop.
4. Under Settings, select Disks.
5. Click the OS Disk name.
6. Under Settings, select Configuration.
7. In the Size field, enter the disk size appropriate to meet the requirements of the
machine. For example, 4502Vaz machines require 3600 GB of disk space.
8. Click Save.

Attaching Network Interfaces to the Virtual Machine
You must attach network interfaces you create in Azure to the Endpoint Security virtual
machine.

IMPORTANT: Attach the interfaces in numeric order. For example, attach ether2,
pether3, and then pether4.

To attach an interface:

1. Select All services > Virtual Machines.
2. Select the virtual machine.
3. If the virtual machine is running, click Stop.
4. Select Networking under Settings.
5. Click Attach network interface.
6. Select the first network interface and click OK.

7. Repeat the previous step for each network interface.
8. Select the virtual machine and click Start.
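The following script is an added example and is not part of this guide or of the Trellix software. It performs the portal procedure of this chapter with the Azure CLI, driven from Python: the image from the .vhd blob, the network interfaces (static addresses, IP forwarding on the monitoring interface, accelerated networking off), the virtual machine with SSH-key-only authentication, the OS disk resize and the interface attachment with the virtual machine deallocated, in the order the procedure requires. A management rule that limits ports 22 and 443 to known source ranges is added in place of the portal's "any source" rules. Every resource name, the blob URL, the subnets, the address ranges and the key path are assumptions for illustration.

```python
import subprocess
from dataclasses import dataclass, field

# Supported VM sizes and OS disk size per model, from the Endpoint Security
# Models and Sizes table in Chapter 5.
MODEL_SIZES = {
    "HX 2502Vaz": ({"Standard_D4_v3", "Standard_D4s_v3"}, 1200),
    "HX 4502Vaz": ({"Standard_L8s_v2", "Standard_E8_v3", "Standard_E8s_v3"}, 3600),
}


@dataclass
class Nic:
    name: str
    subnet: str           # every interface goes in its own subnet
    static_ip: str        # for ether1 this is the address the jump-start wizard asks for later
    ip_forwarding: bool   # required on monitoring interfaces (pether3, pether4, ...)


@dataclass
class HxAzurePlan:
    model: str
    size: str
    resource_group: str
    location: str
    vhd_url: str          # blob URL of the .vhd obtained from Trellix (assumed name)
    vnet: str
    nsg: str
    ssh_pubkey: str       # path to the public key for the first "admin" CLI login
    mgmt_cidrs: list      # source ranges allowed to reach 22 and 443 on ether1
    vm_name: str = "hx-01"
    ether1: Nic = field(default_factory=lambda: Nic("hx-01-ether1", "hx-mgmt", "10.10.1.10", False))
    extra_nics: list = field(default_factory=list)  # ether2, pether3, ... in numeric order

    def commands(self):
        """Return the az CLI invocations, in order, as argv lists."""
        sizes, disk_gb = MODEL_SIZES[self.model]
        if self.size not in sizes:
            raise ValueError(f"{self.size} is not a supported size for {self.model}")
        if not self.mgmt_cidrs or "0.0.0.0/0" in self.mgmt_cidrs:
            raise ValueError("restrict the management rule to known source ranges")
        rg = ["--resource-group", self.resource_group]
        image, os_disk = f"{self.vm_name}-image", f"{self.vm_name}-osdisk"
        plan = [
            # Task 3: image from the .vhd blob, OS type Linux
            ["az", "image", "create", *rg, "--name", image, "--location", self.location,
             "--os-type", "Linux", "--source", self.vhd_url],
            # Inbound 22/443 only from the management ranges, not from Any
            ["az", "network", "nsg", "rule", "create", *rg, "--nsg-name", self.nsg,
             "--name", "allow-hx-mgmt", "--priority", "100", "--direction", "Inbound",
             "--access", "Allow", "--protocol", "Tcp",
             "--source-address-prefixes", *self.mgmt_cidrs,
             "--destination-port-ranges", "22", "443"],
        ]
        # Task 4: network interfaces with static addresses, accelerated networking off
        for nic in [self.ether1, *self.extra_nics]:
            plan.append(["az", "network", "nic", "create", *rg, "--name", nic.name,
                         "--location", self.location, "--vnet-name", self.vnet,
                         "--subnet", nic.subnet, "--network-security-group", self.nsg,
                         "--private-ip-address", nic.static_ip,
                         "--ip-forwarding", str(nic.ip_forwarding).lower(),
                         "--accelerated-networking", "false"])
        # Task 5: the VM, SSH-key authentication only. Azure rejects "admin" as the
        # admin username; the appliance ignores the name and the first CLI login is
        # always "admin" anyway.
        plan.append(["az", "vm", "create", *rg, "--name", self.vm_name,
                     "--location", self.location, "--image", image, "--size", self.size,
                     "--os-disk-name", os_disk, "--admin-username", "azureuser",
                     "--authentication-type", "ssh", "--ssh-key-values", self.ssh_pubkey,
                     "--nics", self.ether1.name])
        # Task 6: the VM must be stopped to resize the OS disk and to attach NICs
        plan.append(["az", "vm", "deallocate", *rg, "--name", self.vm_name])
        plan.append(["az", "disk", "update", *rg, "--name", os_disk, "--size-gb", str(disk_gb)])
        for nic in self.extra_nics:
            plan.append(["az", "vm", "nic", "add", *rg, "--vm-name", self.vm_name,
                         "--nics", nic.name])
        # Task 7: start it; the jump-start wizard follows over SSH
        plan.append(["az", "vm", "start", *rg, "--name", self.vm_name])
        return plan

    def execute(self):
        """Run the plan with the Azure CLI (requires a prior `az login`)."""
        for argv in self.commands():
            subprocess.run(argv, check=True)


def example_plan():
    """A 4502Vaz with a submission interface and one monitoring interface (assumed values)."""
    return HxAzurePlan(
        model="HX 4502Vaz", size="Standard_E8s_v3", resource_group="rg-hx",
        location="eastus", vhd_url="https://hxblobs.blob.core.windows.net/images/hx-5.3.0.vhd",
        vnet="vnet-sec", nsg="nsg-hx", ssh_pubkey="~/.ssh/hx_admin.pub",
        mgmt_cidrs=["203.0.113.0/24"],
        extra_nics=[Nic("hx-01-ether2", "hx-submission", "10.10.2.10", False),
                    Nic("hx-01-pether3", "hx-monitor", "10.10.3.10", True)],
    )
```

Review the output of `commands()` before calling `execute()`. Because ether1 is created explicitly and passed with `--nics`, the NIC-level settings (network security group, accelerated networking) live on the interface rather than on the VM, and the static address given to ether1 is the one you must enter at the "Primary IP address and masklen?" prompt of the jump-start wizard.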

Performing the Endpoint Security Initial Configuration on Microsoft Azure
The management interface is the port through which the virtual appliance is managed and
administered. It is also the port through which integration of the Central Management
appliance and a managed appliance is managed. With the single-port address type, the
management interface is also the port through which a managed appliance requests and
downloads software updates from the DTI network.
Initial settings need to be configured to set up the management interface and to allow
access to the network, and so on.
To perform the initial configuration of a virtual Endpoint Security appliance:

1. Log in to the appliance using SSH public key authentication:
   a. Open an SSH client.
   b. Log in using the SSH public key. For example, ssh -i <SSH key> admin@<IP address>.

2. Accept the license agreement. The configuration jump-start wizard starts.


3. Answer the wizard questions as described in the following list.

Enter activation code?
    Enter the activation code for the appliance.

Hostname?
    Enter the hostname for the appliance.

Admin password?
    (Optional) Enter a new administrator password.

Confirm admin password?
    Re-enter the new administrator password.

Enable remote access for 'admin' user?
    Enter yes to allow the administrator to log in to the appliance remotely, or no to
    disable remote access.

Use DHCP on ether1 interface?
    Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the appliance
    IP address and other network parameters; ether1 then receives the address that Azure
    assigned to its network interface. (If you enter yes, the zeroconf and static IP
    addressing steps are skipped.) Enter no to configure the IP address and network
    settings manually.

Use zeroconf on ether1 interface?
    Enter yes to use zero-configuration (zeroconf) networking, or no to specify a static
    IP address and network mask. (If you enter yes, the next step is skipped.)
    NOTE: Do not use zeroconf on the primary interface.

Primary IP address and masklen?
    Enter the IP address for the management interface in A.B.C.D format followed by the
    mask length (for example, 1.1.1.2 /24). IMPORTANT: Enter the IP address that Azure
    assigned to the ether1 interface.

Default gateway?
    Enter the gateway IP address for the management interface.

Primary DNS server?
    Enter the IP address of the DNS server.

Domain name?
    Enter the domain for the management interface (for example, it.acme.com).

Enable Incident Response or Compromise Assessment?
    Enter no. These features are not supported in Azure deployments.

Enable fenet service?
    Enter yes to enable access to the DTI network.

Enable fenet license update service?
    Enter yes to let the licensing service download your licenses from the DTI network and
    install them automatically. (If the licenses are downloaded and installed successfully,
    the wizard skips the product license key and security-content updates key steps.)

Sync appliance time with fenet?
    Enter yes to synchronize the appliance time with the DTI server time. If you enabled
    the licensing service, synchronization prevents a feature from being temporarily
    unlicensed because of a time gap. The wizard makes three attempts at this step before
    it gives up and moves to the next step.

Update licenses from fenet?
    Enter yes to download and install your licenses. The wizard makes three attempts at
    this step before it gives up and moves to the next step.

Enable NTP?
    Enter yes to synchronize time automatically with one or more Network Time Protocol
    (NTP) servers, or no to set the time and date manually in the next steps. (This step is
    skipped if you entered yes in the "Sync appliance time with fenet?" or "Enable Incident
    Response or Compromise Assessment?" step.)

Enable FaaS VPN?
    Enter yes to let the appliance connect to Managed Defense (formerly FireEye as a
    Service) over the Internet through a secure SSL VPN connection. (This step is skipped
    if no MD_ACCESS license is installed, and is performed automatically if you entered yes
    in the "Enable Incident Response or Compromise Assessment?" step.)

Set time (<hh>:<mm>:<ss>)?
    Enter the appliance time in Greenwich Mean Time (GMT, UTC+0). (This step and the next
    are skipped if you entered yes in the "Sync appliance time with fenet?" or "Enable NTP?"
    step.)

Set date (<yyyy>/<mm>/<dd>)?
    Enter the appliance date in Greenwich Mean Time (GMT, UTC+0).

Enable IPv6?
    Enter yes to enable IPv6 networking on the appliance. (This step and the next two are
    skipped if you entered yes in the "Enable Incident Response or Compromise Assessment?"
    step, and are performed automatically if you entered yes in the "Enable FaaS VPN?"
    step.)

Enable IPv6 autoconfig (SLAAC) on ether1 interface?
    Enter yes to enable IPv6 stateless address autoconfiguration on the ether1 (management)
    interface. (This step is skipped if you entered no in the "Enable IPv6?" step.)

Enable DHCPv6 on ether1 interface?
    Enter yes to obtain IPv6 addresses through DHCPv6. (This step is skipped if you entered
    no in the "Use DHCP on ether1 interface?" or "Enable IPv6?" step.)

Submission: Interface?
    Press Enter to accept ether1 as the interface through which sensors and brokers
    communicate, or enter the name of another interface. (If you accept ether1, the next
    three steps are skipped.) NOTE: To keep management and data traffic separate, Trellix
    recommends a second management interface such as ether2, not a monitoring interface.

Use DHCP on <name> interface?
    Enter yes to configure the submission interface IP address and other network
    parameters with DHCP, or no to configure them manually. (If you enter yes, the static
    IP addressing steps are skipped.)

Submission: IP address and masklen?
    Enter the IP address for the submission interface in A.B.C.D format followed by the
    mask length (for example, 10.1.1.1 /24).

Submission: Default IPv4 gateway?
    Enter the gateway IP address for the submission interface.

Product license key?
    Enter the product license key you obtained from Trellix, or press Enter to install a
    15-day evaluation license. (This step and the next are skipped if you entered yes in
    the "Enable fenet license update service?" step and the licenses were installed
    successfully.)

Security-content updates key?
    Enter the security-content license key you obtained from Trellix, or press Enter to
    skip this step and install the license later.



PART IV: AWS

• AWS Requirements on page 45
• AWS Specifications on page 47
• Deploying Virtual Endpoint Security Appliances on Amazon Web Services (AWS) on page 49


CHAPTER 7: AWS Requirements
The following resources are required for deploying an Endpoint Security instance in AWS:

• Trellix AMIs in the US West region are copied to My AMIs in your region.
• Access to the AWS Management Console.
• Items from your AWS administrator, such as the network, subnet, and IP addresses for the
  instance, and key pairs and security groups to secure the instance.
• Items from Trellix, such as the activation code and licenses for your instance.



CHAPTER 8: AWS Specifications
This section shows the models and supported virtual machine (VM) sizes for Endpoint
Security virtual machines deployed on AWS.

Model               Memory  vCPUs  Disk Space  Supported Instance Type
FireEyeHX2500Vec2   16 GB   4      512 GB      m4.xlarge
FireEyeHX2502Vec2   16 GB   4      1200 GB     m4.xlarge
FireEyeHX4500Vec2   61 GB   8      1200 GB     r4.2xlarge
FireEyeHX4502Vec2   61 GB   8      3600 GB     r4.2xlarge



CHAPTER 9: Deploying Virtual Endpoint Security Appliances on Amazon Web Services (AWS)
An AMI (Amazon Machine Image) is a template that contains the software configuration
needed to deploy a virtual Endpoint Security appliance (known as an instance in AWS).
The software configuration includes the operating system, application server, and
applications that are needed to launch the instance.
The following table summarizes the steps to launch an Endpoint Security instance in
Amazon Web Services (AWS).

NOTE: This document provides the basic steps for launching Trellix virtual
appliances, and assumes familiarity with launching virtual machines in AWS. For
comprehensive information, see the AWS documentation provided by Amazon.

1. Ensure that requirements are met. See AWS Requirements on page 45.
2. Launch the instance. See Launching an Endpoint Security Instance on AWS on the next
   page.
3. (Optional) Apply the activation code and configure the initial admin password for the
   appliance. See Configuring the Activation Code and Initial Admin Password on page 52.
4. Perform the initial configuration of the appliance. See Performing the Initial
   Configuration of Endpoint Security Instance on page 53.


Launching an Endpoint Security Instance on AWS
This topic describes how to launch an Endpoint Security instance on AWS.

IMPORTANT: The navigation instructions and user interface may vary based
on the AWS Management Console version that is running when you deploy
your appliances.

NOTE: This procedure covers the required settings for a Trellix virtual
appliance. You can accept the default values for the other settings, or specify
values that are appropriate for your environment.

To launch an Endpoint Security instance on AWS:

1. Go to the AWS login page and log in using your AWS ID.
2. On the Profile page, select your AWS role and then click AWS Console URL.
3. On the next page, click AWS Console login. The AWS Management Console opens.
4. In the navigation bar at the top of the console, select the region for the instance.
5. In the AWS services section, select EC2.
6. Click Launch Instance in the Create Instance section.
7. To select the appropriate AMI, do the following on the Choose an Amazon Machine
Image (AMI) page:
a. Click My AMIs in the left pane.
   b. To view AMIs that are shared with you, click Shared with me in the left pane.
      NOTE: The Cloud Delivery Enablement Service enables you to obtain the Endpoint
      Security AMI from FireEye. For instructions on how to obtain the Endpoint Security
      AMI, see this community article.
   c. Click the appropriate Endpoint Security AMI and then click Select.
8. On the Choose an Instance Type page, select an instance type that is compatible
with the AMI that you have chosen (see AWS Specifications on page 47 to select the
appropriate instance type). Then click Next: Configure Instance Details.
9. On the Configure Instance Details page, select your VPC network and IP range
from the Network and Subnet drop-down lists respectively, and specify other
settings provided by your network administrator. Click Next: Add Storage.
10. On the Add Storage page, change the Volume Type from gp2 to gp3, and then click
    Next: Add Tags.


11. (If required by your AWS administrator) On the Add Tags page, provide key and value
combinations. Then click Next: Configure Security Group.
12. On the Configure Security Group page, select or create the security group that
defines firewall rules that control traffic to your Endpoint Security instance. These
rules specify which incoming network traffic is delivered to your instance.

    IMPORTANT: Trellix recommends using a security group applicable to your organization
    instead of using the default security group, which is less secure.

    (Optional) To create a new security group:
    a. Click Create a new security group.
    b. Enter a name for the security group and provide a description.
    c. To add rules for the security group, click Add Rule. For Type, select the traffic
       type. For Protocol, select the protocol to open to network traffic, and then specify
       the source.
       TIP: Select My IP from the Source list to add your computer's public IP address.

    Add the seven inbound rules outlined in the following table:

    Inbound Rules
    Type        Protocol  Port Range  Source     Description (optional)
    HTTP        TCP       80          0.0.0.0/0  -
    HTTP        TCP       80          ::/0       -
    SSH         TCP       22          0.0.0.0/0  -
    Custom TCP  TCP       3000        0.0.0.0/0  -
    Custom TCP  TCP       3000        ::/0       -
    HTTPS       TCP       443         0.0.0.0/0  -
    HTTPS       TCP       443         ::/0       -

    The sources shown open every port to the whole Internet. Replace 0.0.0.0/0 and ::/0
    with the address ranges that actually need to reach the instance, and in particular
    limit SSH (22) to your management networks.

13. Click Review and Launch.
14. On the Review Instance Launch page, review the details about your instance. Click
the appropriate Edit link if you need to make changes. When you are satisfied with
the details, click Launch.


15. In the Select an existing key pair or create a new key pair dialog box:
a. Select an existing pair or create a new one. To use the key pair you created
when you were set up to use Amazon EC2, click Choose an existing key
pair, and then select that key.
IMPORTANT: Store the name of the key pair and the private key in a
secure location.

   b. Select the checkbox to confirm that you agree to the acknowledgment statement, and
      then click Launch Instances.

To perform initial configuration of the Endpoint Security instance, see Performing the
Initial Configuration of Endpoint Security Instance on the facing page.
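The following code is an added example, not part of this guide or of the Trellix software. It builds the seven inbound rules from the table in step 12 with boto3, but takes the source ranges from the caller instead of 0.0.0.0/0 and ::/0, refuses a wide-open rule on the administrative ports unless explicitly told to, and includes an audit function for an existing rule set as returned by DescribeSecurityGroups. The grouping of ports (22 and 3000 treated as administrative, 80 and 443 as the ports that sensors and brokers reach), the VPC id, the group name and the CIDRs are assumptions for illustration.

```python
import ipaddress

ANY = ("0.0.0.0/0", "::/0")

# (port, description, who may reach it, whether the table has an IPv6 row for it)
PORT_RULES = (
    (22, "SSH", "admin", False),
    (3000, "Custom TCP", "admin", True),
    (80, "HTTP", "service", True),
    (443, "HTTPS", "service", True),
)


def ingress_permissions(admin_v4, admin_v6=(), service_v4=(), service_v6=(),
                        allow_open_admin=False):
    """Build the IpPermissions list for ec2.authorize_security_group_ingress()."""
    sources = {"admin": (list(admin_v4), list(admin_v6)),
               "service": (list(service_v4), list(service_v6))}
    for v4, v6 in sources.values():
        for cidr in (*v4, *v6):
            ipaddress.ip_network(cidr)  # reject typos before the API does
    if not allow_open_admin and set(ANY) & set(sources["admin"][0] + sources["admin"][1]):
        raise ValueError("administrative ports must not be open to every source")
    perms = []
    for port, label, group, has_v6 in PORT_RULES:
        v4, v6 = sources[group]
        perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                "IpRanges": [{"CidrIp": c, "Description": label} for c in v4]}
        if has_v6 and v6:  # the table opens SSH over IPv4 only
            perm["Ipv6Ranges"] = [{"CidrIpv6": c, "Description": label} for c in v6]
        perms.append(perm)
    return perms


def create_hx_security_group(ec2, vpc_id, name, **sources):
    """Create the group and apply the rules; ec2 is boto3.client('ec2')."""
    sg = ec2.create_security_group(GroupName=name, VpcId=vpc_id,
                                   Description="Endpoint Security HX inbound rules")
    ec2.authorize_security_group_ingress(GroupId=sg["GroupId"],
                                         IpPermissions=ingress_permissions(**sources))
    return sg["GroupId"]


def open_admin_rules(permissions, admin_ports=(22, 3000)):
    """Audit helper for DescribeSecurityGroups output: return (port, source) pairs
    where an administrative port is reachable from the whole Internet."""
    findings = []
    for p in permissions:
        if p.get("IpProtocol") not in ("tcp", "-1"):
            continue
        lo, hi = p.get("FromPort", 0), p.get("ToPort", 65535)  # "-1" rules have no ports
        for port in admin_ports:
            if not lo <= port <= hi:
                continue
            findings += [(port, r["CidrIp"]) for r in p.get("IpRanges", [])
                         if r["CidrIp"] == ANY[0]]
            findings += [(port, r["CidrIpv6"]) for r in p.get("Ipv6Ranges", [])
                         if r["CidrIpv6"] == ANY[1]]
    return findings
```

To create the group, call `create_hx_security_group(boto3.client("ec2"), "vpc-…", "hx-inbound", admin_v4=[...], service_v4=[...], service_v6=[...])`; to audit an existing group, pass `describe_security_groups(...)["SecurityGroups"][0]["IpPermissions"]` to `open_admin_rules`.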

Configuring the Activation Code and Initial Admin Password
This topic describes how to apply the activation code to the virtual appliance instance and
configure a password for the initial admin user.

IMPORTANT: This procedure is optional. If you skip this procedure, you will be
prompted to enter the activation code and change the password when you log into
the initial SSH session to perform the initial configuration of the appliance.

To apply the activation code to the instance:

1. Open the EC2 Management Console.
2. Select Instances > Instances in the left pane.
3. Right-click the instance, and select Instance State > Stop.
4. Right-click the instance, and select Instance Settings > View/Change User Data.


5. Copy and paste the following script in the User Data field. Replace <code> with
the activation code for the instance that was included in the onboarding email
from Trellix and replace <password> with the new password for the initial admin
user.
{ "va_bootstrap": {
"activation_code": "<code>",
"reset_admin_password": "<password>"
}
}

IMPORTANT: The syntax (including the indentation) must match what is shown in this step.
Otherwise, you will be unable to establish a password-authenticated SSH session with the
instance.

6. Click Save.
7. Right-click the instance, and select Instance State > Start.

NOTE: Trellix recommends that you clear the user data field after the virtual appliance is
deployed. Until it is cleared, the activation code and the admin password remain readable
from the instance metadata service by any process on the instance, and through the EC2
API by any principal allowed to call DescribeInstanceAttribute on the instance.
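The following code is an added example, not part of this guide or of the Trellix software. It produces the va_bootstrap document in exactly the layout shown in step 5, with the two values JSON-escaped so that quotes or backslashes in a password cannot break it, and performs the stop, set-user-data, start sequence of this procedure with boto3. It also clears the user data again afterwards, since the document carries the initial admin password. The instance id, activation code and password are placeholders; pass a real client from `boto3.client("ec2")`.

```python
import json

# Layout copied from the deployment guide, which warns that the syntax
# (including the indentation) must match; only the two values are substituted.
_BOOTSTRAP_LAYOUT = (
    '{ "va_bootstrap": {\n'
    '"activation_code": %s,\n'
    '"reset_admin_password": %s\n'
    '}\n'
    '}'
)


def build_bootstrap(activation_code, admin_password):
    """Return the user data text for the instance."""
    if not activation_code.strip():
        raise ValueError("activation code is required")
    if not admin_password:
        raise ValueError("an initial admin password is required")
    text = _BOOTSTRAP_LAYOUT % (json.dumps(activation_code), json.dumps(admin_password))
    parse_bootstrap(text)  # sanity check: never ship a document that does not parse
    return text


def parse_bootstrap(text):
    """Parse a va_bootstrap document back into a dict (used to verify round trips)."""
    doc = json.loads(text)
    if set(doc) != {"va_bootstrap"}:
        raise ValueError("unexpected top-level keys in bootstrap document")
    return doc


def _stopped(ec2, instance_id):
    ec2.stop_instances(InstanceIds=[instance_id])
    ec2.get_waiter("instance_stopped").wait(InstanceIds=[instance_id])


def _running(ec2, instance_id):
    ec2.start_instances(InstanceIds=[instance_id])
    ec2.get_waiter("instance_running").wait(InstanceIds=[instance_id])


def set_user_data(ec2, instance_id, user_data):
    """User data can only be changed while the instance is stopped. boto3
    base64-encodes the bytes for ModifyInstanceAttribute itself."""
    _stopped(ec2, instance_id)
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  UserData={"Value": user_data.encode()})
    _running(ec2, instance_id)


def apply_bootstrap(ec2, instance_id, activation_code, admin_password):
    """Steps 3 to 7 of the procedure above."""
    set_user_data(ec2, instance_id, build_bootstrap(activation_code, admin_password))


def clear_bootstrap(ec2, instance_id):
    """Remove the password-bearing user data once the appliance is up: until then
    any process on the instance can read it from the instance metadata service and
    any principal with ec2:DescribeInstanceAttribute can read it through the API."""
    set_user_data(ec2, instance_id, "")


def user_data_present(ec2, instance_id):
    """True while the instance still carries user data (the value is base64)."""
    resp = ec2.describe_instance_attribute(InstanceId=instance_id, Attribute="userData")
    return bool(resp.get("UserData", {}).get("Value"))
```

Clearing the user data stops and starts the instance a second time; do it once the jump-start wizard has completed. `user_data_present` is the check to run afterwards against every deployed instance.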

Performing the Initial Configuration of Endpoint Security Instance
Initial settings need to be configured to set up the management interface and to allow
access to the network, change the default admin password, and so on.
The management interface is the port through which the Endpoint Security instance is
managed and administered. The management interface is also the port through which a
managed appliance requests and downloads software updates from the DTI network.
To perform the initial configuration of an Endpoint Security instance:

1. Log in to the appliance using SSH public key authentication:
   a. Open an SSH client.
   b. Log in using the SSH public key. For example, ssh -i <SSH key> admin@<IP address>.


2. Accept the license agreement. The configuration jump-start wizard begins.

54 © 2022 FireEye Security Holdings US LLC


Performing the Initial Configuration of Endpoint Security Instance

3. Answer the wizard questions as described in the following table.

Step Response

Enter activation code? Enter the activation code for the appliance.

Hostname? Enter the hostname for the appliance.

Admin password? (Optional) Enter a new administrator password.

Confirm admin Re-enter the new administrator password.


password?

Enable remote access Enter yes to enable the administrator to log in to the
for 'admin' user? appliance remotely. Enter no to disable remote access.

Use DHCP on ether1 Enter yes to use Dynamic Host Configuration Protocol
interface? (DHCP) to configure the appliance IP address and other
network parameters. If you enter yes, the ether1 interface
will obtain its IP address from the default AWS ether1
interface. (If you enter yes, the zeroconf and static
IP addressing steps are skipped.) Enter no to manually
configure your IP address and network settings.

Use zeroconf on ether1 Enter yes to use zero-configuration (zeroconf)


interface? networking. Enter no to specify a static IP address and
network mask. (If you specify yes, the next step is
skipped.) NOTE: Do not use zeroconf on the primary
interface.

Primary IP address Enter the IP address for the management interface in


and masklen? A.B.C.D format and enter the network mask (for
example, 1.1.1.2 /24). IMPORTANT: Enter the
IP address that AWS assigned to the ether1 interface.

Default gateway? Enter the gateway IP address for the management


interface.

Primary DNS server? Enter the IP address of the DNS server.

Domain name? Enter the domain for the management interface (for
example, it.acme.com).

Enable Incident Enter no. These features are not supported in AWS
Response or deployments.
Compromise
Assessment?

© 2022 FireEye Security Holdings US LLC 55


EndPoint Security Series Cloud Appliance CHAPTER 9: Deploying Virtual Endpoint Security Appliances on
Deployment Guide Amazon Web Services (AWS)

Step Response

Enable fenet service? Enter yes to enable access to the DTI network.

Enable fenet license Enter yes to enable the licensing service to automatically
update service? download your licenses from the DTI network and
install them. (If licenses are downloaded and installed
successfully, the wizard skips the step that prompts for
the product license key and the step that prompts for the
security-content updates key.)

Sync appliance time Enter yes to synchronize the appliance time with the
with fenet? DTI server time. If you enabled the licensing service,
synchronization prevents a feature from being
temporarily unlicensed due to a time gap. The wizard
makes three attempts to perform this step before it gives
up and moves to the next step.

Update licenses from Enter yes to download and install your licenses. The
fenet? wizard makes three attempts to perform this step before
it gives up and moves to the next step.

Enable NTP? Enter yes to enable automatic time synchronization with


one or more Network Time Protocol (NTP) servers. Enter
no to manually set the time and date on the appliance.
(This step is skipped if you entered yes in the "Sync
appliance time with fenet?" or "Enable Incident
Response or Compromise Assessment" step.) If you enter
no, specify the time and date in subsequent steps.

Enable FaaS VPN? Enter yes to enable the appliance to connect to Managed
Defense (formerly called FireEye as a Service) over the
Internet using a secure SSL VPN connection. (This step
is skipped if no MD_ACCESS license is installed. This
step is performed automatically if you entered yes in the
"Enable Incident Response or Compromise
Assessment?" step.

Set time Enter the appliance time in Greenwich Mean Time


(<hh>:<mm>:<ss>)? (GMT) (UTC+0). (This step and the next step are skipped
if you entered yes in the "Sync appliance time with
fenet?" or "Enable NTP?" step.

Set date Enter the appliance date in Greenwich Mean Time


(<yyyy>/<mm>/<dd>)? (GMT) (UTC+0).

56 © 2022 FireEye Security Holdings US LLC


Performing the Initial Configuration of Endpoint Security Instance

Step Response

Enable IPv6? Enter yes to enable IPv6 protocol, which changes


network IP routing from IPv4 to IPv6. (This step and the
next two steps are skipped if you entered yes in the
"Enable Incident Response or Compromise
Assessment?" step. This step and the next two steps will
be automatically performed if you entered yes in the
"Enable FaaS VPN" step.)

Enable IPv6 autoconfig Enter yes to enable IPv6 autoconfig on the ether1
(SLAAC) on ether1 (management interface) port. (This step is skipped if you
interface? entered no in the "Enable IPv6?" step.)

Enable DHCPv6 on Enter yes to use DHCPv6 to configure IPv6 hosts with
ether1 interface? IP addresses. (This step is skipped if you entered no in
the "Use DHCP on ether1 interface?" or "Enable
IPv6?" step.)

Submission: Interface? Press Enter to accept ether1 as the interface through


which sensors and brokers communicate. Otherwise,
enter the name of the other interface. (If you accept
ether1, the next three steps are skipped.) NOTE: To keep
management and data traffic separate, Trellix
recommends that you use another management
interface, such as ether2, and not a monitoring interface.

Use DHCP on <name> interface?
    Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the
    submission interface IP address and other network parameters. Enter no to
    manually configure the IP address and network settings. (If you enter yes, the
    static IP addressing steps are skipped.)

Submission: IP address and masklen?
    Enter the IP address for the submission interface in A.B.C.D format and enter
    the network mask length (for example, 10.1.1.1 /24).

Submission: Default IPv4 gateway?
    Enter the gateway IP address for the submission interface.

Product license key?
    Enter the product license key you obtained from Trellix, or press Enter to
    install a 15-day evaluation license. (This step and the next step are skipped
    if you entered yes in the "Enable fenet license update service?" step and if
    licenses were successfully installed as a result.)


Security-content updates key?
    Enter the security-content license key you obtained from Trellix, or press
    Enter to skip this step and install the license later.
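The following Python script is an added example and is not part of this guide or of the appliance software. It checks the submission interface, gateway, time and date answers above before you type them into the wizard: the gateway must lie on the submission subnet, the interface address must not be the network or broadcast address, and the clock must be entered in GMT rather than local time, because a clock that is hours off breaks certificate validation and alert timestamps. The function names and the sample values are assumptions made for this example.

```python
"""Pre-flight checks for the submission-interface and clock answers in the
initial-configuration wizard.

Added example, not part of the Trellix/FireEye guide or the appliance software.
Function names and sample answers are this example's own assumptions.
"""
import ipaddress
import re
from datetime import datetime, timezone
from typing import List, Optional


def parse_ip_masklen(answer: str) -> ipaddress.IPv4Interface:
    """Parse the wizard's 'A.B.C.D /N' answer; the space before '/' is optional."""
    m = re.fullmatch(r"\s*(\d{1,3}(?:\.\d{1,3}){3})\s*/\s*(\d{1,2})\s*", answer)
    if not m:
        raise ValueError(f"expected 'A.B.C.D /N', got {answer!r}")
    return ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")


def check_submission_interface(ip_masklen: str, gateway: str) -> List[str]:
    """Return the problems found; an empty list means the answers are consistent."""
    problems: List[str] = []
    try:
        iface = parse_ip_masklen(ip_masklen)
        gw = ipaddress.IPv4Address(gateway.strip())
    except ValueError as exc:  # AddressValueError / NetmaskValueError are ValueErrors
        return [str(exc)]
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is not on the submission subnet {net}")
    elif gw == iface.ip:
        problems.append("gateway must not be the submission interface address itself")
    return problems


def parse_gmt(time_answer: str, date_answer: str) -> datetime:
    """Combine '<hh>:<mm>:<ss>' and '<yyyy>/<mm>/<dd>' into an aware UTC datetime."""
    combined = f"{date_answer.strip()} {time_answer.strip()}"
    return datetime.strptime(combined, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def check_gmt_clock(time_answer: str, date_answer: str,
                    now: Optional[datetime] = None, max_skew_s: int = 300) -> List[str]:
    """Compare the answers with a trusted UTC clock (default: this workstation's).

    A large skew almost always means local time was typed instead of GMT."""
    try:
        entered = parse_gmt(time_answer, date_answer)
    except ValueError as exc:
        return [f"time/date not in the wizard's format: {exc}"]
    reference = now or datetime.now(timezone.utc)
    skew = abs((reference - entered).total_seconds())
    if skew > max_skew_s:
        return [f"entered clock is {skew:.0f} s away from UTC now; "
                "was local time entered instead of GMT?"]
    return []


if __name__ == "__main__":
    # Constructed sample answers in the format the wizard prompts for.
    print(check_submission_interface("10.1.1.1 /24", "10.1.1.254"))
    print(check_submission_interface("10.1.1.1 /24", "10.1.2.1"))
    print(check_gmt_clock("12:00:00", "2022/06/01"))
```

Run it on your planned answers before starting the wizard; an off-subnet gateway is the most common reason a freshly deployed instance cannot be reached on its submission interface.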

PART V: Configuration

• Validating DTI Access on page 63
• Configuring the Server Address List on page 67
• Setting up Provisioning on page 71

CHAPTER 10: The Endpoint Security Server Web UI
The Endpoint Security Web UI uses HTTPS to provide a secure connection for configuring
the server. The Web UI functions you have access to depend on the privileges granted by
your role.
You access the Endpoint Security Web UI by directing a browser to the management port's
IP address or hostname using HTTPS. The IP address and hostname are set during the
initial configuration of the server. The hostname must be resolved by a DNS server if you
use it to access the Web UI.
The Endpoint Security Web UI includes controls for logging in and out using local,
appliance-specific credentials.

Browser Support
Use one of the following browsers to access the Endpoint Security Web UI:

• Internet Explorer 11.0 or higher and Microsoft Edge on supported versions of
  Windows
• Firefox 51 or higher on supported versions of Windows
• Google Chrome 13.0 or higher on supported versions of Windows

Screen Resolution Requirements
The Endpoint Security Web UI supports the following screen resolutions:

• 1152 x 864 pixels
• 1280 x 800 pixels
• 1280 x 1024 pixels
• 1360 x 768 pixels
• 1366 x 768 pixels
• 1440 x 900 pixels
• 1600 x 900 pixels
• 1680 x 1050 pixels
• 1920 x 1080 pixels
• 1920 x 1200 pixels

Logging In to the Endpoint Security Web UI
To log in to the Endpoint Security Web UI, you need the server IP address or hostname,
and you need the username and password that the server administrator created for you.

Prerequisites
• Before the default Admin user can log in to the appliance Web UI and create other
  user accounts, the manufacturing default password (admin) must be changed to a
  new password that is 8 to 32 characters long. This step is included in "Initial
  Configuration" in the Endpoint Security System Administration Guide.
• If you are using single sign-on, refer to your welcome email for instructions to log in
  to your Cloud IAM instance.

To log in to the Endpoint Security appliance Web UI:

1. Open a Web browser and enter https://<appliance> in the address line, where
appliance is the IP address or hostname of the appliance. For example, if the
configured IP address of the appliance is 10.1.0.1, enter https://10.1.0.1.
2. In the appliance Web UI login page, enter the local username and password for this
appliance as provided by your administrator.

NOTE: On Endpoint Security servers with single sign-on enabled, you
may be directed to the Cloud IAM login screen. Your login experience
depends on the authentication mode set for the appliance. For more
information, see "Single Sign-On Authentication" in the System Security
Guide.

CHAPTER 11: Validating DTI Access
Before using the features associated with the DTI network, you must establish
communication between the appliance and the DTI network. Use the following procedures
to verify this communication.

Prerequisites
• Operator or Admin access
• Access to the DTI network

Validating DTI Access Using the Web UI
Use the FireEye System Information page to validate DTI cloud communication.

To validate DTI access:

1. If the About tab is not visible, select Appliance Settings from the Admin menu.
2. Click the About tab.
3. Click Health Check on the upper left side.
4. Locate the Dynamic Threat Intelligence Cloud section.

5. Verify that the DTI Client field is Enabled.

Validating DTI Access Using the CLI
Use the commands in this topic to verify DTI communication.
To validate DTI access:

1. Go to CLI configuration mode.


hostname > enable
hostname # configure terminal

2. Check the status of the DTI service.


hostname (config) # show fenet status

Dynamic Threat Intelligence Service:
    Update source : <online>
    Enabled : yes
    Download : DTIUser@cloud.fireeye.com
    Upload : DTIUser@up-cloud.fireeye.com
    Mil : DTIUser@mil-cloud.fireeye.com
  HTTP Proxy:
    Address :
    Username :
    User-agent :
  Request Session:
    Timeout : 30
    Retries : 0
    Speed Time : 60
    Max Time : 14400
    Rate Limit :
    Speed Limit : 1
Dynamic Threat Intelligence Lockdown:
    Enabled : no
    Locked : no
    Lock After : 5 failed attempts
  UPDATES
                      Enabled Notify Scheduled Last Updated At
                      ------- ------ --------- -------------------
    Security contents: yes     no     every     2020/12/03 11:40:00
    Stats contents   : yes     none             2020/12/07 06:13:00

3. Confirm the following information:

   • Update source is online.
   • DTI service is enabled.
   • DTI service username is the name provided with the DTI subscription license.
   • DTI service address is one of the following:
       • cloud.fireeye.com
       • The IP address of the managing Central Management appliance.

NOTE: In rare cases, your DTI service address could be a variant of
cloud.fireeye.com.
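The following Python checker is an added example and is not part of this guide or of the appliance: paste the output of show fenet status into it and it reports which of the conditions in step 3 fail, so the check can be scripted across several servers instead of read by eye. SAMPLE_OUTPUT is a constructed transcript modelled on the output shown above; the licensed DTI username and the Central Management address are values you supply.

```python
"""Check captured 'show fenet status' output against the DTI-access conditions.

Added example, not part of the Trellix/FireEye guide or the appliance. The
SAMPLE_OUTPUT transcript is constructed; supply the username from your DTI
subscription license and, where the server is managed, the Central Management
appliance address.
"""
import re
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
Dynamic Threat Intelligence Service:
    Update source : <online>
    Enabled : yes
    Download : DTIUser@cloud.fireeye.com
    Upload : DTIUser@up-cloud.fireeye.com
    Mil : DTIUser@mil-cloud.fireeye.com
  HTTP Proxy:
    Address :
    Username :
    User-agent :
Dynamic Threat Intelligence Lockdown:
    Enabled : no
    Locked : no
    Lock After : 5 failed attempts
"""

_KV = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s*:\s*(.*?)\s*$")


def parse_fenet_status(text: str) -> Dict[str, str]:
    """Turn the 'Key : value' lines into a dict keyed by lower_snake_case name.

    The first occurrence of a key wins, so 'enabled' refers to the service
    block at the top and not to the Lockdown block further down."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            fields.setdefault(m.group(1).lower().replace(" ", "_"), m.group(2))
    return fields


def validate_dti_access(text: str, expected_user: str,
                        cm_address: Optional[str] = None) -> List[str]:
    """Return the failed conditions; an empty list means DTI access looks correct."""
    f = parse_fenet_status(text)
    findings: List[str] = []

    source = f.get("update_source", "").strip("<>")
    if source != "online":
        shown = source or "missing"
        findings.append(f"update source is {shown!r}, not online")

    if f.get("enabled") != "yes":
        findings.append("DTI service is not enabled")

    user, _, host = f.get("download", "").rpartition("@")
    if user != expected_user:
        findings.append(f"DTI username {user!r} is not the licensed user {expected_user!r}")

    # Expected addresses: cloud.fireeye.com, a rare variant ending in
    # cloud.fireeye.com, or the managing Central Management appliance.
    expected_host = (host.endswith("cloud.fireeye.com")
                     or (cm_address is not None and host == cm_address))
    if not expected_host:
        findings.append(f"DTI address {host!r} is neither cloud.fireeye.com "
                        "nor the Central Management appliance")
    return findings


if __name__ == "__main__":
    for problem in validate_dti_access(SAMPLE_OUTPUT, "DTIUser") or ["DTI access OK"]:
        print(problem)
```

Capture the real output over SSH and pass it in place of SAMPLE_OUTPUT; a non-empty result maps directly onto the bullet in step 3 that needs attention.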

CHAPTER 12: Configuring the Server Address List
The server address list is a list of Endpoint Security (primary and DMZ) servers installed
in your enterprise. If your enterprise deploys both primary and DMZ servers on the
network, you need to consider the deployment topology when you configure agent
communication. For example, if a host endpoint will be used outside the enterprise
network and its agent is expected to communicate with a DMZ server, the DMZ server’s
address must be included in the server address list. FireEye recommends that the first
server in the server address list be the most accessible to the largest number of hosts.

• Server Address Order
  Agents attempt to connect to the first Endpoint Security server listed in the server
  address list. If the first server is unavailable, the agent then attempts to reach the
  second server, and so on.

  The address order is set by the order in which you add the servers to the
  server address list. The first server added is the first one in the list. The
  second server added is the second in the list.

• Provisioning Server
HX and HXD Series (Endpoint Security) releases before version 3.0 support the use
of a single provisioning appliance, identified as the primary appliance. HX Series
version 3.0 and later support the use of multiple provisioning appliances for
endpoints running FireEye Endpoint Agent software version 20 or later and a single
provisioning appliance for endpoints running FireEye Endpoint Agent software
version 11 or earlier. FireEye Endpoint Security Agents use provisioning servers to
connect and complete their installation by establishing their cryptographic agent
identity. Any Endpoint Security server, including a DMZ server, can be enabled to
do provisioning. Endpoint Security provisioning servers must be accessible by
agents within your company's network. DMZ provisioning servers must be
accessible inside and outside your company's network.

• Primary Server
If the endpoints in your environment have agent software versions earlier than
version 20 installed, a single Endpoint Security server must be designated as the
primary appliance. This appliance must be accessible within the network by all
agents when they are initially installed on hosts. The primary server manages the
initial provisioning of the agents. You can use either your internal Endpoint Security
server or a DMZ server as your primary server.

Endpoint Security server administrators and operators can add or remove servers on the
server address list.

• Adding a Server to the Server Address List Using the Web UI
• Removing a Server from the Server Address List Using the Web UI

Prerequisites
• Admin or Operator access
l The Endpoint Security server is physically installed on the network for agent access

Adding a Server to the Server Address List
You can add an Endpoint Security server to the server address list using the Web UI.

• Adding a Server to the Server Address List Using the Web UI

Adding a Server to the Server Address List Using the Web UI
To add a server to the server address list using the Web UI:

1. Log into the Web UI as an administrator or an operator.


2. Select Policies on the Admin menu.
3. Click Agent Default policy.
The Edit Policy page opens.
4. Select the Server Addresses tab.

5. In the Enter server address of appliance text box on the Server Addresses tab, enter
the hostname or the IP address of the Endpoint Security server, and click Add.
All available servers appear in the list shown in the Enable Provisioning section of
the page.
6. In the Enable Provisioning section, indicate which Endpoint Security server will be
the provisioning server by selecting the Enable Provisioning checkbox in the row
containing the server name or IP address. At least one server must be designated as
a provisioning server. See Designating Provisioning Servers on page 72.
(Optional) If the endpoints in your environment have agent software versions earlier
than version 20 installed, select the Set as primary checkbox in the row containing
the server name or IP address if the added server will be doing provisioning. This
specifies the server as the primary server for your network. Primary servers are used
to provision agents older than version 20. Only a single server can be designated as
a primary server. See Designating Provisioning Servers on page 72.
7. Click Save.

Removing a Server From the Server Address List
You can remove an Endpoint Security server from the server address list using the Web UI.

• Removing a Server from the Server Address List Using the Web UI

Removing a Server from the Server Address List Using the Web UI
To delete a server from the server address list using the Web UI:

1. Log into the Web UI as an administrator or an operator.


2. Select Policies on the Admin menu, and then select the Server Addresses tab.

3. Select the remove icon next to the IP address or host to delete.

4. Click Save.

CHAPTER 13: Setting up Provisioning
Provisioning establishes unique cryptographic identities for the agents installed on your
host endpoints. To complete the FireEye Endpoint Security Agent installation on a host
endpoint, the agent connects to a provisioning Endpoint Security server that then
determines the cryptographic identity for the agent. When provisioning does not occur, the
server does not know about and cannot collect data from the host endpoint on which the
agent is installed.
Any Endpoint Security server, including a DMZ server, can be enabled to do provisioning.
If the endpoints in your environment have agent software versions earlier than version 20
installed, they can only provision against a single Endpoint Security server, identified as
the primary server. By default, the provisioning server is the first server listed in the agent
server address list, which is usually your internal (non-DMZ) server.
If the endpoints in your environment have agent software version 20 or later installed, they
can provision against multiple Endpoint Security servers. By default, your internal
Endpoint Security server is a provisioning server.
Provisioning Endpoint Security servers must be accessible by agents within your
company's internal network. Provisioning DMZ servers must be accessible by agents
inside and outside your company's network.

You must identify the servers that will be your provisioning servers before you
download the FireEye Endpoint Security Agent installation software to your host
endpoints. When agent installation software is downloaded, the IP addresses or
DNS names of the provisioning Endpoint Security servers are identified in the agent
download package.

To set up provisioning:

1. Enable provisioning on the servers you might want to use for provisioning. See
Enabling Servers for Provisioning on the next page.

2. Designate which provisioning-enabled server you want to use. See Designating
   Provisioning Servers below. This must be done before you download agent software
to your host endpoints.
You can cancel a server as a provisioning server. See Canceling Provisioning
Servers on page 76.

Prerequisites
• Admin or fe_services access

Enabling Servers for Provisioning
Before you can designate a server as a provisioning server in your environment, you must
enable the server to do provisioning.

Prerequisites
• Admin or Operator access

To enable a server for provisioning:

1. Log in to the Endpoint Security Server Web UI.


2. From the Admin menu, select Agent Versions.
3. In the upper right corner of the page, select Assign Server Addresses to open the
Policies page.
4. From the Policies table, click the Agent Default policy link.
5. Select the Server Addresses tab.
6. From the Enable Provisioning section, locate the server you want to use for
provisioning.
7. Select the Enable Provisioning checkbox associated with the server you identified in
step 6.
8. Click Save.

Designating Provisioning Servers
After enabling provisioning on a server, you must designate it to do provisioning.


The provisioning server address can be a split DNS that resolves differently depending on
whether an agent is operating inside or outside your company’s internal network. When
the agent is inside the network, the DNS resolves to the primary Endpoint Security server;
when the agent is outside the network, the DNS resolves to the DMZ server.
This section covers the following topics:

• Designating the Endpoint Security Server as a Provisioning Server Using the Web UI
  below
• Designating and Enabling a DMZ Server as a Provisioning Server on the next page
• Designating Provisioning Servers Using a Split DNS in the Web UI on page 75

Prerequisites
• Admin or Operator access

Designating the Endpoint Security Server as a Provisioning Server Using the Web UI
For agents version 20 or later, the primary (non-DMZ) Endpoint Security server is
designated as a provisioning server by default. It cannot be canceled as a
provisioning server.
For agents earlier than version 20, you must manually designate the primary
Endpoint Security server for provisioning.

To designate the primary Endpoint Security server as a provisioning server using the
Web UI:

1. Log in to the Endpoint Security Server Web UI.


2. From the Admin menu, select Agent Versions.
3. In the upper right corner of the page, select Assign Server Addresses to open the
Policies page.
4. From the Policies table, click the Agent Default policy link.
5. Select the Server Addresses tab.
6. From the Enable Provisioning section, locate the server that you want to use for
provisioning.

7. If endpoints in your environment have agent software versions earlier than
   version 20 installed, select Set as Primary to designate the Endpoint Security
   server as the primary server.
If endpoints in your environment have agent software version 20 or later installed,
select Enable Provisioning to designate the Endpoint Security server as a
provisioning server. At least one server must be designated as a provisioning
server.
If your environment includes endpoints with agent software versions both earlier
and later than version 20 installed, select Set as Primary and Enable Provisioning
for the provisioning server. Only one server can be designated the primary server.
8. Click Save.

Designating and Enabling a DMZ Server as a Provisioning Server
When you use the Web UI to enable provisioning on your DMZ server, your Endpoint
Security agents receive the new configuration setting but the provisioning server does not
start on your DMZ server. To start the provisioning server on your DMZ server, you must
also enable provisioning on your DMZ server through the CLI or provisioning will fail.
To designate a DMZ server as a provisioning server using the Web UI:

NOTE: After you use the Web UI to designate the DMZ server as a
provisioning server, you must also enable provisioning for the DMZ server in
the CLI.

1. Log in to the Web UI for your DMZ server.


2. From the Admin menu, select Agent Versions.
3. In the upper right corner of the page, select Assign Server Addresses to go to the
Policies page.
4. From the Policies table, click the Agent Default policy link.
5. Select the Server Addresses tab.
6. From the Enable Provisioning section, locate the DMZ server that you want to use
for provisioning.


7. If the endpoints in your environment have agent software versions earlier than
version 20 installed, select Set as Primary to designate the DMZ server as the
provisioning server. This will deselect any other server on the Server Addresses tab
as the primary server.
If the endpoints in your environment have agent software version 20 or later
installed, select Enable Provisioning to designate the DMZ server as a provisioning
server.
8. Click Save.

To use the Endpoint Security server CLI to enable provisioning for a DMZ server:

1. On your Endpoint Security appliance, enable CLI configuration mode.


hostname > enable
hostname # configure terminal

2. Enable provisioning on your DMZ server:


hostname (config) # hx ecosystem dmz <dmz-ip> provisioning-enabled

where <dmz-ip> is the IP address of the DMZ server for which you are enabling
provisioning.
3. Save your changes.
hostname (config) # write memory

4. Verify that the DMZ server is a provisioning appliance.

   hostname (config) # show hx ecosystem

   The server configuration should show an attached DMZ server with provisioning
   enabled:

   Appliance Role: master
   DMZ Appliance: {<IP address> or <domain name of DMZ appliance>}
   Provisioning: enabled
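The following Python audit is an added example, not code from this guide or from the Endpoint Security server. It encodes the rules stated in the Web UI procedures above and in the DMZ CLI step (at most one primary, at least one provisioning server, a primary required wherever agents earlier than version 20 are deployed, both Set as Primary and Enable Provisioning on the primary in a mixed environment, and the hx ecosystem dmz <dmz-ip> provisioning-enabled step for every DMZ server that provisions) and reports what would make provisioning fail before agents are rolled out. The server names and the sample data are constructed.

```python
"""Audit a server address list against the provisioning rules in this chapter.

Added example, not part of the Trellix/FireEye guide or the Endpoint Security
server. Server names and SAMPLE_SERVERS are constructed for the example;
"cli_provisioning_enabled" records whether 'hx ecosystem dmz <dmz-ip>
provisioning-enabled' has been run for that DMZ server.
"""
from typing import Dict, Iterable, List

# Constructed sample: an internal server (primary, provisioning) and a DMZ server
# enabled for provisioning in both the Web UI and the CLI, in address-list order.
SAMPLE_SERVERS: List[Dict] = [
    {"address": "hx-internal.example.com", "dmz": False,
     "provisioning": True, "primary": True},
    {"address": "hx-dmz.example.com", "dmz": True,
     "provisioning": True, "primary": False, "cli_provisioning_enabled": True},
]


def audit_server_addresses(servers: List[Dict], agent_versions: Iterable[int]) -> List[str]:
    """Return the rule violations found; an empty list means agents can provision.

    `servers` is in server-address-list order (the order agents try them);
    `agent_versions` lists the major agent versions deployed on endpoints."""
    if not servers:
        return ["server address list is empty; agents have nothing to connect to"]
    versions = set(agent_versions)
    has_old = any(v < 20 for v in versions)
    has_new = any(v >= 20 for v in versions)
    findings: List[str] = []

    provisioning = [s for s in servers if s.get("provisioning")]
    primaries = [s for s in servers if s.get("primary")]

    if not provisioning:
        findings.append("at least one server must have Enable Provisioning selected")
    if len(primaries) > 1:
        findings.append("only one server may be Set as Primary: "
                        + ", ".join(s["address"] for s in primaries))
    if has_old and not primaries:
        findings.append("agents earlier than version 20 provision only against the "
                        "primary server; select Set as Primary on one server")
    if has_old and has_new and primaries and not primaries[0].get("provisioning"):
        findings.append(f"mixed agent versions: {primaries[0]['address']} needs "
                        "both Set as Primary and Enable Provisioning")

    for s in provisioning:
        # The Web UI pushes the address to agents, but a DMZ server only starts
        # its provisioning service after the CLI step, so both must be present.
        if s.get("dmz") and not s.get("cli_provisioning_enabled"):
            findings.append(f"DMZ server {s['address']}: run 'hx ecosystem dmz "
                            "<dmz-ip> provisioning-enabled' in the CLI or "
                            "provisioning will fail")
    return findings


if __name__ == "__main__":
    print(audit_server_addresses(SAMPLE_SERVERS, [11, 20, 31]) or ["provisioning OK"])
```

Run the audit with the agent versions you actually intend to deploy; the rule set changes once every endpoint is on version 20 or later, because the primary designation then stops being required.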

Designating Provisioning Servers Using a Split DNS in the Web UI
The provisioning server address can be a split DNS that resolves differently depending on
whether the host on which the agent is installed is operating inside or outside your
company’s internal network. When the agent is inside the network, the DNS resolves to the
internal Endpoint Security server; when the agent is outside the network, the DNS resolves
to the DMZ server.

Prerequisites
• Admin or fe_services access
• A split DNS set up to resolve to your internal Endpoint Security server when the
  agent is inside the network and to the DMZ server when the agent is outside the
  network.

To designate the provisioning server using a split DNS name:

1. Using the Web UI, enable both your primary Endpoint Security server and your
DMZ server for provisioning. See Designating the Endpoint Security Server as a
Provisioning Server Using the Web UI on page 73 and Designating and Enabling a
DMZ Server as a Provisioning Server on page 74.
2. In the Web UI, select Agent Versions on the Admin menu, and then select Assign
   Server Addresses in the upper right corner of the page. The Edit Policy page for
   the Agent Default policy appears.
3. Select the Server Addresses tab.
4. Enter the DNS name and click Add.
5. If the endpoints in your environment have agent software versions earlier than
version 20 installed, select Set as Primary to designate the DNS as the provisioning
server. This will deselect any other appliance on the Server Addresses page as the
primary server.
If the endpoints in your environment have agent software version 20 or later
installed, select Enable Provisioning to designate the DNS server as a provisioning
server.
6. Click Save.

Canceling Provisioning Servers
You can cancel a server as the provisioning server.

You must have at least one provisioning server.

This section covers the following topics:

• Canceling the Primary Endpoint Security Server as a Provisioning Server Using the
  Web UI on the facing page
• Canceling a DMZ Server as a Provisioning Server Using the Web UI on the facing
  page

Prerequisites
• Admin or Operator access

Canceling the Primary Endpoint Security Server as a Provisioning Server Using the Web UI
For agents version 20 or later, the Endpoint Security server is designated as a
provisioning server by default. You cannot cancel it as a provisioning server.
For agents earlier than version 20, you can cancel the Endpoint Security server as a
provisioning server.

To cancel the Endpoint Security server as a provisioning server using the Web UI:

1. In the Web UI, select Agent Versions on the Admin menu.
   The Agent Versions page appears.
2. Select Assign Server Addresses in the upper right corner of the page.
   The Edit Policy page for the Agent Default policy appears.
3. Select the Server Addresses tab.
4. Locate your server in the server list in the Enable Provisioning section of the page.
5. For agents earlier than version 20, locate another server in the list of servers and
select Set as Primary to designate it as the provisioning server. This will cancel the
primary Endpoint Security server as the provisioning server.
You cannot cancel the primary Endpoint Security server as a provisioning server for
version 20 or later agents.
6. Click Save.

Canceling a DMZ Server as a Provisioning Server Using the Web UI
To cancel a DMZ server as a provisioning server using the Web UI:

1. In the Web UI, select Agent Versions on the Admin menu.
   The Agent Versions page appears.
2. Select Assign Server Addresses.
   The Edit Policy page for the Agent Default policy appears.
3. Select the Server Addresses tab.

4. Locate the DMZ server in the Enable Provisioning section of the page.
   For agents earlier than version 20, locate another server in the list of servers and
   select Set as Primary to designate it as the provisioning server. This will cancel the
   DMZ server as the provisioning server.
For agents version 20 or later, deselect Enable Provisioning to cancel the DMZ
server as a provisioning appliance.
5. Click Save.

PART VI: Integration

• How FireEye Appliance Alerts Become Endpoint Security Alerts and Central
  Management Badges on page 81
• Integrating Central Management Appliances and Endpoint Security Servers on
  page 85
• Integrating Network Security Appliances and Endpoint Security Servers Directly on
  page 97
• SNMP Data on page 99
• Forwarding CEF Logs to Helix and SIEM Solutions on page 107

CHAPTER 14: How FireEye Appliance Alerts Become Endpoint Security Alerts and
Central Management Badges
The Endpoint Security server generates endpoint alerts based on indicators of compromise
(IOCs). It uses the following types of IOCs: Mandiant intelligence, FireEye appliance alerts,
and custom intelligence. The Central Management appliance does not aggregate all of the
Endpoint Security alerts, but only Endpoint Security alerts that are generated from a
FireEye appliance IOC.
The following steps describe the process by which a FireEye appliance alert becomes an
Endpoint Security alert and a Central Management badge:

1. A FireEye appliance triggers an alert for a web infection, malware object, or malware
callback.
2. The FireEye appliance reports the alert to the Central Management appliance.
3. The Central Management appliance determines if an IOC for the Endpoint Security
server should be created and, if so, publishes it.
4. The Endpoint Security server transforms the Central Management indicator into an
Endpoint Security IOC and publishes it for the Endpoint Security agents.
5. The Endpoint Security agents search their hosts for any indicator of compromise. If
a match is found, the agent reports back to the Endpoint Security server. The
Endpoint Security server creates an alert, which is aggregated to the Central
Management appliance if that alert was based upon an IOC from a managed
appliance.
6. The Central Management appliance correlates the Endpoint Security alert with the
managed appliance alerts and creates badges for the appropriate alerts. Network
Security alerts will have an endpoint compromised badge. Email Security — Server
Edition alerts will have a related endpoint badge.

Endpoint Security and FireEye Appliance Alert Disparity
There is rarely a one-to-one relationship between Endpoint Security alerts and other FireEye
appliance alerts.
Indicators that are passed to the Endpoint Security server may not produce alerts if the
FireEye appliance blocks the malware download, if the combination of platform and
application version do not expose the required vulnerability, or if the endpoint is no longer
present in the network.
Network appliances evaluate possible infections within the network rather than actual
infections. If a user accesses an infected website but the browser and system are not
vulnerable to that infection, no infections are downloaded to their endpoint. But the
network appliance still fully evaluates the infected site, running various browsers and
versions to do so. It will likely generate multiple alerts for the infected site even though
none of the infections occurred on the actual endpoint host and no Endpoint Security alerts
have been generated.
Here are some other reasons why Endpoint Security and the other FireEye appliance alert
counts differ:

• Not all FireEye appliance alerts provide the kind of data from which an Endpoint
  Security indicator can be created.
• Only alerts originating from FireEye appliance IOCs are aggregated to the Central
  Management appliance.
• By default, only alerts that are classified as major severity alerts or higher are sent to
  the Endpoint Security server, resulting in only high-fidelity endpoint alerts.

Network Security and Endpoint Security Alert Matches
Network Security malware object and malware callback alerts are translated into Endpoint
Security IOCs. An Endpoint Security alert is generated when an IOC condition is detected
on an endpoint host. The Central Management appliance then aggregates the Endpoint
Security alert and badges the original Network Security alert as endpoint compromised. It
matches the endpoint host IP address with the Network Security alert source IP address
and malware artifacts, confirming that evidence of the malware that triggered the Network
Security alert was found on the endpoint host.

Email Security — Server Edition and Endpoint Security Alert Matches
Email Security — Server Edition malware object and malware callback alerts are translated
into Endpoint Security IOCs. An Endpoint Security alert is generated when an IOC
condition is detected on an endpoint host. The Central Management appliance then
aggregates the Endpoint Security alert and badges the original Email Security — Server

Edition alert as a related endpoint. It matches endpoint host malware artifacts with the
Email Security — Server Edition alert malware artifacts, confirming that evidence of the
malware that triggered the Email Security — Server Edition alert was found on the
endpoint host.
Email Security — Server Edition alerts do not contain a source IP address that can be
matched directly to the endpoint host IP address. The Central Management badge indicates
the most probable source of origin of the compromise.
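The following Python example is added here and is not the Central Management appliance's own correlation code. It applies the two matching rules just described to constructed sample alerts: a Network Security alert is badged endpoint compromised only when both a malware artifact and the alert's source IP match the endpoint alert, while an Email Security — Server Edition alert, which carries no usable source IP, is badged related endpoint on an artifact match alone. It also lists the appliance alerts that receive no badge, which is the alert disparity discussed earlier in this chapter. Alert identifiers and hashes are placeholders.

```python
"""Badge appliance alerts from endpoint evidence, following the matching rules
for Network Security and Email Security - Server Edition alerts.

Added example, not the Central Management appliance's own logic. Alerts are
simplified to a product, a source IP and a set of artifact hashes; all
identifiers and hashes below are constructed placeholders.
"""
from typing import Dict, List, Optional, Set, Tuple

APPLIANCE_ALERTS: List[Dict] = [
    {"id": "nx-101", "product": "network", "src_ip": "10.1.5.20",
     "artifacts": {"md5:11111111111111111111111111111111"}},
    # Same artifact as nx-101 but a different source host: the endpoint that
    # showed the artifact is not the host that triggered this alert.
    {"id": "nx-102", "product": "network", "src_ip": "10.1.5.99",
     "artifacts": {"md5:11111111111111111111111111111111"}},
    # Email alerts have no source IP that maps to an endpoint.
    {"id": "ex-201", "product": "email", "src_ip": None,
     "artifacts": {"md5:22222222222222222222222222222222"}},
    # Blocked download or non-vulnerable browser: nothing ever reached an endpoint.
    {"id": "nx-103", "product": "network", "src_ip": "10.1.5.20",
     "artifacts": {"md5:33333333333333333333333333333333"}},
]

ENDPOINT_ALERTS: List[Dict] = [
    {"id": "hx-1", "host_ip": "10.1.5.20",
     "artifacts": {"md5:11111111111111111111111111111111",
                   "md5:22222222222222222222222222222222"}},
]

# Badge each product's alert receives when endpoint evidence is found.
BADGE = {"network": "endpoint compromised", "email": "related endpoint"}


def correlate(appliance_alerts: List[Dict],
              endpoint_alerts: List[Dict]) -> Dict[str, List[Tuple[str, str]]]:
    """Map appliance alert id -> [(badge, endpoint alert id), ...]."""
    badges: Dict[str, List[Tuple[str, str]]] = {}
    for a in appliance_alerts:
        for e in endpoint_alerts:
            shared: Set[str] = a["artifacts"] & e["artifacts"]
            if not shared:
                continue  # no evidence of this malware on the endpoint
            if a["product"] == "network" and a["src_ip"] != e["host_ip"]:
                continue  # artifact seen, but on a different host than the alert's source
            badges.setdefault(a["id"], []).append((BADGE[a["product"]], e["id"]))
    return badges


def unmatched(appliance_alerts: List[Dict], badges: Dict[str, List]) -> List[str]:
    """Appliance alerts left without endpoint evidence: the common case."""
    return [a["id"] for a in appliance_alerts if a["id"] not in badges]


if __name__ == "__main__":
    result = correlate(APPLIANCE_ALERTS, ENDPOINT_ALERTS)
    for alert_id, hits in result.items():
        print(alert_id, hits)
    print("no badge:", unmatched(APPLIANCE_ALERTS, result))
```

The stricter rule for Network Security alerts is what makes the endpoint compromised badge trustworthy: an artifact hash alone says only that the malware exists somewhere in the estate, while the source-IP match ties it to the host that actually made the connection.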

CHAPTER 15: Integrating Central Management Appliances and Endpoint Security Servers
FireEye recommends that you use a Central Management appliance to manage your
Endpoint Security server to ensure that your server receives the highest-fidelity indicators
available. Central Management of an Endpoint Security server can be set up using the
Central Management Web UI. See the appendix "Configuring a Managed Appliance" in the
FireEye System Security Guide.

Errors result if you attempt to use the Central Management CLI to set up
management of an Endpoint Security server. Use the Web UI only.

If your Endpoint Security server and other FireEye appliances are managed by a Central
Management appliance, the Endpoint Security server automatically receives indicators
from the other FireEye appliances. The Central Management appliance streamlines
management of multiple appliances and enhances detection by correlating indicators. See
How FireEye Appliance Alerts Become Endpoint Security Alerts and Central Management
Badges on page 81.
The Central Management platform can be used to upgrade and manage an Endpoint
Security DMZ server, with the following caveats.

• Indicator updates from the Central Management appliance or from the DTI
  (Dynamic Threat Intelligence) Cloud to the DMZ server must be configured
  separately. See Configuring a Central Management-Managed DMZ Server to Get
  Updates from DTI on page 88. If these steps are not performed, indicator updates are
  acquired from the Central Management appliance and the DTI by the Endpoint
  Security server and transferred to the DMZ server.
• If you have problems connecting your Central Management appliance to your
  DMZ server, consider the firewalls your organization has in place. In some
  circumstances, the DMZ server is not accessible to the Central Management
  appliance because a firewall is blocking the connection.


Central Management releases earlier than Release 7.6 do not support integration with
Endpoint Security servers. Endpoint Security releases earlier than Release 2.6 do not
support integration with Central Management appliances. If you are running a Central
Management release earlier than Release 7.6, see Integrating Network Security Appliances
and Endpoint Security Servers Directly on page 97.

Do not attempt to integrate your Endpoint Security server with a Central Management appliance if you have already integrated with other FireEye appliances as described in Integrating Network Security Appliances and Endpoint Security Servers Directly on page 97. Using both types of integration will cause errors in the Central Management integration.

The configuration of your Endpoint Security server with the Central Management
appliance happens automatically after they are both installed. Use the instructions in this
section to ensure the settings on each appliance are correct.

When you remove a managed appliance from the Central Management platform,
all data (including alert information) associated with the appliance is removed. If
you add the appliance again later, the data is restored, but all alerts generated by
the appliance are assigned new IDs. Because the alerts have new IDs, Endpoint
Security links for alerts will break if the alerts were generated by the appliance
before it was removed from the Central Management platform.

To configure Central Management 7.6 or later and Endpoint Security server integration:

1. On your Central Management appliance, enable CLI configuration mode.
hostname > enable
hostname # configure terminal

2. Determine the latest alert ID on the Central Management appliance.
hostname (config) # show log matching "alert id"

The output from this command lists log file entries that include the CM Series alert ID.
Mar 16 18:02:51 FireEye_CM notifyd[9696]: tid 5175: [notifyd.INFO]: [inform_fireeye_hx] processing alert id=5762 infection-id=2291 infection-type=malware-object began at:2017-03-17 01:02:51, finish at:2017-03-17 01:02:51 time cost:0 micro-seconds sequence-id=140655883976776

3. Review the log file and choose a CM Series alert ID. The Endpoint Security server
will start collecting CM Series IOC data for this alert ID after the server attaches to
the Central Management appliance.
In Endpoint Security, the CM Series alert ID is called a bookmark.
4. On your Endpoint Security server, enable CLI configuration mode.
hostname > enable
hostname # configure terminal

5. Set the starting CM Series alert ID for the integration.
hostname (config) # hx server detection inbound bookmark <CM-alert ID>

where <CM-alert ID> is the starting CM Series alert ID you chose earlier in these steps. The default is 0 (zero), which downloads all of the CM Series alerts to the Endpoint Security server after the products are integrated.

FireEye does not recommend selecting a CM Series alert ID of 0 because of the performance impact this may have on your Endpoint Security server after the initial integration with the Central Management appliance.
If you accidentally set the CM Series alert ID to 0 and you want to delete all or many of the IOCs downloaded from the Central Management appliance, temporarily change the Endpoint Security indicator and alert aging threshold in the Web UI to just a few days. The Endpoint Security server will automatically delete IOCs that exceed this threshold. See "Managing Real-Time Indicator Detection" in the Endpoint Security Agent Administration Guide. Alternatively, you can manually remove the IOCs from the Endpoint Security server using the Indicators page in the Endpoint Security Web UI.

6. View detection-related settings for the Endpoint Security server:
hostname (config) # show hx server detection

Sample output from this command is shown below:

HX Server Detection Configuration:
Generated Indicator Aging: enabled
Generated Indicator Aging Period: 14 days
Alert Aging Period: 30 days
False Positive Alert Aging Period: 1 day
Intel Matching: enabled
Legacy notification listener active: no
Malicious.URL Indicator Generation (legacy): yes
Suspicious (noisy) Indicator Generation (legacy): no
Inbound alert poll interval: 5 minutes
Inbound alert minimum severity: majr
No ignored alert types.
Last bookmark ID: 5762

If the Legacy notification listener active field is set to no, Central Management integration with the Endpoint Security server is operational and no further steps are necessary. This is the default configuration for Endpoint Security 2.6 and later appliances.
If the Legacy notification listener active setting is not set to no, proceed with the remaining steps in this procedure.


7. Disable FireEye legacy appliance support:
hostname (config) # no hx server detection legacy enable

Do not attempt to integrate your Endpoint Security server with a Central Management appliance if you have already integrated with other FireEye appliances as described in Integrating Network Security Appliances and Endpoint Security Servers Directly on page 97. Using both types of integration will cause errors in the Central Management integration.

8. Save your changes:
hostname (config) # write mem

9. Log in to the Central Management Web UI and select CMS Settings.
10. Select Notifications in the left navigation pane.
11. Click the http table heading to access HTTP notification configuration fields. These fields allow you to access the HTTP connection definitions set up for your FireEye appliance.
12. If an Endpoint Security server HTTP connection has been defined, disable HTTP notifications to the Endpoint Security appliance by clearing the checkbox in the Enabled column of the Endpoint Security connection definition.

For more information about Central Management requirements for integration with the
Endpoint Security server, see the Central Management Administration Guide.

Configuring a Central Management-Managed DMZ Server to Get Updates from DTI
You can configure a Central Management-managed DMZ server to obtain updates from DTI rather than from the Central Management appliance.
To configure a Central Management-managed DMZ server to get updates from DTI:

1. On the DMZ server, go to CLI configuration mode:
hostname > enable
hostname # configure terminal

2. Override the downloads from the Central Management appliance:
hostname (config) # fenet dti source override enable

3. Apply a custom DTI source:
hostname (config) # fenet dti source default CDN


4. Verify the configuration:
hostname (config) # show fenet dti configuration

5. When the configuration is correct, save your changes:
hostname (config) # write memory


CHAPTER 16: Replacing Integrated Central Management Appliances and Endpoint Security Servers
To successfully replace an integrated Central Management appliance or Endpoint Security
server, you must manually configure the Endpoint Security server Bookmark ID. This
manual configuration ensures retrieval of relevant IOCs in a timely manner from the
Central Management appliance.

Overview
When an Endpoint Security server is managed by a Central Management appliance, the
Central Management appliance sends a notification of the latest Alert ID to the Endpoint
Security server. The Endpoint Security server then polls the Central Management appliance
for the Alert ID and retrieves Indicators Of Compromise (IOC) details for the specified alert.
The Endpoint Security server then updates the Bookmark ID to identify the next Alert ID to
use when polling the Central Management appliance.
A newly manufactured Endpoint Security server has a Bookmark ID equal to zero. When
the Endpoint Security server is attached to the Central Management appliance, the Central
Management appliance will send the latest Alert ID to the Endpoint Security server. The
Endpoint Security server will then poll the Central Management appliance for all the Alert
IDs from zero through to the latest Alert ID. The delta between the Endpoint Security server
Bookmark ID and the Central Management appliance latest Alert ID can be in the
thousands, resulting in a performance impact on the Endpoint Security server as it gathers
all the IOCs.

Replacement scenarios
The following scenarios are explained in detail.

1. New Central Management appliance, new Endpoint Security server, existing Network Security/Email Security — Server Edition/File Protect/Malware Analysis with a large history of alerts: In this scenario, a large delta may accrue for all of the historic and incoming alerts on the FireEye detection devices.
2. New Central Management appliance, existing Endpoint Security server, existing Network Security/Email Security — Server Edition/File Protect/Malware Analysis with a high volume of alerts: In this scenario, a large delta may accrue while the Central Management appliance is offline with a large influx of alerts.
3. New Central Management appliance, existing Endpoint Security server, existing Network Security/Email Security — Server Edition/File Protect/Malware Analysis with a low volume of alerts: The Bookmark ID may be greater than the actual latest Alert ID, which can result in missed alert IOCs.
4. Existing Central Management appliance, new Endpoint Security server, existing Network Security/Email Security — Server Edition/File Protect/Malware Analysis with a large history of alerts: A large delta may accrue for all of the historic and incoming alerts on the FireEye detection devices.

Replacement scenario 1: New Central Management appliance, new Endpoint Security server, existing Network Security/Email Security — Server Edition/File Protect/Malware Analysis with a large history of alerts
When a customer installs a new Central Management appliance (new purchase, model
upgrade or RMA) and a new Endpoint Security server (new purchase, model upgrade or
RMA) in an existing Network Security/Email Security — Server Edition/File
Protect/Malware Analysis environment:

• The Central Management appliance Alert ID is zero
• The Endpoint Security server Bookmark ID is zero
• The Network Security/Email Security — Server Edition/File Protect/Malware Analysis latest alert ID is a large number

The Central Management appliance will aggregate all of the existing alert data and send
notifications for all of the Alert IDs to the managed Endpoint Security server. The Endpoint
Security server will poll the Central Management appliance for all of the alerts between
zero and the latest Alert ID. This could result in a large delta and could impact the
performance of the Endpoint Security server. The process of the Endpoint Security server
Bookmark ID catching up to the latest Alert ID can take many hours or days depending on
the amount of alert data present on the Central Management appliance. This can result in
a significant delay in the Endpoint Security server receiving the latest, most relevant
IOCs, causing missed malware detection on the endpoints. To prevent this, advance the
Endpoint Security server Bookmark ID to a recent Alert ID (see steps below) before
attaching the Endpoint Security server to the Central Management appliance.


Replacement scenario 2: New Central Management appliance, existing Endpoint Security server, existing Network Security/Email Security — Server Edition/File Protect/Malware Analysis with a high volume of alerts
When a customer installs a new Central Management appliance (new purchase, model
upgrade or RMA) in an existing Endpoint Security server and Network Security/Email
Security — Server Edition/File Protect/Malware Analysis high volume environment:

• The Central Management appliance Alert ID is zero
• The Endpoint Security server Bookmark ID is a large number
• The Network Security/Email Security — Server Edition/File Protect/Malware Analysis latest alert ID is a larger number

The Central Management appliance will aggregate all of the existing alert data and send
notifications for all of the Alert IDs to the managed Endpoint Security server. The Endpoint
Security server will poll the Central Management appliance for all of the alerts between the
last Bookmark ID and the latest Alert ID. For a high-volume alert environment, this delta
can be large depending upon how long the Central Management appliance is offline and
the rate of alert influx. This could result in a large delta and could impact the performance
of the Endpoint Security server. The process of the Endpoint Security server Bookmark ID
catching up to the latest Alert ID can take several hours depending on the amount of alert
data. This can result in a delay in the Endpoint Security server receiving the latest, most
relevant IOCs.

Replacement scenario 3: New Central Management appliance, existing Endpoint Security server, existing Network Security/Email Security — Server Edition/File Protect/Malware Analysis with a low volume of alerts
When a customer installs a new Central Management appliance (new purchase, model
upgrade or RMA) in an existing Endpoint Security server and Network Security/Email
Security — Server Edition/File Protect/Malware Analysis low volume environment:

• The Central Management appliance Alert ID is zero
• The Endpoint Security server Bookmark ID is a larger number
• The Network Security/Email Security — Server Edition/File Protect/Malware Analysis latest alert ID is a large number

The Central Management appliance will aggregate all of the existing alert data and send notifications for all of the Alert IDs to the managed Endpoint Security server. In rare cases, the Endpoint Security server Bookmark ID could be greater than the latest Central Management appliance Alert ID. The Endpoint Security server will poll the Central Management appliance for the larger Bookmark ID and will not receive an IOC from the Central Management appliance until the Central Management appliance Alert ID advances to equal the Bookmark ID. This could result in missing IOCs from alerts with Alert IDs below the Endpoint Security server Bookmark ID, as well as missing malware detection on the endpoints. You can modify the Endpoint Security server Bookmark ID to equal a recent Alert ID (see steps below) before attaching the Endpoint Security server to the Central Management appliance to prevent this.

Replacement scenario 4: Existing Central Management appliance, new Endpoint Security server, existing Network Security/Email Security — Server Edition/File Protect/Malware Analysis with a large history of alerts
When a customer installs a new Endpoint Security server (new purchase, model upgrade
or RMA) in an existing Central Management appliance and Network Security/Email
Security — Server Edition/File Protect/Malware Analysis environment:

• The Central Management appliance latest Alert ID is a large number
• The Endpoint Security server Bookmark ID is zero
• The Network Security/Email Security — Server Edition/File Protect/Malware Analysis latest alert ID is a large number

The Central Management appliance will send notifications for all of the Alert IDs to the
managed Endpoint Security server. The Endpoint Security server will poll the Central
Management appliance for all of the alerts between zero and the latest Alert ID. This could
result in a large delta and could impact the performance of the Endpoint Security server.
The process of the Endpoint Security server Bookmark ID catching up to the latest Alert ID
can take many hours (or days) depending on the amount of alert data present on the
Central Management appliance. This can result in a significant delay in the Endpoint
Security server receiving the latest, most relevant IOCs, causing missed malware detection
on the endpoints. To prevent this, you should advance the Endpoint Security server
Bookmark ID to a recent Alert ID (see steps below) before attaching the Endpoint Security
server to the Central Management appliance.

Modifying the Endpoint Security server Bookmark ID
For scenarios 1, 3 and 4, the Endpoint Security server Bookmark ID should be set to a recent Central Management appliance Alert ID before adding the Endpoint Security server to the Central Management appliance. To determine the most recent Alert ID on the Central Management appliance, run the following CLI command:
sh log matching \bnotifyd\b.*\bdone_notify_alerts\b


In the example below, the Endpoint Security server Bookmark ID can be set to 5071 to receive only the latest IOC from the Central Management appliance. However, depending on the scenario, the Endpoint Security server could then have a large delta or could miss recent IOCs. To get a better Bookmark ID starting point, log in to the Central Management appliance UI, navigate to the Alerts/Alerts page, set the inline filter Date Range to 'Past 1 Week' (or any desired time frame), and apply the filter. The total number of alerts for this time frame is shown in the upper left-hand corner of the alerts display. Subtract this number from the most recent Alert ID and set the Endpoint Security server Bookmark ID to the result to gather the past week's IOCs. For instance, if the Central Management appliance displays 50 alerts for the selected date range, the Bookmark ID can be set to 5021. Then add the Endpoint Security server to the Central Management appliance. The Endpoint Security server will begin to gather the IOCs from alerts 5021 through the current Central Management appliance Alert ID as soon as it receives the first alert notification of the most current Alert ID from the Central Management appliance.

Example
dresden # sh log matching \bnotifyd\b.*\bdone_notify_alerts\b
Jul 11 12:51:51 dresden notifyd[28468]: tid 28468: [notifyd.INFO]: SQL:select
* from done_notify_alerts('{5069} ')
Jul 11 12:53:21 dresden notifyd[28468]: tid 28468: [notifyd.INFO]: SQL:select
* from done_notify_alerts('{5070} ')
Jul 11 12:54:22 dresden notifyd[28468]: tid 28468: [notifyd.INFO]: SQL:select
* from done_notify_alerts('{5071} ')
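The bookmark arithmetic above, and the show log matching "alert id" step in the Central Management integration procedure in the previous chapter, can be scripted. The following Python is an added example and is not part of this guide or of the Endpoint Security product: it extracts the latest alert ID from either notifyd log format the guide shows, subtracts the alert count read from the Central Management Alerts page filter, produces the hx server detection inbound bookmark command, and flags the replacement scenario 3 case in which an existing server's bookmark is already ahead of a new Central Management appliance. The log lines are constructed to match the guide's formats, and the 1000-alert "large delta" threshold is an assumption (the guide only says "thousands").

```python
"""Pick an Endpoint Security (HX) bookmark from Central Management (CM) notifyd logs.

Added example; not part of this guide or of the Endpoint Security product.
Parses the two notifyd log formats the guide shows and applies the guide's
"latest alert ID minus alerts in the chosen window" rule.
"""
import re
from typing import Optional

# `show log matching "alert id"` format (chapter 15): ... processing alert id=5762 ...
PROCESSING_RE = re.compile(r"processing alert id=(\d+)")
# `sh log matching \bnotifyd\b.*\bdone_notify_alerts\b` format (chapter 16):
# ... SQL:select * from done_notify_alerts('{5071} ')
DONE_NOTIFY_RE = re.compile(r"done_notify_alerts\('\{(\d+)\}\s*'\)")

# Assumed threshold for "a large delta" (the guide only says "thousands").
LARGE_DELTA = 1000

# Constructed sample lines, in the two formats shown in the guide.
CM_PROCESSING_LOG = """\
Mar 16 18:02:49 FireEye_CM notifyd[9696]: tid 5175: [notifyd.INFO]: [inform_fireeye_hx] processing alert id=5761 infection-id=2290 infection-type=malware-object began at:2017-03-17 01:02:49, finish at:2017-03-17 01:02:49 time cost:0 micro-seconds sequence-id=140655883976775
Mar 16 18:02:51 FireEye_CM notifyd[9696]: tid 5175: [notifyd.INFO]: [inform_fireeye_hx] processing alert id=5762 infection-id=2291 infection-type=malware-object began at:2017-03-17 01:02:51, finish at:2017-03-17 01:02:51 time cost:0 micro-seconds sequence-id=140655883976776
"""
CM_DONE_NOTIFY_LOG = """\
Jul 11 12:51:51 dresden notifyd[28468]: tid 28468: [notifyd.INFO]: SQL:select * from done_notify_alerts('{5069} ')
Jul 11 12:53:21 dresden notifyd[28468]: tid 28468: [notifyd.INFO]: SQL:select * from done_notify_alerts('{5070} ')
Jul 11 12:54:22 dresden notifyd[28468]: tid 28468: [notifyd.INFO]: SQL:select * from done_notify_alerts('{5071} ')
"""


def latest_alert_id(log_text: str) -> Optional[int]:
    """Highest CM alert ID found in either log format, or None if there is none."""
    ids = [int(m.group(1)) for m in PROCESSING_RE.finditer(log_text)]
    ids += [int(m.group(1)) for m in DONE_NOTIFY_RE.finditer(log_text)]
    return max(ids) if ids else None


def choose_bookmark(latest_id: int, alerts_in_window: int) -> int:
    """Bookmark that makes HX fetch only the alerts in the chosen window.

    HX fetches IOCs for alert IDs after the bookmark, so subtracting the
    alert count shown on the CM Alerts page for the chosen date range lands
    just before that window. Clamped at 0, which is the full-history pull
    the guide warns about.
    """
    if alerts_in_window < 0:
        raise ValueError("alert count cannot be negative")
    return max(0, latest_id - alerts_in_window)


def bookmark_command(bookmark: int) -> str:
    """HX configure-terminal command to run before attaching the server to CM."""
    return f"hx server detection inbound bookmark {bookmark}"


def check_bookmark(hx_bookmark: int, cm_latest_id: int) -> str:
    """Sanity-check an HX bookmark against the CM alert counter before attaching.

    Covers replacement scenario 3 (bookmark ahead of a new CM: HX gets no
    IOCs until CM catches up and never fetches the alerts in between) and the
    large-delta scenarios 1, 2 and 4. Returns 'ok' or a one-line explanation.
    """
    if hx_bookmark > cm_latest_id:
        return (f"bookmark {hx_bookmark} is ahead of CM latest alert {cm_latest_id}; "
                f"lower it to at most {cm_latest_id} before attaching")
    delta = cm_latest_id - hx_bookmark
    if delta > LARGE_DELTA:
        return f"delta of {delta} alerts; expect a long catch-up, consider advancing the bookmark"
    return "ok"


if __name__ == "__main__":
    latest = latest_alert_id(CM_DONE_NOTIFY_LOG)              # 5071 in the guide's example
    bookmark = choose_bookmark(latest, alerts_in_window=50)   # 5021, as in the guide
    print(bookmark_command(bookmark))
    print(check_bookmark(hx_bookmark=5500, cm_latest_id=latest))
```

Paste the output of the CM show log command into latest_alert_id, take the alert count from the filtered Alerts page, and run the printed command on the Endpoint Security server in configure terminal mode before attaching it. Run check_bookmark first on an existing server whose Last bookmark ID (from show hx server detection) you intend to keep.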


CHAPTER 17: Integrating Network Security Appliances and Endpoint Security Servers Directly
If your Endpoint Security server is not managed by a Central Management appliance, you
must configure the Network Security appliance to communicate with the Endpoint Security
server.
The procedure described in this section is for Endpoint Security version 2.6 or later servers.
If you upgrade to Endpoint Security 2.6 or later without upgrading to Central Management
7.6 or later, you need to perform these steps.

Do not use this procedure if you have already integrated your Endpoint Security
server with a Central Management appliance (see Integrating Central
Management Appliances and Endpoint Security Servers on page 85). Using both
types of integration will cause errors in the Central Management integration.

Alerts can only be sent from Malware Analysis or Email Security — Server
Edition appliance to the Endpoint Security server through a Central Management
appliance. Attempts to send Malware Analysis or Email Security — Server Edition
alerts to the Endpoint Security server using the direct connection set up between a
Network Security appliance and the server will fail. FireEye only provides the
direct connection between Network Security and Endpoint Security. Use the
Central Management appliance connection with the Endpoint Security server for
Malware Analysis and Email Security — Server Edition alerts.

To configure Endpoint Security integration with Network Security appliances directly when the Endpoint Security server is not managed by a Central Management appliance:

1. On your Endpoint Security server, enable CLI configuration mode.
hostname > enable
hostname # configure terminal

2. Enable FireEye legacy appliance support for the Endpoint Security server:
hostname (config) # hx server detection legacy enable


3. Save your changes:
hostname (config) # write mem

4. Log in to the Web UI of the Network Security appliance and then click Settings. (On
a Central Management appliance, click CMS Settings).
5. Click Notifications in the left navigation pane.
6. Verify that all HTTP event types are selected for the appliance.
7. Click the http table heading to access HTTP notification configuration fields. These
fields allow you to define the HTTP connection with your Endpoint Security
appliance.
8. Type a name for the Network Security appliance's direct connection to the Endpoint
Security appliance in the Name box and then click Add HTTP Server.
9. Enter the Endpoint Security URL in the Server Url box:
https://<DNS-name-or-Endpoint-Security-IP>/alerts

For example: https://192.0.2.10/alerts

10. Select the check box in the Enabled column for the Endpoint Security server
connection. This enables HTTP notifications between the Network Security
appliance and the Endpoint Security server.
11. Leave the Username and Password boxes for the Endpoint Security server
connection empty.
12. Select All Events from the list in the Notifications column for the Endpoint Security
server connection.
13. In the Delivery list for the Endpoint Security server connection, select Per Event.
14. Select the SSL Enable box. Do not select the SSL Verify box for the Endpoint Security server connection. With SSL Verify cleared, the Network Security appliance does not validate the Endpoint Security server's certificate, so the alert channel is encrypted but the server is not authenticated; keep the path between the two appliances on a trusted management network.
15. In the Default Provider list, select Generic.
16. In the Message Format list, select JSON Extended.
17. Click Update to save the Endpoint Security server connection.


CHAPTER 18: SNMP Data

Trellix appliances send Simple Network Management Protocol (SNMP) data to convey
abnormal conditions to administrative computers that monitor and control them. The
administrative computers are called SNMP managers.
SNMP data includes the following:

• Information that is retrieved (pulled) by the SNMP manager. This information is sent in response to requests the SNMP manager sends to the appliance. See Retrieving SNMP Data below.
• Events (known as traps) that are sent (pushed) by the appliance to the SNMP manager. Traps typically report alarm conditions such as a disk failure or excessive temperature. They are unsolicited; that is, they are not sent in response to requests from the SNMP manager. See Sending Traps on page 103.

Retrieving SNMP Data
This section describes how to retrieve SNMP information from the Endpoint Security
appliance.
A Management Information Base (MIB) is a text file written in a specific format in which
all of the manageable features of a device are arranged in a tree. Each branch of the tree
contains a number and a name, and the complete path from the top of the tree down to the
point of interest forms the Object Identifier, or OID. The OID is a string of values separated
by periods, such as .1.3.6.1.2.1.1.3.0.
You can send requests for data on an object using the OID, but it can be simpler to use the
symbolic name for the object instead. A MIB allows SNMP tools to translate the symbolic
names into OIDs before sending the requests to the managed device. Symbolic names for
objects in the Trellix MIB include feSerialNumber.0, feHardwareModel.0, feProductLicenseActive.0, feFanIsHealthy.1, and so on.
The Trellix MIB, named FE-FIREEYE-MIB, needs to be downloaded from the Endpoint
Security appliance to the SNMP manager so it can be loaded into an SNMP browser or
other tool. A typical SNMP browser can retrieve the values the appliance supports, and


then display them in a hierarchy so you can navigate to the value you need to include in
the request.
This section contains the following topics:

• Providing Access to SNMP Data below
• Downloading the MIB below
• Retrieving SNMP Data Using Event OIDs on page 102
• Sending Requests for SNMP Information on page 103

Providing Access to SNMP Data
To allow access to SNMP v3 data, configure a username and password.

Prerequisites
• Operator or Admin access

To enable access to SNMP data:

1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal

2. Verify that SNMP is enabled:
hostname (config) # show snmp

If the output shows SNMP enabled: no, enter the snmp-server enable command.
3. SNMP v3: Specify the SNMP user and password:
hostname (config) # snmp-server user <username> v3 enable
hostname (config) # snmp-server user <username> v3 auth sha <password>

4. Save your changes:


hostname (config) # write memory

Downloading the MIB
You can download the MIB from the command prompt.
This section describes how to download the FE-FIREEYE-MIB to SNMP managers that run on Microsoft Windows, Linux, and Apple devices. The MIB files are retrieved over SSH (TCP port 22) with an SCP client such as scp or PSCP. Because the appliance does not allow general file-level access, the exact path of the MIB directory must be specified.


Prerequisites
• Analyst, Operator, or Admin access

To download the FireEye MIB to Windows devices:

1. Download the pscp.exe tool (available from the PuTTY download page).
2. Open a command prompt window.
3. Change to the directory in which you downloaded the pscp.exe tool:
cd Downloads

4. Copy the MIB directory from the appliance:
pscp.exe -r -scp admin@<applianceIPAddress>:/usr/share/snmp/mibs \Temp\mibs\

5. When prompted for the password, enter the admin account password (admin unless it has been changed, which it should be).
The files are copied to the \Temp\mibs directory on the Windows device.
6. Change to the mibs directory:
cd C:\Temp\mibs

7. Load the MIB into an SNMP browser or tool, or open the MIB file in a text editor:
notepad FE-FIREEYE-MIB.txt

To download the FireEye MIB to Linux devices:

1. Copy the MIB directory from the appliance using the OpenSSH client:
scp -r admin@<applianceIPAddress>:/usr/share/snmp/mibs /usr/<userDirectoryName>

2. When prompted for the password, type the admin account password (admin unless it has been changed, which it should be).
The files are copied to the mibs directory under /usr/<userDirectoryName>.

3. Change to the mibs directory:


cd mibs

4. Load the MIB into an SNMP browser or tool, or open the MIB file:
vi FE-FIREEYE-MIB.txt

To download the FireEye MIB to Apple devices:

1. Open the Terminal application.
2. Copy the MIB directory from the appliance:
scp -r admin@<applianceIPAddress>:/usr/share/snmp/mibs ~/

3. When prompted for the password, type the admin account password (admin unless it has been changed, which it should be).
The files are copied to the mibs directory in your home directory.


4. Load the MIB into an SNMP browser or tool, or open the MIB file:
vi FE-FIREEYE-MIB.txt

Retrieving SNMP Data Using Event OIDs
You can retrieve SNMP data using event object IDs (OIDs) after the MIB file has been downloaded.

Prerequisites
• Operator or Admin access
• The MIB file must be downloaded. See Downloading the MIB on page 100.

To retrieve SNMP data using event OIDs:

1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal

2. SNMP is enabled by default. Verify that it is enabled:
hostname (config) # show snmp

If the output shows SNMP enabled: no, enter the snmp-server enable command.
3. Enable the appliance to send notifications to the SNMP manager:
hostname (config) # snmp-server enable notify

4. Specify the IP address of the SNMP manager:
hostname (config) # snmp-server host <IPAddress> traps public

5. Enable SNMP communities:
hostname (config) # snmp-server enable communities

6. Add an SNMP community:
hostname (config) # snmp-server community <community>

where <community> is the string the SNMP manager needs to query the appliance. The default community string is public. The community string is the only credential for SNMP v1/v2c access and is sent in clear text, so use a non-default string here and in place of public in the snmp-server host command, restrict which managers can reach the listen interface, and prefer the SNMP v3 user configured in Providing Access to SNMP Data on page 100 where your manager supports it.
7. Limit SNMP access to the listen interface called ether1:
hostname (config) # snmp-server listen interface ether1

8. Enable access to the listen interface:
hostname (config) # snmp-server listen enable

9. Save your changes:
hostname (config) # write memory


Sending Requests for SNMP Information
This topic describes two ways to retrieve SNMP information.

• The snmpget command retrieves the value of a specific object.
• The snmpwalk command walks through the object hierarchy, automatically retrieving the values of objects for the subtree or node that you specified.

Examples of basic commands that retrieve SNMP data follow. The commands are entered
from the SNMP manager application. The IP address in the commands is the appliance
IP address.
SNMP v3 commands (the -a protocol must match the one configured with snmp-server user <username> v3 auth, which is sha in Providing Access to SNMP Data on page 100; a mismatch fails authentication):
snmpmgr # snmpget -m +FE-FIREEYE-MIB -v 3 -u myname -a SHA -A mypassword -l authNoPriv 172.0.0.0 feTemperatureValue.0
snmpmgr # snmpwalk -m +FE-FIREEYE-MIB -v 3 -u myname -a SHA -A mypassword -l authNoPriv 172.0.0.0 enterprises.25597

SNMP v2c commands:
snmpmgr # snmpget -m +FE-FIREEYE-MIB -v 2c -c public 172.0.0.0
feSupportLicenseActive.0
snmpmgr # snmpwalk -m +FE-FIREEYE-MIB -v 2c -c public 172.0.0.0 fireeye
snmpmgr # snmpwalk -v 2c -c public 172.0.0.0 enterprises.25597

To retrieve license expiration dates formatted in a table, use a command similar to the following, with the appliance IP address in place of 172.0.0.0 (different SNMP manager applications require different commands):
snmpmgr # snmptable -m +FE-FIREEYE-MIB -c public -Of -v 2c 172.0.0.0 feLicenseFeatureTable

Check the number of days in the rightmost column. If the value is less than 30, contact your system administrator.
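The following Python is an added example, not part of this guide or of the Trellix products. It builds the net-snmp command line so that the -a flag always matches the authentication protocol configured on the appliance with snmp-server user <username> v3 auth sha <password> (an MD5/SHA mismatch fails authentication), parses the OBJECT = TYPE: VALUE lines that net-snmp prints, and applies the 30-day license check above. The sample output is constructed; feLicenseDaysLeft is a hypothetical object name used only in that sample (take the real object name from FE-FIREEYE-MIB), 172.0.0.0 is the guide's placeholder address, and the FE-EXAMPLE-0001 serial is made up.

```python
"""SNMP v3 polling against an Endpoint Security appliance with net-snmp.

Added example; not part of this guide or of the Trellix products. Builds
snmpget/snmpwalk command lines whose -a flag matches the protocol set on the
appliance with `snmp-server user <username> v3 auth sha <password>`, parses
net-snmp's `OBJECT = TYPE: VALUE` output, and applies the guide's 30-day
license check. Sample output below is constructed; feLicenseDaysLeft is a
hypothetical object name used only in that sample.
"""
import re
import subprocess
from typing import Dict, List

# Appliance-side auth protocol -> value net-snmp's -a flag expects. Sending MD5
# to a user created with `v3 auth sha` fails authentication.
AUTH_FLAGS = {"sha": "SHA", "md5": "MD5"}

# One net-snmp output line, e.g. FE-FIREEYE-MIB::feTemperatureValue.0 = INTEGER: 41
NET_SNMP_LINE = re.compile(r"^(?P<obj>\S+) = (?P<type>[A-Za-z0-9-]+): ?(?P<val>.*)$")

# Constructed sample of an snmpwalk over the FireEye subtree (values are made up).
SAMPLE_WALK = """\
FE-FIREEYE-MIB::feSerialNumber.0 = STRING: "FE-EXAMPLE-0001"
FE-FIREEYE-MIB::feProductLicenseActive.0 = INTEGER: true(1)
FE-FIREEYE-MIB::feTemperatureValue.0 = INTEGER: 41
FE-FIREEYE-MIB::feLicenseDaysLeft.1 = INTEGER: 12
FE-FIREEYE-MIB::feLicenseDaysLeft.2 = INTEGER: 220
"""


def snmp_argv(op: str, host: str, oid: str, user: str, password: str,
              appliance_auth: str = "sha") -> List[str]:
    """argv for an SNMPv3 authNoPriv snmpget/snmpwalk; -a is derived from the appliance config."""
    if op not in ("snmpget", "snmpwalk"):
        raise ValueError(f"unsupported operation {op!r}")
    auth_flag = AUTH_FLAGS.get(appliance_auth.lower())
    if auth_flag is None:
        raise ValueError(f"appliance auth protocol must be one of {sorted(AUTH_FLAGS)}")
    return [op, "-m", "+FE-FIREEYE-MIB", "-v", "3", "-u", user,
            "-a", auth_flag, "-A", password, "-l", "authNoPriv", host, oid]


def parse_net_snmp(text: str) -> Dict[str, str]:
    """Map each object name to its raw value; surrounding quotes dropped from STRING values."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = NET_SNMP_LINE.match(line.strip())
        if not m:
            continue  # continuation lines of multi-line values are ignored here
        val = m.group("val").strip()
        if m.group("type") == "STRING" and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        values[m.group("obj")] = val
    return values


def expiring_licenses(values: Dict[str, str], days_object: str,
                      threshold: int = 30) -> Dict[str, int]:
    """Rows of `days_object` (name without MIB prefix or index) below `threshold` days."""
    hits: Dict[str, int] = {}
    for obj, val in values.items():
        name = obj.split("::")[-1].split(".")[0]
        if name != days_object:
            continue
        try:
            days = int(val)
        except ValueError:
            continue  # not a plain integer; skip rather than misreport
        if days < threshold:
            hits[obj] = days
    return hits


def query(argv: List[str]) -> Dict[str, str]:
    """Run the net-snmp command on the manager and parse its output (needs net-snmp installed)."""
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return parse_net_snmp(result.stdout)


if __name__ == "__main__":
    print(" ".join(snmp_argv("snmpwalk", "172.0.0.0", "enterprises.25597", "myname", "mypassword")))
    walked = parse_net_snmp(SAMPLE_WALK)
    print(walked["FE-FIREEYE-MIB::feTemperatureValue.0"])
    print(expiring_licenses(walked, "feLicenseDaysLeft"))  # {'FE-FIREEYE-MIB::feLicenseDaysLeft.1': 12}
```

Passing the passphrase with -A exposes it in the manager's process list; on a real manager put defSecurityName, defAuthType, defAuthPassphrase and defSecurityLevel in ~/.snmp/snmp.conf, restrict that file to the polling user, and drop the -u/-a/-A/-l flags from snmp_argv.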

Sending Traps
This section describes how to configure basic SNMP support on the Endpoint Security
appliance, enable and configure traps, and set up trap logging. For detailed information
about SNMP commands and options for more advanced configurations, see the Trellix CLI
Command Reference.

Enabling and Configuring Traps


Various events can trigger the appliance to send traps to the SNMP manager. Most of the
events are enabled by default. This topic describes how to enable the appliance to send
traps, configure the IP address of the SNMP manager that receives the traps, and disable
and enable individual events.

EndPoint Security Series Cloud Appliance Deployment Guide CHAPTER 18: SNMP Data

Prerequisites
• Operator or Admin access

To enable traps and events:

1. Go to CLI configuration mode:
hostname > enable
hostname # configure terminal

2. SNMP is enabled by default. Verify that it is enabled:


hostname (config) # show snmp

If the output shows SNMP enabled: no, enter the snmp-server enable command.

3. Enable the appliance to send notifications to the SNMP manager:


hostname (config) # snmp-server enable notify

4. Specify the IP address of the SNMP manager:


hostname (config) # snmp-server host <IPAddress> traps public

5. Save your changes:


hostname (config) # write memory

To view the events that can be enabled or are currently enabled:

1. Go to CLI configuration mode:


hostname > enable
hostname # configure terminal

2. View a list of all events that can be enabled:


hostname (config) # snmp-server notify event ?

3. View the events that are currently enabled:


hostname (config) # show snmp events

To disable or enable specific events:

1. Go to CLI configuration mode:


hostname > enable
hostname # configure terminal

2. Disable an event:
hostname (config) # no snmp-server notify event <event>

For example, the following command stops a trap from being sent when the
temperature of the appliance is normal:
hostname (config) # no snmp-server notify event normal-temperature

3. Enable an event:
hostname (config) # snmp-server notify event <event>

For example, the following command enables the appliance to send a trap when
there is a change in an interface link:
hostname (config) # snmp-server notify event if-link-change

4. Save your changes:
hostname (config) # write memory

Logging Trap Messages


The snmptrapd service receives and logs trap messages.
To set up trap logging:

1. Log into the SNMP manager application.


2. Enable the snmptrapd service:
snmptrapd

3. Specify the log location:


/var/log/snmptrapd.log

CHAPTER 19: Forwarding CEF Logs to Helix and SIEM Solutions
You can forward CEF logs from on-premises or virtual Endpoint Security servers to Helix
using a Cloud Collector or Communications Broker (Comm Broker). This allows you to
view, but not manage, on-premises and virtual Endpoint Security log data in Helix.
In addition, the Endpoint Security server can be integrated with a variety of Security
Information and Event Management (SIEM) solutions to exchange requests and
information automatically, reducing time spent navigating between product interfaces. For
example, integrating these products helps you perform the following actions.

• You can send common event format (CEF) logs from the Endpoint Security server to
one or more remote SIEMs. This includes hits (referred to as alerts), containment
state events, and triage status. For more information, see Configuring CEF Logging
for Endpoint Events on the next page. For information on the data that is logged, see
"CEF Logs and Output" in the Endpoint Security Server User Guide.
• You can perform two-way communications with SIEM solutions, such as acquiring
triage collections.
• With SIEM solutions, you can execute analyst actions initiated in a URL context.
Specifically, you can:
  ◦ Listen for traffic from SIEMs that initiate analyst actions via URL requests.
  ◦ Parse the arguments in these requests.
  ◦ Format and execute commands.

The integration between the Endpoint Security server and most SIEM solutions can be
accomplished using an external integration connector and an API Analyst user account.
See "Roles for Local User Accounts" in the System Security Guide. For an example of setting
up an integration connector with a SIEM solution, see SIEM Example: Setting Up an
Endpoint Security Integration Connector with ArcSight on page 111.

An integration connector can only be used for communications from the SIEM
solution to the Endpoint Security server, not from the Endpoint Security server to the
SIEM solution.
Similar integration can be accomplished using the Endpoint Security API. See the
Endpoint Security REST API Guide.

Configuring CEF Logging for Endpoint Events
Use the CLI commands in this topic to configure logging for CEF-formatted log messages
for endpoint events. These CEF log messages can be sent from the Endpoint Security
appliance to your Helix environment or Security Information and Event Management
(SIEM) solution.
To forward logs to Helix, create a destination for the Cloud Collector or Communications
Broker (Comm Broker). The Cloud Collector or Comm Broker will aggregate and forward
Endpoint Security CEF logs to Helix.
To integrate with a SIEM solution, create a destination for the remote syslog server.

• Viewing the Current Logging Configuration on the facing page
• Adding a Destination on the facing page
• Removing a Destination on page 110
• Using TCP for Remote Logging on page 110
• Configuring the Port for a Remote Logging Target on page 110
• Enabling Local CEF Logging on page 111
• Disabling Local CEF Logging on page 111

Descriptions of the collected CEF log data can be found in "CEF Logs and Output" in the
Endpoint Security Server User Guide.

Prerequisites
• Admin or fe_services access
• To forward CEF logs to Helix, a FireEye Cloud Collector or Comm Broker must be
installed. See the Cloud Collector Installation Guide or the Unmanaged Communications
Broker Installation Guide for details.

Viewing the Current Logging Configuration


To view the current logging configuration:

1. Enable the CLI configuration mode:


hostname > enable
hostname # configure terminal

2. View the configuration:


hostname # show logging

Here is sample output from this command:


Local logging level: notice (OVERRIDES DISABLED)
Override for class cef: none
Remote syslog default level: notice
No remote syslog servers configured.
Receive remote messages via UDP: no
Receive remote messages via TCP: no
Receive remote messages via TLS: no
Log file rotation:
Log rotation size threshold: 256 megabytes
Archived log files to keep: 40
Log format:
Subsecond timestamp field: disabled
Secure channel logs: yes

In this example, CEF logging is actually disabled because the Override for class
cef setting is not set to info. All CEF logging occurs for messages logged at the
info system log level. If this level is set to anything other than info, CEF logging
will not occur. See Enabling Local CEF Logging on page 111.

Adding a Destination
Define a Cloud Collector or Comm Broker destination to forward CEF log messages to
Helix. Define a remote syslog server destination to integrate Endpoint Security with your
SIEM solution.
To add a destination:

1. Enable the CLI configuration mode:


hostname > enable
hostname # configure terminal

2. Add the destination:


hostname # logging <IP-address> trap none
hostname # logging <IP-address> trap override class cef priority info

where <IP-address> is the IP address of the Cloud Collector or the remote syslog
server destination.
3. Save your settings:
hostname # write mem

Removing a Destination
To remove a destination:

1. Enable the CLI configuration mode:


hostname > enable
hostname # configure terminal

2. Remove a remote syslog server destination:


hostname # no logging <IP-address>

where <IP-address> is the IP address of the Cloud Collector or the remote syslog
server destination.
3. Save your settings:
hostname # write mem

Using TCP for Remote Logging


To use TCP for remote logging instead of UDP:

1. Enable the CLI configuration mode:


hostname > enable
hostname # configure terminal

2. Request TCP instead of UDP for a remote logging target:


hostname # logging <remote-IP-address> protocol tcp

3. Save your settings:


hostname # write mem

Configuring the Port for a Remote Logging Target


To change the port for a remote logging target from port 514:

1. Enable the CLI configuration mode:


hostname > enable
hostname # configure terminal

2. Change the port number:


hostname # logging <remote-IP-address> port <new-port-number>

3. Save your settings:


hostname # write mem

Enabling Local CEF Logging


To enable local CEF logging:

1. Enable the CLI configuration mode:


hostname > enable
hostname # configure terminal

2. Enable CEF logging:
hostname # logging local override class cef priority info

All CEF logging occurs for messages logged at the info system log level. If you set
this to any other system log level, CEF logging will not occur.
3. Save your settings:
hostname # write mem
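Before pointing Helix or a SIEM at the appliance, it is worth confirming from the show logging output that the cef class override really is info, both locally and for each destination, and that the destination transport will not drop events silently. The following Python script is an added example, not code from the guide or the vendor: it parses the sample show logging output shown above (plus a constructed variant with destinations configured, whose "Remote syslog server: <ip> (<proto>/<port>)" line layout is an assumption, not a documented format) and returns the CLI commands from this chapter needed to fix what it finds.

```python
"""Decide whether an Endpoint Security appliance will actually emit CEF logs.
Parses the text printed by `show logging` and derives the remediation commands
the guide documents. Local-setting lines follow the guide's sample output; the
"Remote syslog server: <ip> (<proto>/<port>)" layout for configured
destinations is an ASSUMPTION, not a documented format."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# First lines of the sample output reproduced in the guide: CEF is effectively off.
SAMPLE_DISABLED = """\
Local logging level: notice (OVERRIDES DISABLED)
Override for class cef: none
Remote syslog default level: notice
No remote syslog servers configured.
Receive remote messages via UDP: no
Receive remote messages via TCP: no
Receive remote messages via TLS: no
"""

# Constructed variant (destination-line layout assumed): local CEF override is
# info, one UDP destination forwards CEF, one TCP destination suppresses it.
SAMPLE_REMOTE = """\
Local logging level: notice (OVERRIDES ENABLED)
Override for class cef: info
Remote syslog default level: notice
Remote syslog server: 192.0.2.10 (udp/514)
  Override for class cef: info
Remote syslog server: 192.0.2.20 (tcp/6514)
  Override for class cef: none
"""

REMOTE_RE = re.compile(
    r"^Remote syslog server:\s*(?P<ip>\S+)\s*\((?P<proto>udp|tcp|tls)/(?P<port>\d+)\)",
    re.IGNORECASE)
CEF_RE = re.compile(r"^Override for class cef:\s*(?P<prio>\S+)", re.IGNORECASE)


@dataclass
class RemoteServer:
    ip: str
    proto: str
    port: int
    cef_priority: Optional[str] = None  # per-destination override, if printed


def parse_show_logging(text: str) -> Tuple[Optional[str], List[RemoteServer]]:
    """Return (local cef override, remote servers). An indented cef override
    belongs to the most recently listed remote server."""
    local: Optional[str] = None
    servers: List[RemoteServer] = []
    current: Optional[RemoteServer] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REMOTE_RE.match(line)
        if m:
            current = RemoteServer(m["ip"], m["proto"].lower(), int(m["port"]))
            servers.append(current)
            continue
        m = CEF_RE.match(line)
        if m and raw[:1].isspace() and current is not None:
            current.cef_priority = m["prio"].lower()
        elif m:
            local = m["prio"].lower()
        elif line.startswith("No remote syslog servers configured"):
            servers, current = [], None
    return local, servers


def cef_findings(local: Optional[str], servers: List[RemoteServer]) -> List[str]:
    """The guide's CLI commands needed to get CEF events flowing, plus one
    transport caveat. An empty list means nothing to fix."""
    findings: List[str] = []
    if local != "info":  # the guide: CEF is only logged at the info level
        findings.append("local CEF logging is off (override is %r): "
                        "logging local override class cef priority info" % local)
    if not servers:
        findings.append("no destination, CEF events never leave the appliance: "
                        "logging <IP-address> trap none ; "
                        "logging <IP-address> trap override class cef priority info")
    for srv in servers:
        if srv.cef_priority not in (None, "info"):
            findings.append("%s suppresses the cef class: logging %s trap override "
                            "class cef priority info" % (srv.ip, srv.ip))
        if srv.proto == "udp":
            # UDP syslog is connectionless: dropped datagrams are never reported,
            # so a gap in the SIEM goes unnoticed. The guide documents TCP.
            findings.append("%s uses UDP, lost events are silent: "
                            "logging %s protocol tcp" % (srv.ip, srv.ip))
    return findings
```

Run the two parse/findings pairs against output captured from your own appliance to see which of the commands in this chapter are still outstanding.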

Disabling Local CEF Logging


To disable local CEF logging:

1. Enable the CLI configuration mode:


hostname > enable
hostname # configure terminal

2. Disable CEF logging:
hostname # logging local override class cef priority none

3. Save your settings:


hostname # write mem

SIEM Example: Setting Up an Endpoint Security Integration Connector with ArcSight
The SIEM example in this section describes how to integrate the Trellix Endpoint Security-
specific integration connector with ArcSight's Flex CounterACT SDK (SmartConnector).
After this integration has been established, it can be used for communication from the
ArcSight Security Information and Event Management (SIEM) solution to the Endpoint
Security appliance.
Follow the steps below, along with your vendor documentation, to install and configure
the integration connector. If you need help setting up an integration connector with your
SIEM, contact FireEye Customer Support.

This guide refers to ArcSight and its ESM manager or console as examples of SIEM
integration methods and objectives. For example, analysts can use the ArcSight ESM
console's Integration Command menu or rules to automate the process of requesting
acquisitions for a SIEM event. Your ArcSight vendor can provide information about
creating and using ArcSight integration commands. FireEye Support can provide you with
information about using the integration connector with other SIEM solutions.

FireEye supports the use of the ArcSight Smart Connector type 10.0.5. The ArcSight
to Endpoint Security connector port must be 3000 (TCP). The Endpoint Security to
ArcSight syslog port is configurable.

FireEye recommends that you use Java 7 or later with ArcSight and that your Java
class path is updated to point to this Java version. If you use an earlier version of
Java, SSL errors may occur.

Prerequisites
• Administrative permissions to the machine on which you are installing the
integration connector.
• An Endpoint Security Admin or Operator account.
• An Endpoint Security API Analyst account you have created specifically for the
connector.
• A copy of the integration connector installation package
(FireEye\ArcSight\Connector\Install\10.0.5.zip available on SFDC).
• Either of the following types of certificates:
  ◦ A self-signed development certificate created using OpenSSL (according to the
procedure described in Creating a Self-Signed Development Certificate).
  ◦ A valid certificate that you have purchased from your chosen provider.

Creating a Self-Signed Development Certificate


Follow these steps to create a self-signed development certificate for installing the
integration connector.

The certificate must be in .pem format, and it must match the hostname of the
Endpoint Security server.

To create a self-signed development certificate:

1. On a machine on which you have installed OpenSSL, enter the following command:
C:\OpenSSL\bin> openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out cert.pem -days 3000

2. At the end of each line, enter the appropriate information for your enterprise in the
format indicated. For example:
Country Name (2 letter code) [XX]: US
State or Province Name (full name) []: Virginia
Locality Name (e.g., city) [Default City]: Bristol
Organization Name (e.g., company) [Default Company Ltd]: FireEye
Organizational Unit Name (e.g., section) []: IT
Common Name (e.g., your name or your server's hostname) []: dti-hx-dev
Email Address []: abc@fireeye.com

OpenSSL generates two files: a self-signed certificate (named cert.pem) and a key
(named key.pem).
3. Download and save the certificate and key files.

Installing the Integration Connector


Follow these steps to install and configure the integration connector.
To install and configure the integration connector:

1. On the machine where you are installing the connector, extract the files from the HX
Connector Installer .zip package to a local folder.
2. Copy the certificate and key files that you generated, or the ones supplied by your
chosen provider into the same folder as the installer files.
3. Rename the certificate: certname.pem.
4. Log in to the server Web UI as an administrator.
5. On the Admin menu, select Appliance Settings.
6. Select Certificates on the sidebar. The Certificate Management page appears.
7. On the Certificate Management page, install the certificate:
  • To install the self-signed certificate that you created in Creating a Self-Signed
Development Certificate, upload the Certificate and Private Key.
  • To install a certificate provided by your chosen provider, upload the
Certificate, Private Key, and CA Certificate.
8. Click Update.

You are logged out of the Endpoint Security server, and the login screen reloads
with the following message:
1 notice
• The Web Server is currently restarting
• Please wait for about 20 seconds and try again
• If this condition persists, please Contact FireEye Support
9. On the machine where you installed the connector, edit the
fireeye-connector.properties file, and enter the appropriate parameters for the
Endpoint Security target:

appliance  HX
hostname   The hostname of the Endpoint Security server
username   The username of the API Analyst account
password   The password of the API Analyst account
cert       certname.pem

The hostname you enter must match the hostname in the certificate.
If the hostname you enter is not registered in DNS, you must map the hostname
to the IP address in the operating system's hosts file on the machine where you
are installing the connector.

10. Run the ArcSight SmartConnector installation package installer.

Record the full path of the directory and folder that you use for this
installation. You will need it later. If your enterprise will be using more than
one ArcSight SmartConnector, make sure to choose a unique folder name.

When the installation is complete, the SmartConnector Configuration Wizard opens.
11. Before you configure the SmartConnector, run the install.bat file located in the
HX Connector Installer package. Enter the full path for the ArcSight SmartConnector
installation folder that you recorded in Step 10.
12. Enter 2, when you are asked which Connector type you are installing.
13. If you are using ArcSight ESM 6, export an ArcSight certificate from your ESM
server and transfer the certificate to the server where the ArcSight SmartConnector is
installed.

14. If you are using ArcSight ESM 6, import the certificate.


a. In Windows environments, run cmd.exe using an account with read/write
access to the directory where you are installing the certificate.
In Linux environments, open a command terminal using an account with
read/write access to the directory where you are installing the certificate.
b. In the SmartConnector's bin directory, execute the appropriate command:
arcsight.bat agent keytoolgui (Windows)

./arcsight agent keytoolgui (Linux)

c. Open the keystore under jre/lib/security/cacerts.

The default password is changeit.

d. Import the certificate, navigate to the certificate file, and then save the
keystore.
15. Return to the ArcSight SmartConnector Configuration Wizard.
16. In the Configuration File box, enter HXFlexConnector, and then click Next.
17. Finish performing the steps in the ArcSight SmartConnector Configuration Wizard,
choosing default settings or customizing for your enterprise's SIEM solution, as
appropriate.
If you want the SmartConnector to run as a service, choose the following options:
• Select Yes to start the service automatically when you restart the server on
which it is running.
• Enter unique names for Service Internal Name and Service Display Name, if
your enterprise will have more than one SmartConnector on the server where
you are installing this Connector.

If you want to run the SmartConnector service before the server restarts, you
must start the service manually.

You can validate the success of the installation by using your SIEM console to view events
or perform other actions, such as requesting a triage collection.

PART VII: Appendices

• Enabling and Disabling Endpoint Security Server Quiesce Mode on page 119
• Migrating Between On-Premises Endpoint Security Appliances and Cloud Endpoint
Security Servers on page 133
• Managing Endpoint Security PKI Certificates on page 123

APPENDIX A: Enabling and Disabling Endpoint Security Server Quiesce Mode
If you need to update an operational Endpoint Security environment by adding, removing,
upgrading or restoring a backup to an appliance, enable quiesce mode to make sure you do
not lose any server-generated tasks.
Enabling quiesce mode causes the Endpoint Security server to stop generating tasks and
aborts any queued tasks that have not yet completed on the agent, including file, data, and
triage acquisitions. It also stops the server from accepting new alerts. Enabling quiesce
mode improves the speed of a server upgrade and is most useful for rollbacks and
restoring an appliance from a backup.
After quiesce mode is enabled, the Endpoint Security server enters a quiescing state first,
during which it aborts tasks and processes the output of tasks that have already
completed. When that processing is finished, the server enters a quiesced state.

After updating the Endpoint Security environment, remember to disable quiesce
mode to ensure that the appliance resumes generating tasks and accepting new
alerts.

Enabling and disabling quiesce mode is performed using CLI commands. By default,
quiesce mode is disabled.

• Enabling Quiesce Mode on the next page
• Disabling Quiesce Mode on the next page
• Reviewing Quiesce Mode Status on page 121

Prerequisites
• Admin or fe_services access

Enabling Quiesce Mode


To enable quiesce mode:

1. Enable CLI configuration mode.


hostname > enable
hostname # configure terminal

2. Enable quiesce mode:


hostname (config) # hx server quiesce

3. Save your changes:


hostname (config) # write memory

4. Check the result:


hostname (config) # show hx server general

The following snippet represents the quiesce information from the output of this
show command:
Quiesce Mode:
App Proc: enabled
Message Bus: enabled

Remember to disable quiesce mode after you finish maintaining Endpoint
Security appliances to ensure they resume generating tasks and accepting
alerts.

Disabling Quiesce Mode


To disable quiesce mode:

1. Enable CLI configuration mode.


hostname > enable
hostname # configure terminal

2. Disable quiesce mode:


hostname (config) # no hx server quiesce

3. Save your changes:


hostname (config) # write memory

4. Check the result:


hostname (config) # show hx server general

This is a sample result:


Quiesce Mode:
App Proc: disabled
Message Bus: disabled

Reviewing Quiesce Mode Status


If an Endpoint Security server is quiesced, the following message appears at the top of the
Web UI.

You can review the complete quiesce mode status of an Endpoint Security server or the
separate quiesce mode status for the server application processor and message bus using
the CLI.
To review the quiesce mode status of an Endpoint Security server:

1. Enable CLI configuration mode.


hostname > enable
hostname # configure terminal

2. Review the complete quiesce mode status of the server:


hostname (config) # show hx server general

The following snippet from the output of this command shows that quiesce mode is
enabled for both the application processor and the message bus.
Quiesce Mode:
App Proc: enabled
Message Bus: enabled

3. Review the quiesce mode status of the server application processor:


hostname (config) # show hx app-proc

The following output from this command displays when quiesce mode enabling is
in process for the application processor:
HX App Proc Configuration:
Quiesce Mode: enabled
State: quiescing

The following output from this command displays when the application processor
is fully quiesced:
HX App Proc Configuration:
Quiesce Mode: enabled
State: quiesced

The following output from this command displays when quiesce mode disabling is
in process for the application processor:
HX App Proc Configuration:
Quiesce Mode: disabled
State: quiesced

The following output from this command displays when the application processor
is not in quiesce mode:
HX App Proc Configuration:
Quiesce Mode: disabled
State: running

4. Review the quiesce mode status of the server message bus:


hostname (config) # show hx messagebus

The following sample output from this command shows that quiesce mode is
disabled for the appliance message bus:
HX Message Bus Configuration:
Quiesce Mode: disabled
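The distinction between quiescing and quiesced matters when maintenance is scripted: a backup or upgrade started while the application processor is still quiescing can lose the output of tasks that are being processed. The following Python script is an added example, not code from the guide or the vendor: it parses the show hx app-proc and show hx messagebus outputs reproduced in this appendix and only reports the server as ready once both components are fully quiesced. The run_cli callable (something that executes one CLI command on the appliance and returns its text, for example over SSH) is an assumption; a scripted stand-in is used so the example runs offline.

```python
"""Decide from the appliance's quiesce-status output whether maintenance can
start. The `show hx app-proc` and `show hx messagebus` outputs below are the
ones the guide reproduces. `run_cli` is an ASSUMED callable that executes one
CLI command on the appliance and returns its text (for example over SSH); a
scripted fake stands in for it so the example runs offline."""
from typing import Callable, Dict, Iterator, Tuple

APP_PROC_QUIESCING = "HX App Proc Configuration:\nQuiesce Mode: enabled\nState: quiescing\n"
APP_PROC_QUIESCED = "HX App Proc Configuration:\nQuiesce Mode: enabled\nState: quiesced\n"
APP_PROC_UNQUIESCING = "HX App Proc Configuration:\nQuiesce Mode: disabled\nState: quiesced\n"
APP_PROC_RUNNING = "HX App Proc Configuration:\nQuiesce Mode: disabled\nState: running\n"
MESSAGEBUS_QUIESCED = "HX Message Bus Configuration:\nQuiesce Mode: enabled\n"
MESSAGEBUS_RUNNING = "HX Message Bus Configuration:\nQuiesce Mode: disabled\n"


def parse_kv(output: str) -> Dict[str, str]:
    """Turn 'Key: value' lines into a dict; the heading line carries no value."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip().lower()] = value.strip().lower()
    return fields


def maintenance_state(app_proc_out: str, messagebus_out: str) -> Tuple[bool, str]:
    """True only when the application processor has finished draining
    ('quiesced', not 'quiescing') and the message bus is quiesced too.
    While 'quiescing' the server is still aborting tasks and processing
    completed output, so a backup or upgrade started now can lose results."""
    app = parse_kv(app_proc_out)
    bus = parse_kv(messagebus_out)
    mode, state = app.get("quiesce mode"), app.get("state")
    if mode != "enabled":
        if state == "quiesced":
            return False, "quiesce mode is being disabled; re-enable it with: hx server quiesce"
        return False, "app-proc is %s; enable quiesce mode first: hx server quiesce" % state
    if state != "quiesced":
        return False, "app-proc is still %s, wait" % state
    if bus.get("quiesce mode") != "enabled":
        return False, "message bus is not quiesced"
    return True, "quiesced: safe to add, remove, upgrade or restore"


def wait_until_quiesced(run_cli: Callable[[str], str], max_polls: int) -> Tuple[bool, str]:
    """Poll both show commands until maintenance_state says go, giving up
    after max_polls attempts (a real script would sleep between polls)."""
    reason = "never polled"
    for _ in range(max_polls):
        ok, reason = maintenance_state(run_cli("show hx app-proc"),
                                       run_cli("show hx messagebus"))
        if ok:
            return True, reason
    return False, reason


def scripted_cli(app_proc_outputs: Iterator[str], messagebus_out: str) -> Callable[[str], str]:
    """Fake run_cli: returns successive scripted app-proc outputs (stand-in
    for an SSH session to the appliance)."""
    def run(cmd: str) -> str:
        if cmd == "show hx app-proc":
            return next(app_proc_outputs)
        if cmd == "show hx messagebus":
            return messagebus_out
        raise ValueError("unexpected command: " + cmd)
    return run
```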

APPENDIX B: Managing Endpoint Security PKI Certificates
Endpoint Security public key infrastructure (PKI) certificates are the PKI keys needed to
communicate with the FireEye Endpoint Security Agents.
You can manage Endpoint Security PKI certificates using the CLI.

• Reviewing Certificates and Settings on the next page
• Exporting Certificates on page 125
• Importing Certificates on page 125
• Regenerating Certificates on page 126
• Setting the PKI Certificate Prefix on page 126
• Setting Agent Certificate Authority Duration on page 127
• Setting Agent Certificate Duration on page 128
• Setting Agent Certificate Length on page 127
• Setting Endpoint Security Certificate Authority Duration on page 128
• Setting Endpoint Security Certificate Duration on page 129
• Setting Endpoint Security Certificate Length on page 129
• Setting Endpoint Security CRL Duration on page 130
• Importing an Endpoint Security CRL on page 130
• Regenerating the Endpoint Security CRL on page 130
• Regenerating the Endpoint Security Subordinate PKI on page 131
• Enabling the Provisioning Certificate on page 132
• Disabling the Provisioning Certificate on page 132

Prerequisites
• Admin or fe_services access

Reviewing Certificates and Settings


To review Endpoint Security certificates and settings:

1. Enable CLI configuration mode.


hostname > enable
hostname # configure terminal

2. Review the certificates and certificate settings:


hostname (config) # show hx pki

The following is sample output from this command:


HX PKI Configuration:

Prefix: <prefix>
Agent CA days: 7300
Agent CA key bits: 2048
Agent cert days: 1825
Server CA days: 7300
Server cert key bits: 2048
Server cert days: 1825
Server CRL days: 30

Provisioning cert use enabled: yes

CA: comms
valid from: <timestamp> to <timestamp>
subject: <subject>
fingerprint: <fingerprint>

CA: distro
valid from: <timestamp> to <timestamp>
subject: <subject>
fingerprint: <fingerprint>

CA: agent
valid from: <timestamp> to <timestamp>
subject: <subject>
fingerprint: <fingerprint>

CRL: comms
issued: <timestamp> and expires on <timestamp>
number: <comms_CRL_number>
fingerprint: <fingerprint>

CRL: distro
issued: <timestamp> and expires on <timestamp>
number: <distro_CRL_number>
fingerprint: <fingerprint>

host: <HX_appliance_hostname>
role: ca
last ping: <timestamp>

Exporting Certificates
You can export Endpoint Security public key infrastructure (PKI) certificates to a file. This
is recommended before you upgrade the Endpoint Security server.
To export Endpoint Security PKI certificates:

1. Enable CLI configuration mode.


hostname > enable
hostname # configure terminal

2. Export the certificates to the file identified by <fileURL>:


hostname (config) # hx pki export file <fileURL> passphrase <passphrase>

For example:
hostname (config) # hx pki export file scp://user@host/path/to/file passphrase abc123

Importing Certificates
You can import Endpoint Security public key infrastructure (PKI) certificates from a backup
file. If there were any problems upgrading your appliance that required you to reimage it or
to fully reinstall the software, import the Endpoint Security certificates you exported earlier
so you do not have to reinstall all of your agents.
To import Endpoint Security PKI certificates:

1. Enable CLI configuration mode.


hostname > enable
hostname # configure terminal

2. Import the certificates from the file containing your exported certificates, identified
by <fileURL>:
hostname (config) # hx pki import file <fileURL> passphrase <passphrase>

For example:
hostname (config) # hx pki import file scp://user@host/path/to/file passphrase abc123

Importing certificates automatically detaches any DMZ server from the
Endpoint Security server. You need to reattach them after the certificates are
imported. See the Endpoint Security Server Deployment Guide.

Regenerating Certificates
You can reset the FireEye Endpoint Security Agent and Endpoint Security communications
server public key infrastructure (PKI), including the certificate authorities (CAs).

Using this command orphans any existing agents connected to the
Endpoint Security PKI.

Regenerating certificates automatically detaches any DMZ server from the Endpoint
Security server. You need to reattach them after the certificates are regenerated. See
the Endpoint Security Server Deployment Guide.

To regenerate the PKI and certificate authorities:

1. Enable CLI configuration mode.


hostname > enable
hostname # configure terminal

2. Regenerate the PKI and certificate authorities:


hostname (config) # hx pki regenerate

3. Save your changes:


hostname (config) # write memory

Setting the PKI Certificate Prefix


You can specify the Endpoint Security PKI certificate prefix.
To specify the PKI certificate prefix:

1. Enable CLI configuration mode.


hostname > enable
hostname # configure terminal

2. Set the certificate prefix:


hostname (config) # hx pki subject-prefix <prefix>

where <prefix> is the prefix string.

For example:
hostname (config) # hx pki subject-prefix companyname

3. Save your changes:


hostname (config) # write memory

Setting Agent Certificate Authority Duration
To set the duration of the FireEye Endpoint Security Agent certificate authority (CA):

1. Enable CLI configuration mode.


hostname > enable
hostname # configure terminal

2. Specify the CA duration, in days:


hostname (config) # hx pki agent ca-days <days>

where <days> is the number of days that the agent CA remains active. Valid values
range from 0 to 65535 days. The default is 7300 days.
To set the duration back to the default, use the no form of this command:
hostname (config) # no hx pki agent ca-days

3. Save your changes:


hostname (config) # write memory

Setting Agent Certificate Length


To set the length of FireEye Endpoint Security Agent certificates:

1. Enable CLI configuration mode.


hostname > enable
hostname # configure terminal

2. Specify the certificate length, in bits:


hostname (config) # hx pki agent cert-bits <bits>

where <bits> is the number of bits for the agent certificates. Valid values range
from 1024 to 4096 bits. The default is 2048 bits.
To set the length back to the default, use the no form of this command:
hostname (config) # no hx pki agent cert-bits

3. Save your changes:


hostname (config) # write memory

Setting Agent Certificate Duration


To set the duration of FireEye Endpoint Security Agent certificates:

1. Enable CLI configuration mode.


hostname > enable
hostname # configure terminal

2. Specify the certificate duration, in days:


hostname (config) # hx pki agent cert-days <days>

where <days> is the number of days that the agent certificate remains active. Valid
values range from 0 to 65535 days. The default is 1825 days (5 years).
To set the duration back to the default, use the no form of this command:
hostname (config) # no hx pki agent cert-days

3. Save your changes:


hostname (config) # write memory

Setting Endpoint Security Certificate Authority Duration
To set the duration of the Endpoint Security certificate authority (CA):

1. Enable CLI configuration mode.


hostname > enable
hostname # configure terminal

2. Specify the CA duration, in days:


hostname (config) # hx pki server ca-days <days>

where <days> is the number of days that the Endpoint Security CA remains active.
Valid values range from 0 to 65535 days. The default is 7300 days.
To set the duration back to the default, use the no form of this command:

hostname (config) # no hx pki server ca-days

3. Save your changes:


hostname (config) # write memory

Setting Endpoint Security Certificate Length

To set the length of Endpoint Security certificates:

1. Enable CLI configuration mode.


hostname > enable
hostname # configure terminal

2. Specify the certificate length, in bits:


hostname (config) # hx pki server cert-bits <bits>

where <bits> is the number of bits for the Endpoint Security certificates. Valid
values range from 1024 to 4096 bits. The default is 2048 bits.
To set the length back to the default, use the no form of this command:

hostname (config) # no hx pki server cert-bits

3. Save your changes:


hostname (config) # write memory

Setting Endpoint Security Certificate Duration

To set the duration of Endpoint Security certificates:

1. Enable CLI configuration mode.


hostname > enable
hostname # configure terminal

2. Specify the certificate duration, in days:


hostname (config) # hx pki server cert-days <days>

where <days> is the number of days that the Endpoint Security certificate remains
active. Valid values range from 0 to 65535 days. The default is 1825 days (5 years).
To set the duration back to the default, use the no form of this command:

hostname (config) # no hx pki server cert-days

3. Save your changes:


hostname (config) # write memory


Setting Endpoint Security CRL Duration


When the certificate revocation list (CRL) exceeds this duration setting, the CRL expires.
To set the duration of the Endpoint Security certificate revocation list (CRL):

1. Enable CLI configuration mode.


hostname > enable
hostname # configure terminal

2. Specify the CRL duration, in days:


hostname (config) # hx pki server crl-days <days>

where <days> is the number of days that the Endpoint Security CRL remains active.
Valid values range from 0 to 65535 days. The default is 30 days.
To set the duration back to the default, use the no form of this command:

hostname (config) # no hx pki server crl-days

3. Save your changes:


hostname (config) # write memory

Importing an Endpoint Security CRL


You can import an Endpoint Security certificate revocation list (CRL) from a URL.
To import an Endpoint Security certificate revocation list (CRL):

1. Enable CLI configuration mode.


hostname > enable
hostname # configure terminal

2. Import the CRL:


hostname (config) # hx pki server crl-upload distro <url>

where <url> is the URL from which the CRL should be uploaded.
For example:

hostname (config) # hx pki server crl-upload distro https://10.42.138.20

3. Save your changes:


hostname (config) # write memory

Regenerating the Endpoint Security CRL


You can reset the Endpoint Security communications server revocation list (CRL).


An invalid CRL should correct itself automatically within 30 minutes of the date or
time discrepancy. This command forces the correction to occur immediately.

Using this command detaches any DMZ servers from the Endpoint Security server.
You need to reattach them after running this command.

To regenerate the Endpoint Security CRL:

1. Enable CLI configuration mode.


hostname > enable
hostname # configure terminal

2. Regenerate the CRL:


hostname (config) # hx pki regenerate crl

3. Save your changes:


hostname (config) # write memory

Regenerating the Endpoint Security Subordinate PKI

You can reset the Endpoint Security communications server subordinate public key
infrastructure (PKI). Do this to resolve a date or configuration discrepancy that causes the
subordinate PKI to become invalid.

Using this command invalidates any existing agent tasks.

Using this command detaches any DMZ servers from the Endpoint Security server.
You need to reattach them after running this command.

To regenerate the Endpoint Security subordinate PKI:

1. Enable CLI configuration mode.


hostname > enable
hostname # configure terminal

2. Regenerate the subordinate PKI:


hostname (config) # hx pki regenerate subordinate

3. Save your changes:


hostname (config) # write memory


Enabling the Provisioning Certificate


To enable the use of a provisioning certificate:

1. Enable CLI configuration mode.


hostname > enable
hostname # configure terminal

2. Enable the use of a provisioning certificate:


hostname (config) # hx pki provisioning enabled

3. Save your changes:


hostname (config) # write memory

Disabling the Provisioning Certificate


To disable the use of a provisioning certificate:

1. Enable CLI configuration mode.


hostname > enable
hostname # configure terminal

2. Disable the use of a provisioning certificate:


hostname (config) # no hx pki provisioning enabled

3. Save your changes:


hostname (config) # write memory


APPENDIX C: Migrating Between On-Premises Endpoint Security Appliances and Cloud
Endpoint Security Servers

If your organization has used an on-premises Endpoint Security appliance and you are
moving to a cloud Endpoint Security server, you need to migrate the agents that have
provisioned with the on-premises appliance to the cloud server. This migration is critical
to ensuring that your agents continue to communicate with an Endpoint Security server.
You may also need to migrate some appliance settings from the on-premises appliance to
the cloud server.

NOTE: Trellix does not recommend that you simply change the Domain
Name System (DNS) record of the on-premises appliance to point to the
cloud server. While this can be done, the migration cut-over time may
be uncertain due to long delays between DNS cache updates. This delay
can make it difficult to diagnose migration problems.

A cloud Endpoint Security server is an instance of the Endpoint Security system image
deployed in the Amazon Web Services (AWS) cloud. A single cloud Endpoint Security
environment includes an Endpoint Security (master) server in the AWS cloud. The cloud
Endpoint Security server is the provisioning appliance in a cloud Endpoint Security
environment and all agent communication is with this server.


Prerequisites

• Administrator access
• The on-premises Endpoint Security appliance and cloud Endpoint Security servers
  must both be the primary appliances in your Endpoint environment. When you run
  the show hx ecosystem command on each appliance, the output must include this
  line: Appliance Role: master.
• All Endpoint Security controllers should be running the same operating system.

Migration Steps

Follow these steps to migrate your agents from an on-premises Endpoint Security
appliance to a cloud Endpoint Security server.

1. Remediate all contained hosts in your environment and stop containing them.

   Resolve all containment issues and uncontain all host endpoints before performing
   any further migration steps.
   Contained host endpoints are blocked from communicating with other host endpoints
   and can only communicate with the Endpoint Security server that manages them.
   Consequently, any contained hosts managed by your on-premises Endpoint Security
   appliance will not be able to communicate with the cloud Endpoint Security
   appliance if you migrate your agents without resolving the issues that required
   the hosts to be contained.
   See "Containing Host Endpoints" in the Endpoint Security Server User Guide for
   more information about containment.

2. Confirm connectivity between the on-premises Endpoint Security appliances and
   cloud Endpoint Security servers.

   The on-premises Endpoint Security appliance and cloud Endpoint Security servers
   must be able to connect to each other.
   Do not attempt the migration if connectivity between the on-premises and cloud
   appliances cannot be established.
   See Testing Connectivity Between the On-Premises Appliances and Cloud Endpoint
   Security Servers on page 138.


3. Verify that the on-premises and cloud appliances are running the same versions of
   Endpoint Security software.

   Verify that the versions of the Endpoint Security software installed on your
   on-premises and cloud appliances are the same.
   For each appliance, use the procedure described in Identifying the Endpoint
   Security Software Version on an Appliance on page 138 to identify the installed
   Endpoint Security software versions.
   If the on-premises and cloud appliances are not running the same versions of
   Endpoint Security software, upgrade the appliance running the older version of
   the Endpoint Security software. See "Upgrading the FireEye Software" in the
   Endpoint Security System Administration Guide.

4. Enable quiesce mode for the on-premises Endpoint Security Series appliance.

   The on-premises appliance must be put into quiesce mode. Enabling quiesce mode
   causes the Endpoint Security appliance to stop generating tasks and aborts any
   queued tasks that have not yet completed on the agent, including file, data, and
   triage acquisitions, and it stops the appliance from accepting new alerts. See
   Enabling and Disabling Endpoint Security Server Quiesce Mode on page 119.

5. Ensure that all agents have completed or aborted any ongoing jobs to the appliance.

   After putting the on-premises Endpoint Security appliance into quiesce mode, you
   must ensure that all of the agents have completed or aborted any ongoing jobs to
   the appliance. You can verify that the show hx app-proc command states the
   appliance is running quiesced and verify that the show hx messagebus command
   states that Quiesce mode is enabled.

6. Collect information and CA certificates for the cloud ecosystem.

   Collect information about the cloud Endpoint Security server IP address, the
   server address list (SAL), and the CA certificates in your cloud Endpoint
   Security ecosystem. See Collecting Cloud Server Information and CA Certificates
   on page 139.
   You will need to restore these later in this procedure.


7. Detach any on-premises HXD (DMZ) appliances or convert the HXD appliances to
   TCP relays.

   If all of your host endpoints can communicate directly with the on-premises
   Endpoint Security appliance, detach your on-premises HXD appliances. See
   Detaching On-Premises HXD Appliances on page 141.
   If this is not possible, convert your on-premises HXD appliances into TCP relays
   to the on-premises Endpoint Security appliance. See Converting an On-Premises
   HXD Appliance Into a TCP Relay on page 142.
   NOTE: FireEye recommends that you detach your on-premises HXD appliances, rather
   than use them as TCP relays.

8. Create a full backup of the on-premises Endpoint Security appliance.

   Create a full backup of the on-premises Endpoint Security appliance. If you use
   the CLI, use the backup profile full to local command. Verify you have enough
   disk space before attempting the backup.
   See "Backing Up the Database" in the Endpoint Security System Administration
   Guide.

9. Create a full backup of the cloud Endpoint Security (primary) server in the cloud
   ecosystem.

   Create a full backup of the cloud Endpoint Security (primary) server in your
   cloud Endpoint Security ecosystem. This will ensure your system can be restored
   to its original state if a problem in the migration should occur.
   See "Backing Up the Database" in the Endpoint Security System Administration
   Guide.

10. (Optional) Download the full backup of the on-premises Endpoint Security
    appliance.

    Download the full backup of the on-premises appliance you created in Step 8.
    See "Downloading Backup Files" in the Endpoint Security System Administration
    Guide.

11. (Optional) Upload the backup of the on-premises Endpoint Security appliance onto
    the cloud Endpoint Security server.

    Upload the full backup of the on-premises Endpoint Security appliance onto the
    cloud Endpoint Security server using either the Web UI or the CLI.
    Trellix recommends using the CLI restore profile full from local backup
    <backup file name> command so any problems that occur are more easily
    identified.
    See "Restoring the Database from a Backup File" in the Endpoint Security System
    Administration Guide.


12. (Mandatory if you performed Steps 10 and 11) Restore your original cloud
    configuration.

    Restore the configuration from the cloud Endpoint Security full backup to
    restore the cloud-specific configuration. You can use the command restore
    profile config from local backup <backup file name> to restore the
    configuration.

13. (Optional) Reset the password of the cloud Endpoint Security server.

    Reset the cloud Endpoint Security server password. It was set to the password
    of the on-premises appliance when you uploaded the backup in Step 11. See
    "Authentication" in the System Security Guide.
    You can use the on-premises appliance password, but bear in mind that cloud
    passwords should be stronger due to the number of illegal attempts to log in
    to cloud (Amazon Web Services) servers.

14. Verify the defined users and user roles are set appropriately for the cloud
    Endpoint Security server.

    Verify the cloud Endpoint Security server users and user role (AAA) settings.
    These were overwritten with the on-premises appliance AAA settings when you
    uploaded the backup in Step 11. See "Authorization" in the System Security
    Guide.

15. Set up the server address list in the cloud Endpoint Security ecosystem.

    Using the cloud Endpoint Security Web UI, set up the server address list for
    the cloud Endpoint Security ecosystem. See Setting Up the Server Address List
    for the Cloud Endpoint Security Ecosystem on page 142.

16. Restore the cloud ecosystem certificates.

    Restore the cloud Endpoint Security ecosystem certificates that you downloaded
    in Downloading the Root and Intermediate CA Certificates of the Cloud Endpoint
    Security Ecosystem on page 141. See "Certificates" in the System Security
    Guide.

17. Disable quiesce mode for the cloud Endpoint Security appliance.

    The cloud Endpoint Security server entered the quiesced state when the
    on-premises Endpoint Security backup was uploaded to it in Step 11. Disable
    quiesce mode for the cloud server. See Enabling and Disabling Endpoint Security
    Server Quiesce Mode on page 119.

18. Convert the on-premises Endpoint Security appliance to a TCP relay for the cloud
    Endpoint Security server.

    Convert the on-premises Endpoint Security appliance into a TCP relay for the
    cloud Endpoint Security server. See Converting the On-Premises Endpoint Security
    Appliance Into a TCP Relay on page 143.


When you complete these steps, the agents will initially connect to the on-premises
Endpoint Security appliance, but will be relayed to the cloud Endpoint Security server. In
time, the cloud server will send the agents a new configuration file that includes
provisioning information for the cloud Endpoint Security server. After the agents receive
the new configuration file, they will connect directly to the cloud Endpoint Security server.
When all agents are connected directly to the cloud Endpoint Security server, the on-
premises Endpoint Security appliance will no longer be needed and can be shut down.

Testing Connectivity Between the On-Premises Appliances and Cloud Endpoint
Security Servers

To test connectivity between the on-premises Endpoint Security appliances and
cloud Endpoint Security servers using the CLI:

1. Log in to the on-premises Endpoint Security appliance using the SSH protocol and
the IP address or hostname of the appliance's management interface.
2. Enable CLI configuration mode.
hostname > enable
hostname # configure terminal

3. Telnet to the cloud Endpoint Security server on port 80:


hostname # telnet <hostname-or-IPaddress> 80

where <hostname-or-IPaddress> is the host name or public IP address of the cloud
Endpoint Security appliance.
4. In the output from this command, verify that telnet succeeds in making a
connection.
Trying <IPaddress-or-host-name>...
Connected to <IPaddress-or-host-name>.
Escape character is '^]'.

5. Repeat these steps with the on-premises HXD (DMZ) appliance, if there is one.

Identifying the Endpoint Security Software Version on an Appliance

You can identify the version of Endpoint Security software installed on an Endpoint
Security server using the Web UI or the CLI.

Identifying the Endpoint Security Software Version using the Web UI

To identify the version of Endpoint Security software on an Endpoint Security appliance
using the Web UI:

1. Log in to the Web UI of the Endpoint Security server.


2. Select Appliance Settings on the Admin menu.
3. Click the About button.
The FireEye System Information page appears.
4. Click the Update button.
The Appliance Update page appears. The version of Endpoint Security software
installed on the server is displayed in the Installed Version column of the
Appliance Image row.

Identifying the Endpoint Security Software Version using the CLI

To identify the version of Endpoint Security software on an Endpoint Security server
using the CLI:

1. Log in to the Endpoint Security server using the SSH protocol and the IP address or
host name of the server's management interface.
2. Enable CLI configuration mode.
hostname > enable
hostname # configure terminal

3. Run the following command to view the version of Endpoint Security software:
hostname # show version

The version number is shown in the Product release line of the command output.

Collecting Cloud Server Information and CA Certificates

Obtain the following cloud information:

• the server address list of the cloud Endpoint Security ecosystem
• the root and intermediate CA certificates of the cloud Endpoint Security ecosystem

This information will be used after the migration is complete.


Recording the Server Address List Settings of the Cloud Endpoint Security Ecosystem

To list the server address list settings of the cloud Endpoint Security ecosystem using the
CLI:

1. Log in to the cloud Endpoint Security server using the SSH protocol and the
IP address or host name of the server's management interface.
2. Enable CLI configuration mode.
hostname > enable
hostname # configure terminal

3. Run the following CLI command:


hostname # show hx agent

The server address list is listed in the Server section at the end of the output from
this command:

HX Endpoint Agent Configuration:
  Poll Interval: 10 min
  Fast Poll Interval: 1 min
  Config Poll Interval: 15 min
  Refresh Indicator Interval: 30 min
  Real Time Detection: enabled
  Real Time Detection Whitelist: disabled
    No entries.
  Maximum CPU Usage: 100%
  Event Buffer Size: 120 MB
  Resource Use Exception: disabled
    Exception Maximum CPU Usage: 50%
    Exception Event Buffer Size: 10 MB
  Concurrent Host Exception: disabled
    Concurrent Host Limit: 50
  Agent Log Exception: disabled
    Agent Log Level: INFO
  Server 0
    Hostname: <host name>
    Provisioning: enabled
    Legacy Primary: enabled

4. Record the host name or IP address of the server shown in this list that has
provisioning enabled.


Downloading the Root and Intermediate CA Certificates of the Cloud Endpoint Security
Ecosystem

To download the root and intermediate CA certificates of the cloud Endpoint Security
ecosystem:

1. Log in to the Web UI of the cloud Endpoint Security server.


2. Select Appliance Settings on the Admin menu.
3. Select the Certificates/Keys tab.
4. Click the Export button for the root and intermediate CA certificates in the
CA Certificates section of the Certificates/Keys tab.
The CA certificates for the cloud Endpoint Security server are downloaded. Save
these files. They will need to be restored later.

Detaching On-Premises HXD Appliances


To detach an on-premises HXD appliance using the CLI:

1. Log in to the on-premises Endpoint Security appliance using the SSH protocol and
   the IP address or host name of the appliance's management interface.
2. Enable CLI configuration mode.
hostname > enable
hostname # configure terminal

3. Detach an HXD appliance from the Endpoint Security appliance:


hostname # no hx ecosystem dmz <dmz-hostname-or-IP>

where <dmz-hostname-or-IP> is the host name or IP address of an HXD appliance.

Repeat this step for each on-premises HXD appliance in your environment.
4. Verify that no HXD appliances are attached to the Endpoint Security appliance:
   • View the ecosystem roles:

     hostname (config) # show hx ecosystem

     The list of current HX ecosystem configuration roles should not contain any
     HXD appliances.

   • View the PKI settings:

     hostname (config) # show hx pki

     The response should not include information about any HXD appliances.
5. If any HXD appliances are listed in the output of these commands, repeat Steps 3
and 4 until no HXD appliances appear.


6. Save your changes.


hostname (config) # write memory

When the on-premises HXD appliances are detached from the Endpoint Security
appliance, the agents will revert to using the on-premises Endpoint Security appliance.

Converting an On-Premises HXD Appliance Into a TCP Relay

To convert an on-premises HXD appliance into a TCP relay for the on-premises
HX appliance using the CLI:

1. Log in to the on-premises HXD appliance using the SSH protocol and the IP address
or host name of the appliance's management interface.
2. Enable CLI configuration mode.
hostname > enable
hostname # configure terminal

3. Convert the on-premises HXD appliance into a TCP relay to the on-premises HX
appliance:
hostname # hx rproxy relay <ip address>

where <ip address> is the public IP address of the on-premises HX appliance.


4. Save your changes:
hostname (config) # write memory

If the HXD appliance is in relay mode when it is upgraded, relay mode must be
reenabled after the upgrade completes.

Setting Up the Server Address List for the Cloud Endpoint Security Ecosystem

Agents attempt to connect to the first Endpoint Security server listed in the server address
list. If the first server is unavailable, the agent then attempts to reach the second server,
and so on.
The cloud Endpoint Security server must be the first server listed in the server address list.
The on-premises Endpoint Security appliance must be the second server listed in the server
address list.


To set up the server address list for the cloud Endpoint Security ecosystem:

1. Log in to the Web UI of the Endpoint Security server.


2. Select Policies on the Admin menu. The Policies page appears.
3. Select Agent Default policy in the list.
4. Select the Server Addresses tab on the Agent Default policy page.
5. In the Enter server address of the appliance(s) text box, enter the host name or
IP address of the cloud Endpoint Security server you identified in Recording the
Server Address List Settings of the Cloud Endpoint Security Ecosystem on page 140.
6. Click Add.
The IP address or DNS host name of the cloud Endpoint Security server should be
listed first in the server address list.
7. In the Enable Provisioning section, indicate your provisioning servers and your
primary server by selecting the check box.
8. Click Save in the upper right corner to save the policy changes.
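The ordering rule above (cloud server first, on-premises appliance second, provisioning enabled on the cloud server) can be checked offline against the Server blocks that show hx agent prints (see Recording the Server Address List Settings of the Cloud Endpoint Security Ecosystem on page 140). The following Python script is an added example, not part of this guide or of the product; its sample output and host names are constructed placeholders, and the second Server block is assumed.

```python
"""Check the agent server address list shown by 'show hx agent'.

Added example for this guide (not Trellix/FireEye code). It parses the
'Server N' blocks that the command prints (Hostname, Provisioning,
Legacy Primary) and checks the migration rule: the cloud server must be
listed first, the on-premises appliance second, and provisioning must be
enabled on the cloud server. SAMPLE_OUTPUT is constructed; host names
are placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout the guide shows, with a second
# Server block assumed for the on-premises appliance.
SAMPLE_OUTPUT = """\
HX Endpoint Agent Configuration:
  Poll Interval: 10 min
  Fast Poll Interval: 1 min
  Config Poll Interval: 15 min
  Real Time Detection: enabled
  Agent Log Level: INFO
  Server 0
    Hostname: hx-cloud.example.invalid
    Provisioning: enabled
    Legacy Primary: enabled
  Server 1
    Hostname: hx-onprem.example.invalid
    Provisioning: disabled
    Legacy Primary: disabled
"""

CLOUD_HOST = "hx-cloud.example.invalid"    # placeholder cloud server
ONPREM_HOST = "hx-onprem.example.invalid"  # placeholder on-premises appliance

SERVER_HEADER = re.compile(r"^\s*Server\s+(\d+)\s*$")
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


@dataclass
class ServerEntry:
    index: int
    hostname: str = ""
    provisioning: bool = False
    legacy_primary: bool = False


def parse_server_list(output: str) -> List[ServerEntry]:
    """Return the Server entries in list order (index 0 is tried first)."""
    servers: List[ServerEntry] = []
    current: Optional[ServerEntry] = None
    for line in output.splitlines():
        header = SERVER_HEADER.match(line)
        if header:
            current = ServerEntry(index=int(header.group(1)))
            servers.append(current)
            continue
        if current is None:
            continue  # agent settings above the Server section are not needed
        field = FIELD.match(line)
        if not field:
            continue
        key = field.group(1).strip().lower()
        value = field.group(2).strip()
        if key == "hostname":
            current.hostname = value.lower()
        elif key == "provisioning":
            current.provisioning = value.lower() == "enabled"
        elif key == "legacy primary":
            current.legacy_primary = value.lower() == "enabled"
    return sorted(servers, key=lambda s: s.index)


def check_migration_order(servers: List[ServerEntry], cloud_host: str,
                          onprem_host: str) -> List[str]:
    """Return the problems found; an empty list means the order is right.

    Agents try entry 0 first and fall through to entry 1 only if it is
    unreachable, so a reversed list keeps agents on the old appliance.
    """
    problems: List[str] = []
    if not servers:
        return ["no Server entries found in the command output"]
    first = servers[0]
    if first.hostname != cloud_host.lower():
        problems.append(f"first entry is {first.hostname!r}, expected cloud server {cloud_host!r}")
    if not first.provisioning:
        problems.append("first entry does not have provisioning enabled")
    if len(servers) < 2:
        problems.append("on-premises appliance is missing as the second entry")
    elif servers[1].hostname != onprem_host.lower():
        problems.append(f"second entry is {servers[1].hostname!r}, expected on-premises appliance {onprem_host!r}")
    return problems


if __name__ == "__main__":
    entries = parse_server_list(SAMPLE_OUTPUT)
    for line in check_migration_order(entries, CLOUD_HOST, ONPREM_HOST) or ["server address list order is correct"]:
        print(line)
```

Paste the real output of show hx agent in place of SAMPLE_OUTPUT and set the two host constants to your own servers before running it.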

Converting the On-Premises Endpoint Security Appliance Into a TCP Relay

To convert the on-premises Endpoint Security appliance into a TCP relay for the cloud
Endpoint Security server using the CLI:

1. Log in to the on-premises Endpoint Security appliance using the SSH protocol and
the IP address or host name of the appliance's management interface.
2. Enable CLI configuration mode.
hostname > enable
hostname # configure terminal

3. Convert the on-premises Endpoint Security appliance into a TCP relay to the cloud
Endpoint Security server:
hostname # hx rproxy relay <ip-address-or-host-name>

where <ip-address-or-host-name> is the host name or public IP address for the
cloud Endpoint Security ecosystem. You collected this information for the cloud
Endpoint Security ecosystem before the on-premises Endpoint Security appliance
backup was uploaded to the cloud Endpoint Security server. See Recording the
Server Address List Settings of the Cloud Endpoint Security Ecosystem on page 140.
4. Save your changes:
hostname (config) # write memory


If the Endpoint Security appliance is in relay mode when it is upgraded, relay mode
must be re-enabled after the upgrade completes.



Technical Support

For technical support, contact Trellix through the Support portal:


https://www.trellix.com/en-us/support.html

Documentation
Documentation for all Trellix products is available on the Trellix Documentation Portal
(login required):
https://docs.fireeye.com/



Trellix | 601 McCarthy Blvd. | Milpitas, CA | 1.408.321.6300 | 1.877.347.3393 | www.trellix.com
