Professional Documents
Culture Documents
Copyright 2015 - 2022 FireMon, LLC. All rights reserved. This product and related documentation are
protected by copyright and distributed under licensing restricting their use, copying, distribution,
and decompilation. No part of this product or related documentation may be reproduced in any
form or by any means without the written authorization of FireMon, LLC. All right, title, and interest
in the product shall remain with FireMon and its licensors.
This product and related documentation are provided under a license agreement containing
restrictions on use and disclosure and are protected by intellectual property laws.
This product and documentation may provide access to or information on content, products, and
services from third parties. FireMon, LLC is not responsible for and expressly disclaim all warranties
of any kind with respect to third-party content, products, and services. FireMon, LLC will not be
responsible for any loss, costs, or damages incurred due to your access to or use of third-party
content, products, or services.
The information in this document is subject to change without notice and is not warranted to be
error-free. If you find any errors, please report them to us in writing.
FireMon is a registered trademark of FireMon, LLC. All other products or company names
mentioned herein are trademarks or registered trademarks of their respective owners.
Contents
Copyright Notice 2
Cont ent s 3
FM OS Deployment Topics 14
What is FMOS? 14
Why FMOS? 14
Supported Platforms 15
Non-FM Appliance 15
Virtual Machine 15
Cloud-based 16
System Requirements 17
Machine Specifications 17
Full Install 17
DC Only Install 17
FM Appliance Specs 18
Network Topology 18
SIP Ecosystem 20
SIP Roles 20
Deployment Scenarios 20
Single-Server 21
Partially Distributed 21
Fully Distributed 21
Multiple-Database Mode 21
Role Hierarchy 22
Build Variants 24
Distribution Formats 24
Install FMOS 26
Ecosystem Setup 26
Initial Configuration 26
Network Configuration 28
Network Time 29
Organization 29
User 29
Notifications 30
Email Notifications 30
SMTP Settings 30
Deployment Environment 30
Machine Configuration 33
Organization Information 34
Setup UI Administration 38
Organization Information 39
Machine Configuration 40
CFT 41
Microsoft Azure 43
Setup UI Administration 44
Organization Information 45
Prerequisites 47
Network Communication 48
Step 1: Setup 49
Standby Servers 51
Manual Switchover 51
Promote a Standby 51
Recover CA Role 52
Automatic Failover 53
Setting up a Load Balancer when not terminating SSL at the Load Balancer 55
Reprovision an Ecosystem 58
FMOS Users 69
Unprivileged Users 69
Privileged Users 70
FireMon Administrators 70
Backup Operator 70
Delete a User 74
Authentication Servers 76
External Authentication 76
Authorization 76
Authentication 76
LDAP 77
Attribute Mapping 77
Object Filtering 78
Encryption (TLS) 78
Privileged Groups 79
Kerberos 84
Certificates 89
About Certificates 89
Command-Line Interface 89
Example 1 96
Example 2 96
Configuration Commands 99
Playbooks 109
Example 1 114
Example 2 115
Example 115
Example 1 116
Example 2 116
Example 2 117
Recovery 117
Migration 118
Logout 142
Home 144
OS 147
Authentication 149
Backups 151
SecMgr 160
Apache 160
NdExec 160
SecMgr 161
Workflow 161
Enable TCP Syslog 161
Examples 163
Example 164
Troubleshooting 165
Why FMOS?
To ensure all FireMon customers have a consistent experience when using FireMon software, FMOS
does not allow any users, including users with the FMOS Administrator privilege, to make direct
changes to any operating system or application configuration. FMOS provides an extensive set of
configuration options itself, which can be used to customize the FireMon software, the operating
system, and third-party software included in FMOS. The FireMon development team has evaluated
these configuration options and tests them for compatibility in a range of scenarios to identify and
eliminate issues and potential issues.
FMOS manages configuration files, kernel parameters, security options, user accounts, and more.
In addition to ensuring a consistent user experience and helping administrators avoid
misconfiguration, this approach has powerful security benefits. Limiting users’ access to prescribed
operations shrinks the attack surface area of the system dramatically.
Operating system security updates are provided by FireMon as part of our regular software
releases. With each release, the operating system package set is fully tested for compatibility with
our products – quality assurance that an administrator running SIP software on a different Linux
platform would have to do on their own.
As the FireMon Security Intelligence Platform module suite grows and evolves, so does FMOS. Each
release of FMOS includes additional functionality to simplify deployments, increase security, or
solve problems.
Supported Platforms
Regardless of platform type, system resources have to be available at the recommended system
requirements as documented in this guide based on number of devices and load observed on the
system given your specific deployment environment. FMOS follows CentOS 8 supported devices
from drivers perspective.
FireMon provides FMOS distribution options and deployment instructions for the mentioned
platforms. For other systems, standard steps should be used and performed by personnel on given
platform. FMOS can be deployed on mentioned platforms, FireMon Support does provide support
for FMOS but not operation, configuration or troubleshooting of the mentioned platforms unless it
is an FM appliance.
l An FM appliance (at least one for a single deployment, more for distributed deployments).
l Security Intelligence Platform components: application server, database, one or more data
collectors, and a license for SIP.
Non-FM Appliance
An installation consists of:
l A physical or virtual machine in your environment (at least one for a single deployment, more
for distributed deployments).
l Security Intelligence Platform components: application server, database, one or more data
collectors, and a license for SIP.
If you are installing FMOS on a non-FM appliance machine, your hardware must meet or exceed
the system recommendations.
Virtual Machine
Virtual platforms that have been tested and are supported:
l VMware
l A virtual machine in your environment (at least one for a single deployment, more for dis-
tributed deployments).
l Security Intelligence Platform components: application server, database, one or more data
collectors, and a license for SIP.
Cloud-based
Cloud-based platforms that have been tested and are supported:
l Microsoft Azure
System Requirements
Machine Specifications
Recommended system requirements are based on SIP best practices. Failing to meet these
recommendations can lead to possible performance issues.
Not e: We recommend accessing SIP using one of the following supported browsers: Mozilla
Firefox, Google Chrome, Microsoft Edge, and Apple Safari with a minimum screen resolution of
1280 x 800.
When first installing FMOS, the initial configuration wizard will check the local system to ensure it
meets the recommended system requirements. These requirements provide a baseline for all
deployments. When planning the deployment, consider the following guidelines:
l Servers with the database (DB) role will require very large amounts of RAM, especially when
generating reports or running assessments.
l Servers with the application server (AS) role will use a large amount of RAM and CPU time,
and demand will increase as the number of users grows.
l Servers with the data collector (DC) role will use large amounts of RAM and CPU time, and
demand will increase as the number of monitored devices grows.
These are the recommended system requirements, based on FM appliance system specifications. If
you are using your own machine hardware, it is recommended that it has a system equivalent to an
FM appliance.
Machines running the full or cloud variant of FMOS must have at least these specifications:
Machines running the dconly variant of FMOS must have at least these specifications:
FM Appliance Specs
These are the FM Appliances that machine specifications are based on. FireMon offers three
purpose-built Dell machines to run FireMon SIP solutions in your enterprise or MSSP environment.
Whether you’re monitoring 100 devices or 15,000, on one continent or around the world, we offer
an FM appliance with the power and storage capacity to deliver FireMon’s high-performance, highly
scalable firewall management and risk analysis solutions.
2x Intel Xeon Gold 2x Intel Xeon Gold 2x Intel Xeon Gold 6140
Processor
6134 (3.2 GHz) 6128 (3.4 GHz) (2.3 GHz)
4x 600 GB 15K RPM 12 2x 240 GB 6 Gbit/s 2.5” 16x 300 GB 15K RPM 12
Storage
Gbit/s 2.5” SAS HDD SATA SSD Gbit/s 2.5” SAS HDD
Network Topology
When deploying multiple servers, consider the following guidelines for best overall performance:
l All servers holding the application server role must be on the same network segment.
l If the application server and database roles are held by separate servers, those servers
should be on the same network segment, with a very high bandwidth connection between
them.
l Servers holding the data collector role should be located logically near the devices they mon-
itor.
l Application servers must be able to resolve the database server by fully qualified domain
name (FQDN).
l IP protocol 50 (ESP)
l IGMP
l IP protocol 50
* Not e: TCP port 55555 is required for the DB to access the FMOS Control Panel UI but is optional
for AS and DC. If you do not want to open port 55555, you can use CLI commands within the DB.
SIP Ecosystem
SIP Roles
To facilitate the distributed capabilities of the SIP software suite, FMOS provides tools for deploying
multiple servers that communicate with one another. Each server can hold one or more roles,
which define its responsibilities and the components of SIP that it runs.
l Applicat ion Server (AS): Servers with this role run the SecMgr and Workflow services and
expose their HTTP APIs to network consumers. These servers also expose the web-based
user interface applications. An ecosystem must have at least one server with this role.
l Cert ificat e Aut horit y (CA): FMOS uses TLS and IPsec to enable secure communication
between SIP components, including the PostgreSQL database, the Elasticsearch index,
SecMgr, the Data Collector, etc. These protocols use X.509 certificates to authenticate the
communicating parties to one another. FMOS manages an X.509 Certificate Authority to
issue and validate these certificates. Exactly one machine in the FMOS ecosystem must have
this role. Under normal circumstances, the first machine created in the ecosystem will hold
the CA role.
l Dat abase Server (DB): Servers with this role run the PostgreSQL database management
engine, which houses the data used by FireMon Security Manager. Additionally, these servers
store data, such as normalized configuration, in files on the filesystem, which can be shared
with other servers in the ecosystem. An ecosystem can have exactly one server with this role.
l Dat a Collect or (DC): Servers with this role are responsible for communicating with devices
managed by Security Manager, for example to retrieve configuration and process log
messages. An ecosystem must have at least one server with this role.
l Ent erprise Search (ES): Servers with this role run Elasticsearch to provide high-performance
search capability for FireMon Security Manager. There must be at least one machine with this
role in the ecosystem. It is typically held by the same servers that hold the Database Server
(DB) role.
A server may run a combination of roles as well. It is very common for a single server to hold all
three roles. In medium-sized environments, it is likely that there will be one server that holds the AS
and DB roles, and one or more separate servers with the DC role. Very large environments may
have one server with the DB role, and many servers with each of the other roles.
Deployment Scenarios
FMOS supports several deployment scenarios, each with specific strengths. The size of the
deployment will mostly depend on which features (modules) of SIP will be used, how many devices
it will monitor, and many other factors. FMOS cannot make specific recommendations on which
scenario is correct for any specific case. In general, however, the larger deployment scenarios tend
to perform better than the smaller ones.
Single-Server
In a single-server deployment (also called an all-in-one or AIO deployment), a single machine holds all
of the SIP roles. This is very easy to set up, and requires very little maintenance. It also performs
extremely poorly in almost all cases, so its use should be limited to demonstration or evaluation
purposes only.
A partially distributed deployment is one where one machine holds the AS, CA, DB, and ES roles, with
one or more separate machines holding the DC role. This type of deployment is useful in small
environments where the machine serving the HTTP API and Web UI is not able to directly
communicate with the devices Security Manager monitors. Like the single-server deployment,
performance in this type of scenario is generally poor, so its use is discouraged.
In a fully distributed deployment, each SIP role is held by a separate machine. Such a deployment
requires at least three machines: 1 CA+DB+ES, 1 AS, and 1 DC. This type of deployment takes
advantage of the horizontal scalability built into each component of SIP; performance of a
component increases with the number of those components present in the ecosystem.
Not e: This type of deployment, while more difficult to deploy, is strongly encouraged for all use
cases.
In a fully distributed ecosystem, FMOS requires a shared filesystem for AS machines to store non-
relational data (such as normalized configuration files, etc.). In single-database mode, the machine
holding the DB role shares its local filesystem with the AS machines using NFS. In multi-database
mode, the DB machines form a clustered filesystem that replicates its contents to each DB machine.
The AS machines access this cluster using NFS.
By default, FMOS only allows a single machine in the ecosystem to hold the DB and ES roles. To
facilitate rapid disaster recovery scenarios, FMOS can be configured for multi-database mode. In this
mode, additional machines can hold these roles in a standby capacity. The original database
machine operates as a primary server, replicating its changes to the standby machines. In the event
of a failure, one of the standby machines can be promoted to become the primary.
Role Hierarchy
Machines in an FMOS ecosystem are organized hierarchically. The relationship between machines
is described as superior or subordinate. In a typical ecosystem, the machine that holds the DB role
is the superior of all of the machines with the AS role. Thus, the AS machines are subordinates of
the DB machine. Similarly, machines that hold the DC role are subordinates of a machine with the
AS role.
The figure below shows the relationship between roles in a fully distributed ecosystem. The arrows
point to the superior server of each role.
l Will the server holding the DB role be separate from the server holding the AS role?
l Will the servers holding the DC role be separate from the AS roles?
It is a good idea to list each server that will exist within the ecosystem, which roles it will hold, as
well as its host name and network settings before beginning.
Build Variants
Every FMOS version is produced in multiple variants. Each variant is designed to serve a specific
purpose. When installing FMOS on a new machine, be sure to select the proper variant:
l Cloud: This variant is intended to be used for Cloud deployments, such as Microsoft Azure or
Amazon Web Services. It contains all of the Security Intelligence Platform application com-
ponents and all supporting software.
l DC Only: This variant only contains the Data Collector application component for the Secur-
ity Intelligence Platform.
l Full: This is the default variant. It contains all of the Security Intelligence Platform application
components, including the Security Manager server, the data collector, and all supporting
software such as PostgreSQL and elastic search.
Distribution Formats
Each FMOS build variant is distributed in multiple formats. The various formats are designed to
support different deployment environments or scenarios:
l FM OS Dist ribut ion Archive (.t ar.gpg) [all variant s]: This format is used by all FMOS vari-
ants for updating an existing installation of FMOS to a new version. When updating, be sure
to use the Distribution Archive for the same variant that is already installed.
l Virt ual M achine Templat e (.ova) [full, dconly]: This format is used to deploy a new virtual
machine, for example using VMware vSphere, Microsoft Hyper-V, or Oracle VirtualBox.
o If you choose VM Template, it downloads with a limited disk size of 250 GB. You will
need to either edit the disk size and make it the recommended size (500 GB) before
performing the FMOS installation or add a second disk size of 250 GB.
l Virt ual Disk Image (.qcow2) [full, dconly]: This format is used to deploy a new virtual
machine, for example using Linux KVM (with libvirt/QEMU) or OpenStack.
o If you choose Virtual Disk Image, it downloads with a limited disk size of 250 GB. You
will need to either edit the disk size and make it the recommended size (500 GB)
before performing the FMOS installation or add a second disk size of 250 GB.
l Physical Hardware Inst aller (.iso) [full, dconly]: This format is used to install FMOS on a
physical machine.
l Azure Virt ual Disk Image (.vhd.zip) [cloud]: This format is used to create a new Virtual
Machine Image in Microsoft Azure.
l AWS Virt ual Disk Image (.vmdk) [cloud]: This format is used to create a new Amazon
Machine Image in Amazon Web Services.
1. Go to FireMon User Center (https://usercenter.firemon.com) and log in. Your User Center
user name and password were emailed to your organization.
2. Click Downloads.
3. In the SIP Soft ware section, click Click here t o select t he correct download to be directed
to the Art ifact Select ion page.
4. In the Inst all Select ion section, select your deployment type.
5. In the Dist ribut ion Select ion section, select the distribution type based on how your eco-
system is deployed.
6. In the Select File section, verify that the install and distribution types are correct and then
click Select File to be directed to the file download page.
7. Click Download.
8. After downloading the FMOS file, decide if you will install on compatible hardware or to a vir-
tual machine.
Install FMOS
Ecosystem Setup
The FMOS Ecosystem Setup process is done using the fmos ecosystem command. Future
versions of FMOS may support performing the ecosystem setup process from the FMOS Control
Panel browser-based graphical user interfaces, but current versions require using the FMOS
command line (e.g. over SSH).
Initial Configuration
Before deploying a multi-server ecosystem, each machine that will be a member of the ecosystem
needs to finish initial configuration. This is when basic options such as hostname, network
configuration, organization identification, etc. are provided for the machine. As part of this process,
the machine is prepared to join the ecosystem by choosing one of the available deployment
options.
Initial configuration of an FMOS machine is done in one of two ways, depending on where the
machine is hosted: a physical or virtual machine, or a cloud deployment.
When deploying a multi-server ecosystem, choose New Deployment only for the first machine
(the database server, which will hold the CA, DB, and ES roles). For all ot her machines, including
standby database machines (if any), choose Existing Deployment.
After FMOS has been successfully installed on the system, the FireMon FMOSInitial Configuration
Wizard will start automatically on the first boot. This wizard will guide you through setting the
required configuration options in order to use the system.
The FMOS Initial Configuration Wizard has the following deployment options:
l Single-Server Deployment : This server is the only server in the deployment. It will perform
all of the functions of SIP without communicating with other servers.
l Exist ing Deployment : This server will be a part of a SIP deployment that already exists in the
organization. This option is used for all machines in a multi-server ecosystem except the
primary database machine. The specific functions this server will perform will be configured
later.
l New Deployment : This is the first server in a new multi-server SIP deployment. It will provide
the database and application server, unless Dat abase Only is selected.
Be sure to select New Deployment for only the first server in a new ecosystem, and select
Existing Deployment for all other servers.
The configuration wizard is organized into several “pages” which contain groups of related
configuration options that can be set.
This page prompts for basic required information for configuring the machine and connecting it to
the network.
The host name is the single-label name of the server. It can contain only letters, numerals, and
hyphens. It is not typically case-sensitive, but the entered value will be used as-is. The host name
should not be longer than 15 characters.
The domain name is the name of the DNS domain to which the server belongs. In many cases, this
will match the DNS name of an Active Directory domain or Kerberos realm.
Together, the host name and domain name, when combined with a “dot” (.) character, form the
host’s fully-qualified domain name (FQDN). It is extremely important that the FQDN resolve
correctly using DNS, and that the listed address matches the primary IP address of the server. The
FQDN is used for certificate verification, cluster communication, and several other important
network functions.
All of the network interfaces detected by the system are listed under Net work Adapt ers on the
host configuration page. By default, the first detected network adapter is enabled, while all others
are disabled. To enable or disable a network adapter, position the cursor in the check box to the
left of the adapter name and select the space bar or enter key on the keyboard.
Enabled network adapters are automatically configured for DHCP address assignment. To change
this, position the cursor on the Configure button to the right of the network adapter name and
select the space bar or enter key on the keyboard. The network adapter configuration page will be
displayed.
To change the configuration mode for the selected network adapter, position the cursor on the
radio button to the left of the desired configuration mode and select the space bar or enter key on
the keyboard. If the Manual configuration mode is selected, the fields below such as IP Address and
Subnet Mask become available. Enter the appropriate information in these fields. To save the
changes and return to the host configuration page, position the cursor on the Ok button and select
the space bar or enter key on the keyboard. The Cancel button will return to the host configuration
page without saving any changes.
Although the Default Gateway and DNS Server fields appear on the network adapter
configuration page for every network adapter, these are system-wide configuration settings,
and can only have a single value. As such, changing the value on one adapter configuration
page will change it for all adapters as well.
The operation of SIP is very dependent on accurate time information, it is highly recommended to
configure FMOS to synchronize its system clock with a network time source using NTP. FMOS
supports receiving time server information from the DHCP server (if you configured at least one
network adapter for automatic configuration, and your network’s DHCP server provides this
information) or specifying the time servers to use manually.
DHCP configuration of NTP sources is enabled by default. To manually enter one or more NTP
servers, position the cursor on the Use specific t ime servers radio button and select the space bar
or enter key on the keyboard. The Time Servers field will be automatically populated with the
recommended time servers. To specify different servers, position the cursor in the field and select
the backspace or delete keys on the keyboard. You can enter more than one server by separating
their host names or IP addresses with a space.
Organizat ion
FMOS requires identification information about the organization where the machine is deployed.
This information is used to generate X.509 certificates, and helps FireMon support correlate
diagnostic information when troubleshooting multiple machines.
l Unit / Depart ment : (Optional) The name of the department, team, unit, etc.
l Cit y: (Optional) The city/locality of the organization or where the machine is deployed
l St at e/ Province: (Optional) The state or province of the organization or where the machine is
deployed
l Count ry: (Optional) The country of the organization or where the machine is deployed
User
At least one user must be created in order to access the FMOS system normally. Enter the desired
username for the user, and optionally the user’s full name.
Choose a strong password of at least eight (8) characters, containing at least one lowercase letter,
one uppercase letter, one number, and one other symbol (such as !, @, etc.). Repeat the
password to confirm you typed it correctly.
Additional users can be created from the operating system command line after initial configuration
is complete.
Email Notifications
SMTP Settings
Several components of SIP and FMOS itself can send notification messages by email. FMOS
supports several configuration modes for sending these messages:
l Relay Host : If Send email through an SMTP relay delivery method is selected, value indicates
the host name or IP address of the relay server through which all messages will be sent
l Port : The TCP port on which to connect to the SMTP server on the remote host
l Securit y: Selects the security capability to use when communicating with the SMTP relay
server; has no effect on direct email delivery
Only explicit in-band TLS is currently supported. The legacy method of wrapping the entire
SMTP communication in an SSL session, known as “SMTPS” is not available
l Aut hent icat ion: Selects the authentication method to use when communicating with the
SMTP relay server; has no effect on direct email delivery
Only the “plain” authentication mechanism is currently supported. Since this method sends
the username and password in clear text, it should only be used when STARTTLS security is
enabled.
Deployment Environment
FMOS supports several “ecosystem” configurations, consisting of one or more servers performing
different functions. It is extremely important to select the correct deployment option for the
system, as making changes later can be difficult. Be sure to plan ahead and decide how many
servers will be needed and the roles each one will hold.
l Single-Server Deployment : This server is the only server in the organization. It will perform
all of the functions of SIP without communicating with other servers.
l Exist ing Deployment : This server will be a part of a SIP deployment already that already
exists in the organization. The specific functions this server will perform will be configured
later.
l New Deployment : This is the first server in a new multi-server SIP deployment. It will provide
the database and application server, unless Database Only is selected.
Be sure to select New Deployment for only the first server in a new ecosystem, and select
Existing Deployment for all other servers.
The FMOSSetup UI is hosted by the FMOS Control Panel server, and as such is available over TLS on
TCP port 55555.
Not e: The FMOS Control Panel always uses a self-signed certificate initially, so browsers will
present a security warning. This cannot be avoided, because the machine has not yet been
configured and so does not have a host name or access to a trusted certificate authority.
32 |
FMOS v9.8
l Username—The user name for the new user, must be at least 3 characters
l Password—A password for the new user, must comply with the default FMOS password
policy
Machine Configuration
SIP can operate in a self-contained environment on a single server, or as part of a multiple-server
ecosystem. Select one of the values to specify how the server will be deployed.
l Single-Server Deployment : This server is the only server in the deployment. It will perform
all of the functions of SIP without communicating with other servers.
l Exist ing Deployment : This server will be a part of a SIP deployment that already exists in the
organization. This option is used for all machines in a multi-server ecosystem except the
33 |
FMOS v9.8
primary database machine. The specific functions this server will perform will be configured
later.
l New Deployment : This is the first server in a new multi-server SIP deployment. It will
provide the database and application server, unless Dat abase Only is selected.
Organization Information
FMOS requires identification information about the organization where the machine is deployed.
This information is used to generate X.509 certificates, and helps FireMon support correlate
diagnostic information when troubleshooting multiple machines.
l Unit / Depart ment —(Optional) The name of the department, team, unit, etc.
l Cit y—(Optional) The city/locality of the organization or where the machine is deployed
l Count ry—(Optional) The country of the organization or where the machine is deployed
Caut ion! During initial deployment, the FMOS Control Panel server certificate will be replaced.
Browsers will typically warn users when a server’s certificate has changed, so accessing the
FMOS Control Panel after using the FMOS Setup UI may generate such a warning.
34 |
FMOS v9.8
This is a bring your own license (BYOL) AMI, you must already have a SIP license to activate the
subscription.
FMOS can run as an Elastic Compute Cloud (EC2) Instance in Amazon Web Services (AWS). FireMon
has taken the need to manually set up the AMI by providing it as a download using the AWS
Marketplace. There is also an AWS CloudFormation Template available for use.
AMI
CloudFormation Template
35 |
FMOS v9.8
AMI
Step 1: Launch the AMI
FMOS can run as an Elastic Compute Cloud (EC2) Instance in Amazon Web Services (AWS). FireMon
has taken the need to manually set up the AMI by providing it as a download using the AWS
Marketplace.
2. Search for FireM on and select the FireM on Securit y Int elligence Plat form BYOL entry.
4. Click Accept Terms after reviewing FireMon's EULA, and then click Cont inue t o Con-
figurat ion.
Not e: You can continue to launch or you can come back later to complete, starting from To
launch from the EC2 Dashboard
l Region can be set to your preferred location or leave the default region
7. For Launch t his soft ware, in Configurat ion Det ails, click Usage Inst ruct ions to view
important setting information.
8. For Choose Act ion, select the Launch t hrough EC2, and then click Launch.
9. Select Launch from EC2 Dashboard, and then click Launch to open the AMI configuration
settings.
10. Choose Inst ance Type: Select an Inst ance Type from the list of available.
11. Configure Inst ance: Accept default settings or select data to meet your requirements.
12. Add St orage: Click Add New Volume and in the Size field enter at least 600.
36 |
FMOS v9.8
Be sure to click Add New Volume. This step must be done to prevent instance launch failure.
Do not change the Root Volume Type or the Root Volume Size. Modifying root partitions
render the machine unrecoverable.
13. Add Tags: Enter a Key and Value (a tag) for the instance.
14. Configure Securit y Group: The required types, protocols, and ports needed for FMOS are
set.
l HTTPS / TCP / 55555 to access FMOS Control Panel server for initial setup
16. Review: Review that all information entered is correct and click Launch.
17. The Select an exist ing key pair or creat e a new key pair dialog box opens. These keys are
needed for authentication.
18. Select the acknowledgment that you have access to the selected key pair.
20. After the instance launches successfully, you can open a new browser tab to begin the
FMOS initial setup process.
If you did not launch the AMI at the time of subscribing, you can come back to continue to launch
using the EC2 Dashboard.
3. Find FireMon Security Intelligence Platform, and click Launch new inst ance.
37 |
FMOS v9.8
l Region can be set to your preferred location or leave the default region
When FMOS boots for the first time in a cloud environment, it will automatically create the initial
administrative user account. This must be done before you can complete the FMOS Initial Setup
process. The process for creating the user at first boot will be:
l The system will create a new Linux user account. The username will be fmosadmin.
l The system will assign the FMOS Administrator privilege to the account.
l The system will set the password for the new account. The password is the EC2 instance ID,
which is available through the instance metadata service.
Setup UI Administration
Because the administrator must be prompted for the instance ID before being allowed to change
the password for the initial FMOS administrator account, the FMOS Initial Setup must be protected
with authentication. This will ensure that the user provides proper credentials before being allowed
to perform the FMOS Initial Setup process and thereby changing the initial account password. The
authentication procedure will be:
1. Open a web browser to navigate to the host name or IP address of SIP running the
AWS instance. For example, ht t ps:/ / <host name_or_IPaddress>:55555/ set up, replacing
<hostname_or_address> with the host name or IP address of the instance to configure.
2. The UI will display an Aut hent icat ion dialog box before opening the FMOS Initial Setup
form.
38 |
FMOS v9.8
a. Username is fmosadmin.
c. Click Submit .
3. Following successful authentication, the UI will hide the authentication dialog box and display
the FMOS Initial Setup form.
1. The user name is read-only and cannot be changed, but you can update the password.
l Full Name (optional) — The full name of the FMOS admin user
l Password— You can change from the EC2 Instance ID to a new password of your
choice
Organization Information
l Name —The name of your company or organization. The name cannot contain non-
English characters, such as ã, ė , õ, ñ.
l Unit / Depart ment (optional) —The name of the department, team, unit, etc.
l Cit y (Optional) —The location of the organization or where the machine is deployed
39 |
FMOS v9.8
Machine Configuration
l Single-Server Deployment — This server is the only server in the deployment. It will
perform all the functions of SIP without communicating with other servers
l Exist ing Deployment — This server will be part of a deployment that already exists in
the organization. The specific functions this server will perform will be configured later
l New Deployment — This is the first server in a new multi-server deployment. It will
hold the Database and Enterprise Search roles
5. Click Submit .
6. Click the FM OS Cont rol Panel link in the deployment progress message to continue con-
figuration, and log in using your CLI credentials.
During initial deployment, the FMOS Control Panel server certificate will be replaced.
Browsers will typically warn users when a server’s certificate has changed, so accessing the
FMOS Control Panel after using the FMOS Setup UI may generate such a warning. It is safe to
proceed.
7. After the deployment process completes, you can log in to Security Intelligence Platform to
continue setting up your network, such as adding users and devices.
l Password is the MAC address for the instance with colons removed and lower-
case letters. For example, a MAC address of 00:05:95:A1:2B:CC would be
000595a12bcc. This is a one-time password to use at first installation and will
need to be reset after initial login.
l Click Log In
40 |
FMOS v9.8
CFT
Launch the CloudFormation Template
FMOS can run as a CloudFormation Template in Amazon Web Services (AWS).
1. In the Cloud Formation Dashboard, click Creat e St ack (Wit h New Resources).
2. Select Upload a t emplat e file and choose a valid * yaml/ * json file.
3. Click Next .
l VPC ID
l Subnet ID
l Instance Type
l KeyPair Name
l Volume Size
l FMOS username
8. Click Next .
10. A new stack with above Stack Name is created with a status of CREATE_COM PLETE.
12. After the deployment process completes, you can log in to Security Intelligence Platform to
continue setting up your network, such as adding users and devices.
41 |
FMOS v9.8
l Password is the MAC address for the instance with colons removed and lower-
case letters. For example, a MAC address of 00:05:95:A1:2B:CC would be
000595a12bcc. This is a one-time password to use at first installation and will
need to be reset after initial login.
42 |
FMOS v9.8
Microsoft Azure
FMOS can run as a virtual machine on the Microsoft Azure cloud platform. FireMon has taken the
need to manually set up the VMI by providing it as a download using the Azure Marketplace.
This is a bring your own license (BYOL) VMI, you must already have a SIP license to activate the
subscription.
This is a bring your own license (BYOL) VMI, you must already have a SIP license to activate the
subscription.
2. Search for FireM on and select the FireM on Securit y Int elligence Plat form for Azure entry.
4. Click Cont inue to accept terms of use, and to create this app in Azure.
When FMOS boots for the first time in a cloud environment, it will automatically create the initial
administrative user account. This must be done before you can complete the FMOS Initial Setup
process. The process for creating the user at first boot will be:
l The system will copy the OVF metadata from the virtual removeable disc to persistent
storage.
l The system will create a new Linux user account. The username is as specified by the user
during VM creation, which is provided in the OVF metadata.
43 |
FMOS v9.8
l The system will assign the FMOS Administrator privilege to the account.
l The system will set the password for the account. The password is as specified by the user
during VM creation, which is provided in the OVF metadata; if the user specified an SSH key
instead of a password, the password is the first 12 characters of the base64-encoded SHA256
fingerprint of the SSH public key.
Setup UI Administration
Because the administrator must be prompted for the instance ID before being allowed to change
the password for the initial FMOS administrator account, the FMOS Initial Setup must be protected
with authentication. This will ensure that the user provides proper credentials before being allowed
to perform the FMOS Initial Setup process and thereby changing the initial account password. The
authentication procedure will be:
1. Open a web browser to navigate to the host name or IP address of SIP running the Azure VM.
For example, ht t ps:/ / <host name_or_IPaddress>:55555/ set up, replacing <hostname_or_
address> with the host name or IP address of the instance to configure.
2. The UI will display an Aut hent icat ion dialog box before opening the FMOS Initial Setup
form.
c. Click Submit .
3. Following successful authentication, the UI will hide the authentication dialog box and
display the FMOS Initial Setup form.
44 |
FMOS v9.8
Organization Information
l Unit / Depart ment (optional) —The name of the department, team, unit, etc.
l Cit y (Optional) —The location of the organization or where the machine is deployed
l Single-Server Deployment — This server is the only server in the deployment. It will
perform all of the functions of SIP without communicating with other servers
l Exist ing Deployment — This server will be part of a deployment that already exists in
the organization. The specific functions this server will perform will be configured later
l New Deployment — This is the first server in a new multi-server deployment. It will
hold the Database and Enterprise Search roles
5. Click Submit .
6. Click the FM OS Cont rol Panel link in the deployment progress message to continue con-
figuration, and log in using your CLI credentials.
During initial deployment, the FMOS Control Panel server certificate will be replaced.
Browsers will typically warn users when a server’s certificate has changed, so accessing the
FMOS Control Panel after using the FMOS Setup UI may generate such a warning. It is safe to
proceed.
45 |
FMOS v9.8
7. After the deployment process completes, you can log in to Security Intelligence Platform to
continue setting up your network, such as adding users and devices.
l Password is the MAC address for the created VM with colons removed and
lowercase letters. For example, a MAC address of 00:05:95:A1:2B:CC would be
000595a12bcc. This is a one-time password to use at first installation and will
need to be reset after initial login.
l Click Log In
Not e: Refer to the Administration User's Guide (available in the User Center) for information
about device properties and monitoring, and other administrative tasks.
46 |
FMOS v9.8
However, if a terminal emulator is not available to you, you can use Alt+F6 to open a prompt.
FMOS supports deploying multiple database servers within a single ecosystem. This provides a
mechanism for rapid recovery from a failure of the primary database machine by automatically
replicating all data to one or more standby servers.
Prerequisit es
Before beginning the setup process for additional database servers, the ecosystem must be
prepared properly.
Multi-database mode is only available for fully distributed ecosystems. Specifically, there must be
exactly one machine with the CA, database, and enterprise search roles (the primary database
machine), one or more other machines with the database and ES roles (the standby database
machines), and at least one separate machine with the AS role. It is not possible to enable multi-
database mode in partially distributed or single-server deployments; multi-database mode cannot
be enabled if the same machine holds both the DB and AS roles.
Multi-database mode can be enabled when first deploying a new ecosystem, or after an ecosystem
has been fully deployed and is operational. In other words, it is possible to add standby database
machines to the ecosystem before or after application servers.
When first enabling multi-database mode, FMOS needs to reorganize the files stored on the local
filesystem to make them available via the clustered filesystem. The /var volume on the primary
database machine needs to have at least 50% free space before beginning.
Network Communication
Database servers do not need to be deployed on the same network or subnet, however, sufficient
bandwidth must be available between the primary server and each standby to ensure that changes
are replicated as quickly as possible. Replication delay can result in data loss if the primary server
fails before all standby servers have received and committed all changes.
Machines holding the AS role need to be able to resolve all DB machines, including standby servers,
by Fully Qualified Domain Name (FQDN), and must be able to communicate with them using the
following services (IPv4 and IPv6 are both supported):
l ICMP/ICMPv6
l IP protocol 50 (ESP)
The same requirements apply to database machines as well; standby servers must be able to
communicate with the primary server using the same services.
When operating in multi-database mode, the hierarchy of server roles change slightly. The first
appliance created in the ecosystem holds the Certificate Authority (CA) role and becomes the
superior server to all DB and AS machines. The CA role is responsible for issuing security
certificates that are used by the AS, DB, and ES machines to assert their identity to one another and
establish encrypted communication channels.
St ep 1: Set up
Provisioning machines for deployment into an FMOS ecosystem with multiple database servers
follows the same process as for a standard multi-server ecosystem.
1. Boot from FMOS installation media (example: DVD-ROM or USB flash drive) and start the
automatic installer
2. Use the Initial Configuration Wizard to set the host name, network connection settings, and
user credentials.
3. On the machine designated as the primary database server, choose New Deployment and
Dat abase Only on the ecosystem selection screen.
4. On all other machines (including standby database servers, application servers, and data col-
lectors), select Exist ing Deployment .
If any machines in the ecosystem already hold the AS role, they must be placed in maintenance
mode:
Once all AS machines (if any) have successfully entered maintenance mode, multiple-database
mode can be enabled for the ecosystem by executing the following command on the primary
database server:
The tool will adjust the FMOS System Configuration to enable multi-database mode, and then apply
the FMOS Configuration Policy. During this process, FMOS will create a clustered filesystem. Before
the clustered filesystem can be used, at least one other database machine must join the ecosystem.
When FMOS is ready for additional database machines to join the ecosystem it will pause and print
this message: Waiting for clustered filesystem to be initialized.
At this point, the standby database machines can be added to the ecosystem. As with all machines,
this process is handled by the fmos ecosyst em join command. When adding a standby database
machine to the ecosystem, both the DB and ES roles must be added, and no other role can be
added.
Joining the ecosystem may take some time, depending on the size of the database and the amount
of activity within the ecosystem. An initial synchronization with the master is performed, and then
streaming replication is enabled to keep the standby up-to-date. The process will complete once the
standby database becomes consistent with the master.
Not e: When adding multiple standby servers to the ecosystem, be sure the pg_num_
st andby_servers variable is set to the correct value on the primary database server. By
default, it is set to 1, meaning there can only be one standby server.
Once at least one standby database machine has joined the ecosystem, the fmos ecosyst em
enable-mult i-db command will resume on the primary database server. It will finish setting up the
clustered filesystem, and then move the data from the local filesystem. When this is complete, the
AS machines can be brought out of maintenance mode and returned to service.
To bring the application servers back online, use the fmos maint enance end command. This will
mount the shared filesystem and start the Security Manager services.
Standby Servers
In the event of a primary database server failure, one standby server can be promoted to become
the primary. The existing primary will become unusable at this point and must be removed from the
ecosystem. There is no switch-back mechanism.
Promot e a St andby
To promote a standby server to become the primary, execute the following command:
This tool will attempt to connect to the existing primary server and request that it shut down. Doing
so reduces the risk of a “split brain” scenario, where two database servers are operating as the
primary at the same time. If the existing primary cannot be contacted, a warning will be displayed,
but the process can proceed anyway. In most cases, promoting a standby is only done when the
primary has failed, so it may not be possible to shut it down safely.
After a standby server has been promoted to primary, all other standby database machine and all
application server machines will need to be pointed to the new server to become operational again.
This is accomplished by running the fmos ecosyst em swit chover command, passing it the FQDN
of the new primary as a command-line argument. For example:
Not e: The switchover process may fail if the original primary database server is unavailable.
If the fmos ecosystem switchover command fails on an application server, try rebooting the AS
and running the command again.
After switching over an application server following an unexpected failure of the primary database
machine, the application server may be in a partially degraded state. When the shared filesystem
hosted by the original primary DB machine is not available during the switchover process, FMOS
needs to forcefully unmount it in order to mount it again from the newly-promoted database
machine. This forceful unmount prevents the application server machine from communicating with
the original database machine’s IP address, and can cause processes to accumulate. To resolve this
situation, any application server machine that has switched its superior server while its original
superior server is unavailable should be rebooted as soon as possible.
Recover CA Role
Once all application server and database machines have been reconfigured to use the new primary
server, the FMOS ecosystem will be operational again. At this point, however, no new machines can
be added to the ecosystem as there is no longer a machine with the CA role. Thus, the CA role
needs to be recovered onto the newly-promoted database machine.
This process requires a backup of the certificate authority store from the original CA machine. If it is
still accessible, a backup can be created using the fmos ca backup command.
1. Copy the most recent backup of the certificate authority store to the new primary database
machine.
Once a primary server has been shut down, either safely when another server was promoted, or
forcefully, it must be reprovisioned before it can join the ecosystem again. FMOS must be reinstalled
using removable media, and appliance must be configured as a new member of an existing
ecosystem. It can be added as a standby DB server, and optionally promoted to primary again using
the same switchover procedure.
FMOS does not provide a mechanism for automatic failover when the primary database server
becomes unavailable. Organizations should ensure that appropriate monitoring is in place in order
to be notified of communication issues quickly so that a manual switchover can be initiated in a
timely manner.
The Security Manager super-user account must have the default credentials in order to add a
new application server to the ecosystem.
Not e: The MAC addressed used for initial SIP sign on is from the first application server installed.
Not e: When performing an FMOS update, the first application server will run the update scripts
against the database server. Because of this, the first application server may take longer to
update than any others in the deployment.
l Load Balancer M achine: Several third-party vendors offer load balancing solutions with
physical or virtual machines. For large sites, this the recommended option.
l Round-Robin DNS: DNS intrinsically provides simple load balancing, as the order of
returned results is not guaranteed. This solution requires that the TLS certificates used by
the HTTPS server have matching subject names. It also does not provide fail-over or high
availability features.
When using either of these options, the public_host name system configuration variable needs to
be set on all application servers before any data collectors are added to the ecosystem. This
variable should be set to the name the data collectors will use to connect to the application server
cluster, such as the FQDN of the load balancer.
For deployments using multiple application servers in a load balanced configuration, the following
network requirements must be satisfied:
For deployments using different servers with different roles, the application server and the
corresponding DB/ES/CA server must be on the same broadcast domain. We do not support
implementations that fall outside of this scenario.
Set t ing up a Load Balancer when not t erminat ing SSL at t he Load Balancer
Yes. Before adding DCs, this needs to be set to the FQDN assigned to the load balancer.
Do I need to create a new certificate that includes the VIP of the load balancer (and public_
hostname value) then import to both App Servers?
Yes. When not doing TLS termination at the load balancer, all AS appliances need a
server certificate with at least the name the DCs will use. It does not strictly have to be
the same certificate on both appliances. It just needs to include the "virtual" name.
If I have to create a new certificate, does this need to include the AS actual FQDN as alt names?
Not necessarily, but the ` fmos pki gen-csr` command will add it.
Not e: These are steps for setting up load balancing for your FireMon application servers with SSL
termination done at the F5 BIG-IP. There are many customizations that can be made based on
your environment so the below instructions are only guidelines.
1. You will need three virtual servers created on the same IP address.
l Click Syst em > Cert ificat e M anagement > Traffic Cert ificat e M anagement >
SSL Cert ificat e list > Creat e.
l In the Common Name box, type the name of your Virtual Server (example:
firemon.example.com)
l If you want to add Subject Alt ernat ive Names, you can specify them in the
format DNS:firemonha.example.com, DNS:www.exchange.example.com,
DNS:www.example.net.
l Click Finished.
l Name this certificate so you can tell it's your FireMon CA certificate.
g. Build a SSL profile with the example key, example cert, and server-chain.
l Local Traffic > Profiles > SSL > Client > New.
l Fill in your created certificate for certificate and key. Use the FireMon CA
certificate for Chain.
l Click Add.
l Click Finished.
l Port 443, HTTPS monitor (GET /\r\n), Slow Ramp Time of 45 seconds.
l Port 443, HTTP profile, SSL profiles for Client and Server. You can use the default 'serverssl'
profile for your server side. For client SSL profile, use the profile previously set up. If your LTM
is not your default gateway, set up a Source Address Translation. Use some sort of session
persistence. If using cookie, set up source_addr as a fallback. The Data Collector servers will
connect to your Application Servers and will not use cookies.
l The default pool for this should be pointing to your pool with port 443.
l Use all of the same settings as the 443 VS except for this should listen on port 55555 for the
FireMon Server Control Panel. This VS does not need session persistence and users will not
have any reason to access this VS.
l The default pool for this should be pointing to your pool with port 55555.
l This VS should listen on port 80 just to redirect to port 443. It only needs port 80, an HTTP pro-
file, and the irule _sys_https_redirect assigned to it. It does not need a pool.
l Set up virtual servers using TCP and leave SSL profiles blank. Do not put any HTTP profile.
Reprovision an Ecosystem
FMOS does not provide any tools for removing roles from machines that are already members of
an ecosystem. This includes single-server ecosystems, where a single machine holds all FMOS roles.
In some situations, it may be desirable to reprovision an ecosystem where a single server holds
both the application server and database roles by separating these roles onto multiple appliances.
This procedure can result in data loss, so it is important to ensure the steps below are followed
precisely.
The text in the blue boxes are examples only. Do not copy this text into your CLI.
The user performing the reprovisioning must be assigned the Backup Operator role.
Before making any changes to the ecosystem, it is imperative that a backup is made on the
machine that holds the database role.
sftp> cd /home/usernmae
Uploading /var/lib/backup/firemon/fmos-ref8-15_2017-06-23-2030.backup
to /home/username/fmos-ref8-15_2017-06-23-2030.backup
sftp> quit
Not e: If you encounter a Permission Denied error when attempting to copy the backup to a
remote machine, your account does not have the Backup Operator role assigned. See the
FMOSUsers chapter for details.
4. It is important to verify that the copy of the backup stored on the remote server is identical to
the one stored locally and has not been damaged. This can be done by calculating the
SHA256 checksum of both files and visually compare the results.
2abb45c74220534e5407326161cb661d63885c038768ac842b2d76bbe33a5d2c
/var/lib/backup/firemon/fmos-ref8-15_2017-06-23-2030.backup
2abb45c74220534e5407326161cb661d63885c038768ac842b2d76bbe33a5d2c fmos-
ref8-15_2017-06-23-2030.backup
Backing up the server (HTTPS) certificate is required if the machine uses a custom certificate that is
signed by an internal or third-party certificate authority. It is optional, but highly recommended,
even if the default self-signed certificate is used as well.
1. Use the fmos pki export -server-cert command to make a copy of the server certificate.
Export passphrase:
Confirm passphrase:
3. Copy the file to a remote storage location and validate its checksum as well.
St ep 3: Inst all FM OS
Once the data and certificate have been backed up, follow the standard procedure for installing
FMOS from removable media on both of the new machines. Be sure to use the FQDN of the original
server on the machine that will hold the application server role.
On the ecosystem selection screen, choose New Deployment and Dat abase Only for the new
database machine and Exist ing Deployment for the new application server machine.
After FMOS has been installed and configured on the new database appliance, the backup needs to
be restored.
1. Copy the file from the remote storage to the local machine.
sftp> cd /home/username
sftp> quit
...
If the server certificate was backed up, it needs to be imported onto the new application server
machine.
~]$ sftp
SECUREPASSAGE\username@email.com's password:
Connected to fs.securepassage.com.
sftp> quit
Passphrase:
...
St ep 6: Join Ecosyst em as AS
Following the database restore, the new application server can be added to the ecosystem using the
fmos ecosyst em join command.
authority (CA) that is not recognized by this system. This could mean a
man-in-the-middle attack is in progress. To be
35:E5:1B:57:B6:AD:42:49:2A:27:CA:CB:18:26:B8:B3:B5:F3:2A:F7:A4:14:CA:E1
:A8:BC:CC:F7:8E:20:9B:EF
Username:
Password:
* Application Server
...
Not e: If the process fails at “ensure ndexec user exists in secmgr” with an “Unable to authenticate
username/password” error, the SIP super user credentials will need to be temporarily reset to
their default values (firemon/firemon). Log in to the Administration application, navigate to
Access > Users, choose user ID 1, and select Edit from the menu. Set the user name to firemon
and the password to firemon and click Save. Finally, return to the FMOS command line and apply
the configuration policy by running fmos redeploy.
If the server certificate was not backed up, a new self-signed certificate was generated when the
application server joined the ecosystem. This certificate needs to be added to the trust store on all
data collector appliances in the ecosystem. To do this:
1. At the prompt, enter the command: fmos pki export -server-cert ificat e
2. Copy the file to each data collector, and then import it using fmos pki import -ca:
The Data Collector communicates with Security Manager using HTTPS. To ensure the
communication channel is secure from eavesdroppers and man-in-the-middle attacks, the Data
Collector enforces strict validation of the certificate presented by the Security Manager server when
establishing the TLS connection. One of the required validation rules is that the name listed on the
certificate, either in the certificate subject or the subject alternative name, matches the name
specified when the appliance first joins the ecosystem. By default, FMOS generates a certificate for
Security Manager that only includes the FQDN of the server. Thus, the FQDN must also be specified
when joining the ecosystem. If the FQDN cannot be resolved, then that name cannot be used, so
certificate validation will never succeed.
Certificates can include IPv4 and IPv6 addresses in their subject alternative name, but FMOS does
not do this by default. In order for data collectors or other clients to use an IP address to contact
Security Manager, the server certificate will need to be replaced with one that includes the IP
address(es) of the appliance. The fmos pki gen-csr command can be used to create a new Certificate
Signing Request that includes the IP addresses of the appliance on which it was run.
2. At the prompt enter: fmos pki gen-csr --ip-address -K server.key server.csr. IP address of
the machine.
This will generate a new RSA key pair and store it in server.key. It will then create a new CSR
that includes the FQDN of the appliance as well as all of its IP addresses. IPv4 and IPv6
addresses will be included, except for IPv6 link-local addresses.
The command will prompt for an export passphrase. If supplied, this will be used to encrypt
the private key file in server.key for safe keeping. Encrypting the key is optional, and can be
skipped by pressing Enter at the prompts.
To convert the new CSR into a certificate that can be used by Security Manager, it must be signed
by a certificate authority (CA). Which CA signs the certificate will depend on the security policy of
the organization.
l Organizat ion/ Corporat e CA—An internal certificate authority operated by the customer’s
organization. Most organizations operate a CA, and deploy configuration to end user devices
to ensure certificates it signs are trusted, so this should be the preferred option if possible.
l Public CA—Some organizations require that their certificates be signed by one of the public
certificate authorities such as Thawte or VeriSign. It is important to verify that the CA will sign
a certificate that includes an IP address, as many of them will only sign certificates for FQDNs.
Every CA has a different method for submitting a CSR and receiving a signed certificate. If your
organization has an internal CA, the administrator should have documentation specifying how to
use it. For public CAs, the process can normally be found on their websites.
Most public CAs use an intermediate CA certificate to sign certificates, as do some internal CAs. In
this case, be sure to obtain the certificate chain file that includes any necessary intermediate CA
certificates.
St ep 3: Use t he FM OS CA
If you do not have an internal CA, the fmos ca command can be used (on the server that holds the
Certificate Authority role) to sign the CSR and issue a new certificate.
2. Copy the CSR (server.csr) file from the application server to the CA machine, if they are not
the same machine.
3. At the prompt, enter fmos ca sign server.csr server.cer, and then fmos ca export -ca-cert -
-ca server server-chain.crt .
This will produce a file named server.cer that contains the signed server certificate.
Additionally, it will create server-chain.crt, which contains the intermediate CA certificate that
signed the server certificate.
After receiving a signed certificate from the CA, the openssl x509 command can be used to verify that
it does in fact contain the IP address of the Security Manager server.
l At the prompt enter: openssl x509 -in server.cer -noout -t ext -cert opt no_pubkey,no_sig-
dump
If the certificate is correct, it will have a section labeled X509v3 Subject Alternative Name with
one or more IP address entries below it.
After verifying that the new certificate is correct, it can be imported using the fmos pki import-server-
cert command.
2. Copy the newly-signed certificate, as well as the intermediate CA chain file, if any, to the
application server appliance, if necessary.
3. At the prompt enter: fmos pki import -server-cert server.cer server.key --chain server-
chain.crt
This will import the new server certificate and make adjustments to the system configuration
to use it. If the private key file is encrypted, the command will prompt for the passphrase
before making any changes.
St ep 6: Join t he Ecosyst em
After the new certificate has been imported onto the application server, data collectors can now be
added to the ecosystem by specifying its IP address as their superior server.
The command will prompt for initial manual verification as usual, and will proceed in the
same manner as if the FQDN had been used.
Caut ion! It is critical that you have a robust network between the AS and DB. There is significant
traffic between these servers, if you do not have the network to support increased traffic there
will be issues.
Caut ion! You can set up an AS and a DB in separate subnets, however, all application servers
must be in the same subnet.
To set up a database server and application server on different subnets, complete the following
steps.
2. Install the database server as a New Deployment and with a Dat abase Only role.
4. Do not join the application server to the database server at this time. Note the IP address of
the application server.
8. Update the Shared Filesyst em Host s field. Enter one or more of the following (separated by
a space):
12. Run the ecosystem join command on the application server. fmos ecosyst em join <FQDN of
DB server>
Not e: We recommend accessing SIP using one of the following supported web browsers: Firefox,
Google Chrome, Edge, and Safari.
The MAC address of the application server used to access SIP will be used as the password for the
initial SIP sign on. This is a one-time password to use at first installation and will need to be reset
after initial sign on.
l For a VM installation, use the MAC address of the VM used to access SIP
l For a multiple application server deployment, use the MAC address of the first application
server installed
The password is the MAC address of the server with colons removed and lowercase letters used.
For example, a MAC address of 00:05:95:A1:2B:CC would be 000595a12bcc.
FMOS Users
About FMOS Users
Not e: This topic only pertains to FMOS. Users of SIP (Security Manager and other modules) are
discussed in the Administration User Guide.
When you first run the FMOS Initial Configuration Wizard you will create an account granting both
FireMon Administrator and System Administrator privileges.
l System Administrator is used to access the Security Intelligence Platform (SIP). This account is
managed in the Administration module, not in FMOS.
FMOS uses the related practices of the Principle of Least Privilege and Privilege Separation.
Together, these practices help mitigate security risks and trace the origins of attacks that may
occur.
The Principle of Least Privilege states that users and program should never be given the capability
to perform any task outside what is strictly necessary to perform their primary functions. For
example, a program responsible for receiving email messages should not have the ability to reboot
the computer.
Privilege Separation is a practice whereby users can operate in one of two roles:
l Unprivileged—users in this role perform tasks such as web browsing and document editing
which do not require any control over the system beyond accepting keyboard and mouse
input.
l Privileged— users in this role perform tasks such as installing new software or making con-
figuration changes that affect multiple users.
Unprivileged Users
The FMOS operating system is a type of unprivileged user account. All users on an FMOS system
are unprivileged users by default. These users have limited access to system resources and almost
no control over system functions. Most daemon processes run as unprivileged users to reduce the
risk that they may leak sensitive information to unauthorized users or make changes to themselves
or the system.
69 |
FMOS v9.8
Not e: FMOS manages its unprivileged users, you cannot do anything with them. These
unprivileged users have no password. They cannot be used to log in to the system, and are
strictly used for process separation.
Privileged Users
FMOS has two privileged user accounts.
l Users who are members of the fmadmin group hold the FireMon Administrator role.
Not e: The user created by the FMOS Initial Configuration Wizard automatically holds the
FireMon Administrator role, as well as System Administrator.
Backup Operat or
l Users who are responsible for managing and maintaining FMOS backups are known as
Backup Operators. These users are allowed to edit the contents of the backup storage dir-
ectory located in /var/lib/backup/firemon.
l Users who are members of the fmbackup group hold the Backup Operator role.
70 |
FMOS v9.8
Not e: This procedure only creates an FMOS user. To create a SIP user, you'll need to log in to the
Administration module.
Recommendat ion: It is recommended that you create an additional admin user account in
case the password for the initial admin user account is lost.
FMOS includes a utility for managing users and privileges called fmos user. Using this tool, users
with the FireMon Administrator role can create and delete users as well as grant and revoke
privileges.
To create a new user, use the fmos user create command. The program will prompt for some
basic information about the user, including user name, full name, and password. In addition, it will
ask which roles the user should hold.
Username: fmosuser
Select privileges:
Password:
Confirm Password:
Not e: You must replace the example Username and Full Name with one that meets your
user name requirements.
Not e: A FireMon Administrator does not need to be a Backup Operator, nor does a Backup
Operator need to be a FireMon Administrator. The roles can be separate or combined.
Not e: If you have enabled password complexity, you must enter a strong 8-character
password that must contain one lowercase letter, one uppercase letter, one number, and
71 |
FMOS v9.8
one other symbol character. Using a character delimiter, such as \ or . or , can result in the
password not saving correctly.
Recommendat ion: It is recommended that you create an additional admin user account in case
the password for the initial admin user account is lost.
72 |
FMOS v9.8
Not e: Passwords can only be reset for FMOS user accounts that have an associated e-mail
address. If a user did not associate an e-mail address with his or her account he or she will not
be able to reset the password.
The password for an FMOS user can be reset using the CLI, either using the local console or
remotely using SSH. A special user account, resetpassword is used to access the password reset
tool on the CLI.
2. At the Username prompt, type your FMOS username and press Ent er.
3. Launch your e-mail client and check for a new message with the subject FMOS: Password
Reset Request.
5. Return to the FMOS CLI and type or paste the Aut horizat ion Code, then press Ent er.
Not e: The new password must comply with the configured password policy.
7. Type the new password again to confirm it, then press Ent er.
8. After the password has been reset successfully, press Ent er to exit the password reset utility.
For SSH sessions, this will terminate the connection.
Changes to this policy are done using the FMOS Control Panel. On the Password Policy page are
settings to use to set password requirements. Each field has an info icon that explains its use. Some
password policy rules, such as length and complexity, apply when passwords are set. Changes to
those rules will take effect the next time a user changes his or her password. Other rules, including
minimum and maximum age, only apply when the account is created. To change those, the account
must be deleted and recreated.
73 |
FMOS v9.8
Delete a User
Not e: The audit trail works differently in FMOS than in the Administration module. In FMOS you
actually delete a user, whereas in Admin you disable. FMOS does not require the user always
exist in order to resolve audit logs.
The fmos user delete command will not delete a system account with a UID of 1000 or
less.
Not e: This procedure only changes an FMOS user. To change a SIP user, you'll need to log in to
the Administration module.
To grant additional privileges to a user, use the fmos user grant -privileges command. The system
will prompt for the user name and which roles should be granted:
To revoke a privilege from a user, use the fmos user revoke-privileges command:
74 |
FMOS v9.8
Not e: After granting or revoking privileges to an existing user, that user will need to log out and
log back in for the changes to take effect.
75 |
FMOS v9.8
Authentication Servers
External Authentication
FMOS supports authenticating users against several common types of external authentication
servers, including Kerberos and LDAP. As with other features of FMOS, external authentication is
configured by setting the appropriate configuration variables. Ideally, enabling external
authentication is as simple as setting the appropriate type_authn or type_authz variables to true, but
most environments will require additional configuration.
This topic attempts to describe how to best configure FMOS to use one or more external
authentication mechanisms to delegate user credential management to a remote service.
Many authentication settings can be set from the FMOS Control Panel.
Authentication is handled by PAM and authorization by the Name Service Switch. By default, both
phases are performed using local UNIX authentication, with users, groups, and passwords all kept
locally in plain-text files. FMOS requires local UNIX authentication be used for at least one account.
This allows an administrator to log in even in the event of a failure of all external authentication
providers.
FMOS provides several options for both phases, and supports practically any combination of them:
l LDAP
l LDAP
l Kerberos
Not all external authentication mechanisms provide identity mapping (UID lookup and group
membership resolution) capabilities, so they must be used in tandem with ones that do. For
example, it is common to use LDAP for authorization and Kerberos for authentication. Alternatively,
identity mapping can be handled by local UNIX authentication in all cases, even if it is not used for
password verification.
76 |
FMOS v9.8
Not e: When using an external authentication method, FMOS does not enforce any password
policy (such as length and complexity requirements, expiration, etc.), but relies on the external
authentication server to provide this feature. Additionally, FMOS does not support changing of
external passwords.
LDAP
FMOS supports using LDAP for both authentication and authorization. It can be deployed by itself,
or alongside other authentication methods.
In order to connect to remote LDAP servers, FMOS requires a few pieces of information, depending
on the environment:
l Distinguished name of the base object in the directory where searches will be performed
l Distinguished name and password of an account that can bind to the directory service and
search for user identity information
FMOS will attempt to discover as many settings as it can from the environment if they are not
explicitly provided. If bind credentials are not supplied, FMOS will attempt to bind anonymously.
Not e: When using LDAP for authorization (identity mapping), it is common to encounter errors
and warnings once it has been enabled. This is because the system message bus service (D-Bus)
does not detect changes to the Name Service Switch while it is running. To resolve these issues,
reboot the machine.
Attribute Mapping
Many LDAP implementations use different names for attributes that contain user information. By
default, FMOS expects the attribute names uses by Microsoft Active Directory beginning with
Windows Server 2003 R2. For other environments, these may not be appropriate, so FMOS provides
the ability to change the mapping.
To explicitly map attributes, set the ldap_user_at t r_map, ldap_group_at t r_map, and/or ldap_
shadow_at t r_map variables.
The table below describes the values FMOS requires and the attributes it uses by default to find
them.
77 |
FMOS v9.8
User Attributes
Descript ion Value Default At t ribut e
homeDirectory (defaults to
Home Directory homeDirectory
/home/sAMAccountName if unset)
Group Attributes
Descript ion Value Default Value
Group Name cn cn
Object Filtering
FMOS supports filtering objects in the directory to allow for more fine-grained control of which
ones are mapped to system users and groups. Filters can be used, for example, to only consider
objects of a certain class or type, or have a particular value in an attribute. To override the default
filters, simply set the ldap_user_filt er or ldap_group_filt er attributes to a valid LDAP query.
Encryption (TLS)
FMOS supports using LDAP inside a TLS-wrapped connection (LDAPS) as well as TLS message
encryption (STARTTLS). When using LDAP as an authentication source, one of these encryption
methods should be used, as user passwords will be transmitted in clear text otherwise.
To enable TLS-wrapped connections, use the ldaps scheme in LDAP server URIs.
To enable STARTTLS, use the ldap scheme and set ldap_ssl to st art _t ls.
By default, ldap:// URIs will use TCP port 389 while ldaps:// URIs will use port 636.
78 |
FMOS v9.8
Not e:When using the domain controller locator protocol, discovered servers will use the LDAP
URI scheme. To enable TLS communication for these servers, ldap_ssl must be set to start_tls.
It may be necessary to add additional certificate authority certificates to the local trust store in order
to establish TLS communication with remote servers. See Trusted Certificate Authorities for more
information.
Privileged Groups
At this time, there is no way to assign specific FMOS privileges to LDAP groups. To grant LDAP users
elevated permissions, they need to be explicitly added to the local groups. See About FMOS Users
for details.
Not e: Variables listed as critical must be present in the system configuration file when used
during initial deployment for automatic configuration. Variables listed as required must be
present if the server holds one or more of the roles listed in the applies to field.
LDAP Configurations
Command Type Required Default Funct ion
79 |
FMOS v9.8
LDAP Configurations
Command Type Required Default Funct ion
80 |
FMOS v9.8
LDAP Configurations
Command Type Required Default Funct ion
81 |
FMOS v9.8
LDAP Configurations
Command Type Required Default Funct ion
(&(objectClass=user)
ldap_user_fil- The LDAP query used to
String No (objectClass=person)(!
ter select all user objects.
(objectClass=computer)))
82 |
FMOS v9.8
LDAP Configurations
Command Type Required Default Funct ion
83 |
FMOS v9.8
LDAP Configurations
Command Type Required Default Funct ion
Kerberos
FMOS supports using Kerberos as an authentication method only. It is typically coupled with LDAP
for authorization, but can be used on its own. When LDAP is not used, users will need to be
registered locally, though their passwords will be validated using Kerberos. To register a user, use
the useradd command, but do not set a password.
l Realm name
l KDC address(es)
84 |
FMOS v9.8
Not e: Variables listed as critical must be present in the system configuration file when used
during initial deployment (i.e. for automatic configuration). Variables listed as required must be
present if the server holds one or more of the roles listed in the applies to field.
Kerberos Configurations
Command Type Required Default Funct ion
Enable Kerberos
krb5_authn Boolean No False authentication (pass-
word verification).
If specified, authen-
tication will be
attempted against
krb5_auth_realms List of Strings No these Kerberos
realms, in order,
instead of the
default realm.
85 |
FMOS v9.8
Kerberos Configurations
Command Type Required Default Funct ion
A mapping of DNS
suffixes to Kerberos
realms, used when
requesting service
krb5_domain_realm Mapping No
tickets for host
names in other
domains and/or
realms.
86 |
FMOS v9.8
Kerberos Configurations
Command Type Required Default Funct ion
Whether to request
krb5_forwardable Boolean No True forward-able tickets
from the KDC.
Whether or not to
find the canonical
krb5_canonicalize_host- names for services
Boolean No True
name when requesting ser-
vice tickets by using
DNS queries.
Whether or not to
extend canonical
host name res-
olution to include
krb5_rdns Boolean No False reverse address
look-ups. Requires
that all service hosts
have both A and PTR
DNS records.
Manually configures
Kerberos realms. If
krb5_dns_lookup_
kdc is False, this
mapping must con-
tain a key for every
realm this machine
krb5_realms Mapping No
will need to contact.
Each value is also a
mapping of con-
figuration settings
for that domain (e.g.
kdc), see krb5.conf
(5) for details.
87 |
FMOS v9.8
88 |
FMOS v9.8
Certificates
About Certificates
Certificates expire one year from the initial installation date and must be renewed before
expiration. FMOS will send an expiration notification message 30 days prior to expiration.
The X.509 public key infrastructure (PKI) is used by a number of standard protocols for
authentication and key exchange between participants in cryptographic communications.
Specifically, FMOS supports X.509 PKI for TLS-based communication protocols like HTTPS, LDAP,
and SMTP
FMOS includes a managed certificate authority. This certificate authority is used to issue certificates
for secure authentication and communication between members of a multi-server ecosystem. The
certificate authority manager is included with fmos-ut il, which exposes a command-line interface
with the fmos ca command.
FMOS supports integration with existing system infrastructure for various functions, such as
authentication and security.
A PKI issues certificates, enforces certificate policies, and manages the certificate life cycle. The
fmos pki command can be used to view and update the X.509 PKI configuration on machines
running FMOS.
Command-Line Interface
l fmos ca init —Create CA hierarchy and private keys
Not e: FMOS will automatically renew the self-signed certificates it creates when they expire, but
it will not do so for CA-signed certificates.
89 |
FMOS v9.8
Certificates expire one year after installation. Certificate renewal is required before the expiration
date.
There are processes in place to help support handling the expiration on both the application and
database servers.
Items of note:
l Both processes (DB and AS) are required in all multi-server ecosystem deployments.
l This applies to single-server deployments as well, particularly ones with remote data col-
lectors. The process is the same as for a stand-alone database server.
l There is a specific health check that is run in FMOS to verify the status of certificates. These
alerts are displayed on the Server Control Panel dashboard, or in the CLI when running the
command fmos healt h -d.
Within 30 days of the certificate expiring, you can run one of the following commands to “renew” the
certificate.
3. In some cases, the machine may need to be rebooted after renewing the certificate.
When FMOS identifies that certificates are within 30 days of expiring and one of these two
operations take place, it will then automatically renew the certificates for another year.
Within 30 days of the certificate expiring and after the database server's certificates have been
renewed, you will need to do the following.
3. In some cases, the machine may need to be rebooted after renewing the certificate.
This will request new certificates from the database server and renew for another year.
90 |
FMOS v9.8
91 |
FMOS v9.8
This process creates two files, a certificate file to be signed by a certificate authority (CA)—the .csr
file—and a public key—the .key file. These files provide the CA with the details needed to sign the
key. The .csr file represents the identity of the FMOS server and the .key file is the server’s public
key; which is used to provide unique instructions to the CA as to how to encrypt the .csr exclusively
for the FMOS server. No other device will have the same public key, or the private key needed to
decrypt the signed certificate.
You can create a CSR and a public key for your server one of two ways: use OpenSSL or an
FMOS CLI command.
To use OpenSSL, use a similar command as exampled below to create the CSR:
1. Log in to the FMOS server with both an SSH and SCP/SFTP client. Unless you're comfortable
using Linux commands for copying files off and on to the FMOS server.
Or you can use alternative names to access the system using the same certificate by adding
a subject alternative name (SAN) to the CSR. To do so run the command:
92 |
FMOS v9.8
3. When you run the fmos pki command, you will be prompted to enter a passphrase. You
can leave this blank by pressing Ent er to continue on without adding a passphrase, or if you
can set a passphrase.
Not e: If you set a passphrase, you must supply it to the CA to have it signed.
4. Take both files to your company’s certificate authority to have them signed. Follow your
company’s procedure for presenting the CSR and public key to your CA.
5. When you make the request to have the CSR signed, ensure that the complete certificate
chain is there as all certificates from the Root CA to the server CSR need to be included in the
export process.
Certificate authorities use their public key to sign the certificate, it and their identifying
certificate were signed by an authority above them. This is called a certificate chain, at the
top of which is the Root Authority. Root authorities can directly sign identity certificates
however most organizations use intermediate authorities to sign most certificates (so that
the root can be secured). All certificates from the root through intermediates must be
present on a server in order for its newly signed certificate to remain valid.
6. Once you have the certificates, you will need to move them to the FMOS server using WinSCP
or another file transfer tool and then switch back to the FireMon CLI and perform the
following tasks in order.
8. Import the device certificate and key (optionally, include intermediate certificates with these
commands):
93 |
FMOS v9.8
Not e: Replacing <device.cer> and <keyname.key> with the actual file name.
9. Optionally, you can import the same signed certificate used for the application server for the
FMOS Control Panel (https://fmosServerIP:55555) using this command: fmos pki import -cpl-
cert device.cer
10. Reboot the server you are installing the certificates on. A reboot is required.
Place the signed certificate file on each data collector with WinSCP and then run the command:
fmos pki import -ca <cert name>
To include additional certificate authorities to the list of CAs trusted by FMOS, use the following
command:
Software that uses the system trust store, including SIP, will now trust the new CA.
For the change to take effect on an machine running the application server, the service will need to
be restarted using the following command:
fmos restart as
94 |
FMOS v9.8
This command supports certificate and private key files in PEM (base-64), DER (binary) and
PKCS#12 formats. If the private key and certificate are stored in the same file (in PEM or PKCS#12
formats only), they will be separated automatically:
After replacing the server certificate, the changes will be applied automatically. No services need to
be restarted for the changes to take effect.
Not e: FMOS will automatically renew the self-signed certificates it creates when they expire, but
it will not do so for CA-signed certificates.
95 |
FMOS v9.8
This command supports certificate and private key files in PEM (base-64), DER (binary) and PKCS#12
formats. If the private key and certificate are stored in the same file (in PEM or PKCS#12 formats
only), they will be separated automatically:
Not e: After replacing the original self-signed certificate on the application server with a certificate
that is issued and signed by an internal corporate certificate authority, that CA certificate must be
added to each remote data collector's trust store. These are the same steps as outlined in
Trusted Certificate Authorities.
After replacing the server certificate, the changes will be applied automatically. No services need to
be restarted for the changes to take effect.
Not e: FMOS will automatically renew the self-signed certificates it creates when they expire, but it
will not do so for CA-signed certificates.
Example 1
Scenario: Company A would like to use a corporate LDAP server for centralized user management.
The LDAP server accepts TLS connections and it uses a certificate that is issued and signed by the
company's internal certificate authority.
Descript ion: To trust the certificate that is presented by the LDAP server, the Certificate Authority's
certificate is added to the FireMon trust store and the application server is restarted using:
fmos restart as
Example 2
Scenario: Company B maintains its own Certificate Authority (CA). Web browsers automatically trust
certificates issued by this CA due to standard corporate policy. The CA signs web server certificates
with an "intermediate CA certificate" rather than the "root CA certificate". The deployment consists
96 |
FMOS v9.8
of an application/database server and two remote data collectors. The server should utilize a server
certificate signed by the company's CA.
Descript ion: After obtaining a certificate and key from the CA, along with the intermediate and root
CA certificates, the application server's pre-installed, self-signed certificate can be replaced. The
intermediate CA certificate will be sent along with the server certificate in web requests. Therefore,
it must be imported with the --chain argument.
Since the data collectors rely on the HTTPS communication channel with the application server, the
company's ROOT CA certificate must be added to the trust store to validate the new server
certificate and intermediate CA certificate. Add the root CA certificate to each data collector's trust
store and restart the service:
fmos restart dc
The server certificate and intermediate CA certificate can then be updated on the application
server:
If any certificates are within the 30-day renewal window, a warning message will be displayed for
each one.
To see certificate expiration dates using a diagnostic package, you will need to fetch or extract the
following files:
l /etc/pki/tls/certs/fqdn.cer
l /etc/pki/tls/certs/fmos-admin.cer
l /var/lib/pgsql/server.crt
97 |
FMOS v9.8
l /etc/pki/tls/certs/fqdn.cer
l /etc/pki/tls/certs/fmos-admin.cer
l /var/lib/pgsql/.postgresql/postgresql.crt
l /etc/pki/tls/certs/fqdn.cer
l /etc/pki/tls/certs/fmos-admin.cer
l /etc/pki/tls/certs/localhost.crt
You can use the OpenSSL command-line tool to inspect these certificates and view their validity
period:
openssl x509 -noout -text -certopt no_sigdump,no_pubkey -in FILENAME
98 |
FMOS v9.8
Configuration Commands
About the System Configuration File Commands
Not e: The command-line configuration editor will not provide an interactive editing experience.
For interactive editing, the FMOS Control Panel UI should be used.
All customizable options are configured in /etc/firemon/config.yml. This file contains a mapping of
settings in YAML syntax, the native variable definition language used by Ansible. For a basic
overview of this language, see the YAML Syntax section of the Ansible documentation which is
available online at https://docs.ansible.com .
To view a list of available commands, at the command prompt type: fmos -help.
99 |
FMOS v9.8
Added
l fmos fact ory-reset : This command can be used to erase all data and configuration from an
machine and return it to a clean state
Removed
l fmos redeploy
l fmos st at us: Users should use the fmos health command instead
l fmos enable-updat es
l fmos inst all: Removed because the FMOS root file system is immutable
l fmos version: To view the current FMOS version, use cat / et c/ fmos-release
l fmos resizedisk
l fmos config -e
Replaced Commands
The current command-line editor, fmos config --edit has been removed and replaced with new
commands for configuring FMOS from the command line. This replacement for command-line
configuration mechanism borrows the concept of category-based editing from the FMOS Control
Panel. The tool will display only the variables within the specified category.
100 |
FMOS v9.8
fmos config apply <playbook> Apply configuration policy for the specified playbook
Release Improvements
Below are the improvements that were made to FMOS in each supported release:
9.7 Improvement s
l SNMPv3 agent has been added to FMOS to enable or disable the SNMP setting. The SNMP
CLI must be use to add or remove users.
l The command fmos redeploy has been replaced with fmos config apply.
l FMOS will provide native support for copying backups to the following services:
o SSH File Transfer Protocol (SFTP)
o Amazon Simple Storage Service (S3)
o Azure Blob Storage
9.6 Improvement s
l FMOS users will need to confirm an email address to use for password recovery.
l Improved backup performance was implemented. The fmos backup command now uses
multiple threads to compress backup content.
l FMOS now follows the NIST 800-63B recommendation for operating system user passwords.
This new password policy only applies to accounts created after installing FMOS 9.6. User
accounts created on earlier versions of FMOS will retain their existing policy settings. As
always, the password policy can be configured on a per-machine basis.
o Passwords must be at least 8 characters in length.
o Passwords do not need to contain special characters or numbers.
o Passwords do not need to be changed periodically.
l The Initial Deployment process can now be observed using the fmos config apply --watch
command. Additionally, the tasks are logged to /var/log/fmos/deploy.log, as with all other
FMOS Configuration Policy tasks.
101 |
FMOS v9.8
l The Disk Cleanup tool is no longer accessible from the FMOS Control Panel GUI. The fmos
disk-cleanup command remains in place and can be used as before.
9.5 Improvement s
l Added a new command - fmos storage autoexpand - to support increasing the size of the
OS disk or data disk (if any), and adding a (second) data disk.
l TCP Traceroute: Beginning with FMOS 9.5, the -T argument can be used with the
traceroute command.
l If a reboot is needed before the update can be applied, FMOS informs the user with the
following message:
o The system cannot be updated at this time: A previous update has been installed but is
not yet active. Reboot the machine and try again.
Resize Disk
Although the fmos resizedisk command was removed during implementation of Generation III,
new resize functionality has been introduced in release 9.5.
The fmos st orage aut oexpand command supports three options to resize, or any combination
thereof.
Not e: At this time, there is no support for reducing any disk sizes.
102 |
FMOS v9.8
The fmos config command is intended for advanced use cases such as scripts or shell pipelines; it
does not provide a mechanism for interactive editing. For basic, interactive editing of system
configuration variables, please use the FMOS Control Panel.
Like the FMOS Control Panel, the fmos config command operates on a single category at a time. To
view the list of available configuration categories, use the fmos config cat egories command.
To view the current values of the variables in a specific category, use the fmos config get
{cat egory} command, replacing {cat egory} with the path to the category. Example: fmos config
get os/ healt h
Updat e Values
To replace all of the values in a specific category, use the fmos config put {cat egory} {values}
command, replacing {cat egory} with the path to the category, and {values} with the name of a
YAML or JSON document containing the values.
For example,
1. Create a file named proxy.yml (vi proxy.yml) and add the values to it:
http_proxy: http://dev-proxy.securepassage.com:3128
https_proxy: http://dev-proxy.securepassage.com:3128
no_proxy: localhost,securepassage.com
3. Use the fmos config put command to update the configuration using the values specified in
the file:
103 |
FMOS v9.8
Configuration Variables
A list of FMOS configuration settings that are customizable by local administrators.
Not e: Variables listed as critical must be present in the system configuration file when used
during initial deployment (i.e. for automatic configuration). Variables listed as required must be
present if the server holds one or more of the roles listed in the applies to field.
Using the command fmos -help will provide a complete list of available commands.
Not e: Additional configuration variables are included at the end of relevant chapters.
When auto_backup.schedule is
monthly, this defines the day
auto_backup.date Number No 1
of the month on which the
backup will be performed.
104 |
FMOS v9.8
Operating System
Command Type Required Default Funct ion
When auto_backup.schedule is
weekly, this defines the day of
the week on which the backup
auto_backup.weekday Number No 0 will be performed. The number
must be between 0 and 7,
where 0 and 7 are both
Sunday, 1 is Monday, etc.
Whitespace-separated list of
notify_recipients String No
email addresses to whom sys-
105 |
FMOS v9.8
Operating System
Command Type Required Default Funct ion
network.interfaces[ ].d-
Mapping No DHCPv6 options.
hcp6v
network.interfaces[ ].d-
Boolean No False Use DHCPv6 in stateless mode.
hcpv6.stateless
network.interfaces[ ].d-
Boolean No False Request a temporary address.
hcpv6.temporary
106 |
FMOS v9.8
Operating System
Command Type Required Default Funct ion
List of Map-
ntp.keys No NTP authentication keys.
pings
107 |
FMOS v9.8
Operating System
Command Type Required Default Funct ion
Communication protocol to
remote_syslog[].mode String No UDP use to connect to the host.
Not e: If a configuration change requires additional packages to be installed, FMOS redploy may
fail. This is typically only the case when FMOS was installed using custom settings and the new
configuration activates an additional Security Manager role. In these cases, only FMOS update can
be used.
1. Log in to the FMOS console as a user with the FMOS Administrator privilege.
This will apply any configuration changes that affect SIP, as the command runs the
secmgr.yml playbook by default. To apply changes to other system features, such as
health monitoring or network time, another playbook may need to be run instead. To
specify a different playbook, specify its name on the command line.
108 |
FMOS v9.8
Caut ion! Currently, if you run the FMOS redeploy from /etc/firemon it will fail. The solution is to
run the redeploy from /home/user.
Playbooks
The FMOS-autodeploy package includes several playbooks, each responsible for managing
different aspects of the system:
l secmgr.yml—this playbook is responsible for deploying the configuration for the four
FireMon Security Manager roles: Application Server (AS), Database (DB), Data Collector (DC),
and Normalization Worker (ND).
l init ial-set up.yml—this playbook is run in the very early stage of the first boot of a new
FMOS installation, before the fmos.yml playbook. It deploys critical host configuration such
as hostname, network settings, user accounts, etc. A reboot is typically required after run-
ning this playbook.
Caut ion! DO NOT apply this playbook if the value of the FQND variable in the
System Configuration File is different than the current FQDN of the machine!
Doing so will change the hostname of the machine, which will most likely break
communication with other machines in the FMOS ecosystem.
l net config.yml—this playbook is used to apply network configuration changes to the system.
Specifically, changes to members of the network mapping (such as network.dns1, net-
work.gateway, network.interfaces, etc.) are applied when this playbook is run.
109 |
FMOS v9.8
SMTP Commands
A list of SMTP configuration settings that are customizable by local administrators.
Not e: Variables listed as critical must be present in the system configuration file when used
during initial deployment (for example, automatic configuration). Variables listed as required
must be present if the server holds one or more of the roles listed in the applies to field.
SMTP Configurations
Command Type Required Default Funct ion
110 |
FMOS v9.8
The average size of a backup with a fresh install (no devices) is about 200 MB, each device, report
and configuration will increase this size. The retention policy set in the FMOS Control Panel (55555,
interface) will determine how often the system will be backed up and how much will be retained.
Prerequisit e: A Backup Operator must be assigned as an FMOS privileged user before a backup
can be performed.
FMOS provides utilities to create and restore backups of data created and used by FireMon
applications. These used can be accessed from the FMOS command-line interface with the fmos
backup and fmos restore commands. Keeping up-to-date backups is an important part of
maintaining a FireMon deployment.
Backup Contents
FMOS uses a custom file format for backups. Backup files consist of three parts:
Additionally, backup files include a checksum, which is used to verify their integrity when restoring.
Creating Backups
Scheduled Backup
By default, FMOS machines that hold the database or the data collector role automatically create
backups on a daily basis. These backups are stored in a special directory,
/ var/ lib/ backup/ firemon, which is on a separate, dedicated storage volume. As this volume is only
used to store backups, as many backups as will fit on the volume are kept. Thus, the most points in
time for recovery are always available. When a new scheduled backup is created, one or more
111 |
FMOS v9.8
backups are removed, or “pruned,” from the storage directory in order to make enough space
available for the new backup.
The auto_backup system configuration variable can be used to control how and when scheduled
backups are created. See Schedule an Automatic Backup.
When a backup is run, the file that is created is saved to / var/ lib/ backup/ firemon/ by default. The
file will be named HOSTNAM E_DATE.backup, and will be readable only by the group fmbackup.
The backup file that is created will contain the FMOS system configuration, PostgreSQL database
dump, and the file system archive.
On-Demand Backup
The fmos backup command can be used to create a backup on demand. By default, when run
without any command-line arguments, this command will create a new backup, named with the
current date and time, in the default location (/var/lib/backup/firemon). To create a file in a different
location or with a different name, pass the desired path as a positional argument, for example:
If only a filename is given, without the full path, the file will be created in the current working
directory.
When creating an on-demand backup in the default location, it may be necessary to remove old
backup files in order to make room. To facilitate this, the fmos backup command accepts a --
prune argument. When this argument is supplied, the command will remove backup files from the
destination directory, starting with the oldest, until there is enough space to create a new backup. If
enough space cannot be freed while keeping at least one existing backup, the command will abort
and no new backup will be created.
Not e: You must also include a new file name when you specify a location for the backup to be
saved.
By default, the backup is stored in the following location: var/ lib/ backup/ firemon
3. You can use SFTP to move the backup "off box" to be stored on another server.
112 |
FMOS v9.8
The fmos backup command will automatically delete old backup files when it estimates that there
is not sufficient free space in the destination directory to store another backup file. By default,
when pruning old backups, FMOS will remove as many files as necessary to make enough space
available, but it will keep at least one file. This helps ensure that there is always at least one good
backup. If enough space cannot be freed without deleting the last backup, the command will abort
and will not create a new backup.
To change the minimum number of backups that must be kept, pass a number after the --prune
argument, for example:
This will ensure that at least three backups are kept in the destination directory.
In most cases, only one or two existing backup files need to be deleted.
To avoid deleting any backup files, pass the --no-prune argument, for example:
If there is insufficient space to create a new backup, the fmos backup command will abort with an
error.
Not e: It is perfectly normal for the /var/lib/firemon directory to be very nearly full at all
times. This is by design: since the only files that can ever be stored there are backups, leaving
free space available on this filesystem would provide no benefit.
Actions can be configured to run after a successful backup or after a backup fails. Multiple actions
can be configured; they will be run sequentially if more than one is defined.
Post-Backup Actions are configured in the FMOS System Configuration File. They can be defined
using the fmos config command or the FMOS Control Panel GUI.
113 |
FMOS v9.8
storage services, and more. FMOS supports public-key and password authentication. Remote host
key verification is supported using a pre-configured public key.
To enable public-key authentication for SFTP post-backup actions, simply omit the password
configuration option. FMOS will attempt to authenticate to the remote host using a pre-generated
private key. This key cannot be changed or replaced. The public key is stored in the
/etc/firemon/fmbackup.pubkey file. It is currently only accessible using the FMOS command-
line interface:
cat /etc/firemon/fmbackup.pubkey
The ssh-rsa type is used by default; set the key_type option to ed25519 to use the stronger, faster
ssh-ed25519 key.
To enable SSH host key validation, enter the full host key of the remote server. If the server does not
present a matching key during the initial handshake, the connection will fail. If the remote server
has multiple keys of different types, only one will be checked. Only the first key type from this list
that the server supports will be checked:
l ecdsa-sha2-nistp256
l ecdsa-sha2-nistp384
l ecdsa-sha2-nistp521
l rsa-sha2-512
l rsa-sha2-256
l ssh-rsa
l ssh-dss
l ssh-ed25519
Host key verification will fail if the provided key is of a type lower in the list than another type of key
that the server supports.
Example 1
This example uses password-based authentication and does not enable remote host key
verification:
post_backup:
114 |
FMOS v9.8
success:
copy-sftp:
- hostname: my-file-server.example.com
username: firemon
password: secretanduniquepassword
Example 2
This example uses public-key authentication and remote host key verification, and stores the file in
the /backups/firemon directory on the remote host:
post_backup:
success:
copy-sftp:
- hostname: backups.example.org
username: sip
key_type: ed25519
Copy to an S3 Bucket
FMOS can copy files to any storage service that is compatible with the Amazon Simple Storage
Service (S3) protocol. Authentication can be performed using a specific Amazon Access Key ID and
Secret Key pair or, when FMOS is running in AWS, using an IAM instance role assigned to the EC2
instance.
Example
post_backup:
success:
copy-azure:
- account_name: myazstoracct
115 |
FMOS v9.8
container: /backups/firemon
key:
'bWmpsDbOqaNFw8PcR1AIkJQrflB/0wN43xrLOkTaeBJvBiUXWoSI4usTPumXBuAeVjyRmM5
5dYRGTdXXTOzL3Q=='
Example 1
post_backup:
success:
notify-email:
- recipients:
- me@mycompany.com
Example 2
post_backup:
failure:
notify-email:
- recipients: ['admins@example.org']
When the command runs, the BACKUP environment variable contains the path to the newly-created
backup file, if it is available.
Example 1
This example makes an HTTP request to a remote server to notify it that the backup failed.
post_backup:
116 |
FMOS v9.8
failure:
run-command:
Example 2
This example uploads the backup file to a remote server using HTTP.
post_backup:
success:
run-command:
Restore a Backup
When restoring a backup, it is important to understand the different operational modes. There are
two separate use cases for restoring FireMon backups: to recover to an earlier point in time, or to
migrate data to another system. While the fmos restore command is used for both cases,
different arguments are necessary.
Recovery
A recovery simply restores the data on the machine to its state from when the backup was created.
A recovery can be performed by restoring a backup file on the same machine where it was created.
When performing a recovery, all three parts of the backup are restored, including the FMOS system
configuration.
To perform a recovery restore, pass the --recovery argument to the fmos restore command
along with the path to the backup file, for example:
117 |
FMOS v9.8
Migration
A migration transfers data from one system to another. This is done, for example, to copy data from
a production environment to a testing environment, or to move data to a new machine. When
performing a migration, the database and filesystem contents are restored, but not the FMOS
system configuration.
To perform a migration restore, use the --migration argument of the fmos restore command,
passing the path to the backup file as well:
Not e: When performing a migration in a distributed deployment, the backup must be restored
before any application server machines are added to the ecosystem. If AS machines have already
joined, they will have to be reset to factory defaults, reconfigured, and added to the ecosystem
again after the restore completes.
118 |
FMOS v9.8
This process is only meant to be used if your database machine has failed. This process is very
fragile and extreme care must be taken. If any steps are performed out-of-order or incorrectly,
the process will fail. It is recommended that you call Support to help with this process.
Not e: This topic is only meant for a fully-distributed multi-server ecosystem deployment.
The appliance in an FMOS ecosystem deployment that holds the certificate authority (CA) role
requires a special backup and restore process. The content of the CA store is extremely sensitive,
as it could be used to obtain unauthorized access to the FMOS ecosystem, potentially allowing an
attacker to obtain or manipulate FireMon application data.
During normal use, the contents are encrypted using appliance-specific information. This is not
possible for a backup file, so user-provided information is necessary to safely encrypt the backup.
For ecosystem deployments where the DB, ES, and AS roles are held by the same machine, backing
up the CA store may not be necessary.
A new CA store can be initialized on the target appliance without disrupting any intra-ecosystem
communication.
l The CA store index has been modified (for example when a new certificate was issued) since
the last time the CA store was backed up
The alert will clear automatically once a new backup has been created.
119 |
FMOS v9.8
This process is very fragile and extreme care must be taken. If any steps are performed out-of-
order or incorrectly, the process will fail. It is recommended that you call Support to help with this
process.
Using certificates signed by the desired CA requires a special process. If this process is not followed,
a new CA will be created, and certificates will be signed by it.
Follow this process when restoring a CA store from a backup onto a different machine, or after
FMOS has been reinstalled on the same machine.
To restore the CA store from a backup file, use the fmos ca restore command, passing the name of
the backup file as an argument on the command line, and then entering the Export Passphrase when
prompted.
Warning! The destination machine must not hold any FMOS roles. This is achieved by choosing
Existing Deployment on the Ecosystem Selection page of the Initial Configuration Wizard. If the
machine already has one or more roles, it must be re-provisioned.
1. Install FMOS as usual, but select Exist ing Deployment on the Ecosystem Selection page of
the Initial Configuration Wizard.
3. Restore the system configuration file from the regular FMOS backup. Because the appliance
holds no roles, the database and file system portions of the backup will NOT be restored at
this time.
4. Use the fmos config --edit command to launch a text editor to modify the FMOS System Con-
figuration file.
5. Locate the following line in the file and remove it: fm_roles: {}
6. Add the following lines to the file: fm_roles: ca: t rue, db: t rue, es: t rue
7. Run the following command to apply the FireMon role changes: fmos redeploy first boot -
early
8. Restore the CA store from the backup file (replace ${FILENAME} with the path to the CA store
backup file): fmos ca rest ore ${FILENAM E}
9. Initialize the database instance by applying the secmgr playbook: fmos redeploy
10. Restore the regular FMOS backup. See Restore a Backup for details.
120 |
FMOS v9.8
The machine is now fully restored, and will operate as a CA, using the exact hierarchy as the original
appliance. All certificates issued by the previous appliance will continue to be valid, and new
certificates will be signed using the same keys.
121 |
FMOS v9.8
Maintenance Mode
Maintenance mode allows you to stop all FireMon services prior to performing any maintenance,
such as an update, to the system.
Not e: Variables listed as critical must be present in the system configuration file when used
during initial deployment (example, for automatic configuration). Variables listed as required
must be present if the server holds one or more of the roles listed in the applies to field.
Backup Commands
Command Type Required Default Funct ion
auto_backup object
122 |
FMOS v9.8
Backup Commands
Command Type Required Default Funct ion
Arguments to pass
to fmos backup. See
fmos backup –help
for possible
auto_backup.args string --quiet --prune options. If this
option is null or
empty, no argu-
ments will be
passed
When automatic
backups are sched-
uled to run
monthly, this
auto_backup.date integer 1
defines the day of
the month on which
the backup will be
performed.
Whether or not to
enable automatic
backups. This
auto_backup.enabled boolean defaults to true if
the server holds the
database role, and
false otherwise.
123 |
FMOS v9.8
Backup Commands
Command Type Required Default Funct ion
When automatic
backups are sched-
uled to run weekly,
this defines the day
of the week on
which the backup
auto_backup.weekday integer 0
will be performed.
The number must
be between 0 and 7,
where 0 and 7 are
both Sunday, 1 is
Monday, etc.
124 |
FMOS v9.8
About Updates
Updates to FireMon software are packaged as a single unit and delivered together as an FMOS
system update. These updates are applied using FMOS tools, which manage the process of
verifying the update source, installing the new software, updating configuration files, and migrating
data.
Updat e Source
Previously, an update source was the URL of a Yum package repository or the path to a block
device or file system image containing a Yum package repository. Now, an update source is a path
or URL to an FMOS Distribution Archive.
Updat e Process
Because the FMOS root file system is immutable, applying updates to a system requires replacing
the file system image. The machine must be rebooted in order to use the new image. Therefore,
the update process for the Generation III platform is as follows:
3. The system is prepared to boot from the new image by generating a new initramfs image
and bootloader configuration file.
6. During the next boot, the FMOS configuration policy is applied. This includes invoking the
Security Manager migration tool (Flyway) to manage database schema and other application-
level updates.
l Product update releases replace an installed release of a product with a new release of the
same product (example: 9.3 to 9.4).
l Maintenance releases occur between product releases and are used to address resolved and
known issues (example: 9.3.4, 9.4.1).
125 |
FMOS v9.8
l It is strongly recommended that you back up the SIP database and files before installing any
updates.
l If you are updating both a single-server Data Collector and an Application Server, you must
upgrade your Application Server first.
l If you are updating from a version that is three (or more) minor versions behind the current
version, please contact Support to help you perform a staged updating.
Caut ion! During the update process, all SIP components will be stopped, and connectivity will be
terminated. Please consider updating your product during periods of low product use to
minimize the effects of this loss of connectivity.
l Prerequisit e for v8.24 users and older: If you are updating from a version that is three (or
more) behind current, please contact support@firemon.com
l Prerequisit e for v8.25 users: You will need to perform a backup of your existing 8.25
installation, move that backup ‘off box’, perform a new install of v9.x, and then restore 8.25
backup onto the new 9.x installation. please contact support@firemon.com
l Prerequisit e for v8.26 users: If you are updating from v8.26, a new install with a previous
backup restore is not needed. You can follow the normal update process.
l Prerequisit e for v9.x users: If you are updating from v9.x, a new install with a previous
backup restore is not needed. You can follow the normal update process
126 |
FMOS v9.8
We only provide full support for the two most recent releases of the FireMon operating system
(FMOS). We will attempt to support customers running unsupported releases, but support will be
limited and best effort only. Customers running an unsupported release are encouraged to update
to a supported release in order to receive the full support experience. A complete list of supported
releases is listed below.
We can provide assistance with updating to a supported release. Customers wanting to receive
assistance should contact us at support@firemon.com and specify the release number they are on
and the release number they want to update to. A customer support agent will reach out to assist.
Supported Releases
l Releases consist of major releases denoted by 0 in the third portion of the release number
and maintenance (bug fix) releases denoted by any number other than 0. For example, 9.4.0
is a major release whereas 9.4.2 is a maintenance release.
l Major releases typically include software improvements, new features, bug fixes, and
security improvements. Major releases are provided two to three times a year on average.
l Maintenance releases deliver software fixes and the occasional minor software
improvement. Maintenance releases are constrained in scope to improve quality and time to
market. Maintenance releases are provided on an as-needed basis until end of support is
reached for that major release.
Supported Releases
M ajor Release Num- M aint enance Release Num-
GA Dat e End of Support Dat e
ber ber
9.5.1 11/15/2021
9.5.3 12/15/2021
127 |
FMOS v9.8
Supported Releases
M ajor Release Num- M aint enance Release Num-
GA Dat e End of Support Dat e
ber ber
9.4.1 8/4/2021
9.4.2 8/8/2021
Unsupported Releases
M ajor Release M aint enance Release End of Support
GA Dat e
Number Number Dat e
128 |
FMOS v9.8
Release Formats
FMOS Generation III system updates are distributed in signed archive files, called distribution
archives. These files end with the extension .tar.gpg. They are cryptographically signed using
GnuPG with keys accessible only to us to ensure that third parties cannot tamper with or modify
them.
Although we distributes FMOS in various forms for initial deployment (new installations), only
distribution archives can be used to update an existing FMOS system.
Build Variants
Every FMOS version is produced in multiple variants. Each variant is designed to serve a specific
purpose. When installing FMOS on a new machine, be sure to select the proper variant:
l Full: This is the default variant. It contains all of the Security Intelligence Platform application
components, including the Security Manager server, the data collector, Global Policy Con-
troller, and all supporting software such as PostgreSQL and elastic search.
l DC Only: This variant only contains the Data Collector application component for the Secur-
ity Intelligence Platform.
l Cloud: This variant is intended to be used for Cloud deployments, such as Microsoft Azure or
Amazon Web Services. It contains all of the Security Intelligence Platform application com-
ponents and all supporting software.
Distribution Formats
Each FMOS build variant is distributed in multiple formats. The various formats are designed to
support different deployment environments or scenarios:
l FM OS Dist ribut ion Archive (.t ar.gpg) [all variant s]: This format is used by all FMOS vari-
ants for upgrading an existing installation of FMOS to a new version. When upgrading, be
sure to use the Distribution Archive for the same variant that is already installed.
l Virt ual M achine Templat e (.ova) [full, dconly]: This format is used to deploy a new virtual
machine, for example using VMware vSphere, Microsoft Hyper-V, or Oracle VirtualBox.
l Virt ual Disk Image (.qcow2) [full, dconly]: This format is used to deploy a new virtual
machine, for example using Linux KVM (with libvirt/QEMU) or OpenStack.
l Physical Hardware Inst aller (.iso) [full, dconly]: This format is used to install FMOS on a
physical machine.
l Azure Virt ual Disk Image (.vhd.zip) [cloud]: This format is used to create a new Virtual
Machine Image in Windows Azure.
129 |
FMOS v9.8
l AWS Virt ual Disk Image (.vmdk) [cloud]: This format is used to create a new Amazon
Machine Image in Amazon Web Services.
By default, FMOS will automatically fetch updates from the FireMon User Center, if possible. If a new
version of FMOS is available on the User Center, it will be downloaded and used. If multiple versions
are available, the one selected is determined by the fmos_updat e_channel System Configuration
Variable. Machines using the latest channel (the default) will always fetch the most recent version
from the User Center. Machines using the stable channel will only fetch updates that are marked as
stable.
For machines that cannot access the FireMon User Center directly, a distribution archive can be
provided manually. This is also useful for updating to a version of FMOS that is not currently
available in the User Center.
Not e: The fmos updat e command will, by default, no longer allow an update to be installed if it
is older (by date or by version) than the currently installed image.
fmos update
130 |
FMOS v9.8
When a URL is specified, the remote file will be downloaded to a temporary location on the local
machine, and removed when the update process is complete.
Reboot Required
After an FMOS update is installed, the appliance must be rebooted in order for it to take effect. The
new software will not be used until the appliance has been rebooted.
When the appliance is first rebooted after installing an update, the FMOS Configuration Policy is
applied in the background. During this process, some services provided by the appliance may not
be available. For FMOS appliances that hold the AS role, it can take several minutes or hours before
the process completes, depending on the amount of data.
The FMOS Health System will report the status of services on the appliance and the deployment
process. The fmos healt h command or the FMOS Control Panel browser application can be used
to view the health of the system.
l Additionally, the fmos updat e command can take a single positional argument, which refers
to the distribution archive to use as the update channel source. The distribution archive can
be located on the local file system or on a remote HTTP server. To specify a remote location,
pass its URL as the source argument.
l The fmos updat e command will, by default, no longer allow an update to be installed if it is
older (by date or by version) than the currently installed image.
Updates to FMOS are packaged as a single unit and delivered together as an FMOS system update.
These updates are applied using FMOS tools, which manage the process of verifying the update
source, installing the new software, updating configuration files, and migrating data.
131 |
FMOS v9.8
l Lat est -the default channel. The system will be kept up-to-date with the most recent
version of FMOS released and available on the User Center.
l St able-this channel only includes fixes for critical bugs and security vulnerabilities,
without introducing new features.
5. When finished, click St age Changes and then click Apply Configurat ion.
132 |
FMOS v9.8
Update FMOS
Caut ion! During the update process, all Security Intelligence Platform components will be
stopped and connectivity will be terminated. Please consider updating your product during
periods of low product use to minimize the effects of this loss of connectivity.
Prerequisit e: Before installing any updates, you will need to back up your data. Then transfer
the backup 'off box' to a secure location. You must also have set your update channel.
For a distributed (multi-server) environment, there is a specific server order to install the update.
1. Database server
2. Application server
3. Data collector
For a single-server environment, install the update on the application server first and then any data
collectors.
Prerequisit e: Put all application servers into maintenance mode. At the prompt, type the
following command: fmos maint enance begin
2. Click Downloads.
3. In the SIP Soft ware section, click the link to be directed to the Art ifact Select ion page.
4. In the Inst all Select ion section, select your deployment type:
5. In the Dist ribut ion Select ion section, select the distribution type based on how your eco-
system is deployed:
133 |
FMOS v9.8
6. In the Select File section, verify that the install and distribution types are correct and then
click Select File to be directed to the file download page.
7. Click Download.
8. For a single-server environment, copy the file to your application server. For a distributed
environment, copy the file to your database server.
Not e: The file should be copied to / var/ t mp and then use that path in the fmos update
command.
9. Log in to the appropriate FireMon server (either application server or database server).
l For existing 9.0 users who have set the update channel: fmos updat e
l For users not updating from v9.0: fmos updat e / var/ t mp/ <filename> (replacing <file-
name> with the name of the ISO file downloaded).
12. You will be asked to reboot the server. Type Y at the prompt to start the reboot process.
13. For a single-server environment, repeat the steps to update any data collectors. For a dis-
tributed environment, repeat the steps to update the application server (if you have multiple
applications servers, update each one-at-a-time and reboot each individually) and then data
collectors.
134 |
FMOS v9.8
There are two methods for applying firmware updates using the Lifecycle Controller:
Warning! Updating system firmware will require the appliance to reboot. When updating
firmware on a machine that is a member of a multi-server ecosystem, be sure any subordinate
servers are placed into maintenance mode, as appropriate.
For FM appliances that have their iDRAC connected and configured, the easiest way to apply
firmware updates is by using the Update and Rollback feature within the iDRAC web UI.
1. Navigate to the iDRAC web application using your browser and log in as a user with iDRAC
administrator privileges.
Not e: The default iDRAC user name and password should be changed before putting am FM
appliance into production.
3. On the Firmware Update page, click the Updat e tab and then select Local for File Location.
4. Click the Browse button for File Path under Single Update Location and navigate to the firm-
ware update image stored on your local machine. After selecting the correct file for your
hardware, click Upload.
Not e: Although FMOS is a Linux-based operating system the Lifecycle Controller uses the
Windows packaging format, so updates are distributed as .exe files.
5. Uploading the firmware image to the iDRAC may take a few minutes. When the upload
completes, select the check box next to the update in the Update Details pane and click
Inst all and Reboot .
6. The update will be processed in the background. To view the status of the update, click the
Job Queue button. The job queue can also be accessed from the server link in the navigation
tree and choosing the Job Queue button from the top bar.
135 |
FMOS v9.8
7. The job queue will show the status of the update as it progresses. Use the refresh button to
update the display.
8. After the update applies successfully, a new job queue entry will be created to reboot the
machine. After the machine reboots, the update process is complete and FMOS will load as
normal.
In cases where the iDRAC is not usable, another option for updating appliance firmware is to use the
pre-boot Lifecycle Controller GUI. This option requires physical access to the machine and a USB
storage device.
1. Copy the firmware image onto a USB storage device, such as a flash drive.
Not e: The device must be formatted with the FAT32 filesystem. USB 2.0 and 3.0 devices are
supported.
2. Connect the USB storage device to the appliance and power it on. During system initialization,
a list of special boot options will be displayed on the screen. Press F10 on the keyboard to
enter the Lifecycle Controller UI.
3. When prompted for the Set up Password, contact FireMon support to obtain the specific
password for your device.
4. When the Lifecycle Controller UI finishes loading, select Firmware Updat e from the
navigation list, then click Launch Firmware Updat e.
5. On the Select Update Repository page, select Local Drive(CD or DVD or USB). Ensure the
USB storage device is connected and click Next .
6. On the Enter Access Details page, select the appropriate device from the Local Drive menu
(e.g. USB0 (Front USB 1)). Type the name of the firmware image file in the File Pat h or
Updat e Package Pat h field box and click Next .
7. The Lifecycle Controller will scan the image file and verify its contents. This process may take
a few minutes, depending on the size and type of firmware to update. If any errors are
encountered, they must be resolved before continuing.
8. After verifying the selected image file, the Lifecycle Controller will present a list of identified
updates. Ensure the check box next to the desired update is selected and click Apply.
9. At this point, the update process should proceed automatically. The Lifecycle Controller will
download the update package from the USB storage device and apply the update to the
system.
136 |
FMOS v9.8
10. After applying updates, the appliance will reboot and the Lifecycle Controller UI will start
again. Click the Exit button at the top-right corner of the screen and then click OK to reboot
the appliance and load FMOS as normal.
137 |
FMOS v9.8
FMOS can automatically check for new items periodically and display a list of unread items to users
when they log in to the FMOS command line (e.g. SSH). To read news items, use the fmos news
read command or enable to show news at log on.
The FMOS Control Panel can also display these messages, for those administrators who do not use
the command-line interface.
RSS Feed
The User Center has an RSS feed available for Security Intelligence Platform v9 releases and
documentation. If you would like to subscribe to this feed, you can find it on the Downloads page.
Please note that it will not interfere or replace the existing v8-specific RSS feed. If you have licenses
for both v8 and v9, please subscribe to both RSS feeds to guarantee you receive the most current
notifications.
138 |
FMOS v9.8
All FMOS configuration is currently done by editing / et c/ firemon/ config.yml using the command
fmos config --edit. The reason we built Control Panel is to decrease the need to access the file
system to perform configuration changes. One of the goals is to be usable by administrators with
little to no experience with Linux or system administration in general. As such, Control Panel is a
simple, intuitive interface to make configuration changes, without requiring you to edit YAML
settings by hand.
Information icons are available for each entry field to provide more detail about the type of data
that can be entered into the field.
139 |
FMOS v9.8
configuration settings available." on the page. Modifying advanced settings requires Support
Services.
140 |
FMOS v9.8
https://FMOSIPaddress:55555
The module’s authentication is the FMOS administrative user account. Typically, this would be the
user account that you created during the initial FMOS installation wizard. You cannot log into this
module using a SIP user account created in the Administration module. If you’ve setup an
authentication server for the FMOS log in, it will also work.
Help Menu
A help menu is located on the toolbar. Click the icon to access it.
l Click User's Guide to view the user's guide available for this module.
l Click About to view the FMOS Version and Server Control Panel Version.
l St age Changes will save any configuration changes, but will not redeploy the server. This is a
useful command if you are making multiple changes to numerous settings and want to wait
until you've completed the changes to redeploy the server.
l Apply Configurat ions only appears if there are changes to any configuration settings. This
function will redeploy the server.
l Submit saves and updates information without the need to redeploy the server.
Not e: All changes made using CP are tracked the same as if you were editing the system config
using CLI and then redeploying.
You cannot unstage changes. If you made a change by mistake, you must revert the field back to its
original default setting, and then click Stage Changes again.
141 |
FMOS v9.8
Any staged changes, even if not applied to the configuration will automatically apply when the
server redeploys.
Logout
To exit the module, click Logout on the toolbar.
Not e: Passwords can only be reset for FMOS user accounts that have an associated e-mail
address. If a user did not associate an e-mail address with his or her account he or she will not be
able to reset the password.
The password for an FMOS user can be reset using the FMOS Control Panel.
3. Enter your FMOS user name in the Username field and click Send Email .
4. Launch your e-mail client and check for a new message with the subject FMOS: Password Reset
Request.
Not e: Instead of clicking the link from the e-mail message, you can also copy the
Authorization Code from the message and enter it in the Aut horizat ion Code field that
appears after you click Send Email.
Not e: The new password must comply with the configured password policy.
7. Type the new password again to confirm it in the Confirm New Password field.
142 |
FMOS v9.8
After the password has been reset successfully, it can be used immediately to log in to the FMOS
Control Panel.
143 |
FMOS v9.8
Home
The Home page displays information on the overall status and performance of the server at any
given time. If you logged in to the actual server, you would have access to this same information.
This is view-only information.
If there are any system alerts that need your attention, they will be listed at the top of the screen.
When you log in to the control panel, the data provided is specific to the server IP address.
l Degraded
l Warning
l Passed
l Click Learn more to open a information topic with possible next steps to correct an issue.
System Status
The Syst em St at us, located in the upper right of the page, provides a quick visual look at the health
of your server.
l Orange—system is degraded
144 |
FMOS v9.8
l Red—system failure
Change Password
Not e: This is only for the password of the FMOS administrator accounts for the server being
accessed. To change a user password, use the Administration module process.
Caut ion! Passwords expire every 90 days and must be changed prior to expiration.
5. Click Submit .
Disk Cleanup
Disk Cleanup can be used to remove old files from the file system that are no longer needed. This
utility is designed to help administrators reclaim disk space.
2. Select the types of files to delete. Click the status key to enable the selection (a solid blue
toggle).
3. You can Include files older t han by setting the number of days.
4. Click Next .
5. Review the results, and then click the check box next to the files to delete.
6. Click Next .
145 |
FMOS v9.8
Diagnostic Package
FMOS provides a feature called diagnostic packages that can be used to troubleshoot system issues,
including crashes, errors, and unexpected behavior. These packages can be created on any FMOS
installation and transferred to FireMon support for analysis.
1. In the Ticket / ID field, if you have an open case with FireMon support enter the ticket number,
or if you do not have an open case enter your organization's name.
2. Click Creat e.
3. The Creat e Diagnost ic Package dialog box will open and you can view the data collection
process. You can close this dialog box and it will not impact the creation process.
Not e: The creation process can take several minutes depending on the file size. Progress is
displayed in the St at us column.
146 |
FMOS v9.8
OS
From the Operating System (OS) page you can access a variety of FMOS configuration settings.
Not e: An information icon is available for numerous entry fields to provide more information
about the type of data that can be entered into the field.
To activate a field for editing, click the Enable toggle to the on position. A blue toggle indicates
that the field is active.
l Usage thresholds
l Crypt o is used
l Healt h is for the FMOS Health Evaluation System settings. The platform consists of a number
of health checks, each of which defines a specific operation to perform to produce a check
result. Check results are aggregated to create a health summary, providing a view of the over-
all health of the system.
l M et rics is used to gather performance information and expose it to Victoria Metrics. Per-
formance metrics can be sent directly to FireMon Support or using a Prometheus remote
write protocol.
l Net work is used for network configuration. You can add static routes from this page.
147 |
FMOS v9.8
l SSH is used for SSH settings, such as allowing weak SSH algorithms
OS Settings Page
Think of the OS Settings as an admin page used for behind-the-scenes system settings, such as
console timeout and adding recipients for system notifications.
Updates to FMOS are packaged as a single unit and delivered together as an FMOS system update.
These updates are applied using FMOS tools, which manage the process of verifying the update
source, installing the new software, updating configuration files, and migrating data.
l Lat est -the default channel. The system will be kept up-to-date with the most recent
version of FMOS released and available on the User Center.
l St able-this channel only includes fixes for critical bugs and security vulnerabilities,
without introducing new features.
5. When finished, click St age Changes and then click Apply Configurat ion.
FMOS can automatically check for new items periodically and display a list of unread items when
you log in to the FMOS command line, to enable this functionality complete the following steps.
148 |
FMOS v9.8
Not e: Set the default value to False to turn off this feature.
Authentication
On the Kerberos Authentication page are settings to use to set authentication requirements. Each
field has an info icon that explains its use.
To change from the default values, move the Status key to the enabled position and then change
the default value. A blue toggle indicates an enabled field. When finished, click St age Changes and
then Apply Configurat ion.
LDAP
On the LDAP page are settings to use to set LDAP authentication requirements. Each field has an
info icon that explains its use.
To change from the default values, move the Status key to the enabled position and then change
the default value. A blue toggle indicates an enabled field. When finished, click St age Changes and
then Apply Configurat ion.
Password Policy
On the Password Policy page are settings to use to set password requirements. Each field has an
info icon that explains its use. Some password policy rules, such as length and complexity, apply
when passwords are set. Changes to those rules will take effect the next time a user changes his or
her password. Other rules, including minimum and maximum age, only apply when the account is
created. To change those, the account must be deleted and recreated.
Not e: Minimum password character length cannot be less than six. Eight is the default minimum
set.
Not e: Maximum Age (the number of days a password is valid until it must be changed) only
applies when the account is created. If the default value (90 days) is changed after account
creation, existing accounts must be deleted and recreated for the change to apply.
149 |
FMOS v9.8
Password Complexit y
If enabled, passwords must contain at least one uppercase letter, one lowercase letter, one number,
and one other symbol. Additionally, new passwords must contain at least 4 characters that were not
present in the previous password, and passwords cannot contain any variation on the user’s
username or real name.
Not e: Using a character delimiter, such as a colon (:), comma (,), period (.), semi-colon (;), or
slashes (\ /) can result in the password not saving correctly.
To change from the default values, move the Status key to the enabled position and then change
the default value. A blue toggle indicates an enabled field. When finished, click St age Changes and
then Apply Configurat ion.
150 |
FMOS v9.8
Backups
FMOS provides utilities to create and restore backups of data created and used by SIP.
When a backup is run, the file that is created is saved to / var/ lib/ backup/ firemon/ by default. The
file will be named HOSTNAM E_DATE.backup, and will be readable only by the group fmbackup.
The backup file that is created will contain the FMOS system configuration, PostgreSQL database
dump, and the file system archive.
After a backup finishes, FMOS can perform additional actions. These actions include copying the
new backup file to a remote server, sending an e-mail notification, or executing a command on the
local machine.
Actions can be configured to run after a successful backup or after a backup fails. Multiple actions
can be configured; they will be run sequentially if more than one is defined.
Cryptographic Settings
The following Red Hat Enterprise Linux 8 policy levels are available in SIP:
l DEFAULT: The default system-wide cryptographic policy level offers secure settings for
current threat models. It allows the TLS 1.2 and 1.3 protocols, as well as the IKEv2 and SSH2
protocols. The RSA keys and Diffie-Hellman parameters are accepted if they are at least 2048
bits long.
151 |
FMOS v9.8
l LEGACY: This policy ensures maximum compatibility with Red Hat Enterprise Linux 5 and
earlier; it is less secure due to an increased attack surface. In addition to the DEFAULT level
algorithms and protocols, it includes support for the TLS 1.0 and 1.1 protocols. The
algorithms DSA, 3DES, and RC4 are allowed, while RSA keys and Diffie-Hellman parameters
are accepted if they are at least 1023 bits long.
l FUTURE: A conservative security level that is believed to withstand any near-term future
attacks. This level does not allow the use of SHA-1 in signature algorithms. The RSA keys and
Diffie-Hellman parameters are accepted if they are at least 3072 bits long
To set the system crypto policy to allow weak ciphers and keys, complete the following steps.
Health Settings
Not e: An information icon is available for numerous entry fields to provide more information
about the type of data that can be entered into the field.
The FMOS Health Evaluation System settings consists of a number of health checks, each of which
defines a specific operation to perform to produce a check result. Check results are aggregated to
create a health summary, providing a view of the overall health of the system.
From this settings page, you can adjust usage thresholds to maximize system performance.
152 |
FMOS v9.8
Swap usage is only a problem if you see it continually climb and eventually reach 100%, which will
cause performance issues. To address this issue from reoccurring, we recommend increasing the
swap alert threshold for swap event alerts from triggering a warning message.
2. Enable the Free Swap Space Threshold field by clicking the status key.
If you continue to see swap alerts after increasing your swap usage threshold consider adding
more RAM for your FMOS server.
153 |
FMOS v9.8
Performance Metrics
Victoria Metrics can be configured to pull metrics from (scrape) any HTTP resource that exposes
data in the Prometheus exposition format.
FMOS configures collectd, using the write_prometheus plugin1, to expose its metrics in this way.
Collectd listens on TCP port 9103 (the same port as the Prometheus collectd exporter) and
exposes metrics at http://localhost:9103/metrics. This port is never exposed to the network,
irrespective of the the vm_allow_outside setting.
7. In the HTTP section, in the URL field enter the SIP server URL.
9. Additional fields can be configured to meet your network security guidelines. What has been
provided is the minimum needed to connect to SIP.
3. Enable the Allow out side access t o Vict oria M et rics field. TCP port 8428 is used for
HTTP API.
154 |
FMOS v9.8
1The Write Prometheus plugin starts an internal webserver on port 9103 (configurable) and accepts
scrape requests from Prometheus, an open-source monitoring system. This plugin is similar in
scope to the collectd_exporter written by the Prometheus team and uses the same naming schema
so it can be used as a drop-in alternative. Synopsis: LoadPlugin write_prometheus <Plugin "write_
prometheus"> Port "9103" </Plugin>
Requires prior setup of Prometheus. FireMon's preferred metrics monitoring service is Grafana.
2. Enable the Send performance met rics t o t hese locat ions field.
4. Enter the full HTTP or HTTPS URL to a Prometheus "remote write" endpoint. Example:
https://prometheus.mycompany.com/api/v1/write
6. Enable the Allow out side access t o Vict oria M et rics field. TCP port 8428 is used for
HTTP API.
155 |
FMOS v9.8
4. Enable the Type field, and then select the type of route to create. Omit this is you are adding
a simple route.
5. Enable the M et ric field, and then select the route metric.
6. In the Net work Address field, enter the destination network prefix of the route in
CIDR notation.
8. In the Address field, enter the address of the next hop gateway or router for this route.
9. Enable the Weight field, and then enter the bandwidth or quality of a path. This should be
omitted for simple routes.
12. If no other changes are being made, click Apply Configurat ion.
HTTP Proxy
Many environments require using an HTTP proxy in order to establish communication with hosts on
the Internet. Depending on the configuration of the proxy server, it may allow access to the FMOS
package repository.
To configure the system to use a proxy server, the proxy URL of the server must be set in the
HTTPS proxy environment variable in the Server Control Panel (SCP > OS > Proxy).
156 |
FMOS v9.8
Not e: Only proxy servers that support HTTP CONNECT will work. Proxies that require TLS
decryption (also called “SSL bumping”) will not work. This is because the FMOS package
repository uses TLS mutual authentication to prevent man-in-the-middle attacks. Since
decrypting proxies are a form of man-in-the-middle attack, they cannot work by definition. If
fmos enable-updates fails with an error like “certificate issuer is not recognized,” it is likely the
proxy is doing TLS decryption.
2. Enable the Default Proxy field and enter the proxy URL.
3. Enable the HTTP Proxy and/or HTTPS Proxy fields and enter the proxy URL to use for each
connection type that will be used.
4. Enable the No Proxy For field and enter host names to which direct connections should be
made without using the proxy set for the specific protocol.
SMTP Settings
Several components of Security Manager and FMOS itself can send notification messages by email.
FMOS supports several configuration modes for sending these messages:
l Configurat ion M ode—configures how email messages will be delivered to their recipients:
l Direct will be delivered directly to the mail server responsible for the recipient
email addresses, found by querying looking up the MX records in DNS.
l Relay will send all email messages to a relay server or “smart host” for delivery.
l Relay Host —if the Send email t hrough an SM TP relay delivery method is selected, value
indicates the host name or IP address of the relay server through which all messages will be
sent.
l Relay Port —the TCP port on which to connect to the SMTP server on the remote host.
157 |
FMOS v9.8
l Securit y M ode—selects the security capability to use when communicating with the SMTP
relay server; has no effect on direct email delivery.
Not e: The legacy method of wrapping the entire SMTP communication in an SSL session,
known as “SMTPS” is not available.
l Aut hent icat ion—selects the authentication method to use when communicating with the
SMTP relay server; has no effect on direct email delivery.
Not e: Only the “plain” authentication mechanism is currently supported. Since this method
sends the username and password in clear text, it should only be used when STARTTLS
security is enabled.
Recommendat ion: Ensure that SMTP is working correctly so that a password recovery email can
be sent / received.
SNMP Agent
An SNMPv3 agent has been added to FMOS to enable or disable the SNMP setting.
Use this setting to allow the SSH client to connect to servers that use weak or outdated
cryptographic algorithms.
To set the client to allow weak SSH algorithms, complete the following steps.
158 |
FMOS v9.8
FMOS Syslog
On the OS> Syslog page, you can add a remote syslog configuration. This setting is used to setup
an external source to listen on events using syslog from FMOS.
External sources can listen over ports 514 or 6514 for either UDP or TCP.
3. In the Host field, enter the FQDN for the remote logging host.
4. Enable the M ode field to select the protocol to use to connect to the host.
5. Enable the Port field to select the port to use to connect to the remote logging host.
6. Enable the Use TLS field and select True if you will use TLS with TCP.
159 |
FMOS v9.8
SecMgr
Not e: Information icons are available for each entry field to provide more information about the
type of data that can be entered into the field.
To activate a field for editing, click the Status key to the enabled position. A blue key indicates
that it is enabled.
The SecMgr (Security Manager) page is used to access configuration settings for application servers,
database servers and data collectors.
l AS (Application Servers)
o Apache
o NdExec
o SecMgr
o Workflow
l DC (Data Collector) - settings specific to the data collector role and its functions
Application Server
Apache
On the Apache HTTPD page are settings to use to set requirements. Each field has an info icon that
explains its use.
To change from the default values, move the Status key to the enabled position and then change
the default value. A blue toggle indicates an enabled field. When finished, click St age Changes and
then Apply Configurat ion.
NdExec
On the Normalization Worker page are settings to use to set requirements. Each field has an info
icon that explains its use.
160 |
FMOS v9.8
To change from the default values, move the Status key to the enabled position and then change
the default value. A blue toggle indicates an enabled field. When finished, click St age Changes and
then Apply Configurat ion.
SecM gr
On the FireMon SecMgr page are settings to use to set requirements. Each field has an info icon
that explains its use.
To change from the default values, move the Status key to the enabled position and then change
the default value. A blue toggle indicates an enabled field. When finished, click St age Changes and
then Apply Configurat ion.
Workflow
On the Workflow page are settings to use to set requirements. Each field has an info icon that
explains its use.
To change from the default values, move the Status key to the enabled position and then change
the default value. A blue toggle indicates an enabled field. When finished, click St age Changes and
then Apply Configurat ion.
We support both UDP and TCP. The UDP port is 514 and TCP port is 1470 (the default port often
used for Cisco devices).
The default setting is false (off). When you enable the field box and change the setting to true, the
DC will begin listening on TCP port 1470 in addition to UDP port 514. There is no way to change the
port number. The DC will always also listen on the UDP port.
The deployment schedule can be customized using the Server Control Panel, under the SecMgr
section. The process must run once a week, and the Aut o Refresh Schedule: Hour, M inut e, and
Weekday fields can control precisely when.
161 |
FMOS v9.8
Not e: If any changes to the configuration are made using the Server Control Panel but have not
been applied, they will be applied by the scheduled deployment.
2. Enable the Aut o Refresh Schedule: Hour field, and then select an hour.
3. Enable the Aut o Refresh Schedule: M inut e field, and then select a minute.
4. Enable the Aut o Refresh Schedule: Weekday field, and then select an day.
Not e: The value is expressed as a number between 0 and 7, where both 0 and 7 refer to
Sunday.
162 |
FMOS v9.8
The disk clean-up utility can be used from the command line using the fmos disk-cleanup
command, or using the FMOS Server Control Panel. The utility has two operational modes: analyze
and clean.
l In Analyze M ode, the disk clean-up utility scans for files identified by the specified selection
profiles and estimates the amount of disk space that would be reclaimed by removing them.
In this mode, no files are actually removed from the file system.
l In Clean M ode, the disk clean-up utility will remove any files identified by the specified selec-
tion profiles. When it is finished, it will report on the number of files removed and the
amount of disk space that was reclaimed by removing them.
The disk clean-up utility includes several predefined selection profiles to classify files on the file
system. When run in either analyze or clean mode, the utility takes a set of selection profiles and
searches for files matching the properties specified by those profiles.
When using the CLI, the list of available selection profiles can be viewed by using the --list -profiles
or -L argument.
The CLI accepts one or more selection profiles as positional arguments. Additionally, a pseudo-
profile all can be used to select all available profiles. When using the all selection, it may be
necessary to exclude one or more profiles, which can be indicated by prefixing the profile key with
a hyphen-minus symbol.
In addition to selection profiles, the files to remove can be further restricted by their age. The age
of a file refers to how much time has elapsed since the file was last modified. By default, the
command-line interface restricts both analyze and clean mode to files that are older than 30 days.
To specify a different age, use the --age or -a argument.
Examples
l Run analyze mode on the default selection: fmos disk-cleanup
l Run clean mode on all profiles, except for log files: fmos disk-cleanup --clean -- all -logs
163 |
FMOS v9.8
Not e: When specifying an exclusion using the hyphen-minus syntax, the double hyphen-minus is
required. This is a limitation of the command-line argument parser used by the FMOS command;
it is needed to distinguish the exclusion from short-form optional arguments.
Example
Run clean mode on all crash dumps older than one day: fmos disk-cleanup - -clean - -age 1 crash-
dumps
164 |
FMOS v9.8
Troubleshooting
Log Files
When an error of "See log file details." is received, these are the log files to review. FMOS provides a
command for quickly viewing the most commonly-used log files: fmos logview. This command
allows users with the FireMon Administrator (privileged user) assigned to view the contents of the
system log (i.e. /var/log/messages), as well as any log file generated by FireMon software, without
explicitly requesting elevated privileges.
Not e: Log files can contain sensitive information, and are not accessible by unprivileged users.
To view a log file using fmos logview, simply invoke the command, passing the path to the log file
as a command-line argument. For example, the following command would display the contents of
the current SecMgr log file:
Not e: If no file name is given, / var/ log/ messages will be displayed. Only log files inside
/ var/ log/ firemon, / var/ log/ fmos, and / var/ log/ messages can be viewed using the fmos
logview command.
Log Files
Name Location
165 |
FMOS v9.8
Not e: Creating a support diagnostic package can also be done from FMOS Server Control Panel
and within the Administration module (Administration > Tools > Support Diagnostic > Export).
FMOS provides a feature called diagnostic packages that can be used to troubleshoot system issues,
including crashes, errors, and unexpected behavior. These packages can be created on any FMOS
installation and transferred to FireMon support for analysis.
Diagnostic packages are XZ-compressed tape archives (“tarballs”) encrypted with GPG using the
fmos-diag key. This allows them to be transferred and stored securely without having to manage
and exchange shared keys. The fmos-diag key has a lifetime of 5 years, and the public key is
distributed in the fmos-util package. As long as you keep your machine up-to-date within a margin of
a few years, there should never be any need to worry about keys.
2. At the prompt, to enter a ticket number to help associate the package with an open support
case. The value is free form, so any input will be accepted.
Not e: If you do not have an open case enter your organization's name.
166 |
FMOS v9.8
Not e: The rescue console is not available on appliances that do not have a directly attached
terminal.
l This will change the active terminal to tty9, where the rescue console is attached.
Because the rescue console provides access to sensitive system configuration, it is protected from
malicious activity by requiring an “unlock code” before allowing any changes to be made. The
unlock code is derived from information about the system and is thus unique for every appliance. It
is also time-based.
Please contact FireMon Support to request and receive the unlock code with the following
information:
l FMOS version
Caut ion! The rescue console will unconditionally exit 5 minutes after it has been unlocked.
1. After activating the rescue console and unlocking it with the correct code, select Reset User
Password.
2. Enter the user name of the user whose password is to be reset and confirm the request.
167 |
FMOS v9.8
Not e: You must enter a strong 8 character password at the prompt using upper and
lowercase letters, numbers, and symbols.
5. To return to the display after using the rescue console, press Alt +F1.
Not e: The FMOS rescue console can only reset passwords for local operating system users. It
cannot be used to reset the password for Security Manager accounts or for users in external
authentication systems (e.g. LDAP, RADIUS, etc.)
168 |
FMOS v9.8
Not e: It is recommended that all machines have at least two accounts with the
FMOS Administrator privilege assigned to it.
169 |
FMOS v9.8
170 |
FMOS v9.8
Next Steps
After completing an FMOS deplyment, you'll log in to the Security Intelligence Platform and open
the Administration module to upload your Security Manager license (and other licenses), add users
and user groups, set permissions, add devices, and a variety of other SIP-related tasks.