IPS 10.1 Product Guide RevO En-Us

Trellix Intrusion Prevention System 10.1
(Product Guide)
Revision O
COPYRIGHT
Copyright © 2022 Musarubra US LLC.

Trellix, FireEye and Skyhigh Security are the trademarks or registered trademarks of Musarubra US LLC, FireEye Security Holdings US LLC and their affiliates in the US and/or other countries. McAfee is the trademark or registered trademark of McAfee LLC or its subsidiaries in the US and/or other countries. Other names and brands are the property of these companies or may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE ENTERPRISE (MUSARUBRA US LLC) OR THE PLACE OF PURCHASE FOR A FULL REFUND.

2 Trellix Intrusion Prevention System 10.1


Contents

Quick Tour . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Trellix Intrusion Prevention System Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Ten Steps to using Trellix Intrusion Prevention System . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Basics of Using Trellix Intrusion Prevention System . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Setting up your Sensors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Establishing Sensor-to-Manager communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Configuring your deployment using the Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Updating your signatures and software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Tuning your deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Trellix IPS documentation set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Manager Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Trellix Intrusion Prevention System Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Trellix Intrusion Prevention System overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Getting familiar with Trellix IPS Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Manager Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Trellix IPS Protection Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Users and roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Dashboard tab overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Attack Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Threat Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Analyze Malware Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Analyze Callback Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Analyze High-Risk Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Using context-aware data for network forensics . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Analyze Endpoint Executables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Event reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Trellix Intrusion Prevention System Central Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
About Trellix Intrusion Prevention System Central Manager . . . . . . . . . . . . . . . . . . . . . . 446
Installing and Configuring Trellix IPS Central Manager . . . . . . . . . . . . . . . . . . . . . . . . 448
Synchronization of Managers with the Central Manager . . . . . . . . . . . . . . . . . . . . . . . 460
Monitoring Managers from Central Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Managing users in the Central Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
MDR support for the Central Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478

IPS Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483


Network security and Trellix Intrusion Prevention System . . . . . . . . . . . . . . . . . . . . . . . . . 483
Network security threats and trends . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Fortifying your network using Trellix Intrusion Prevention System . . . . . . . . . . . . . . . . . . . 487
What are attacks and intrusions? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
How Trellix IPS protects your network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Trellix IPS Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Trellix Intrusion Prevention System overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Trellix Intrusion Prevention System deployment - an overview . . . . . . . . . . . . . . . . . . . . . . . 502
Decide where to deploy Sensors and in what operating mode . . . . . . . . . . . . . . . . . . . . . 503
Sensor deployment modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
How to plan your IPS deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
Establish Sensor-to-Manager communication . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Configure your deployment using the Manager . . . . . . . . . . . . . . . . . . . . . . . . . . 533
View and work with data generated by Trellix IPS . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Tune your deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Update your signatures and software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
Configuring the monitoring and response ports of a Sensor . . . . . . . . . . . . . . . . . . . . . . . . 536
Configuration of device monitoring and response ports . . . . . . . . . . . . . . . . . . . . . . . 536
Hardware for monitoring ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Configuration of monitoring ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Configure response ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
View management port settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Deployment of Sensors in inline mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Benefits of running inline mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
Inline deployment walkthrough . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
Determine your high availability strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Setting up the Sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
Failover — Configuration of two Sensors in inline mode . . . . . . . . . . . . . . . . . . . . . . . 574
Fail-open operation in Sensors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
Evaluation of fail-open modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Physical description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Types of fail-open . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Configure fail-open kit model 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
Configure fail-open kits 6 thru 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Configure Active Fail-Open kits 12 thru 16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
Configure Active Fail-Open kits 18 and 19 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
Deployment scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
How to configure Sensors for high availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
Trellix IPS fail-over architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
Sensor fail-over implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
How to understand the current network topology . . . . . . . . . . . . . . . . . . . . . . . . . 633
Optimal Sensor location determination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
License requirement for NS9500 Sensor failover . . . . . . . . . . . . . . . . . . . . . . . . . . 639
License requirement for NS7500 Sensor failover . . . . . . . . . . . . . . . . . . . . . . . . . . 640
Configuration of the ports on each Sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
How dongles work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643
Installation of the Sensors physically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
How to define the Trellix Intrusion Prevention System fail-over pair . . . . . . . . . . . . . . . . . . . 648
Connecting heartbeat cables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
Verification of the fail-over configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652
How to understand virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
Network scenario without virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 654
Virtual IPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 654
Port versus interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658
Network scenario with virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658
Interface types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659
How policies are applied . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 676
Common use of VLAN, bridge VLAN, and CIDR interfaces . . . . . . . . . . . . . . . . . . . . . . . 678
Interface, VLAN, and CIDR limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678
Traffic statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678
Performance charts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687
Upload diagnostics trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
How to verify if traffic is flowing through the Sensor . . . . . . . . . . . . . . . . . . . . . . . . 692
Verification to check whether HA pair creation is successful . . . . . . . . . . . . . . . . . . . . . . 692
How to replace a Sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693

Trellix IPS policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
How policies are applied . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697
Configuration of policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
Components of an IPS policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702
Classification of attack definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
Severity level calculation of attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709
How to block attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712
Working with IPS policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
View attack set profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
Manage IPS policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724
Assign IPS policies at the admin-domain level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 764
Assign IPS policy to interfaces and subinterfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 764
Manage assigned policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767
Manage policy groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 775
How to export and import policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 784
Deploy pending changes to a device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 787
Response management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790
Response types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791
Simulated Blocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792
Packet logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
Alert notification options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794
Device Profiling and Alert Relevance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 816
Device Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 816
Alert relevance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 827
Advanced Malware Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 831
How an Advanced Malware policy works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 831
Advanced malware scanning timeout options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 841
Malware engine CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 842
Response actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 842
Add an Advanced Malware policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 843
Malware inspection on HTTP Upload requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 850
Malware engine updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
Manage Advanced Malware policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 862
Analyze Malware Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 864
Malware engine caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 872
Archive malware files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 872
File or content mismatch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 880
Advanced callback detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 881
How the Advanced Callback Detection Framework works . . . . . . . . . . . . . . . . . . . . . . . . . . 882
Define callback activity detection in an inspection option policy . . . . . . . . . . . . . . . . . . . . . . . . 908
Assign an inspection option policy to Sensor resources . . . . . . . . . . . . . . . . . . . . . . . . . . . 916
Manage callback detectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 917
Analyze Callback Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 920
CLI commands related to Advanced Callback Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . 932
Denial-of-Service attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 932
What is a Denial-of-Service attack? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 932
What is a Distributed Denial-of-Service attack? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 933
Evolution of Denial-of-Service attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 933
How a Denial-of-Service attack works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 933
DoS attacks defended against by Trellix IPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 934
DoS attack detection mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 939
Layer 7 DoS protection for web servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 955
Manage DoS attack definitions for an interface and a subinterface . . . . . . . . . . . . . . . . . . . . . . . 959
Denial-of-Service profile advanced scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 967
DoS attack prevention methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 974
Managing DoS-related actions using command line interface . . . . . . . . . . . . . . . . . . . . . . . . . 981
Connection Limiting policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 984
Working with Inspection options policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 998
Add an inspection options policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1000
Assign inspection options policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1012
Protecting web applications servers and inspecting HTTP traffic . . . . . . . . . . . . . . . . . . . . 1014
Inspection of SSL traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1023
SSL decryption support for NS-series and Virtual IPS Sensors . . . . . . . . . . . . . . . . . . . . 1023
Managing licenses for proxy based SSL decryption . . . . . . . . . . . . . . . . . . . . . . . . 1024
Supported cipher suites for proxy SSL inspection . . . . . . . . . . . . . . . . . . . . . . . . . 1028
Decrypting outbound SSL traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1030
Decrypting inbound SSL traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1050
Sensor limits for SSL flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1088
SSL Support in Sensor software releases . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1088
How Trellix identifies applications? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1089
Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1089
Applications-related terminologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1090
How application identification works? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1090
Firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1092
Types of Firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1093
Components of Firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1094
High-level steps for configuring Firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . 1098
Application identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1100
User-based access rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1105
Configure Firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1114
Using stateless access rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1190
How to view the details of matched traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1192
Firewall-related capacity values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1200
Quality of Service policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1204
Components of the QoS feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1205
How QoS works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1210
Considerations regarding rate limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1215
Configuring QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1217
Network scenarios for QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1280
How to create Ignore rules for an applied IPS policy . . . . . . . . . . . . . . . . . . . . . . . . . . . 1281
Configure alert suppression with packet log response . . . . . . . . . . . . . . . . . . . . . . . 1282
Auto-Acknowledgement of alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1284
Manage Ignore Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1287
Ignore rule creation interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1320
Stateless Scanning Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1323
Simulated Blocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1327
Quarantining hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1328
How Quarantine works? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1329
High-level steps for configuring Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . 1331
Considerations for Quarantine rule creation . . . . . . . . . . . . . . . . . . . . . . . . . . . 1332
Procedures for configuring Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1332
Browser redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1381
Quarantining virtual machines using third-party applications . . . . . . . . . . . . . . . . . . . . . . . 1383
High-level configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1384
How traffic between virtual machines is inspected? . . . . . . . . . . . . . . . . . . . . . . . . 1385
Considerations and requirements for inspecting VM traffic . . . . . . . . . . . . . . . . . . . . . 1386
Configure port-mirroring on the vSphere Distributed Switch . . . . . . . . . . . . . . . . . . . . . 1387
Inspect traffic using VMware applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1388
Configure the VM-Aware interface in the Manager . . . . . . . . . . . . . . . . . . . . . . . . 1390
How to view alerts related to VM traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1393
Check the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1394
Virtual Sensors and VM-Aware ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1395

Inspection of special traffic types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1396
IPS on double VLAN tagged traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1396
Tunneled traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1399
Jumbo frame parsing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1400
IPS for mobile networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1402
Parsing of GTP Tunneled traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1402
Monitoring subscriber and RADIUS accounting traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . 1407
Advanced Traffic Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1410
Configure Advanced Traffic Inspection at the interface or sub-interface level . . . . . . . . . . . . . . . . . . 1410
Layer 7 data collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1412
Enable Layer 7 Data Collection for an interface or subinterface . . . . . . . . . . . . . . . . . . . . . . . . 1413
CLI command for Layer 7 Data Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1417
Sensor performance with Layer 7 Data Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1417
Exporting Layer 7 data to NTBA appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1423
Configure the monitoring ports to export L7 data . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1423
Define the Layer 7 data to be exported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1423
IP Reputation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1424
Configure Endpoint Reputation for an admin domain . . . . . . . . . . . . . . . . . . . . . . . . . . . 1425
Configure Endpoint Reputation for an interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1428
Using a Sensor to capture data packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1430
Capture of data packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1430
IP spoofing detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1439
Enable IP address spoofing detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1440
Enable layer 2 settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1441
Enable Layer 2 Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1443
Layer 2 mode on drops at Switch/NIC ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1446
Detection of ARP spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1447
Exit layer 2 pass-through mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1448
Configure IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1448
Configure TCP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1451
How to counter SYN floods with SYN cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1454
Asymmetric traffic handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1454
Configuring non-standard ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1456
Define the non-standard ports at the domain and Sensor levels . . . . . . . . . . . . . . . . . . . . . . . 1456
Edit a non-standard port entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1458
Using context-aware data for network forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1459
Enable Network Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1462
Perform network forensics on an endpoint from the Analysis tab . . . . . . . . . . . . . . . . . . . . . . . 1463
Managing devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1467
Management of remote access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1467
Device Manager in Trellix IPS Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1481
Device Manager in Trellix IPS Central Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1495
View device summary details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1502
Monitoring Sensor Health . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1509
How to reboot devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1516
Add multiple user accounts to devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1518
Import a Sensor configuration file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1518
Export the Sensor configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1519
Enable Sensor CLI activity log events to the Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . 1520
Configure advanced device settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1521
Monitoring Sensor Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1523
How to configure and monitor device performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1523
View device performance settings summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1523
Enable device performance monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1524
Configure of metrics collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1530
Set thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1532
How to monitor the device performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1543

Custom Attack Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1551
Custom attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1551
Reasons to create your own attack definitions . . . . . . . . . . . . . . . . . . . . . . . . . . 1551
Types of custom attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1552
Trellix IPS signature terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1552
Custom attack editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1553
Getting started with custom attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1554
Before you create a custom attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1554
Required information for creating a custom attack . . . . . . . . . . . . . . . . . . . . . . . . 1554
Understanding impact packages and protocols . . . . . . . . . . . . . . . . . . . . . . . . . . 1555
How Trellix IPS prevents intrusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1555
Technical information references . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1556
Importance of testing custom attack definitions . . . . . . . . . . . . . . . . . . . . . . . . . 1557
Quick tour of the custom attack editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1557
Basics of the custom attack editor interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 1557
Default page of the Custom Attack Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1558
Attack creation interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1565
Other Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1575
Mechanics of a custom attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1590
Structure of a custom attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1591
Signature test reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1592
Performance issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1595
Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1595
Creating custom attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1595
Create custom attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1595
Templates for Trellix IPS custom attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1596
Create an exploit attack without template . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1605
Configure custom reconnaissance attack definition . . . . . . . . . . . . . . . . . . . . . . . . 1611
Regular expression language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1615
Limitations of a custom reconnaissance attack . . . . . . . . . . . . . . . . . . . . . . . . . . 1618
Mechanics of a Snort custom attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1618
Structure of a Snort custom attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1618
Structure of a Snort rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1619
Managing Snort custom attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1636
Snort Engines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1636
Best practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1643
Create Snort custom attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1643
Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1644
Define the Snort variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1644
Viewing the Snort variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1645
Identification of the protocol of a Snort custom attack . . . . . . . . . . . . . . . . . . . . . . . 1648
How to use Snort rules to detect IP communication between specific hosts . . . . . . . . . . . . . . . 1649
Write Snort custom attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1650
Saving the Snort custom attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1651
Save the qualified rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1652
Customizing the Snort rules attack responses . . . . . . . . . . . . . . . . . . . . . . . . . . 1652
Delete the Snort rules from the database . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1652
Common tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1653
How attacks are published in policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1653
Viewing a policy to verify inclusion of the attack . . . . . . . . . . . . . . . . . . . . . . . . . . 1653
Verify the inclusion of custom attack in IPS policies . . . . . . . . . . . . . . . . . . . . . . . . 1655
Add attack descriptions to the Attack Encyclopedia . . . . . . . . . . . . . . . . . . . . . . . . 1656
Compile the attack definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1659
Update the Sensor configuration to apply a policy . . . . . . . . . . . . . . . . . . . . . . . . . 1660

Custom attacks export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1661


Export the custom attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1662
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1662
Use case scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1662
Management of custom attacks from the Central Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . 1719
Important notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1720

CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1721


Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1721
About Trellix Intrusion Prevention System Sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1721
Issuing CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1721
CLI syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1724
Granular access control for CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1725
Log on to the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1736
Meaning of "?" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1736
IPS CLI Commands - Normal Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1737
accelerate-ftp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1737
accelerate-ftp status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1737
appidlog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1738
appidlog status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1738
arp delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1738
arp dump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1739
arp flush . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1739
arp spoof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1740
atdcache autopurge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1740
atdcache autopurge status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1740
auditlogupload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1741
checkmanagerconnectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1741
clear afo dst-mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1742
clear ssl proxy applog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1743
clear ssl proxy stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1743
clearmalwarecache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1743
clrstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1744
clrtsstats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1744
clear ssl proxy outbound urlcache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1744
commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1745
console eventlog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1745
debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1745
deinstall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1745
deletemgrsecintf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1746
deletesignatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1746
disconnectalertandpktlogchannels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1747
dnsprotect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1747
downloadstatus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1748
dumpappidlog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1749
exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1750
exportsensorcerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1750
exportsshpublickey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1750
factorydefaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1751
failovermode forward-peer-stp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1752
fwdump acl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1753
guest-portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1753
help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1754
importsensorcerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1754
importsshpublickey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1755
ipreassembly timeout forward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1755

latency-monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1756
latency-monitor enable action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1756
latency-monitor restore-inline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1757
latency-monitor sensitivity-level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1758
layer2 mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1758
loadconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1759
loadimage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1759
loadsavedimage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1760
loadsavedimagefrompeer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1760
logstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1760
malwarecache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1761
ntbastat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1761
ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1762
pktcapture-circular attack-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1763
pktcapture-circular force-stop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1764
pktcapture-circular intfport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1764
pktcapture-circular intfport-pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1765
pktcapture-circular stack-node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1766
pktcapture-force-stop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1767
pktcapture intfport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1768
pktcapture intfport-pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1769
pktcapture mgmt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1770
pktcapture stack-node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1771
pktcapturefile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1772
quit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1773
raidrepair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1773
reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1774
reconnectalertandpktlogchannels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1774
rescuedisk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1775
resetconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1775
secureerase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1776
sensor perf-debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1776
sensor perf-debug off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1777
sensor perf-debug status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1777
sensor-datapath-stat-analysis log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1777
sensor-datapath-stat-analysis show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1777
sensor-scan-during-update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1778
sensordroppktevent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1779
set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1779
set afo port-pair and dst-mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1780
set atdcachepurge interval hours . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1780
set autorecovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1781
set auxport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1781
set console timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1782
set debugmode passwd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1782
set dnsprotect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1783
set dospreventionseverity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1783
set dpimonitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1784
set dpimonitor-action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1784
set flowvolumelimit enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1784
set flowvolumelimit disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1785
set gam-airgap-network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1785
set gigfailopen disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1785
set gigfailopendelay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1785
set hypervisor server ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1786
set inactiveuserslock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1786

set intfport id flowcontrol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1786
set l2OnDrops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1787
set l2OnDrops sensitivity-level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1788
set manager alertport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1788
set manager alertport_RSA-2048-bit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1789
set manager installsensorport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1789
set manager installsensorport_RSA-2048-bit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1790
set manager ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1790
set manager logport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1791
set manager logport_RSA-2048-bit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1791
set manager secondary ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1792
set ma wakeup port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1793
set mgmtport auto . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1793
set mgmtport mtu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1793
set mgmtport speed and duplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1794
set mnsconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1794
set mnsconfig radiusLB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1795
set nmsuserwriteaccess . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1795
set portsettletime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1796
set scpserver ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1796
set sensor gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1796
set sensor gateway-ipv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1797
set sensor ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1797
set sensor ipv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1798
set sensor mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1799
set sensor name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1799
set sensor sharedsecretkey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1799
set sessionlimit timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1800
set sshinactivetimeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1801
set stack name WORD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1801
set syncookietcpreset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1801
set tacacsauthorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1802
set tcpudpchecksumerror drop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1802
set tcpudpchecksumerror forward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1803
set tftpserver ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1803
set userconfigvolumedosthreshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1804
set vlanbasedrecon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1804
setfailopencfg restore-inline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1805
setfailopencfg restore-inline-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1805
setfailopencfg internal/external-failopen bypass/inline . . . . . . . . . . . . . . . . . . . . . . . . . . . 1805
setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1806
show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1810
show acl profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1813
show acl stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1814
show afo status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1814
show arp spoof status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1815
show auditlog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1816
show auditlogtomgr status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1817
show auditlog status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1817
show autorecovery status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1817
show auxport status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1818
show botnet-alertstats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1818
show capacity mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1819
show castoreinfo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1820
show console timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1820
show coppersfpserialnumbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1821

show datapath-memory-usage stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1821
show dnsprotect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1821
show dnsprotectstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1822
show dospreventionprofile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1822
show dospreventionseverity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1823
show dpimonitor status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1824
show dpimonitor-action status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1824
show dxl status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1824
show eventlog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1825
showfailopencfg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1825
show failover-status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1826
show flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1826
show flowvolumelimit config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1827
show gam-airgap-network status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1828
show gam engine stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1828
show gigfailopendelay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1829
show gti config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1829
show gti stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1830
show inactiveuserslock status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1831
show inlinepktdropstats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1831
show ingress-egress stat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1834
show intfport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1834
show l2OnDropsConfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1836
show l7ae status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1836
show l7ddosstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1837
show layer2 forward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1837
show layer2 forward intfport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1838
show layer2 mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1838
show malwareenginestats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1839
show malwarefilestats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1842
show managercacertinfo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1844
show mem-usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1846
show mgmtport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1847
show mnsconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1849
show mvx config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1849
show mvx stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1850
show mvx status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1852
show netstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1852
show nmsuserwriteaccess status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1853
show outofcontext acllookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1853
show parsetunneledtraffic status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1853
show pktcapture status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1854
show pluggable-module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1856
show portsettletime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1856
show powersupply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1857
show previous256byteslogging status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1857
show raid status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1857
show rescueimages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1858
show respport r1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1858
show savedalertinfo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1859
show savedimages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1860
show sensorcacertinfo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1860
show sensordroppktevent status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1862
show sensor-load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1863
show sessionlimit timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1863
show snort config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1863

show sshaccesscontrol status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1864
show sshauth status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1864
show sshinactivetimeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1865
show sshlog status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1865
show sslcert-usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1865
show ssl config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1866
show ssl stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1867
show ssl stats inbound known-key agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1869
show sslagentaccesscontrol status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1870
show stack info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1870
show suricata sbstats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1871
show suricata enginestats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1872
show syncookietcpreset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1874
show syslog connection status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1874
show syslog profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1875
show syslog statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1875
show tacacs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1876
show tcpipstats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1876
show tcpudpchecksumerror . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1877
show tiestats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1877
show transceiver serial-number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1878
show urlrepstats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1879
show userconfigvolumedosthreshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1880
show userInfo stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1880
show vlanbasedrecon status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1881
shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1881
snmpv2Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1881
sshaccesscontrol resetlist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1882
sshd disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1882
sshd enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1883
sshlogupload WORD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1883
sshpasswdauth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1884
sslagentaccesscontrol resetlist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1885
status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1885
suricata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1887
traceupload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1887
vlanbridgestp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1888
watchdog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1888
IPS CLI Commands - Debug Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1889
40to10conversion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1889
aclstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1890
allow intfport id connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1890
arp static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1891
clr stack protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1891
clr stack stats otherNodePktsProcessed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1892
clrconnlimithost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1892
datapathstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1892
datapathstat intfport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1894
disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1895
dossampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1896
dossampling status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1896
downloadgamupdate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1896
dumpdebuglog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1897
dumpDevProfTableEntry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1897
dumpDevProfTableToLog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1897
dumpdgastats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1897

Trellix Intrusion Prevention System 10.1 13


Contents

filerep gti md5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1898


force_ssmode_trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1898
getauthstats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1899
getccstats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1900
getcestats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1904
getmdrinfo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1905
getplstats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1905
getsastats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1907
getscstats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1908
importcacertfile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1909
ipfragstats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1909
ipreassembly timeout millisecond . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1910
layer2 mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1911
layer2 mode deassert-all . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1911
l7dpstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1912
l7show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1912
loadbalance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1913
logShowCfg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1913
maidstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1914
matdChnstate WORD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1916
niantic_stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1916
niantic_stats-sec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1917
nsmChanState . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1918
ntbaChnstate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1918
packetcapture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1919
pptsetprioritytrafficratio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1919
reset debugmode passwd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1920
resetalertstats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1920
rspstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1920
sensor perf-debug show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1921
sensor perf-debug upload-protoStats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1922
set aidlog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1922
set auditlog-failure-respcfg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1922
set fe-switch-hardware-hashing-method . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1923
set gti filerep cert-check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1923
set gti filerep curl-verbose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1924
set gti filerep ro-flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1924
set gzip decode limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1925
set inline drop packet log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1925
set inline traffic prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1925
set intfport id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1925
set ipfrag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1926
set ipsforunknownudp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1926
set l3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1927
set l7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1927
set l7ddosresponse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1927
set loglevel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1927
set loglevel dos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1928
set loglevel dp WORD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1928
set loglevel mgmt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1928
set malware split session parsing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1929
set malwareEngine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1929
set malwareEngine gam clean-forward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1930
set mgmtprocessrestart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1930
set ms-office . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1931
set nianticrecovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1931

set outofcontext acllookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1931
set recon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1932
set sslDebug disable certid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1932
set sslDebug enable certid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1932
show 40to10conversion status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1933
show ab stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1933
show aidlog status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1934
show all syslog statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1934
show all datapath error-counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1936
show amchannelencryption status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1943
show attack count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1943
show auditlog-failure-respcfg status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1943
show botnet-usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1944
show boundarydcapmatchstats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1945
show connlimithost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1946
show connlimitstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1946
show datapath processunits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1947
show doscfg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1947
show feature status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1948
show fe-switch-hardware-hashing-method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1949
show gam scan stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1949
show geoloc v4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1950
show gti filerep status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1950
show http-ms decode stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1951
show ingress-egress stat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1951
show inline traffic prioritization status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1952
show ipsforunknownudp status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1952
show ipfrag status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1953
show l3 status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1953
show l7 status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1953
show l7dcap-usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1954
show l7ddosresponse status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1955
show layer2 portlevel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1955
show layer2 reason . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1955
show malwareclientstats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1956
show malwaredcapstats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1963
show malwareEngine status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1964
show malwareEngine gam clean-forward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1965
show malwareserverstats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1965
show matd channel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1973
show max cseg list count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1974
show mgmtcfg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1975
show mem-usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1980
show mgmtnetstats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1981
show mgmtprocessrestart status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1987
show msoffice-dfi stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1987
show nianticrecovery status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1987
show pktcapture status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1988
show prioritytraffic ratio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1990
show recon status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1990
show saved alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1991
show saved packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1991
show sbcfg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1991
show sensor health . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1996
show ssl stats sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1997
show stack protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1997

show stack stats otherNodePktsProcessed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1998
show startup stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1999
show static-arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1999
show statistics alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2000
show statistics icmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2000
show statistics ipfrag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2001
show statistics l4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2002
show statistics tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2003
show statistics udp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2004
show syslog profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2005
show xff-usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2005
switch matd channel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2006
tustat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2006
unknownapktocloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2007
Manager Shell Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2007
aide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2008
audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2008
audit restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2008
audit start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2008
audit status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2009
audit stop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2009
auditctl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2010
aureport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2010
ausearch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2011
autrace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2011
avvdat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2012
cat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2012
certtool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2013
clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2013
collect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2013
collect logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2014
copyCertsToSyslogDir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2014
cron . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2014
cron restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2015
cron start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2015
cron status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2015
cron stop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2016
crontab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2016
database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2016
database start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2017
database status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2017
database stop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2017
database shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2018
date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2019
deleteCerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2019
delete file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2019
delete temp file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2019
df . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2020
du . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2020
edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2021
env . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2021
exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2022
fdisk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2022
firewall_cmd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2022
firewalld . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2022
firewalld restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2023

firewalld start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2023
firewalld status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2023
firewalld stop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2024
free . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2024
head . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2024
history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2025
iptables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2025
journalctl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2026
kill . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2026
last . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2026
list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2027
logger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2027
lvextend . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2027
mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2027
manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2027
manager start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2028
manager status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2028
manager stop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2029
move automated backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2029
move manual backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2029
netstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2030
ntp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2030
ntp restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2030
ntp start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2031
ntp status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2031
ntpstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2031
ntp stop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2032
ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2032
postconf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2032
postfix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2033
postfix restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2033
postfix start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2033
postfix status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2033
postfix stop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2034
ps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2034
publicKeyAuth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2035
reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2036
reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2036
resize2fs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2037
run . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2037
scp from remote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2038
scp to remote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2038
set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2039
Set login banner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2039
set network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2040
set network configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2040
set network dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2042
set network domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2043
set network gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2043
set network hostname . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2044
set network ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2044
set network ntp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2044
set password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2045
set time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2045
show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2046
show arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2046

show backup log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2046
show clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2046
show database version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2047
show editables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2047
show executables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2047
show files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2048
show file systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2048
show java version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2049
show kernel version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2049
show log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2049
show log file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2050
show mail file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2050
show manager version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2050
show network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2051
show network dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2051
show network domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2051
show network gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2052
show network hostname . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2052
show network ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2052
show network ntp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2053
show network route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2053
show OS version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2053
show process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2054
show process monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2054
show syslogCerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2055
show system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2055
show system info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2056
show system memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2056
show system uptime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2058
show upgradeHistory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2058
show temp files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2059
show var log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2059
snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2060
snmp disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2060
snmp enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2061
snmp list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2061
snmp restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2061
snmp start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2062
snmp status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2062
snmp stop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2063
solr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2063
solr restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2063
solr start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2063
solr status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2064
solr stop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2064
shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2064
ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2065
syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2065
syslog restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2066
syslog start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2066
syslog status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2066
syslog stop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2067
system config backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2067
system config restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2067
tail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2068
tcpdump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2069

timedatectl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2070
top . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2070
traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2071
unzip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2071
upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2071
uvscan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2072
vgextend . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2073
watchdog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2073
watchdog start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2073
watchdog status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2074
watchdog stop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2074

Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2075


Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2075
Pre-installation checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2075
Manager version and its compatible Sensor software versions . . . . . . . . . . . . . . . . . . . . . . . . . . 2075
Cabling best practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2076
Hardening the MariaDB installation for Windows platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2076
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2077
Install a desktop firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2077
Harden the MariaDB installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2077
Other best practices for securing Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2080
Hardening the Manager Server for Windows platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2080
Pre-installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2080
Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2081
Post-installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2081
Hardening the Manager Server for Linux platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2088
Database maintenance best practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2093
Database maintenance best practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2093
Alerts and Disk space maintenance best practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2094
Viewing Manager server disk usage statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2095
Large Sensor deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2095
Staging Sensors prior to deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2096
Recommendations for large Sensor deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2096
Using active fail-open kits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2096
Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2098
Effective policy tuning practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2098
Analyzing high-volume attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2099
Managing ignore rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2099
Learning profiles in DoS attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2099
Response management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2100
Sensor response actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2100
How to create rule sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2101
Best methods for rule set creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2101
Working with firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2101
How to handle asymmetric networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2101
SSL best practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2103
Outbound SSL traffic best practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2104
Inbound SSL traffic best practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2107
Suricata Snort best practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2116
Sensor HTTP response processing deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2116
Tests for enabling HTTP response traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2117
Sensor performance with Layer 7 Data Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2119
NS-series Sensor capacity by model number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2125
NS9500 (stack and standalone) Sensor capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2125
NS9x00 Sensor capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2127
NS7500 Sensor capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2129
NS7x50 Sensor capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2131
NS7x00 Sensor capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2133
NS5x00 Sensor capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2135
NS3500 Sensor capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2136
NS3x00 Sensor capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2138
Virtual IPS Sensor capacity by model number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2139
Comparison between M-1250/M-1450, NS3100/NS3200, and NS3500 FE ports . . . . . . . . . . . . . . . . . 2141

Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2145
Troubleshooting Trellix Intrusion Prevention System . . . . . . . . . . . . . . . . . . . . . . . . . . 2145
Before you start troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2145
Simplifying troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2145
Issues and status checks for the Sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2146
Issues and status checks for the Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2164
Issues and status checks for the Sensor and Manager in combination . . . . . . . . . . . . . . . . . 2175
Issues and status checks for the Sensor and other devices in combination . . . . . . . . . . . . . . . . 2183
Issues and status checks for 10G/40G Active Fail-Open Bypass Kit . . . . . . . . . . . . . . . . . . . 2190
Integration Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2198
Performance issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2202
Sniffer trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2202
Data link errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2203
Determine false positives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2203
Reduce false positives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2203
Tune your policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2203
System Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2205
System fault messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2210
Manager faults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2211
Sensor faults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2223
NTBA faults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2238
Troubleshooting scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2240
Network outage due to unresolved ARP traffic . . . . . . . . . . . . . . . . . . . . . . . . . . 2240
Delay in alerts between the Sensor and Manager . . . . . . . . . . . . . . . . . . . . . . . . . 2243
Sensor-Manager Connectivity Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2246
Wrong country name in IPS alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2248
Wrong country name in ACL alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2252
Using the InfoCollector tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2253
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2253
How to run the InfoCollector tool in Windows based Manager . . . . . . . . . . . . . . . . . . . . 2254
How to run InfoCollector in Linux based Manager . . . . . . . . . . . . . . . . . . . . . . . . . 2256
Automatically restarting a failed Manager with Manager Watchdog . . . . . . . . . . . . . . . . . . . . . 2257
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2258
How the Manager Watchdog works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2258
Install the Manager Watchdog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2258
Start the Manager Watchdog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2258
Use the Manager Watchdog with Manager in an MDR configuration . . . . . . . . . . . . . . . . . . 2259
Track the Manager Watchdog activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2259
Utilization of the Trellix Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2260

Index 2263

1 | Quick Tour

Quick Tour

Trellix Intrusion Prevention System Overview


Trellix Intrusion Prevention System [formerly McAfee® Network Security Platform] is a combination of network appliances and
software that accurately detects and prevents intrusions, denial of service (DoS) and distributed denial of service (DDoS)
attacks, and network misuse. Trellix Intrusion Prevention System combines real-time intrusion detection and prevention for the
most comprehensive and effective network security system.

The following table describes the figure in detail.

Item Description
1 Trellix Intrusion Prevention System Manager
2 Trellix Intrusion Prevention System Sensor
3 Trellix IPS Update Server
4 Web clients accessing the Manager server
5 Manager Disaster Recovery (MDR) server
6 Alert notification - email, pager, and script generation

Ten Steps to using Trellix Intrusion Prevention System

Step 1 Install the Manager software.
Install the Trellix Intrusion Prevention System Manager software on the server machine and ensure that you are
able to log onto the Manager.
For details, see Trellix Intrusion Prevention System Manager Installation Guide.

Step 2 Set up and configure the Sensor(s).
Cable and install your Trellix Intrusion Prevention System Sensor(s) using a command line interface (CLI) and the
Trellix IPS Manager.
For details, see Trellix Intrusion Prevention System Manager Installation Guide.

Step 3 Establish trust between the Manager and the Sensor(s).
The Trellix IPS Sensor initiates all communication with the Manager server until secure communication is
established between them. Later, configuration information is pushed from the IPS Manager to the IPS Sensor.
• Verify on the appliance CLI that the Sensor has established communication with the Manager.
• Verify in the Manager GUI that a node representing the Sensor appears in the Resource Tree under the Device
List.
For details, see Trellix Intrusion Prevention System Manager Installation Guide.

Step 4 Configure policies in the Manager.
Determine the IPS policies applicable to your network. Use the Manager GUI to set up policies. By default, the
provided Default policy is applied to all of your Sensor ports. You can choose a specific policy to apply by default
to the Root Admin Domain (and thus all monitoring interfaces on the Sensor).
For details, see Trellix IPS policies on page 696.

Step 5 Configure the Update Server and download the latest signature sets.
For your Trellix IPS to properly detect and protect against malicious activity, the Manager and the Sensors must
be frequently updated with the latest signatures and software patches, which are made available to you
via the Update Server.
Authenticate your credentials with the Update Server and download the latest signature set for your Trellix IPS
deployment.
For details, see Trellix IPS Protection Status on page 57.

Step 6 View alerts.
The Attack Log page displays detected security events that violate your configured security policies. The page
also provides powerful drill-down capabilities to enable you to see details on a particular alert, such as its type,
source and destination addresses, and packet logs where applicable.
View the alerts periodically and perform forensic analysis on the alerts to help you tune Trellix IPS and provide
better responses to attacks.
For details, see Attack Log on page 318.

Step 7 Tune your Trellix IPS deployment.
Once you have configured and started using Trellix IPS, you can further enhance your deployment using the
Manager GUI by utilizing some of the more advanced features, such as changing your deployment mode,
creating multiple admin domains, defining specific user roles, applying multiple policies to multiple domains,
and so on.
For details, see Getting familiar with Trellix IPS Manager on page 37.

Step 8 Check the system faults status.
The system faults monitor in the Manager details the functional status for all of your installed Trellix IPS system
components. Check the faults at regular intervals to view messages that detail system faults experienced by
your Manager, appliances, or database.
For details, see Monitoring System Faults on page 285.

Step 9 Block malicious or unwanted traffic.
Analyze the attacks that your network is receiving on a regular basis and take action, which can range from
analyzing the impact and modifying policies to blocking specific traffic from transmitting through your system.
For details, see Trellix IPS policies on page 696.

Step 10 Generate Reports.
The Report Generator enables a user to generate reports for the security events detected by the system and
reports on system configuration. Configure your report settings to generate reports manually or automatically,
save them for viewing later, and/or email them to specific individuals.
For details, see Report Generation on page 194.

Basics of Using Trellix Intrusion Prevention System


This section provides a high-level overview of how to use Trellix IPS.

The process of setting up and running Trellix IPS falls into some basic stages as given below:


Task
1 Deciding where to deploy Sensors and in what operating mode

2 Setting up your Sensors

3 Establishing Sensor-to-Manager communication

4 Configuring your deployment using the Manager

5 Updating your signatures and software

6 Viewing and working with data generated by Trellix IPS

7 Tuning your deployment


Each of these stages consists of a number of tasks; some are simple, some are complex. You will generally perform steps 1
through 3 only once per Sensor.

Setting up your Sensors


The process of setting up a Sensor is described below at a high level.

Task
1 Position the Sensor.
• Unpack the Sensor and place on a sturdy, level counter top.

• Attach the provided rack mounting ears to the Sensor.

• Install the Sensor in a rack. Sensors are either 1 or 2 RU, depending on model.
For detailed instructions on these tasks, see your Sensor model's Trellix Intrusion Prevention System Product Guide.

2 Install any additional hardware.


• If your Sensor has Gigabit Ethernet (GE) Monitoring ports, install GBICs or XFP or SFP modules (not included) in the
Sensor's GE ports.

Note
Use only XFP or SFP modules and GBICs purchased either from Trellix or from an approved vendor. For a list of approved vendors,
please see our website.

• (Optional) If you have purchased a redundant power supply for your Sensor, install the power supply. Sensors that
support a redundant power supply ship with only one power supply; the other must be purchased separately from
Trellix. Other Sensor models have an internal power supply.

3 Cable the Sensor for configuration.


• Attach network cables to the Sensor as described in the Sensors Trellix Intrusion Prevention System Product Guide. You
must first cable the Sensor to communicate with the console machine you will use to initialize the Sensor and then with
the Manager server for Sensor configuration. You can cable the Sensor detection and response ports at a later time.

• Power on the Sensor to start initialization.

Establishing Sensor-to-Manager communication


The process of establishing communication between a Sensor and the Manager is described below at a high level.

Task
1 Set up the Manager software on the server machine.
• Install the Manager software on the server machine. This process is described in detail in the Trellix Intrusion Prevention
System Installation Guide.

• Start the Manager as described in the Trellix Intrusion Prevention System Installation Guide. You can establish
communication with a Sensor from the Manager server or from a remote client machine connected to the Manager
server via any web browser.

• You can choose a specific policy to apply by default to the root admin domain (and thus to all monitoring interfaces on
the Sensor).

Whatever policy you have specified will apply until you make specific changes; this policy gets you up and running quickly.
Most users tune their policies over time to best suit their environments and reduce the number of irrelevant alerts.

Note
By default, the Default Prevention policy is applied to all of your Sensor ports. Note that this policy's behavior is to automatically block
certain attacks upon detection. For more information on other provided policies, see Trellix IPS policies in the IPS Administration section.

Open the Sensors tab in the Device Manager page and add a Sensor, providing the Sensor with a name and a shared secret key
value. For instructions on how to open the Sensors tab in the Device Manager page, see the IPS Administration section. For
instructions on how to add a Sensor to the Manager, see Trellix Intrusion Prevention System Installation Guide.

2 Configure the Sensor.


From a console connected physically or logically to the Sensor, configure the Sensor with network identification information
(that is, an IP address, the IP address of the Manager server, and so on), and configure it with the same name and shared
secret key value you provided in the Manager. For more information on Configuring the Sensor using the Sensor CLI, see
the CLI commands section.

3 Verify communication between the Sensor and the Manager.


There are three ways to check that the Sensor is configured and available:

• In the Manager Dashboard, check the System Faults. (See if the Sensor is active. If the link is yellow, click on the cell to
see the System Faults on the Sensor.) For more information, see the Manager Administration section.

• In the Manager, click Devices | <Admin Domain Name> | Devices | <Device Name> | Setup | Physical Ports |
Monitoring Ports. Look at the color of the button(s) representing the ports on the Sensor, and check the color legend on
the screen to see the status of the Sensor's ports. For more information on this process, see the Manager Administration
section.

• Type status in the Sensor command line interface (CLI). Check the following line:
trust established between sensor and manager = yes

If the answer is no, recheck that your Sensor name and shared secret are the same on both the Sensor and the
Manager.

4 Troubleshoot any problems you run into.


If you run into any problems, check your configuration settings and ensure that they are correct. For troubleshooting tips,
see the Troubleshooting section.


5 Verify the monitoring mode of the ports on your Sensor.


Your IPS Sensor ports are configured by default for monitoring in Default Prevention mode; that is, connected in-line on a
network segment (for example, between a switch and a router or two switches). If you've cabled the Sensor to monitor in
another monitoring mode, check your settings to make sure everything is correct. Some users choose instead to monitor in
SPAN mode at first, and move to tap and/or in-line mode later.
For more information on verifying port configuration, see Trellix Intrusion Prevention System Installation Guide.

Configuring your deployment using the Manager


Once you're up and running and reviewing the data generated by the Manager, you can further configure it. For example, you
can do the following:

• Apply security policies to each interface of your multi-port Sensor (instead of the Default Inline IPS policy applied to all
interfaces): You can ensure all of your interfaces deploy policies specifically for the areas of your network they are
monitoring. For example, you can apply the Web Server policy to one interface, the Mail Server policy to another, and the
Internal Segment policy to another, and so on. For more on the policies, see the section Trellix IPS policies on page 696.

• Configure responses to alerts: Developing a system of actions, alerts, and logs based on impact severity is recommended
for effective network security. For example, you can configure Trellix IPS to send a page or an email notification, execute a
script, disconnect a TCP connection, send an ICMP Host Not Reachable message to the attack source for ICMP transmissions,
or send a block address filter to a host.
• For information on response actions, see the section Sensor response actions on page 2100.

• For information on configuring a pager, email, or script notification for alerts, see the section Alert notification options
on page 135.

• For information on configuring a quarantine response, see the section Quarantining hosts on page 1328.

• You can also send SNMP traps to a third-party management system. For more details, see the sections Forward alerts to
an SNMP server on page 136, and Forward faults to an SNMP server on page 151.

• Filter alerts: An ignore rule limits the number of alerts generated by the system by excluding certain source and
destination IP address parameters. If these address parameters are detected in a packet, the packet is not analyzed further
(and is automatically forwarded when in Inline Mode). For more information on ignore rules, see Trellix Intrusion Prevention
System Product Guide.

• View the system's health: The Faults tab in the Logs page details the functional status for all of your installed Trellix IPS
system components. Messages are generated to detail system faults experienced by your Manager, Sensors, or database.
For more information, see the Manager Administration section.

• View a Sensor's performance: The Devices | <Admin Domain Name> | Global | Common Device Settings |
Performance Monitoring | Summary action enables you to view performance data for a Sensor. The data collected is a
reflection of the traffic that has passed through the Sensor. For more information, see Manager Administration section.

• Back up all or part of your Manager configuration information to your server or other location. For more information, see
the section Backing up data and settings on page 250.

Updating your signatures and software


An essential element to a reliable IPS is updating the system signature and software images. Trellix periodically releases new
Manager software, Sensor signature and software images, and makes these updates available via the Update Server.


Field Description
1 Trellix IPS Update Server
2 Internet
3 IPS Manager Server
4 PC/TFTP server
5 Import/disk
6 IPS Sensor

There are several options for loading updates to your Manager and Sensors.

Task
1 Download latest software and signature updates from the Update Server to your Manager.
You can use the Manager interface to download Sensor software and signature updates from the Update Server to the
Manager server, and then download the updates to the Sensor.

2 Import update files from a remote workstation to your Manager.


If your Manager server is not connected to the Internet, you can download signature and software updates from the
Download Server to any host by doing one of the following:
• Download the update to a host, then log in to the Manager and import the update to the Manager server. You can then
download the update to the Sensor.

• Similar to above, download the update from the Download Server to any host, put it on a disk, take the disk to the
Manager server, and then import the update and download it to the Sensor.

For more information, see Trellix Intrusion Prevention System Product Guide.


3 Download software from the Update Server to a TFTP client and then download to a Sensor.
You can download software images from the Download Server onto a TFTP server, and then download the software directly
to the Sensor using Sensor CLI commands. This is useful if you are unable or prefer not to update Sensor software via the
Manager. This method is described in the Trellix Intrusion Prevention System Installation Guide.

Tuning your deployment


Once you become familiar with the basics of the Manager, you can further enhance your deployment by using some of the
more advanced features. Trellix IPS is an extremely complex system and can be tuned on a highly granular level. You might try
working with some of the following features as you tune your system:

• Cloning and modifying a provided policy. For more details, see the section Working with IPS policies on page 715.

• Creating Firewall policies to block specific traffic or pass specific traffic without sending it through the intrusion detection
engine. For more details, see the section User-based access rules on page 1105.

• If you have started out in SPAN mode, you might try taking advantage of Trellix IPS prevention capabilities by deploying your
Sensor to monitor traffic in in-line mode. For more details, see the section Deployment of Sensors in in-line mode on page
513.

• Adding users and assigning management roles. See the section Management of users and user roles on page 82 for more
details.

• Adding administrator domains for resource management. See the section Create an admin domain on page 96 for details.

• Changing your interface type to CIDR or VLAN depending on your network configuration. See the section Managing
interfaces on page 521 for more details.

Trellix IPS documentation set


The Trellix Intrusion Prevention System product documentation is available on the Trellix Documentation Portal and Trellix
Download Server.

The Trellix IPS documentation set is designed to provide you with the information you need during each phase of the product
implementation from evaluating a new product to maintaining existing ones. After the product is released, additional
information regarding the product is entered into the online Knowledge Base available on Trellix Service Portal.

Refer to the following tables for a list of Trellix IPS software and hardware documentation:


Table 1-1 Trellix IPS software documentation

Guide Description

Installation Guide System requirements, installation of the Manager software, management of IPS Sensor/failover pairs,
and upgrade steps

Product Guide
• A high-level view of how to interact with Trellix IPS
• Management of devices, such as IPS Sensors and NTBA Appliances
• Obtaining updates from the Trellix IPS Update Server
• Monitoring alerts and hosts on your network
• In-depth details for inline mode configuration
• Management of admin domains, users, and roles
• Configuration of MDR
• Definition of failover pairs
• Various IPS features supported up to the latest Trellix IPS release
• Achieving virtualization using IPS Sensor
• Creation of custom attacks and signatures using the Custom Attack Editor
• Generation of reports
• Import of Snort signatures
• Troubleshooting techniques for Trellix IPS
• Recommended practices for using Trellix IPS most effectively
• List of all public and debug CLI commands for IPS Sensors
• Initialization, upgrade or replacement of a Sensor, troubleshooting an issue, and performance
monitoring for the Sensor
• Viewing the system health status of your Trellix IPS components
• Configuration and management of Trellix Intrusion Prevention System Central Manager
• Management of policies and rule sets
• Management of ignore rules

Integration Guide Integration with:
• ePolicy Orchestrator
• Global Threat Intelligence
• Multi-Vector Virtual Execution Engine
• Trellix Intelligent Sandbox
• Threat Intelligence Exchange
• Vulnerability Manager
• Host Intrusion Prevention
• Logon Collector
• HP Network Automation
• Third party SIEM products

Manager API Reference Guide Application Programming Interface (API) framework for external applications to access core IPS
functionalities through the REST protocol.


Table 1-2 Trellix IPS hardware documentation

Guide Models

Manager Appliance Product Guide
• MLOS
• Windows Operating System

NS-series Sensor Product Guide NS9500, NS9x00, NS7500, NS7x50, NS7x00, NS5x00, NS3500, and NS3x00

NS-series Reference Guide
1 NS-series Interface Modules
2 NS-series Transceiver Modules
3 NS-series Sensors DC Power Supply Installation

Fail-Open Kit Product Guide
• 100 Gigabit Modular Active Fail-Open Bypass Kit
• 40 Gigabit Modular Active Fail-Open Bypass Kit
• 1/10 Gigabit Modular Active Fail-Open Kit
• 1/10 Gigabit Modular Passive Fail-Open Kit
• 40 Gigabit Active Fail-Open Bypass Kit Guide
• 10/100/1000 Copper Active Fail-Open Bypass Kit with SNMP
• 10/100/1000 Copper Active Fail-Open Bypass Kit
• 1 Gigabit Optical Active Fail-Open Bypass Kit
• 10 Gigabit Optical Active Fail-Open Kit
• 10/100/1000 Copper Passive Fail-Open Kit
• 1 Gigabit Optical Passive Fail-Open Bypass Kit
• 10 Gigabit Optical Passive Fail-Open Kit

2 | Manager Administration

Manager Administration

Trellix Intrusion Prevention System Manager

Trellix Intrusion Prevention System overview


Trellix Intrusion Prevention System [formerly McAfee® Network Security Platform] is a combination of network appliances and
software built for the accurate detection and prevention of intrusions, denial of service (DoS) attacks, distributed denial of
service (DDoS) attacks, malware download, and network misuse. Trellix Intrusion Prevention System provides comprehensive
network intrusion detection, and can block or prevent attacks in real time, making it truly an intrusion prevention system (IPS).

Trellix IPS components

The following are the major Trellix Intrusion Prevention System components for IDS and IPS:

• Trellix Intrusion Prevention System Sensor

• Trellix Intrusion Prevention System Manager, with its Web-based graphical user interface

Trellix IPS Sensors


Trellix IPS Sensors are high-performance, scalable, and flexible content processing appliances built for the accurate detection
and prevention of intrusions, misuse, malware, denial of service (DoS) attacks, and distributed denial of service (DDoS) attacks.
Sensors can be physical or virtual appliances. IPS Sensors are specifically designed to handle traffic at wire-speed, efficiently
inspect and detect intrusions with a high degree of accuracy, and are flexible enough to adapt to the security needs of any
enterprise environment. When deployed at key network access points, a Sensor provides real-time traffic monitoring to detect
malicious activity and respond to the malicious activity as configured by the administrator.

Once deployed and the communication is established, Sensors are configured and managed through the Manager server.

• In this chapter, the term Sensor applies to both physical as well as Virtual IPS Sensors unless otherwise specified.

• In this guide, the term Sensor resources refers to the monitoring ports, interfaces, and subinterfaces of a physical or a Virtual
IPS Sensor.

Sensor functionality

The primary function of a device is to analyze traffic on the selected network segments and to respond when an attack is
detected. The device examines the header and data portion of every network packet, looking for patterns and behavior in the
network traffic that indicate malicious activity. The device examines packets and matches the packets against the applied
policies. These policies determine what attacks to watch for, and how to respond with countermeasures if an attack is detected.

If an attack is detected, a physical or a Virtual IPS Sensor responds according to its configured policy. A Sensor can perform
many types of attack responses, including generating alerts and packet logs, resetting TCP connections, “scrubbing” malicious
packets, and even blocking attack packets entirely before they reach the intended target.


In addition to its primary function of preventing exploit, recon, and DoS attacks, a Sensor can also do the following:

• Detect malware— A Sensor uses various methods to inspect files being downloaded for embedded malware. If malware
is detected, the Sensor blocks the download and takes further response actions.

• Enforce Firewall access rules— You can define Firewall access rules (similar to ACLs) in the Manager. Then you can
configure a Sensor to enforce these rules on your network.

• Provide and facilitate Quality of Service (QoS)— You can configure a physical Sensor to provide QoS using the rate
limiting technique. Additionally, a physical Sensor can facilitate Differentiated Services and IEEE 802.1p by differentiating
traffic and tagging them accordingly.

• Provide connection limiting services— Depending on how you configure it, a Sensor can limit the number of connections a host
can establish. One of the advantages of connection limiting is that it can minimize connection-based DoS attacks.

• Export NetFlow data— If Network Threat Behavior Analysis (NTBA) is deployed, you can configure a Sensor to export
NetFlow data to the NTBA Appliance.

Sensor platforms

Trellix IPS offers several types of Sensor platforms providing different bandwidth and deployment strategies.

• M-series: M-8000, M-6050, M-4050, M-3050, M-2950, M-2850, M-1450, and M-1250

• NS-series: NS9500, NS9300, NS9200, NS9100, NS7500, NS7350, NS7250, NS7150, NS7300, NS7200, NS7100, NS5200,
NS5100, NS3500, NS3200, and NS3100

• Virtual IPS Sensors: IPS-VM600

Trellix IPS Manager components


The term Manager refers to the hardware and software resources used to configure and manage Trellix IPS. The IPS Manager
consists of the following components:

• Manager server platform

• The Manager software

• A back-end database that is installed along with the Manager

• A connection to Trellix IPS Update Server

• Signature Set

Manager server platform

The Manager server platform hosts the Manager software and the Manager database. It is a server running an operating
system specified in the Trellix Intrusion Prevention System Installation Guide. You can remotely access the Manager user
interface from a client machine using a browser. Refer to the Trellix Intrusion Prevention System Installation Guide for the
supported browsers and the supported client operating systems.

Sensors use a built-in 10/100 Management port to communicate with the Manager server. You can connect a segment from a
Sensor Management port directly to the Manager server; however, this means you can only receive information from one
Sensor (typically, your server has only one 10/100 network port). During Sensor configuration, you establish communication
between your Sensors and your Manager server.


Manager software

The Manager software has a web-based user interface for configuring and managing Trellix IPS. Users connect to the Manager
server from a supported client using a supported browser, the details of which are in the Trellix Intrusion Prevention System
Installation Guide. The Manager functions are configured and managed through a GUI application, which includes
complementary interfaces for alerts, system status, system configuration, report generation, and fault management. All these
interfaces are logically part of the Manager program.

The Manager user interface has five main tabs:

• Dashboard — The Dashboard is the first page displayed after the user logs on to the system. The options available within
the page are determined by the current user's assigned roles. The Dashboard lets you view all the critical information
regarding your Trellix IPS deployment on a single page and is highly configurable: you can choose the information to
display, the time frame it covers, the frequency with which the Dashboard auto-refreshes, and so on. All this information
can be scoped to a particular admin domain; select the admin domain from the Domain drop-down list to display data for
that domain.
Some of the information displayed on the Dashboard includes:

• Release announcements

• The malicious activities seen most frequently on your network, such as the most downloaded malware, the most
callback activity, the most targeted hosts, the most detected attacks, and so on

• System faults of Trellix IPS components, showing whether they are all functioning properly, the number of
unacknowledged alerts in the system, and the configuration options available to the current user

• Manager-related details, such as the version, signature set version, users logged on to the Manager, and so on

• Whether the devices are up to date

• Analysis — This tab presents the options through which you can view the granular details of all the malicious activities on
your network, providing the critical information needed for further analysis within the selected admin domain.
One of the key options on the Analysis tab is the Attack Log, which displays the alerts triggered by the Sensors. The Attack
Log page displays the hosts detected on your network as well as the detected security events that violate your configured
security policies. The Attack Log provides drill-down capabilities that let you see all the details of a particular alert,
including its type, source and destination addresses, and packet logs where applicable.

• Policy — All the major features in Trellix IPS are policy based. For example, to block exploit and recon attacks you use the
IPS and recon policies; for the Firewall you use Firewall policies; for QoS you use QoS policies; and so on. The Policy tab
provides the options to manage all these policies and related functionality.

• Devices — You can use the same instance of the Manager to manage both physical and virtual devices. The Devices tab
provides all system configuration options and facilitates adding and configuring your devices: Sensors, NTBA Appliances,
HA pairs of Sensors, and so on. This tab also provides configuration options on a per-device basis. Access to these
activities, and to administrative domains, attack policies and responses, user-created signatures, and system reports, is
based on the current user's roles and privileges.

• Manager — This tab provides the configuration options related to the Manager software. This includes managing
administrative domains, users, and roles; downloading signature sets and other software such as Sensor software;
integrating the Manager with other Trellix products; maintenance activities such as database backups; and so on.


Other key features of Manager include:

• Integration with other Trellix products — You can integrate Trellix IPS with other Trellix products to provide you with a
comprehensive network security solution.
• McAfee ePolicy Orchestrator — McAfee ePolicy Orchestrator (ePO) is a scalable platform for centralized policy
management and enforcement of your system security products, such as anti-virus, desktop firewall, and anti-spyware
applications. You can integrate Trellix IPS with McAfee ePO 5.0 and above. The integration enables you to query the
McAfee ePO server from the Manager for viewing details of a network host.

• McAfee® Host Intrusion Prevention — McAfee Host Intrusion Prevention (HIP) is a host-based intrusion prevention
system that prevents external and internal attacks on the hosts in the network, thus protecting the services and
applications running on them. Trellix IPS integrates with McAfee Host Intrusion Prevention version 7.0 and above.

• McAfee® Vulnerability Manager — Vulnerability assessment is an automated process of proactively identifying
vulnerabilities in the computing systems on a network to determine security threats. Trellix IPS integrates with McAfee
Vulnerability Manager to import Vulnerability Manager scan data into the Manager, so that the relevance of IPS event
data is updated automatically against the known vulnerabilities of the target host. You can view the scan details in the
Attack Log page. This gives security administrators near real-time access to host vulnerability details and a sharper
focus on critical events. You can initiate an on-demand scan for an IP address from the Threat Explorer.

• Trellix Global Threat Intelligence — Trellix Global Threat Intelligence (formerly McAfee® Global Threat Intelligence™) is a
global threat correlation engine and intelligence base of global messaging and communication behavior including
reputation, volume, trends, email, web traffic and malware. By having Trellix Global Threat Intelligence integration, you
can report, filter, and sort hosts involved in attacks based on their network reputation and the country of the attack
origin.

For more information on all the above mentioned integration options, see Trellix Intrusion Prevention System Integration
Guide.

• Integration with third-party products — Trellix IPS enables the use of multiple third-party products for analyzing faults,
alerts, and generated packet logs.
• Fault/Alert forwarding and viewing — You can forward all fault management events and actions, as well as IPS alerts,
to a third-party application. This lets you integrate with third-party products that provide trouble ticketing, messaging,
or any other response tools you want to incorporate. Faults and alerts can be forwarded in the following ways:
• Syslog Server — forward IPS alerts and system faults

• SNMP Server (NMS) — forward IPS alerts and system faults

• Java API — forward IPS alerts

• Packet log viewing — View logged packets/flows using third-party software, such as Wireshark.

Manager database

The Manager server operates with an RDBMS (relational database management system) for storing persistent configuration
information and event data. The compatible database is MariaDB. Refer to the Trellix Intrusion Prevention System Installation
Guide for the current version of MariaDB.

The Manager server includes a database that is installed (embedded) on the target Windows server during Manager software
installation.

The database can be tuned on-demand or by a set schedule through the Manager user interface configuration. Tuning
promotes optimum performance by defragmenting split tables, re-sorting and updating indexes, computing query optimizer
statistics, and checking and repairing tables.


Signature Set
A signature set is a comprehensive set of attack definitions developed and provided by Trellix Labs. An attack definition
contains one or more signatures, which indicate suspicious or malicious activity. These signatures are matched against traffic
passing through the Sensor monitoring ports.

Each attack definition can be configured to perform response actions such as sending an alert to the Manager, dropping traffic,
capturing packets, or generating an email. The signature set is used to detect threats and anomalies in the network traffic.

Signature sets are available in Trellix IPS Update Server (Update Server). Trellix regularly updates the signature set with latest
attack definitions which you can download from the Update Server.

The threat landscape is constantly evolving, and new attacks are regularly added to the signature set to keep the network
protection up-to-date. The attack definitions in the signature set are categorized as high, medium, and low priority attacks. This
helps optimize Sensor resources on older Sensor models and Sensors running older software versions, thereby protecting
against the most critical and relevant attacks.

Based on the priority attribute configured for the Sensor models, the Manager dynamically compiles the signature set using the
current signature set version available in the Manager. The corresponding set of attack definitions are then pushed to the
Sensors.

The NS-series and Virtual IPS Sensor models support high, medium, and low priority attack definitions, thereby providing
complete attack coverage. The M-series Sensor models support high and medium priority attack definitions which optimizes
Sensor resources.


The availability of attack definitions in the signature set is based on Sensor models:

                                                Signature Set Attack Priorities
Sensor Models                                   High Only   High and Medium Only   All

NS-series:                                      Yes         Yes                    Yes
  • NS9500 standalone and stack
  • NS9300, NS9200, and NS9100
  • NS7500
  • NS7350, NS7250, and NS7150
  • NS7300, NS7200, and NS7100
  • NS5200 and NS5100
  • NS3500
  • NS3200 and NS3100

Virtual IPS:                                    Yes         Yes                    Yes
  • IPS-VM600
  • IPS-VM600-VSS

M-series:                                       Yes         Yes                    No
  • M-8000XC and M-8000
  • M-6050, M-4050, and M-3050
  • M-2950 and M-2850
  • M-1450 and M-1250

Note
Sensor software versions 9.2 and 10.1 are not supported on the M-series Sensor models. However, you can manage M-series Sensors
running an older software version using Manager version 9.2 or 10.1. To secure your network with the complete signature set, Trellix
recommends that you migrate your M-series Sensors to the latest NS-series or Virtual IPS Sensors.

Trellix IPS Update Server


For your Trellix IPS to properly detect and protect against malicious activity, the Manager and Sensors must be frequently
updated with the latest signatures and software patches. The Trellix IPS team constantly researches and develops
performance-enhancing software and attack-detecting signatures that combat the latest in hacking, misuse, and denial of
service (DoS). When a severe-impact attack occurs that cannot be detected with the current signatures, a new signature update
is developed and released. Since new vulnerabilities are discovered regularly, signature updates are released frequently.

New signatures and patches are made available to customers via the Trellix IPS Update Server (Update Server). The Update Server
is a file server owned and operated by Trellix IPS that houses updated signature and software files for Managers and Sensors in
customer installations. The Update Server securely provides fully automated, real-time signature updates without requiring any
manual intervention.

Note
Communication between the Manager and the Update Server is SSL-secured.


Obtaining updates from the Update Server

You have the following options for obtaining updates from the Update Server:

1 Connecting directly from your Manager server (via Manager interface action).

2 Connecting through a proxy server (through Manager interface action). You will then authenticate as in option 1.

Configuring software and attack signature updates

You configure interaction with the Update Server using the Manager. You can pull updates from the Update Server on demand
or schedule update downloads. With scheduled downloads, the Manager polls the Update Server (over the Internet) at the
desired frequency. If an update has been posted, it is registered as “Available” in the Manager interface for on-demand
download. Once downloaded to the Manager, you can immediately push the update (over an encrypted connection) to the
deployed Sensors, or deploy it according to a Sensor update schedule you define. Acceptance of a download is at the discretion
of the administrator.

• Automatic update to Manager, manual update from Manager to Sensors — This option enables Manager server to
receive updates automatically, but allows the administrator to selectively apply the updates to the Sensors.

• Manual update to Manager, automatic update from Manager to Sensors — This option enables the administrator to
select updates manually, but once the update is selected, it is applied to the Sensors automatically without reboot.

• Fully manual update — This option allows the security administrator to determine which signature update to apply per
update, and when to push the update out to the Sensors. You may want to manually update the system when you make
some configuration change, such as updating a policy or response.

• Fully automatic update — This option enables every update to pass directly from the Update Server to the Manager, and
from the Manager to the Sensors without any intervention by the security administrator. Note that fully automatic updating
still happens at the scheduled intervals.

• Real-time update — This option is similar to fully automatic updating. However, rather than waiting for a scheduled
interval, the update is pushed directly from Update Server to Manager to Sensor. No device needs to be rebooted; the
Sensor does not stop monitoring traffic during the update, and the update is active as soon as it is applied to the Sensor.

Getting familiar with Trellix IPS Manager

Trellix IPS Manager is a browser-based graphical user interface used to view, configure, and manage network security appliance
deployments.

This section provides a high-level tour of the basic features and interfaces of the Manager and some basic concepts of working
with the Manager.

Tasks
• Accessing the Manager from a client machine on page 38
• View server/client date and time on page 41
• View Reports on page 51


Accessing the Manager from a client machine

To access the Manager from a client machine:

Task
1 Start your browser and then type the URL of the Manager server:
https://<hostname or host-IP>

2 Log on to the Manager by entering your Login ID and Password.

About the Manager user interface design

The Manager user interface is designed with a task-based approach. This gives you the ability to view and drill down into
network issues easily throughout the interface.

The Manager user interface is a two-tiered structure that facilitates navigation. You can use the Menu bar to logically
navigate around the user interface based on the task you want to perform. The left navigation pane is designed so that you
can manage your tasks more easily in enterprise-level deployments.

Figure 2-1 Manager user interface

The design provides you with these advantages.

Callout Description

1 Tab - Tabs are located on the menu bar and display specific set of tabs, menus, and options.

2 Sub-tab - A tab contains sub-tabs, which display a number of menus when clicked.

3 Menu - A menu displays one or more sub-menus when clicked.

4 Sub-menu - A sub-menu displays options or more sub-menus when clicked.


Callout Description

5 Option - An option displays a page in which you can either view or view and modify settings.

6 Display pane - When you click an option to display a page, the area within which the page is displayed is known as
the display pane.

• Information availability — Network information is available at your fingertips in the Dashboard page and helps you to
immediately check on any issue.

• Customized display — You can drag and drop monitors and set dashboard preferences based on your needs.

• Operational and Security monitoring — You can view top threats in your network and check the overall system health on
the Dashboard page.

• Dynamic control — The hyperlinks in the Dashboard page enable you to dynamically click and investigate any network or
system health issue across the Manager.

• Context-aware interfaces — From the Dashboard, you can click and drill down into the Threat Explorer and other relevant
pages for further analysis. The details are in sync with what you choose in the Dashboard page and help you to investigate
further. For example, if you click a hyperlink in the Top Attack Applications monitor, you are directed to the Threat Explorer
with the core attribute already set in the view. You can then choose to add more filter criteria and drill down to resolve an
issue.

Scenario: System Health Check

Assume that you want to view the overall system health and fix an issue with a faulty device.

The Dashboard page allows you to view multiple operational monitors namely Manager Summary, Release Announcements,
Running Tasks and System Faults.
1 Select Dashboard | Dashboard Settings | Monitors list and select the Operational monitor.

2 View the System Faults monitor for Manager and device status.

3 For a faulty device, click the hyperlink under the Critical column.

4 The Faults tab in the Logs page displays the fault severity and summary details.

5 View the fault details. For example, a link failure between the port and an external device.

6 Fix the issue. In the preceding example, the link needs to be re-established between the port and the external device.

Browser requirements

This section contains the client and browser requirements for accessing the Manager.

The following table lists the 10.1 Manager client requirements when using Windows 10.

Component          Minimum                                      Recommended

Operating system   Windows 10, English or Japanese              Windows 10, version 1903, English or Japanese
                   Note: The display language of the Manager client must be the same as that of the Manager server
                   operating system.

Memory             8 GB                                         16 GB

CPU                1.5 GHz processor                            2.4 GHz or faster

Monitor            32-bit color, 1440 x 900 display setting     1920 x 1080 (or above)

Browser            • Microsoft Edge                             • Microsoft Edge 42.0 or later
                   • Mozilla Firefox                            • Mozilla Firefox 70.0 or later
                   • Google Chrome                              • Google Chrome 76.0 or later
                   Note: To avoid the certificate mismatch error and security warning, add the Manager web certificate
                   to the trusted certificate list.
                   Note: Internet Explorer 11 is not supported.

For the Manager/Central Manager client, in addition to Windows 10, you can also use the operating systems mentioned for the
Manager server.
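The certificate warning mentioned in the table above is the Manager presenting a certificate the client does not yet trust. Before adding that certificate to the trusted list, a practitioner wants to confirm it is really the Manager's certificate and not one injected on the path. The following is an added example (not Trellix code) that fetches the certificate presented at https://<hostname or host-IP>, computes its SHA-256 fingerprint and compares it with a fingerprint recorded out of band on the Manager server itself; the host name and fingerprint passed on the command line are assumptions for illustration.

```python
"""Fingerprint the Manager's web certificate before adding it to the trust store.

Added example, not Trellix code. Verification is disabled only while fetching,
because the certificate is not trusted yet; the fingerprint comparison against
the value you recorded on the Manager server is the check that replaces it.
"""
import hashlib
import socket
import ssl
import sys


def fingerprint_sha256_der(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, upper-case colon-separated hex (the form browsers display)."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(pem_cert: str) -> str:
    """Fingerprint a PEM certificate; the hash is always taken over DER, never over the PEM text."""
    return fingerprint_sha256_der(ssl.PEM_cert_to_DER_cert(pem_cert))


def matches_pin(pem_cert: str, pinned: str) -> bool:
    """Compare a certificate against a recorded fingerprint, ignoring case and separators."""
    def normalize(value: str) -> str:
        return value.replace(":", "").replace(" ", "").upper()
    return normalize(fingerprint_sha256(pem_cert)) == normalize(pinned)


def fetch_manager_cert(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Retrieve the leaf certificate the Manager presents, in PEM form.

    check_hostname/verify_mode are turned off deliberately: the point of the
    exercise is that the certificate is not trusted yet. Only the TLS handshake
    is performed; no HTTP request is sent.
    """
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def constructed_sample_pem() -> str:
    """Constructed stand-in (not a real X.509 certificate) so the helpers can be exercised offline."""
    return ssl.DER_cert_to_PEM_cert(b"constructed sample bytes, not a certificate")


if __name__ == "__main__":
    # Usage: python pin_check.py <manager-host> <expected-sha256-fingerprint>
    # Both values are assumptions: your Manager host and the fingerprint read on the server.
    if len(sys.argv) != 3:
        sys.exit("usage: pin_check.py <manager-host> <expected-sha256-fingerprint>")
    presented = fetch_manager_cert(sys.argv[1])
    print("presented:", fingerprint_sha256(presented))
    if not matches_pin(presented, sys.argv[2]):
        sys.exit("fingerprint mismatch: do NOT add this certificate to the trusted list")
    print("fingerprint matches; safe to import this certificate")
```

The expected fingerprint must come from the Manager server itself (for example, by fingerprinting the certificate file in the Manager's own store), not from a previous browser session; otherwise the script only confirms that the same unverified certificate was seen twice.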

The following table lists the 10.1 Central Manager/Manager client requirements when using Mac:

Mac operating system Browser

• Yosemite Safari 8 or 9
• El Capitan

Menu bar

The menu bar contains five tabs:

• Dashboard

• Analysis

• Policy

• Devices

• Manager

A click on each tab opens a tab tree that has sub-tabs, menus, sub-menus, and options.

Figure 2-2 Menu bar of Manager

The menu bar also provides you with the following:

• Help (?) — links to the complete system help.

• Log Out — logs you out of the Manager and returns you to the login screen.


Menus
Each item in the tab tree is a menu and represents a set of sub-menus and options. Example: Updating menu.

Figure 2-3 Manager user interface


Online Help
• To view online Help, including the table of contents, index, and full-text search, click the question mark (?) button on the
menu bar.

• To obtain Help on the action displayed in a specific configuration page, click the question mark (?) button in the upper-right
corner of the right display pane. The corresponding Help page is displayed.

View server/client date and time

A Manager server can be accessed through various clients spread across different geographical locations. When a user
accesses a server placed in a different time zone, the server time is converted to the client time zone based on Greenwich
Mean Time (GMT), and displayed to the user.


If the clock time between the server and the client has a difference of more than 1 minute, Trellix IPS displays a warning
message that prompts the user to reset the client machine clock to match with the server clock. This message is displayed only
once per browser session.

If your Trellix IPS deployment is at a location that observes daylight saving time, then:

Task
1 On your Windows operating system, select Start | Settings | Control Panel | Date and Time.

2 Select Automatically adjust clock for daylight saving changes.

This adds an hour to the GMT offset during daylight saving time.

Scenario

Scenario 1: User accessing a server placed in a different time zone

Trellix Intrusion Prevention System Central Manager (Central Manager) can access Managers spread across different
geographical locations and time zones. If a Manager user accesses a Central Manager situated in a different time zone, the
time is displayed in the client's time zone, and vice versa.

For example, consider a Central Manager running on Eastern Standard Time (EST), that is, GMT-5 hours. Two users, user1 and
user2, access the Manager and Central Manager from their respective time zones: user1 is at GMT+5:30 hours and user2 is at
GMT-5 hours. If the time at the Central Manager is 2007-01-03 04:30:00 EST, the time displayed to user1 as the last retrieved
time on the Home page is 2007-01-03 15:00:00 IST, while the time displayed to user2 is 2007-01-03 04:30:00 EST.

Figure 2-4 Manager Time Zones


The time stamp format is yyyy-MMM-dd HH:mm:ss z, or, when displayed in tabular form as in reports, yyyy-MM-dd HH:mm:ss z.

For example: 2007-Feb-21 17:52:50 IST or 2007-02-21 17:52:50 IST

Scenario 2: Manager Scheduler actions run at the server time zone


Consider a user who wants to schedule the Trend Analysis Report. The Manager server is placed in Eastern Standard Time (EST)
zone, and the user is situated in Indian Standard Time (IST). If the user sets the date and time for the report to generate at
2007-03-03 12:00:00, the report will run at the Manager server date and time that is, 2007-03-03 12:00:00 EST. The scheduled
report will have the server time, that is, EST in this example.

In general, scheduling triggered by the server considers the server time. For example, the Trellix IPS Update server messages,
values in the Admin Configuration report etc. display the server date and time.

Note
If a user triggers a manual report generation, it will run at the client time zone.
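The two scenarios above (display time converted to the client's zone; scheduled jobs interpreted in the server's zone) and the one-minute clock-skew warning are worth seeing computed, because the difference between converting an instant and re-labelling a wall-clock value is exactly where scheduling mistakes come from. The following is an added example, not Trellix code. It uses fixed GMT offsets (EST = GMT-5, IST = GMT+5:30) so that the figures match the scenarios and the code runs without a time-zone database; a real deployment would use IANA zones (zoneinfo) so that daylight saving is applied automatically.

```python
"""Server-to-client time display and scheduler semantics (added example, not Trellix code).

Fixed offsets are an assumption made so the example is self-contained; with
zoneinfo you would use ZoneInfo("America/New_York") and ZoneInfo("Asia/Kolkata").
"""
from datetime import datetime, timedelta, timezone

EST = timezone(timedelta(hours=-5), "EST")
IST = timezone(timedelta(hours=5, minutes=30), "IST")
CLOCK_SKEW_LIMIT = timedelta(minutes=1)   # the page's one-minute warning threshold


def display_for_client(server_time: datetime, client_tz: timezone) -> datetime:
    """Convert an aware server timestamp to the client's zone; the instant itself is unchanged."""
    if server_time.tzinfo is None:
        raise ValueError("server time must be time-zone aware")
    return server_time.astimezone(client_tz)


def format_display(ts: datetime, tabular: bool = False) -> str:
    """Page format: yyyy-MMM-dd HH:mm:ss z on pages, yyyy-MM-dd HH:mm:ss z in tabular reports."""
    fmt = "%Y-%m-%d %H:%M:%S %Z" if tabular else "%Y-%b-%d %H:%M:%S %Z"
    return ts.strftime(fmt)


def clock_skew_warning(server_now: datetime, client_now: datetime) -> bool:
    """True when the server and client clocks (both aware) differ by more than one minute."""
    return abs(server_now - client_now) > CLOCK_SKEW_LIMIT


def schedule_on_server(wall_clock: datetime, server_tz: timezone) -> datetime:
    """Interpret a naive date/time typed into the scheduler as server wall-clock time.

    This is a re-labelling, not a conversion: the digits the user typed are kept
    and the server's zone is attached, which is why a report scheduled for 12:00
    by a user in IST runs at 12:00 EST.
    """
    if wall_clock.tzinfo is not None:
        raise ValueError("scheduler input is a naive wall-clock value")
    return wall_clock.replace(tzinfo=server_tz)


def worked_scenarios() -> dict:
    """The page's two scenarios, computed rather than copied."""
    central = datetime(2007, 1, 3, 4, 30, 0, tzinfo=EST)                  # Scenario 1: Central Manager clock
    scheduled = schedule_on_server(datetime(2007, 3, 3, 12, 0, 0), EST)   # Scenario 2: user in IST types 12:00
    return {
        "user1_ist": format_display(display_for_client(central, IST), tabular=True),
        "user2_est": format_display(display_for_client(central, EST), tabular=True),
        "report_runs_at_server": format_display(scheduled),
        "report_runs_at_ist": format_display(display_for_client(scheduled, IST)),
        "skew_warning_90s": clock_skew_warning(central, central + timedelta(seconds=90)),
        "skew_warning_30s": clock_skew_warning(central, central + timedelta(seconds=30)),
    }


if __name__ == "__main__":
    for key, value in worked_scenarios().items():
        print(f"{key}: {value}")
```

The user in IST who schedules a report for 12:00 sees it run at 22:30 their time; if that is not what was intended, the schedule has to be entered in server time, which is what the note above about manual versus scheduled generation is warning about.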

Customizable views

All table views in the Manager UI for alerts, attacks, etc., provide the flexibility of customizing the columns for viewing
information.

The Manager supports the following customization to the columns in a table:

• Column visibility (columns shown versus hidden)


When you hover the mouse over a column, a small drop-down arrow is displayed. This drop-down list contains different
columns that display information. You can use the drop-down list to select/hide columns based on the information required
for current viewing. The information in the column can be sorted in ascending or descending order.

Figure 2-5 Column visibility


• Column width
The width of the column can be adjusted (increased/decreased) to view information as required.

Figure 2-6 Column width

• Column presentation order (left to right)


You can rearrange the columns to match the order in which you would like to view the columns.

Figure 2-7 Column presentation order

• Column sort order (up/down)
The information in a column can be sorted in ascending or descending order.

• Panel height
You can modify the panel height in the case of vertically stacked panels to suit the screen resolution or your viewing
priorities.

Any change made to the columns persists even after you leave the page or log out, which means the columns are displayed with
your changes the next time you log in to the account. The Reset GUI Presentation button restores any changes made to the
column or panel presentation to the default setting. To access the button, go to Manager | <Admin Domain Name> |
Users and Roles | My Account. The reset applies to all the tables across the Manager. For the reset to take effect, either log
out and log in again or refresh the page.

See also
How to view user account information on page 91


Dashboard tab

The first page that you view after a successful logon to the Manager is the Dashboard page.
The Dashboard page is the central interface from which all Manager interface components are available. The Dashboard page
is logically divided into two sections: the top Menu bar and the lower Monitors section.

Figure 2-8 Dashboard page

Dashboard Settings

The Dashboard Settings dialog enables you to further customize your Dashboard page view.


You can perform the following tasks here:

• Monitors — Use this option to add the monitors. The default category is All. Use the Operational or Security category to
choose the monitors you want to view. You can also customize the data displayed in the monitors based on the admin
domain and child domain. Monitors display data based on the admin domain selected from the Domain drop-down list.
The following monitors are displayed under different categories: All, Operational, and Security monitors.

Category Monitors Description

All View both Operational and Security monitors.

Operational

CPU Usage View the high CPU usage of the Sensor.

Device Summary View the current versions of the Sensor software and signature set of the
logged in domain.

Manager Summary View the Manager details such as software version, signature set version,
and others.

Memory Usage View the high memory usage of the Sensor.

Release Announcements View the latest updates and the current version of signature set applied to
your Sensor.

Running Tasks View the status of all the Sensors configured in the Manager.

System Faults View the health of your device and the Manager.

Throughput Usage View the high throughput usage of the Sensor.

Note: Data remains unchanged for the Manager summary, Release Announcements, and Running tasks
monitors irrespective of the admin domain selected. The System Faults and Device Summary monitors display
the list of all the child domains linked to the admin domain selected.

Security

Attack Severity Summary View the unacknowledged alerts in the database, sorted by alert severity

Attacks Over Time View the attacks over a period of time in your network.

Big Movers View the attacks whose frequency has increased during a selected time
period.

Top Applications (IPS) View the top applications based on attacks, bytes, or connections.

Top Applications (NTBA) View the top applications in the NTBA device based on bytes or
connections.

Note: At least 1 NTBA appliance is required to be configured to view this


monitor.

Top Attack Subcategories View the attack subcategories in your network.

Top Attacker Countries View the top attacker countries in your network.

Top Attackers View the top attackers in your network.

Top Attacks View the top attacks in your network.

46 Trellix Intrusion Prevention System 10.1


2 | Manager Administration

Category Monitors Description

Top Callback Activity View the callback activity.

Top Destinations (NTBA) View the top destinations based on bytes or connections.

Note: At least 1 NTBA appliance is required to be configured to view this


monitor.

Top Endpoint Executables View the top executables based on number of endpoints using them or the
(NTBA) number of attacks they have initiated. You can filter the executables based
on the device, attacks (default) or endpoints, malware confidence, and
classification.

Note: This monitor is populated only if you have enabled McAfee EIA
integration.

Top Endpoints Using Risky URLs View the top endpoints using risky URLs in your network.

Top Files (NTBA) View the top files based on malware confidence level.

Note: At least 1 NTBA appliance is required to be configured to view this


monitor.

Top High-Risk Endpoints View the high-risk endpoints of your network.

Top Malware Files View the top malware downloads in your network. You can filter malware
based on their confidence and detections (blocked, unblocked, and all).

Top Risky URLs View the top risky URLs of your network.

Top Sources (NTBA) View the top sources based on bytes or connections.

Note: At least 1 NTBA appliance is required to be configured to view this


monitor.

Top Target Countries View the top target countries in your network.

Top Targets View the top targets in your network.

Top URLs (NTBA) View the top URLs at risk.

Note: At least one NTBA Appliance must be configured to view this monitor.

Note
The Dashboard displays only the top 10 unacknowledged alerts under each Security Monitor. To view the acknowledged alerts, go to the
Attack Log page and select Acknowledged from the drop-down list. You can also select Any Alert State from the drop-down list, and the
Manager will display both acknowledged and unacknowledged alerts.


• Automatic Refresh — Use this option to set the automatic refresh time. The default time is 10 minutes. The minimum and
maximum time for the automatic refresh are 1 minute and 10 minutes, respectively. For a manual refresh, select Disabled
to disable the automatic refresh.

• Layout — Use this option to customize the number of columns to be displayed in the Dashboard page. The default layout is
3 columns. The minimum and maximum number of columns that can be displayed are 2 columns and 4 columns,
respectively.
The following figure shows the Dashboard with a three-column view.

Figure 2-9 Three-column view

• Time Range — Use this option to set the time range for viewing data on the selected monitor.
For example, if you select Automatic Refresh time as 10 minutes and the Time Range as 1 hour, then the information
available for the selected monitor will be for the last 1 hour from the last refresh time. That is, if you select the Time Range
at 9:30 AM, then you can view the data from 8:30 AM to 9:30 AM. But, as soon as the monitor is refreshed after 10 minutes,
the data displayed on the Dashboard will be from 8:40 AM to 9:40 AM.

Analysis tab

The Analysis tab on the Menu bar enables you to perform network and event analysis.

The following table gives a high-level overview of the tab tree and the available options.

Item Description

Attack Log Analyze the alerts detected by your network security appliances.

Threat Explorer View the top attacks, attackers, targets, and malware within a given period of time and a direction.

Malware Files Monitor the potential malware downloads on the network and view or export the related file
reports.

Callback Activity Analyze the callback activities involved in compromising endpoints, including the background of the
bot, how long it was active, the IP addresses involved, and related details such as the host name, the
operating system, and the user details.


High-Risk Endpoints Monitor the endpoints suspected of malware infection, showing the name of the endpoint, the user
details, and the operating system of the endpoint.

Network Forensics Capture network activity information and summarize it for review.

Endpoint Executables View the entire list of executables that make network connections, and block or allow them. This
item works only if at least one NTBA Appliance is connected.

Quarantine View the list of endpoints quarantined for all the Sensors.

Event Reporting Generate and view the Next Generation and Traditional reports based on the analysis of the events
and the network.

Policy tab

The Policy tab enables you to view, edit, and configure different policies when the corresponding options are selected.

The following table gives a high-level overview of the options available in the Policy tab tree.

Item Description

Intrusion Prevention Configure and manage the IPS policies that govern what traffic is permitted across your
network, and how to respond to misuse of the network.

Network Threat Behavior Analysis Configure and manage the Network Threat Behavior Analysis (NTBA) policies that monitor the
network traffic.

You can also configure the policies at various domain levels by selecting your choice from the Domain drop-down list.

Figure 2-10 Domain option

This page enables you to view and manage all policies using a single tab.

Devices tab

The Devices tab helps you to manage and configure your devices. The navigation pane has the following sub-tabs:
• Global — Manage device-level functions such as failover pairs, adding and removing devices, and others.

• Devices — Manage individual device-specific configuration.


When no devices have been added, the text No Device Managed (Add) is displayed. You can add a device by clicking the
Add link.

Note
When a new device is added and the trust is established, the device does not get listed in the drop-down list unless you click on the
Refresh button on the Devices tab.

Global sub-tab


The following table gives a high-level overview of the available options under the Global sub-tab:

Item Description

Device Manager Displays information about all the devices configured in the Manager, including the health and status of
the devices.

XC Clusters Configure the XC clusters that enable high traffic loads to be processed by distributing the traffic
flow to multiple Sensors to avoid congestion.

Common Device Settings Configure device settings such as Name Resolution, Gateway Anti-Malware Engine updating, and
Performance Monitoring.

IPS Device Settings Apply inheritable global settings to added IPS devices

NTBA Device Settings

Devices sub-tab

The following table gives the high-level overview of the options displayed in the left navigation pane of the Devices sub-tab:

Item Description

Summary View the essential details about the device.

Deploy Pending Changes Deploy the configuration changes to your devices.

Setup Manage the device by allowing you to configure the physical ports, adjust the time zone, configure
the proxy server, NTBA integration, Quarantine, and other similar important functions.

Maintenance Maintain your device with options to shut down, reboot, and import and export its
configuration.

Troubleshooting View the device debugging information and logs, current performance monitoring configuration,
Denial of Service, and other related essentials to manage your device.

IPS Interfaces Configure the policies at the interface and sub-interface levels.

Manager tab

The Manager tab allows you to set up and maintain activities for your Trellix IPS deployment.

The following table gives a high-level overview of the available options in the tab tree.

Item Description

Summary View the summary of the Manager and its status.

Updating View important information regarding the update and upgrade of the software.

Users and Roles Add users and assign them roles, granting each user specific privileges over the security resources
in your deployment.

Setup Create the admin domains and child admin domains, view the alert notifications, configure Manager
Disaster Recovery (MDR) pair, etc.

Integration Manage and configure the integration of Trellix IPS with other products like McAfee® ePolicy Orchestrator,
Trellix Global Threat Intelligence, and others.

Reporting Generate configuration reports to view your current software and signature versions, the configuration
and status of a Sensor, policy settings, and so forth.


Maintenance Maintain your device by archiving, pruning, and backing up your data, among other tasks.

Troubleshooting View all the product-specific announcements, the system logs, and system faults. This also gives the details
about background processes initiated by administrative users, alert relevance analysis, MDR pair
switchover events, Manager policy cache, and helps you to audit the actions of administrative users on the
Manager.

View Reports

The Event Reporting and Reporting menus enable you to produce a range of reports for both the alert information reported to
your Manager, as well as information pertaining to your configuration settings. IPS reports are summaries of alert information,
such as severity, impact category, source/destination IP, time of alert, and so forth. Configuration reports detail information
such as the current Manager and Sensor software versions, proxy server settings, and so forth.

To view the Reports

Task
1 From the Analysis tab, click Event Reporting. You have the following reports:
• Next Generation Reports

• Traditional Reports

2 From the Manager tab, click Reporting. You have the following options:
• Configuration Reports

• Report Automation

• Preferences

See also
Report Generation on page 194

Manager Summary

The Summary page enables you to view the summary details of the Manager/Central Manager. You can also perform the
Product Registration here.

View summary details of the Manager

To view summary details of the Manager, do the following:


In the Manager, select Manager | <Root Admin Domain Name> | Summary.


The Summary page displays.

Status Description

Manager Software Version Displays the current Manager software version.

Last Reboot Specifies the most recent time the Manager service was started

Central Manager Synchronization Displays the synchronization status of the Central Manager with the Manager.

Host Name Displays host name and IP address of the Manager server (if host name is not available,
only the IP is displayed)

Manager GUID Displays the unique identifier of the Manager server

Product Registration Displays if the Manager is registered with Trellix or not.

Protections Displays the signature set and callback detectors information.

Signature Set Displays the active Signature Set version available in Manager and the latest Signature Set
version available for download

Callback Detectors Displays the active Callback Detectors version available in Manager and the latest
Callback Detectors version available for download

Connected Users Displays the current open Manager user sessions information.


Name Displays the user of the Manager session.

IP Address Displays the client machine IP address used to access the Manager.

Logon Time Displays the start time stamp of the Manager session.

Register Product Allows you to register the Manager with Trellix.

Note: This option is available only if your Manager instance is unregistered.

Product Registration

The Manager should be registered with Trellix for receiving automatic updates regarding the signature set, callback detectors,
and device software from Trellix in real time.

At a high level, registering the Manager with Trellix is a two-step procedure:
1 Obtain the Trellix IPS Registration Key on page 54.

2 Register the IPS Manager with Trellix on page 54.

Trellix recommends that you register the product immediately after installation, when the Product Registration window
appears after the initial login.

Upon skipping product registration, the following functionalities will be disabled:


• On-demand and scheduled download of Signature Sets in the Manager

• On-demand and scheduled download of Callback Detectors in the Manager

• On-demand download of device software

• Creating vIPS Components and vIPS Protected Groups

On registering the Manager with Trellix, general setup information is sent to Trellix Research Labs when Telemetry is
enabled. Telemetry provides Trellix with information about how you use the Trellix vIPS solution so that Trellix can in turn
optimize your protection.

Note
Telemetry is enabled in the Manager by default. You can change the telemetry configurations at Manager | <Admin Domain Name> |
Setup | Telemetry page in the Manager.

Listed below are the setup details sent to Trellix Research Labs when product registration is complete and Telemetry is
enabled:

Manager Details

• Manager Software Version

• Active Signature Set Version

• Manager Install Type

• Manager OS Type

• Manager OS Version

• Manager VM Type

• Is Manager Disaster Recovery (MDR) in Use

• Automatic downloading of signature sets

• Automatic deployment of signature sets

• Automatic downloading of Callback Detectors

• Automatic deployment of Callback Detectors

• Inline Port Count

• Dedicated Interface Count

• CIDR Interface Count

• VLAN Interface Count

• Administrative User Count

• Custom Role Count

Device Details

• Total number of virtual sensors currently in use with vIPS clusters

• Total number of virtual probes currently in use with vIPS clusters

• Maximum number of virtual probes used

• Manager version

The Default - Telemetry (Trellix) report lists the Telemetry data sent to Trellix Corporate team in detail. The Default -
Telemetry (Trellix) report is available in the Manager under Analysis | <Admin Domain Name> | Event Reporting | Next
Generation Reports.

Obtain the Trellix IPS Registration Key


To obtain the Trellix IPS Registration Key, do the following.

Task
1 Go to the Trellix Download Server.

2 Log in using your Grant Number and registered Email Address.

Note
If you do not have a Grant Number provided by Trellix, contact Trellix Technical Support and request a trial Grant Number.

The My Products page opens.

3 Make a note of the Trellix IPS Registration Key (formerly, NSP Registration Key).

Note
The Trellix IPS Registration Key is unique to each customer. For example, if Customer A has two grant numbers, 1234 and 5678, the
Trellix IPS Registration Key is the same for both grant numbers, because registration keys are generated per customer.

Register the IPS Manager with Trellix


To register your Manager with Trellix, do the following:

Before you begin

Obtain the Product Registration Key from the Trellix Download Server.

Note
If you have skipped the Product Registration during initial login after installation or upgrade, go to Manager | <Admin Domain Name> |
Summary (Manager | Summary in Central Manager), click Register Product, and follow the below procedure from step 3 to register the
Manager.


Task
1 Log in to the Manager.
The End User License Agreement opens.

2 Select the checkbox and click Activate.


Note
Trellix recommends that you perform Product Registration immediately after the initial login. If you do not want to register the
Manager, click Skip.

Note
When the Manager is not registered with Trellix, the following features are automatically disabled:
• Download Signature Sets

• Signature Sets Automatic Updating

• Download Callback Detectors

• Callback Detectors Automatic Updating

• Download Device Software


3 The Product Registration dialog box appears.


In case you do not have the registration key readily available, click Lost Key? to procure the registration key.

4 Enter the Trellix IPS Registration Key and click Register.

5 Once the Product Registration is complete, an Informational dialog box appears with a success message.

Trellix IPS Protection Status

The Trellix IPS Protection Status page contains the following tabs:

• Signature Sets — Download the required signature sets or schedule automatic download from the Update Server to the
Manager. You can also schedule automatic deployment from the Manager to devices.

• Callback Detectors — Download the required callback detectors or schedule automatic download from the Update Server
to the Manager. You can also schedule automatic deployment from the Manager to devices.

• Device Software — Download the required Sensor or NTBA Appliance software image file from the Update Server to the
Manager.

• Manual Import — Manually import downloaded Sensor or NTBA Appliance software image and signature files to the
Manager.
The Manager allows you to manually import the following device updates from the file system if your Manager deployment
has no access to the internet.
• Device software (.jar)

• Signature set (.ivu or .jar)

• Callback detectors (.zip)

• Gateway antimalware updates (.upd)

• Release Announcements — View and delete messages related to operating system updates, signature set release, Manager
software update, and others.


You can manually download and import the latest software and signatures for the Sensor and the NTBA Appliance. You can
also schedule automatic downloads and imports.

Important
Make sure you are connected to the internet while downloading and updating antimalware software and signatures. If you are on an air-gap
network, refer to the section Offline Signature Set Downloader on page 64.

Note
You can perform only one download or upload at a time from any Trellix IPS component, including the Update Server.

Signature set deployment optimization

The Manager/Central Manager is enhanced to reduce the compilation and deployment time of the signature set. The
compilation time is the duration the Manager needs to create the signature set file to be deployed to the Sensor. The
deployment time is the sum of the compilation time, the time required to transfer the signature set file from the Manager to
the Sensor, and the time required to apply the signature set file on the Sensor. Reducing the signature set compile/deploy
time shortens the signature set processes in the Manager.

Note
To achieve faster signature set compilation/deployment, the Sensor must be running software version 10.1 or later.

The following table provides the test conditions for the signature set compilation/deployment enhancement. For example, in
a Windows 2016 Manager server with 8 CPU cores, 500 GB HDD, and 32 GB RAM, the time consumed by signature set based
processes before and after the signature set deploy and compile enhancement is as follows:

Manager server specifications
• VM-based Windows 2016 R2: 32GB RAM, 8 x 2.6 GHz CPU cores, 500GB Hard Disk Drive, 16 GB allocated for JVM (by default)

• Linux based Manager server appliance: 64GB RAM, 20 CPU cores, 1 TB Hard Disk Drive, 16 GB allocated for JVM (by default)

Policies
• IPS Policy: Default Testing with 1000 UDS and Default malware policy

• Advanced Malware Policy: All Malware Engines Enabled

Sensor models
• NS-series Sensors

• Virtual IPS Sensors

The following table provides the test results for the Signature set compilation/deployment enhancement:

Task Reduction in time required to complete the task

Manager Installation/Upgrade/Restart 70-80 %

Manual import of a signature set 50-60 %

(Optional) Test compilation of one snort or UDS attack 70-80 %

(Optional) Saving one thousand snort or UDS attacks 70-80 %

Deploy the signature set to the Sensors 50-60 %

Failover pair Sensor software upgrade using the Manager GUI 25-35 %

For example, consider you are deploying or upgrading the Manager, followed by a manual signature set upgrade, and
deployment of Sensor software and signature set to the Sensors. The total downtime required for the completion of these
tasks is reduced proportionally according to the percentage in the above table as applicable in your network. If you have any
user-defined or snort attacks configured, the time required to Test Compile or Save these attacks is also reduced considerably.

The Sigperf.log file available under the System files tab in the Manager | <Admin Domain Name> | Troubleshooting | Logs
page provides a detailed log regarding the signature set process in the Manager with the time stamp.

Note
The above ranges are obtained from the Trellix test environment and may differ from your network depending on parameters like the
internet speed, geo-location, Sensor models, etc.

Automatically updating signature sets and callback detectors

The Manager allows you to schedule the download of the signature set and callback detectors. Once configured, the scheduler
downloads the signature set and callback detectors from the Trellix IPS Update Server to the Manager. For example, every
hour the Manager checks the Trellix IPS Update Server and downloads any newly uploaded files.

The success/failure of the import process is indicated through fault notifications, emails, and SNMP traps.

Once the new signature set and callback detectors are available on the Manager, they can be scheduled to be deployed on your
devices.

A proxy server can be used for all internet communications. You can manage the proxy server and view the proxy details
from the scheduler page.

For more information on automatically updating signature sets, refer to Automatic download of signature set on page 62.

For more information on automatically updating callback detectors, refer to Automatic download of callback detectors on page
69.


Signature sets

The Signature Sets option enables you to download available attack signature updates on demand from the Update Server to
the Manager server. You can then push the signature download onto your Sensors or NTBA Appliance. You can also download
the latest signature sets from an offline utility OfflineSigsetDownloader. For more information, see Offline Signature Set
Downloader on page 64.

Tip
Because incremental emergency signature sets can be downloaded with regular signature sets, you do not need to use the custom attack
definitions feature to import late-breaking attacks.

The Signature Sets option not only allows you to import regular signature sets, but also incremental emergency signature sets
that include attack signatures not yet available in regular signature sets.

Incremental emergency signature sets are meant to address late-breaking attacks that might need to be addressed
immediately.

Emergency signature sets are non-cumulative and can only add new signatures, so they do not contain a full set of signatures.

To make sure that you have a complete set of signatures, Trellix IPS checks whether a required regular signature set is
missing and downloads it before downloading the related emergency signature set.

Note
You must use the Automatic Download option of Signature Sets tab from Manager | <Admin Domain Name> | Trellix IPS Protection
Status for Trellix IPS to download a required regular signature set automatically, before downloading an emergency signature set. You
receive an error if you try to import an emergency signature set through the Manual Import tab. For more information about Automatic
Download, refer to Automatic download of signature set on page 62.
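The prerequisite check described above, as an added example that is not Trellix code: a regular set is modelled as a full signature list and an emergency set as additions on top of one specific regular version, so the download order and the Manual Import rejection fall out of the model. The catalogue, the version strings (10.8.1.1, 10.8.2.1-E1) and the SIG-* names are constructed, and the `requires` field is an assumption about how an emergency set names its base.

```python
"""Why an emergency signature set cannot stand alone.

Added example (not Trellix code). Regular sets are cumulative; emergency sets
are non-cumulative and only add signatures on top of a required regular set.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SignatureSet:
    version: str
    kind: str                       # "regular" (cumulative) or "emergency" (incremental)
    signatures: FrozenSet[str]      # regular: the complete set; emergency: additions only
    requires: Optional[str] = None  # emergency: regular version it builds on (assumption)


class UpdateServerCatalogue:
    """Constructed stand-in for the sets the Update Server advertises."""

    def __init__(self, sets: Iterable[SignatureSet]) -> None:
        self.by_version: Dict[str, SignatureSet] = {s.version: s for s in sets}

    def get(self, version: str) -> SignatureSet:
        try:
            return self.by_version[version]
        except KeyError:
            raise LookupError(f"signature set {version!r} not on the Update Server") from None


def plan_download(catalogue: UpdateServerCatalogue, requested: str,
                  active_regular: Optional[str]) -> List[str]:
    """Versions to download, in order. An emergency set is preceded by its
    required regular set whenever that regular set is not already active."""
    target = catalogue.get(requested)
    if target.kind == "regular":
        return [target.version]
    if target.requires is None:
        raise ValueError(f"emergency set {target.version!r} names no required regular set")
    base = catalogue.get(target.requires)      # fails loudly if the base is unavailable
    plan = [] if active_regular == base.version else [base.version]
    return plan + [target.version]


def apply_plan(catalogue: UpdateServerCatalogue, plan: List[str],
               active_regular: Optional[str],
               active_signatures: Set[str]) -> Tuple[Optional[str], FrozenSet[str]]:
    """Apply downloaded sets in plan order; returns (active regular version, effective signatures)."""
    sigs = set(active_signatures)
    for version in plan:
        s = catalogue.get(version)
        if s.kind == "regular":
            active_regular, sigs = s.version, set(s.signatures)   # full replacement
        elif active_regular == s.requires:
            sigs |= s.signatures                                  # additions only
        else:
            raise RuntimeError(f"{s.version} requires regular set {s.requires}, "
                               f"but {active_regular} is active")
    return active_regular, frozenset(sigs)


def manual_import_allowed(upload: SignatureSet) -> bool:
    """Mirror of the Manual Import tab restriction: emergency sets are rejected."""
    return upload.kind != "emergency"


# Constructed catalogue: two regular releases and one emergency increment.
CATALOGUE = UpdateServerCatalogue([
    SignatureSet("10.8.1.1", "regular", frozenset({"SIG-A", "SIG-B", "SIG-C"})),
    SignatureSet("10.8.2.1", "regular", frozenset({"SIG-A", "SIG-B", "SIG-C", "SIG-D"})),
    SignatureSet("10.8.2.1-E1", "emergency", frozenset({"SIG-E"}), requires="10.8.2.1"),
])


def demo() -> List[str]:
    """A Manager still on 10.8.1.1 asks for the emergency set 10.8.2.1-E1."""
    return plan_download(CATALOGUE, "10.8.2.1-E1", active_regular="10.8.1.1")


if __name__ == "__main__":
    plan = demo()
    print("download order:", plan)
    print("effective set:", apply_plan(CATALOGUE, plan, "10.8.1.1", {"SIG-A", "SIG-B", "SIG-C"}))
```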

When a signature file or version is downloaded, the version is displayed in the Active Manager Version.

Setting a schedule enables the Manager to verify the Update Server for signature updates on a periodic basis, download the
available updates, and push these updates to your Sensors or NTBA Appliances without your intervention.

Task
1 Select Manager | <Admin Domain Name> | Trellix IPS Protection Status. Then, select Signature Sets tab. The Signature
Sets tab is displayed.
• The Active Manager Version displays currently available version for your Sensors or NTBA Appliances.

• The Latest Available Version displays the latest available version for your Sensors or NTBA Appliances to download. This
signature set is kept in a queue for download to your Sensors or NTBA Appliances. You can only have one version in the
queue for download.

Note
You can also change the display settings to meet your requirements from the filter option.


2 To download the latest signature set, select Download Latest Signature Set.

A Confirmation dialog box appears; select OK. A status window opens to process the signature download.

3 To download other versions of signature set, select Download Other Versions.


The Download Specific Signature Set dialog box appears; it displays the update details such as Release Date and Size (MB)
for that particular Version.


Select the required version and click Download. A status window opens to process the signature download.

• If the active manager version is the latest available version, Download Latest Signature Set is disabled.

• An icon is displayed beside the Active Manager Version if the active signature set version matches the latest
signature set version.

• An icon is displayed beside the Active Manager Version if the active signature set version is older than the latest
signature set version.

Note
In an air-gap network, or on a Manager that is unregistered or has the proxy server disabled:
• The Latest Available Version is displayed as ---.

• An icon is displayed beside the Active Manager Version.

• When you select Download Other Versions, the Download Specific Signature Set dialog box does not display the available
versions of signature sets.

Tasks
• Automatic download of signature set on page 62

• Offline Signature Set Downloader on page 64

Automatic download of signature set

Task
1 Select Manager | <Admin Domain Name> | Trellix IPS Protection Status. Then, select Signature Sets tab.

The Signature Sets tab is displayed.


2 In the Automatic Download (Update Server to Manager), schedule automatic downloads of signature set by entering the
relevant details.

Option Definition

Automatically Download New Signature Sets? Enabling it activates the automatic download. By default, it is disabled.

When Frequency for the Manager to poll the Update Server. The following options are displayed in the
drop-down list:
• Daily: To download new signature sets daily. Set the time at which the download must occur.
• Weekly: To download new signature sets weekly. Set the day of the week and time at which the
download must occur.
• Custom: To customize the interval at which the downloads must occur. The following options are
displayed:
• Every: Set the recurrence of time for the Manager to poll the Update Server.
• Between: Set the time range at which the download must occur.

3 Click Save.

4 In the Automatic Deployment (Manager to Devices), schedule automatic deployments of signature sets by entering the
relevant details.

Option Definition

Automatically Deploy New Signature Sets? Enabling it pushes the updates directly from the Manager to the Sensor. By default, it is disabled.

Deployment The following options are displayed from the drop-down:


• Immediate (after download): To deploy the signature set immediately after the download.
• Scheduled: To schedule the deployment of the signature set. Choosing this displays the When option.
From the When option, customize the interval at which the deployment must occur. The following
options are displayed in the drop-down list:
• Daily: To deploy new signature sets daily. Set the time at which the deployment must occur.
• Weekly: To deploy new signature sets weekly. Set the day of the week and time at which the
deployment must occur.
• Custom: To customize the interval at which the deployments must occur. The following options
are displayed:
• Every: Set the recurrence of time for the devices to poll the Manager.
• Between: Set the time range at which the deployment must occur.

5 Click Save.
To deploy signature set manually to Sensors, see Deploy pending changes to a device on page 76.

Note
If the Manager is not registered, Automatic Download (Update Server to Manager) prompts Product registration is required to use
this feature.
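The Daily, Weekly and Custom (Every/Between) options above, and the Immediate versus Scheduled deployment choice, as an added example that is not Trellix code: it computes when the next download or deployment would run from a given schedule. Assumptions: a Custom schedule polls at the start of the Between window and at each Every interval after it, never outside the window, and the window lies within one calendar day; the sample schedules and the starting time are constructed.

```python
"""Next-run calculator for the Automatic Download / Automatic Deployment
schedules (Daily, Weekly, Custom with Every/Between). Added example, not
Trellix code; Custom semantics are an assumption (see module lead-in)."""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Schedule:
    mode: str                                     # "daily", "weekly" or "custom"
    at: Optional[time] = None                     # Daily/Weekly: time of day
    weekday: Optional[int] = None                 # Weekly: 0 = Monday ... 6 = Sunday
    every: Optional[timedelta] = None             # Custom: "Every" polling interval
    between: Optional[Tuple[time, time]] = None   # Custom: "Between" window (start, end)

    def validate(self) -> None:
        if self.mode not in ("daily", "weekly", "custom"):
            raise ValueError(f"unknown schedule mode {self.mode!r}")
        if self.mode in ("daily", "weekly") and self.at is None:
            raise ValueError("Daily/Weekly schedules need a time of day")
        if self.mode == "weekly" and (self.weekday is None or not 0 <= self.weekday <= 6):
            raise ValueError("Weekly schedules need a weekday in 0..6")
        if self.mode == "custom":
            if self.every is None or self.every <= timedelta(0):
                raise ValueError("Custom schedules need a positive Every interval")
            if self.between is None or self.between[0] >= self.between[1]:
                raise ValueError("Custom schedules need a Between window with start < end")


def _custom_slots(day: date, schedule: Schedule) -> List[datetime]:
    """Poll times on `day`: window start, then every interval, up to and including the end."""
    start = datetime.combine(day, schedule.between[0])
    end = datetime.combine(day, schedule.between[1])
    slots, t = [], start
    while t <= end:
        slots.append(t)
        t += schedule.every
    return slots


def next_run(schedule: Schedule, now: datetime) -> datetime:
    """First scheduled run strictly after `now`."""
    schedule.validate()
    if schedule.mode == "daily":
        candidate = datetime.combine(now.date(), schedule.at)
        return candidate if candidate > now else candidate + timedelta(days=1)
    if schedule.mode == "weekly":
        days_ahead = (schedule.weekday - now.weekday()) % 7
        candidate = datetime.combine(now.date() + timedelta(days=days_ahead), schedule.at)
        return candidate if candidate > now else candidate + timedelta(days=7)
    # custom: the next slot today, otherwise the first slot of tomorrow's window
    for offset in (0, 1):
        for slot in _custom_slots(now.date() + timedelta(days=offset), schedule):
            if slot > now:
                return slot
    raise AssertionError("tomorrow's window start is always after now")


def next_runs(schedule: Schedule, now: datetime, count: int) -> List[datetime]:
    """The next `count` runs, each computed from the previous one."""
    runs: List[datetime] = []
    for _ in range(count):
        now = next_run(schedule, now)
        runs.append(now)
    return runs


def deployment_time(download_at: datetime, deployment: str,
                    when: Optional[Schedule] = None) -> datetime:
    """'Immediate (after download)' deploys at the download time; 'Scheduled'
    deploys at the next slot of the deployment schedule after the download."""
    if deployment == "immediate":
        return download_at
    if deployment == "scheduled" and when is not None:
        return next_run(when, download_at)
    raise ValueError("deployment must be 'immediate' or 'scheduled' with a When schedule")


# Constructed sample schedules (demo values, not product defaults).
DAILY_0200 = Schedule("daily", at=time(2, 0))
WEEKLY_MON_0200 = Schedule("weekly", at=time(2, 0), weekday=0)
CUSTOM_2H_0100_0500 = Schedule("custom", every=timedelta(hours=2), between=(time(1, 0), time(5, 0)))


# ISO-string wrappers so results can be checked without constructing datetimes.
def next_run_iso(schedule: Schedule, now_iso: str) -> str:
    return next_run(schedule, datetime.fromisoformat(now_iso)).isoformat()


def next_runs_iso(schedule: Schedule, now_iso: str, count: int) -> List[str]:
    return [r.isoformat() for r in next_runs(schedule, datetime.fromisoformat(now_iso), count)]


def deployment_time_iso(download_iso: str, deployment: str, when: Optional[Schedule] = None) -> str:
    return deployment_time(datetime.fromisoformat(download_iso), deployment, when).isoformat()


if __name__ == "__main__":
    start = "2024-01-01T00:00"   # constructed "now": a Monday
    for name, s in (("daily", DAILY_0200), ("weekly", WEEKLY_MON_0200), ("custom", CUSTOM_2H_0100_0500)):
        print(name, next_runs_iso(s, start, 4))
    download = next_run_iso(CUSTOM_2H_0100_0500, start)
    print("download", download, "-> scheduled deploy", deployment_time_iso(download, "scheduled", DAILY_0200))
```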


Offline Signature Set Downloader

Consider the following points before you use this offline utility:
• Download the offline signature set downloader from the Trellix Download Server.

• Make sure Java is installed on your machine.

• Internet connection is required to download the latest signature set to the client machine.

OfflineSigSetDownloader is an offline utility used to download the latest signature sets from the Trellix IPS Update Server.
It displays the 5 latest signature sets available to download. The downloaded file will be available within the sigsetdownloader
folder. In an air-gap network, the downloaded signature set file can be copied from a remote machine with internet connection
to the Manager server.

Note
The downloaded signature set file can be uploaded into any Manager version (9.1, 9.2, and 10.1).

To download the latest signature set from Trellix IPS Update Server, perform the following steps:
1 Go to <filepath>\OfflineSigSetDownloader

2 Run OfflineSigSetDownloader.bat for a Windows client.


Run OfflineSigSetDownloader.sh for a Red Hat-like Linux client such as CentOS.


3 Enter "y" if you want to configure proxy details and "n" if not.
If yes (y), enter the proxy server IP address or host name, the port number, and (optionally) the user credentials when
prompted.

4 Enter the signature set version that you want to download from the list of latest signature sets available.

Note
You can press Enter to download the latest version by default.

The signature set file (.ivu) gets downloaded to folder sigsets. The sigsets folder gets created within the sigsetdownloader
folder.

Lite Signature Set

The Lite signature set is a lightweight version of the signature set, curated by Trellix IPS researchers. The oldest
signatures are excluded without appreciably reducing protection against modern attacks. Excluding older signatures
allows you to continue updating your Sensors with the latest attack signatures while keeping the memory use relatively
low.

Note
The lite signature sets are available only in the Download Server upon entering your Grant number.


Following are the steps to update the signature set with the lightweight version:

Task
1 Download the Lite signature set file (.ivu) from the Trellix Download Server.

2 Select Manager | <Admin Domain Name> | Trellix IPS Protection Status. Then, select Manual Import tab.
The Manual Import tab is displayed.

3 Click Browse and choose the file on your system or a network location and then click Import.

4 Download the Sensor software version in the Manager.


For more information about downloading the Sensor software version, see Device software on page 70.

5 Deploy the pending changes when both the Sensor software upgrade file and the Signature Set Lite are available in the
Manager.
For more information about deploying pending changes, see Deploy pending changes to a device on page 76.

Callback detectors

You can download callback detectors and push them to the Sensor.


Task
1 Select Manager | <Admin Domain Name> | Trellix IPS Protection Status. Then, select Callback Detectors tab. The
Callback Detectors tab is displayed.
• The Active Manager Version displays currently available version.

• The Latest Available Version displays the latest available version for you to download.

Note
You can also change the display settings to meet your requirements from the filter option.

2 To download the latest callback detectors, select Download Latest Callback Detectors.

A Confirmation dialog box appears; select OK. A status window opens to process the download.

3 To download other versions of callback detectors, select Download Other Versions.


The latest 10 versions are available for you to download. It displays the update details such as the Release Date and Size
(MB) for that particular Version.

4 Select the version required and click Download.


The selected callback detectors become the active callback detectors on the Manager.
To automatically download the callback detectors, refer to Automatic download of callback detectors on page 69.


You can also view the active and latest callback detectors version in the Manager Summary monitor of the Manager
Dashboard. In the Device Summary monitor, you can view the callback detectors version on specific devices.

• If the active manager version is the latest available version, Download Latest Callback Detectors is disabled.


A icon is displayed beside the Active Manager Version if the active callback detector version matches the latest
callback detector version.


A icon is displayed beside the Active Manager Version if the active callback detector version is older than the latest
callback detector version.

Note
For a Manager that is on an air-gapped network, is unregistered, or has the proxy server disabled:
• The Latest Available Version is displayed as ---.


A icon is displayed beside the Active Manager Version.

• When you select Download Other Versions, the Download Specific Callback Detector Version does not display
available versions of callback detectors.

Tasks
• Automatic download of callback detectors on page 69


Automatic download of callback detectors

Task
1 Select Manager | <Admin Domain Name> | Trellix IPS Protection Status. Then, select Callback Detectors tab. The
Callback Detectors tab is displayed.

2 In the Automatic Download (Update Server to Manager), schedule the automatic download of callback detectors by
entering the relevant details.

Option Definition

Automatically Download New Callback Detectors? Enabling it activates the automatic download. By default, it is disabled.

When Frequency for the Manager to poll the Update Server. The following options are displayed in the
drop-down list:
• Daily: To download new callback detectors daily. Set the time at which the download must occur.
• Weekly: To download new callback detectors weekly. Set the day of the week and time at which
the download must occur.
• Custom: To customize the interval at which the downloads must occur. The following options are
displayed:
• Every: Set the recurrence of time for the Manager to poll the Update Server.
• Between: Set the time range at which the download must occur.

3 Click Save. A status window opens to process the download.

4 In the Automatic Deployment (Manager to Devices), schedule the automatic deployment of callback detectors by entering
the relevant details.


Option Definition

Automatically Deploy New Callback Detectors? Enabling it activates the automatic download. By default, it is disabled.

Deployment The following options are displayed from the drop-down:
• Immediate (after download): To deploy the callback detectors immediately after the download.
• Scheduled: To schedule the deployment of callback detectors. Choosing this displays the When
option.
From the When option, customize the interval at which the deployment must occur. The following
options are displayed in the drop-down list:
• Daily: To deploy new callback detectors daily. Set the time at which the deployment must occur.
• Weekly: To deploy new callback detectors weekly. Set the day of the week and time at which the
deployment must occur.
• Custom: To customize the interval at which the deployments must occur. The following options
are displayed:
• Every: Set the recurrence of time for the devices to poll the Manager.
• Between: Set the time range at which the deployment must occur.

5 Click Save. A status window opens to process the download.

Note
If the Manager is not registered, Automatic Download (Update Server to Manager) displays the prompt Product registration is required to
use this feature.

Device software

You can download the available Sensor software and NTBA Appliance updates on demand from the Update Server. If more
than one version is available, select the most recent version.

Automation enables the Manager to check the Update Server for software updates periodically.


Task
1 Select Manager | <Admin Domain Name> | Trellix IPS Protection Status. Then, select Device Software tab.
The Device Software tab is displayed.

It displays the details of downloaded device software such as Model, Version, Release Date, FIPS-Compliant, and Size (MB).

To download the details of downloaded device software, select Save as CSV. You can also view the total available software
images.

2 To download the required device software, select Download Device Software.


The Download Device Software dialog box appears. It displays the details, such as Version, Release Date, FIPS-Compliant,
and Size (MB).

Note
If you download the Device Software directly from the Update Server, the Release Date is available in DD-MMM-YYYY format. When you
manually import the Device Software, the date is displayed in MMM-YYYY format.


3 Select the Sensor model from the drop-down list. Then, select the required version of the device software.

Note
Only the latest three Sensor software versions for 10.1, 9.2, and 9.1 releases will be available for download, provided the releases are
supported by the selected Sensor model.

4 Click Download to download the software updates.

Note
For a Manager that is on an air-gapped network, is unregistered, or has the proxy server disabled, Download Device Software does not
display any details of the available software version.

Use the Deploy Device Software option to deploy these software updates. For more information, see the Trellix Intrusion
Prevention System Installation Guide.

Manually import device updates

The Manager allows you to manually import the following device updates from the file system if your Manager deployment has
no access to the internet.
• Device software (.jar)

• Signature set (.ivu or .jar)

• Callback detectors (.zip)

• Gateway antimalware updates (.upd)

Task
1 Select Manager | <Admin Domain Name> | Trellix IPS Protection Status. Then, select Manual Import tab. The Manual
Import tab is displayed.


2 Click Browse and choose the file on your system or a network location and click Import.
Later, do a configuration update for the corresponding Sensors.
The Manager audits the import process. The success or failure can be verified in the audit messages.

Release Announcements

The Release Announcements tab enables you to view any product or security-related messages. To view the messages, select
Manager | <Admin Domain Name> | Trellix IPS Protection Status. Then, select Release Announcements tab. The Release
Announcements tab is displayed.

The messages can be related to operating system updates, signature set release, Manager software update, and others. The
Manager checks the Trellix IPS Update Server for such messages every 15 minutes and displays messages that are relevant to
the version of Manager and signature set that you are using.

This feature makes sure that all relevant messages from the Trellix IPS support team reach you on time. Because the new
messages are displayed on the homepage and Release Announcements tab, the chances of you missing any message are
remote.

The Manager displays the release date and the message description of the relevant messages on the Release Announcements
tab. The release date is the date on which the message was posted on the Update Server. You can delete the messages that
you have already seen with the delete option, and they are not listed again. To download these messages, select Save as CSV.
You can also view the total available announcements.

The latest four unacknowledged messages are displayed on the Manager Dashboard page as well. Click View All Messages on
the Dashboard page to navigate to the Release Announcements tab where all messages are displayed that are not deleted.

Note
Though all users can view the messages, only users with the role of Super User in the root admin domain can delete messages.

Note
In the Manager, child admin domain users can view only the last four messages displayed in the Dashboard page.


Update the latest software images on all devices

You can download the available Sensor software updates on demand from Manager | <Admin Domain Name> | Trellix IPS
Protection Status. Select Device Software tab. Then, select Download Device Software. If more than one version is available
for download, select the most recent version. For example, if multiple versions, such as 10.1.1.4, 10.1.1.5, and 10.1.1.6 are
available for download, Trellix recommends you download version 10.1.1.6. The latest version of software always contains the
changes included in all previous releases. If needed, you can also downgrade your Sensor by choosing from the list of available
versions.

The Manager allows you to simultaneously download software images to all your Sensors listed under the Devices node. The
Manager also provides an option to concurrently perform the Sensor upgrade by selecting the specific Sensor under Devices |
<Admin Domain Name> | Devices | <Device Name> | Maintenance | Deploy Device Software. For Sensors in a stack, select
Devices | <Admin Domain Name> | Devices | <Device Name> | Member Sensors | <Stackname-node id> | Maintenance |
Deploy Device Software.

Note
Once the software is updated in the Sensor, you must reboot all updated Sensors.

To download a software update, do the following:

Task
1 Go to Devices | <Admin Domain Name> | Global | Device Manager.

The Device Manager page is displayed.

2 Select the Sensors tab.

3 From the list, select the required Sensor.


The Manager also provides an option to concurrently perform the software upgrade for multiple Sensors using the same model
and software version.


4 Select Upgrade Device Software from the Other Actions drop-down list.

The Software Upgrade dialog box is displayed.

Figure 2-11 Software Upgrade dialog box

5 Select the New Software Version to be downloaded to the Sensor from the drop-down.

Note
You can only view the downloaded device software versions.

If the required software version is not downloaded in the Manager for the selected Sensor, an Informational dialog box is displayed.

6 To have the Sensor reboot automatically after the upgrade, enable Reboot Automatically.

Note
By default this option is enabled. If required, it can be disabled.
For NS-series Sensors, you must do a full reboot as hitless reboot is not supported when SSL decryption is enabled.


7 Click Upgrade to initiate the process.


An Informational dialog box is displayed to provide the status update. Click OK.

The Last Upgrade section of the Device Details column provides the time stamp of the last upgrade performed.

To view the software upgrade status, go to Upgrade Status section of Device Details column. You can also view the status
from Background Tasks tab of Manager | <Admin Domain Name> | Troubleshooting | Logs.

The following statuses are displayed:

Status Definition

Successful When the Sensor upgrade is successful.

In-progress When the Sensor is upgrading to the latest software version.

Failed When the Sensor upgrade fails.

--- When no upgrade is performed.

8 The Export Sync File from Other Actions drop-down is used to update and export files for offline Sensors.

Deploy pending changes to a device

When you make any configuration changes or policy changes on the Manager, or a new/updated signature set is available from
Trellix, you must apply these updates to the devices (such as Sensors and NTBA Appliances) in your deployment for the
changes to take effect.

Note the following:

• Configuration changes such as port configuration, non-standard ports, and interface traffic types are updated regardless of
the changes made to the Sensor, interface/subinterface.

• NTBA configuration updates refer to the changes done in the several tabs of the Devices node.

• Policy changes are updated on the Sensor or NTBA Appliance in case of a newly applied policy, or change made to the
current enforced policy.

• Signature updates contain new and/or modified signatures that can be applied to the latest attacks.

• When policy and rule updates are applied to the devices, the current traffic analysis is not impacted until the last phase of
configuration updates (that is, when the Manager status update is at 95%).

Refer to the following steps to deploy the configuration changes to all devices in the admin domain or at a device level.


Task
1 Go to Devices | <Admin Domain Name> | Global | Device Manager.
The Device Manager page is displayed.

Figure 2-12 Device Manager

2 Click the Sensors tab. Select the required Sensor from the list.

3 Select Sync.

The Sync: <Device Name> window is displayed.


4 Select the required configurations and click Sync.

Note
The Manager provides an option to concurrently deploy pending changes for multiple Sensors. When you select multiple Sensors for
deployment, the Bulk Sync window is displayed and enables all check-boxes by default. Select the options you wish to deploy and click
Sync.

Figure 2-13 Sync: <Device Name> window

A Deployment Details dialog box is displayed. Click .

Figure 2-14 Deployment Details


You can also deploy the changes to a specific device from Devices | <Admin Domain Name> | Devices | <Device Name> | Deploy
Pending Changes. Select the required configurations and click Deploy.

Figure 2-15 Device-level deploy pending changes

The following statuses can be viewed from the Sync section of the Status column:

Status Description

Synchronized Indicates that no pending changes are required.

Sync in progress Indicates when the deployment is in progress.

Sync required Indicates if any pending changes are required.

--- Indicates that there is no trust established between the Sensor and the Manager.

5 Click Export Sync File under Other Actions to view and export the deployment changes file to indirect mode Sensors. The
changes can then be deployed to the Sensors manually using the CLI command window.

6 Click to refresh the page and the status of the deployment.

Viewing pending deploy configuration changes


You can view the status and details about the number of devices that have pending deploy configuration changes. The
status of the pending deploy configuration is indicated as an icon in the application menu bar.

The following icons are displayed, based on the status of the pending deploy configuration.

Icons Description

Specifies that there are no pending changes on the devices.

Specifies the number of devices where the changes are pending. Clicking on this icon displays the Deploy Pending
Changes page.


Users and roles

User management in Trellix IPS

Security organizations usually are comprised of multiple individuals, and management of the overall system is generally
delegated to different people according to some logical categorization—by department, by geographic location, by system (that
is, the email servers, the Web servers), and so on. In Trellix IPS, you delegate the management of system components by
organizing the components logically into admin domains and then granting various management privileges for the domains to
your Trellix IPS users.

The Manager enables the creation of multiple users within the system, and enables Super Users to grant specific privilege rules,
called roles, to those users to allow them to manage an admin domain and any of its children. Within each admin domain,
permission to carry out tasks is limited to only those users with appropriate roles.

For example, recall that a child admin domain can consist of something as granular as an interface on a Trellix IPS Sensor. You
use roles to specify who can do what with that interface in that child domain.

What is a role?
A role is defined as a group of actions that a user is allowed to perform within a given domain. Roles determine the user's
authorized activities, ensuring the users have access to only the functions necessary to complete their particular operational
responsibilities.

Trellix IPS implements role-based authorization, wherein users can perform only those activities permitted by their role. Roles
are always domain based, that is, a role governs what activities a user can perform within a particular domain. Users never have
roles that are not tied to managing a resource within a specific domain and its children, although users can exist in the
database without being assigned a role.

Roles promote the integrity of security configuration by not allowing universal access to every security resource deployed in the
system. Thus you can create a user with privileges to manage and configure a single child domain, perform user management
tasks within that domain, generate reports, manage Sensors, and so on. You can assign the least privileges necessary for a user
to perform his/her specific job function, and no more. The user is limited to the specific role functions within the assigned child
domain and its children, and is prevented from manipulating other domains.

For example, only the Root Admin Domain System Administrator sees the Manager. System Administrators without privileges
at the Root Admin Domain level are allowed to configure and maintain their child domains within the system, but do not see
the Manager.

Note
The Root Admin Domain Super User is able to override the roles of any user.

Creating a user
You create a user from the Manager | <Admin Domain Name> | Users and Roles menu, and you can assign the user roles for
a particular domain at the time the user is created, or you can assign roles at a later time. Only users who have Super User
privileges can assign or modify the assignment of user roles, and then only for the domains permitted by their role(s).

Users are stored in the database with their username, a PBKDF2WithHmacSHA256 hash of their password, their role(s), and
their roles in various domains. When the user logs in, the Manager makes available only those activities permitted by the user's
role.

As most companies now centralize their user management and authentication, the Manager also supports RADIUS and LDAP
authentication for users. For either authentication method, you configure the authentication server information, and then
when creating a user, you can choose whether the user is a RADIUS, LDAP, or Manager Local user.


User accounts for the Sensor can be centrally stored and authenticated with a TACACS+ (Terminal Access Controller Access
Control System plus) server.

Roles within Trellix Intrusion Prevention System

Trellix IPS provides five categories of roles. The section Role descriptions lists the five role types with the applicable description
and activities available to each.

All role types can view the Dashboard page. No Role users—as their names imply—have the most limited read-only privileges
within the system.

In addition to Trellix IPS-provided roles, custom roles can be added in order to assign specific abilities to certain members of an
organization.

Role relationships between parent and child domains


Roles apply within the current domain and any of its children. Because child domains are essentially contained within parent
domains, if a user is given, for example, Operator role for a parent domain, that role also applies to all children of the parent.
Note that additional roles can be granted to the user at the child level, but a role granted at a parent cannot be overridden at a
child level. Using the example above of a user granted an Operator role at the Root Admin Domain level, suppose you create a
child admin domain. The user with the Operator role inherits that role at the child level; however, if you wanted the user to
have Super User status at the child level, you can assign the Super User role within that child domain.

Trellix IPS roles provide a granular level of access within the system. This enables you to provide very limited responsibilities to
a number of individuals, or to assign a single user multiple roles so the user can accomplish multiple administrative tasks (for
example, grant System Administrator and Security Expert roles) within the system.

Role descriptions

The following section summarizes the Trellix IPS-provided user roles.

Table 2-1 Roles and Descriptions

Role Descriptions

ePO Dashboard Data Retriever The ePO Dashboard Data Retriever has rights to retrieve information from Trellix IPS to McAfee
ePO for displaying Trellix IPS information in McAfee ePO.

Policy Administrator The Policy Administrator administers the intrusion prevention environment.

NOC Operator The NOC Operator monitors the security environment.

Report Generator The Report Generator runs reports.

Security Expert The Security Expert role manages intrusion policies. The Security Expert administers the IPS and
NTBA environments. The Security Expert can create, edit, and delete policies, view alerts, manage
software and signature update downloads, generate reports, manage system faults, and handle
security alerts.


Super User The Super User role (not represented by an icon) enjoys all privileges. Each shipped Manager is
configured with one built-in Super User account, including a default password.
The Super User role provides:
• All the privileges possible in the current domain
• All the privileges a Super User has in all the children of the current domain
• The special privilege to assign (or remove) the Super User role for a user in the current domain
A Super User can be defined at any level, and the role applies to the current domain and all of its
children, but not for its parent domain or any other "sibling" domains.

System Administrator The System Administrator role pertains strictly to administration of the system itself. The System
Administrator administers the Manager and the Device List. The System Administrator manages
software and system performance, adds, configures, and deletes Sensors, and handles system
faults.

Management of users and user roles

Trellix IPS enables creation of users for various administrative functions. This enables selected entities (users/groups/business
units) to manage specific domain resources.

User management in Trellix IPS environment consists of creating users and granting them privileges. Network security requires
careful planning when creating users to ensure the integrity of the environment. All users must authenticate at the Manager
login prior to performing any activities. The username and password is securely stored in the database with matching privilege
rules. A class of user privileges, termed roles, determines the authorized activities of the various users in the system. Once a
user logs in, Manager makes available activities based on the role. Roles promote the integrity of security configuration by not
allowing universal access to every security resource deployed in the system.

User management
The Users option allows you to add a user, change the default administrator, delete, or edit a user.

The Users list only displays the users created within the current admin domain and any of its children. This list does not display
users that were created in a higher admin domain, even if the viewing administrator holds a role in that higher admin domain,
whatever that role is. If a user's name is not displayed, the viewing user needs to move to the admin domain level where the user
was created in order to administer that user. Admin domain viewing is role dependent.

When you are in Edit mode, you will see the Reset GUI Presentation button. This version of the Manager allows you to make
changes to a column or panel presentation. For example, you can resize the width of a column in a table or apply a filter by
using a small arrow situated next to a column. Once you customize the width of a column or apply a filter, it stays that way
even when you log out and log in next time. If you want to reset these changes and revert to the default settings, click Reset
GUI Presentation.

Add users

To add a new user and optionally assign a domain role, do the following:

Task
1 Select Manager | <Admin Domain Name> | Users and Roles | Users.

2 Click .
The Add a User page is displayed. Fill in the required fields. The fields marked with an asterisk (*) are required fields.


3 Type the Login ID. The Login ID parameters that can be used are as follows:
• 26 alpha: upper and lower case (a,b,c,...z and A, B, C,...Z)

• 10 digits: 0 1 2 3 4 5 6 7 8 9

• 6 symbols: . ' : - _ ( ) space

4 For Authentication Type choose one of the following (if available):


• Local — Authenticate locally on Manager.

• LDAP — Authenticate using an LDAP server. If you select this option, also type the LDAP User DN (distinguished name).
Use the following format for the LDAP User DN:

uid=userName,ou=People,dc=DomainName,dc=com

If using Active Directory, use the following format:

userName@DomainName.com

or

cn=userName,ou=People,dc=DomainName,dc=com

Use a valid DN, as LDAP authentication may not operate correctly without a valid DN. Consult with your system
administrator to obtain the correct DN for your LDAP server.

• RADIUS — Select one of the following RADIUS authentication protocols. If you select this option, also type a valid
RADIUS ID, which will be used for authenticating your settings against the RADIUS server.
• RADIUS using PAP (Password Authentication Protocol)

• RADIUS using the CHAP (Challenge Handshake Authentication Protocol)

• RADIUS using the EAP-MD5 (Extensible Authentication Protocol-MD5)

If you have selected the Authentication Type as Local, you will have to fill in the Password and Verify Password fields.

5 The Password must be a minimum of eight (8) characters and maximum of sixty four (64) characters in length, and must
contain a combination of numbers, characters, and special characters. Password parameters that can be used are as
follows:
• 26 alpha: upper and lower case (a,b,c,...z and A, B, C,...Z)

• 10 digits: 0 1 2 3 4 5 6 7 8 9

• 32 symbols: ~ ` ! @ # $ % ^ & * ( ) _ + - = [ ] { } \ | ; : " ' , . <>? /

Note
If RADIUS or LDAP authentication is enabled, you must also select the type of authentication to use for this new user.

Note
Trellix strongly recommends that you change the default password for security purposes. For more information on the password
control, see Configure password complexity settings on page 186.

6 Re-enter the password in Verify Password.

7 [Optional] Select the checkbox Account Locked to disable the user.


8 The First and Last Name must be a minimum of one (1) character and a maximum of thirty two (32) characters in length.
The parameters that can be used are as follows:
• 26 alpha: upper and lower case (a,b,c,...z and A, B, C,...Z)

• 10 digits: 0 1 2 3 4 5 6 7 8 9

• 2 symbols: . space

9 Type the Email address of the user.

10 Type the relevant details, if required for the following fields: Company, Phone, State, Address, and Country.

11 In the Role Assignments section, select the Roles from the drop-down list. Admin Domain displays the user domain by
default.

Figure 2-17 Add User page

12 Click Save; click Cancel to abort.

13 Select Manager | <Admin Domain Name> | Users and Roles | Users to view the newly added user.
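As an added example (not part of this guide and not the Manager's own code), the following Python checks the Login ID, Password, and First/Last Name fields against the character sets and length limits listed in the steps above, and then stores the password as a PBKDF2-HMAC-SHA256 record, the algorithm that the Creating a user section says the Manager uses. The salt length, iteration count, and record layout are assumptions, since the page names only the algorithm.

```python
import hashlib
import hmac
import os
import string
from typing import Dict, List, Optional

# Character sets and limits as listed in the Add a User steps on this page.
LOGIN_ID_CHARS = set(string.ascii_letters + string.digits + ".':-_() ")
PASSWORD_SYMBOLS = set("~`!@#$%^&*()_+-=[]{}\\|;:\"',.<>?/")  # the 32 listed symbols
PASSWORD_CHARS = set(string.ascii_letters + string.digits) | PASSWORD_SYMBOLS
NAME_CHARS = set(string.ascii_letters + string.digits + ". ")
PASSWORD_MIN, PASSWORD_MAX = 8, 64
NAME_MIN, NAME_MAX = 1, 32

# PBKDF2WithHmacSHA256 is the algorithm the page names; the salt size, iteration
# count and record layout below are assumptions made for this example.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DERIVED_KEY_BYTES = 32


def _disallowed(value: str, allowed: set) -> List[str]:
    """Characters of `value` that are outside the permitted set, sorted."""
    return sorted(set(value) - allowed)


def validate_login_id(login_id: str) -> List[str]:
    errors = []
    if not login_id:
        errors.append("Login ID is required")
    bad = _disallowed(login_id, LOGIN_ID_CHARS)
    if bad:
        errors.append(f"Login ID contains disallowed characters: {''.join(bad)!r}")
    return errors


def validate_password(password: str) -> List[str]:
    """Length 8..64, only the listed characters, and a mix of letters, digits and symbols."""
    errors = []
    if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
        errors.append(f"Password must be {PASSWORD_MIN} to {PASSWORD_MAX} characters")
    bad = _disallowed(password, PASSWORD_CHARS)
    if bad:
        errors.append(f"Password contains disallowed characters: {''.join(bad)!r}")
    if not any(c.isalpha() for c in password):
        errors.append("Password must contain a letter")
    if not any(c.isdigit() for c in password):
        errors.append("Password must contain a number")
    if not any(c in PASSWORD_SYMBOLS for c in password):
        errors.append("Password must contain a special character")
    return errors


def validate_name(name: str, label: str) -> List[str]:
    """First and Last Name: 1..32 characters from letters, digits, '.' and space."""
    errors = []
    if not NAME_MIN <= len(name) <= NAME_MAX:
        errors.append(f"{label} must be {NAME_MIN} to {NAME_MAX} characters")
    bad = _disallowed(name, NAME_CHARS)
    if bad:
        errors.append(f"{label} contains disallowed characters: {''.join(bad)!r}")
    return errors


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2-sha256$<iterations>$<salt hex>$<key hex>."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations,
                              dklen=DERIVED_KEY_BYTES)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, key_hex = record.split("$")
        if algorithm != "pbkdf2-sha256":
            return False
        expected = bytes.fromhex(key_hex)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations),
                                     dklen=len(expected))
    except ValueError:  # malformed record (wrong field count, bad hex or integer)
        return False
    return hmac.compare_digest(actual, expected)


def create_local_user(login_id: str, password: str, verify: str,
                      first_name: str, last_name: str) -> Dict[str, str]:
    """Validate the Add a User fields for a Local user and build the stored record."""
    errors = (validate_login_id(login_id) + validate_password(password)
              + validate_name(first_name, "First Name") + validate_name(last_name, "Last Name"))
    if password != verify:
        errors.append("Password and Verify Password do not match")
    if errors:
        raise ValueError("; ".join(errors))
    return {"login_id": login_id, "auth_type": "Local",
            "password_hash": hash_password(password),
            "first_name": first_name, "last_name": last_name}
```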

Edit users

Note
Editing a user in Central Manager is similar to that in the Manager, described below.


To edit an existing user, do the following:

Task
1 Select Manager | <Admin Domain Name> | Users and Roles | Users.

2 Select a user.

3 Click .

4 Type your changes in the appropriate fields.

5 Click Save.

View Users

To view the users available in the Manager, select Manager | <Admin Domain Name> | Users and Roles | Users.

Note

If the account is locked, an icon is displayed beside the user name in the Name column.

Delete users

Note
Deleting users in Central Manager is similar to that in Manager, described below.

To delete an existing user account, do the following:

Task
1 Select Manager | <Admin Domain Name> | Users and Roles | Users.

2 Select a user.

3 Click . A pop-up with the following message appears: You are about to permanently delete this record. Do you wish to
continue?

4 Click OK to delete the user record; click Cancel to abort.


Assign roles to users


You can assign or remove a role to/from a user at any time.

Note
A user granted a role in a parent admin domain inherits the same role in any child domains below the parent, unless the user's role is
altered in a child domain.

To assign a role to a user in a domain, do the following:

Task
1 Select Manager | <Admin Domain Name> | Users and Roles | Role Assignments.

2 Select a user in the Role Assignments table.

3 View the user's role in the field Roles (Current Domain). If no role has been assigned, this field is empty.

4 Click .

Note
A user can have a different role in any or all admin domains regardless of the admin domain in which the user was created. If the user is
to be granted a role in an admin domain higher than the one where it was created, the administrator of that higher domain must assign
that role. An administrator can only grant or deny roles in the admin domains where he/she has that privilege. If a user has been allotted
a Super user role at the parent and the child domain, the user should select a domain from the home page at the time of login. The
home page displays a drop-down above the menu bar in such cases.

Current Assignments and New Assignment sections are displayed. If a role is already assigned to the user, the role in
Assigned Role column is displayed in Current Assignments section.

5 In New Assignment, the Login ID of the user is displayed by default.

6 Select the Admin Domain from the drop-down list.

7 Select the role(s) to be assigned to the user from the drop-down list.

8 Click Save.

Define Roles
A role is a group of actions that a user is allowed to perform within a given administrative domain. Trellix IPS provides
role-based authorization to the users.

Users authenticate themselves by logging into the Manager. For an admin domain, you can create users and assign roles to the
users in the Manager. You can also create users in the child admin domains and assign roles to them.

The role privilege indicates the actions that are allowed for a user assigned the particular role. Each role has role
privileges with Create, Edit, Run Only, or View Only permissions. For example, Configuration Reports - Create allows the user
with that role to have Create permissions for the Reports in the Manager.

Trellix IPS includes default roles, and you can create custom roles. Users created for an admin domain are specific to that
domain, but roles can be assigned to the users across domains. That is, you can assign a role to a user in one domain, and
another role to the same user in the corresponding child domain.

86 Trellix Intrusion Prevention System 10.1


2 | Manager Administration

The Roles option (Manager | <Admin Domain Name> | Users and Roles | Roles) lists the various default roles and allows you
to create custom roles.

Figure 2-18 Roles page

The following table lists the default role types and their corresponding role descriptions.

Note
Options to edit or delete are disabled for the default roles.

Policy Administrator
Description: Administer the intrusion prevention environment
Role privileges:
• Configuration Reports - Create
• Dashboard and Analysis - Edit
• Deploy Pending Changes
• Event Reports - Create
• Policy - Edit
• Run Vulnerability Scan
• View Packet Captures

NOC Operator
Description: Monitor the security environment
Role privileges:
• Configuration Reports - Run Only
• Event Reports - Run Only
• View Packet Captures

Report Generator
Description: Run reports
Role privileges:
• Configuration Reports - Create
• Event Reports - Create

Security Expert
Description: Administer the IPS and NTBA environments
Role privileges:
• Configuration Reports - Create
• Dashboard and Analysis - Edit
• Deploy Pending Changes
• Devices - View Only
• Event Reports - Create
• Manager - View Only
• Policy - Edit
• Run Vulnerability Scan
• View Packet Captures

System Administrator
Description: Administer the Manager and the Device List
Role privileges:
• Configuration Reports - Create
• Deploy Pending Changes
• Devices - Edit
• Event Reports - Run Only
• Manager - Edit
• Policy - View Only
• Synchronize Policy
• View Packet Captures

ePO Dashboard Data Retriever
Description: Rights to retrieve information from Trellix IPS to ePO, for displaying Trellix IPS information in ePO.
Role privileges:
• ePO Dashboard Data Retrieval

Super User
Description: Full rights. Super Users must manage themselves within the domains in which they reside.
Role privileges:
• Configuration Reports - Create
• Configuration Reports - Run Only
• Dashboard and Analysis - Edit
• Dashboard and Analysis - View Only
• Deploy Pending Changes
• Devices - Add and Remove
• Devices - Edit
• Devices - View Only
• ePO Dashboard Data Retrieval
• Event Reports - Create
• Event Reports - Run Only
• Guest Portal User Account Manager
• Manager Central Manager - Edit
• Manager Central Manager - View Only
• Manage Managers - View Only
• Manager - Edit
• Manager - View Only
• Policy - Edit
• Policy - View Only
• User Auditing - Edit
• Users and Roles - Edit
• Users and Roles - View Only
• View Packet Captures

No Role
Description: The user cannot log on to the Manager. This is the state when a user is first created but has not yet been assigned
any role.
Role privileges: none

Custom roles

Custom roles can be created in the Manager and assigned to users. You can create a new custom role and assign the role by
using Roles and Role Assignments options.

You can edit or delete the custom roles in the Roles option. You can also assign roles using the Role Assignments option and
view the user account information using My Account option as before.

Important
If you are upgrading from Manager version prior to 9.1, you can view the existing custom roles after upgrade. However, the privileges that
were assigned to the roles will be lost, and must be re-assigned in the 10.1 Manager.

Add roles


You can add new roles (custom roles) in the Manager from the Manager | <Admin Domain Name> | Users and Roles | Roles
option.

Note
Only users with 'Users and Roles - Edit' role privilege can create users or roles, assign roles to users, and modify the user account settings.

Note
Users with 'Users and Roles - View Only' role privilege can only view the users, roles, or user accounts.

Adding custom roles


Users with 'Users and Roles - Edit' role privilege can add roles. Once added, the roles are listed along with default roles
available for the users.

To add a custom role in the Manager, do the following:

Task
1 Select Manager | <Admin Domain Name> | Users and Roles | Roles.

Note
Roles option can be accessed only from the parent administrative domain. Default roles cannot be edited or deleted.

2 Click to create a new custom role.

Figure 2-19 Add a Custom Role page

The Add a Custom Role window is displayed.

3 Enter a name to identify a role and a description.

4 Select the permissions you want to assign to this role from the Available list, and click the arrow to move them to the
Assigned list. The Read, Write, or Operate permission level (RO, RW, and so on) for each privilege is part of the privilege name.

5 Click Save.


Tasks
• Assign custom roles on page 91

Assign custom roles


To assign a custom role to a user, do the following:

Task
1 From the Manager tab, select <Admin Domain Name> | Users and Roles | Users.

2 Click to add a user.

3 Enter the user information.

4 In the Role Assignment section, select the Role.

5 Click Save. The assigned role is displayed in the Users page.

Note
A custom role created in the Central Manager can be associated with a Manager user. If that role is deleted, or if the Manager is made
standalone, the role is deleted in the Manager, and its association with the Manager and with the user is removed as well.

Super User Privileges

Trellix IPS resources are governed by users with Super User access; a Super User is capable of configuring every resource and
function in the system. Each shipped Manager is configured with one built-in Super User account, including a default password.

A Super User is only limited by domain boundaries. Only the Super Users created at the root domain have full access; Super
Users in a child domain only have Super User privileges in that domain and the subsequently added child domains.

Caution
The default Super User account username is admin and the password is admin123. Trellix strongly recommends that you change this
default password as soon as the Manager is installed: the credentials are published in this guide, so a Manager that still uses them can
be logged into by anyone who can reach its login page. The new password must be at least 8 characters in length and must contain a
combination of numbers, letters, and special characters. For more information on password controls, see Configure password complexity
settings on page 186.

A Super User can be defined at any level, and the role applies to the current domain and all of its children but not for its parent
or sibling domains.

Management of user roles

The Role Assignments option enables a user administrator to assign roles to users within an existing admin domain. Adding a
user to a domain requires the application of a role, or privilege, thus limiting a user's configuration abilities.

How to view user account information


The My Account option displays the My Account page, which lists the account information for the logged-in user. The
navigation path for this page is Manager | <Admin Domain Name> | Users and Roles | My Account.

If you want to change your information (password, address, and so forth), clear the appropriate field, type the new information,
and click Save; click Cancel to exit without saving changes.


The Reset GUI Presentation restores any changes made to the column or panel presentation to its default setting.

Setup

What is an administrative domain?

An administrative domain, or admin domain for short, is an organizational tool used specifically to group Trellix IPS resources so
that management of the resources can be delegated to specific Trellix IPS users.

An admin domain can contain other admin domains, Trellix IPS Sensors, Sensor interfaces, and Sensor sub-interfaces. This
administrative domain concept enables enterprises to create a central authority that is responsible for the overall Trellix IPS,
and to allow this central authority to delegate day-to-day operations of Trellix IPS security resources to appropriate entities—
business units, geographic regions, IT departments, individual security personnel, and so on.

Root Admin Domain

The top level admin domain is called the Root Admin Domain. Users with Super User access to the Root Admin Domain have
complete control over the entire administrative domain and all resources within it, including any child domains, and thus all
security resources in the system.

For example, suppose your company (which we'll call My Company) is headquartered in London, and has satellite offices in
New York, Paris, and San Francisco. If your Trellix IPS deployment monitors the entire company, your Root Admin Domain could
encompass all four sites and all of the Trellix IPS components within the environment, and you could manage the entire system
from London.


The admin domain is displayed at the top of the tab tree across the Policy, Manager, and Devices tabs. The root admin domain
is labeled "My Company."

Parent and child admin domains


Perhaps managing "My Company's" entire Trellix IPS deployment from London is impractical. It might make more sense to
delegate management of the Trellix IPS resources protecting various geographical locations to entities in those locations. To
delegate management functions to each of the four offices, you would create a subdomain representing each office. These
subdomains are called child admin domains or child domains.

Creating child domains enables you to delegate entities more familiar with the subdomain's environment to monitor and/or
configure the IPS devices in that subdomain. You are not required to subdivide your admin domains into child domains;
however, if you want to delegate responsibilities for managing Trellix IPS resources among multiple individuals within your
organization, you do so by creating child domains.

Note
To delegate responsibilities, you create user accounts and give each user a role that defines how the user can interact with the resources in
the child admin domain. For more information on roles, see Management of users and user roles on page 82.

You can further break child domains into smaller subdomains. Any domain with child domains is a parent. A child domain can
be parent to other child domains.

You can subdivide your Root Admin Domain into child domains that are large, from a resource perspective, delegating
management of all the Trellix IPS resources protecting multiple geographic regions. Or you can create domains that are very
small—a few interfaces on a single Sensor, or even a VLAN tag or CIDR address within a segment of traffic transmitting between
two hosts in the protected network.


Admin domain hierarchy


Administrative domains are graphically represented in the tab structures as a hierarchical tree structure. In the tab tree, you
can drill-down levels using menus, sub-menus, and options. The hierarchy is: Device, interface node, sub-interface node, child
admin domain node, and allocated interface node.

Figure 2-20 Admin domain hierarchy

The Domain field at the top of the tab tree represents the Root Admin Domain.

Note
The tab tree structure applies to the way the actions are performed by system users and not necessarily to any networking or physical
relationship between the resources.

A user's role determines his/her view of the tab tree. Only resources the user is permitted to view are displayed in the tab tree.

Inheritance

It is important to understand the relationship between parent and child admin domains because (by default) child admin
domains inherit policies from parent admin domains, and because users are automatically granted the same privileges in the
child domains as those enabled by their roles in the parent domain.

Policy inheritance means that a child takes policies, or inherits them, from the parent. If you do not specify a policy when you
create the child, the child automatically inherits the policies of its parent. To override policy inheritance from parent, you assign
a policy to the child admin domain that is specific to that child domain.


For more information on policies, see Working with IPS policies on page 715.

User roles work similarly, but with a slight difference. Roles apply within the current domain and any of its children. Because
child domains are essentially contained within parent domains, if a user is given, for example, a Super User role for a parent
domain, that role also applies to all children of the parent. Thus, to use the domain hierarchy shown in the figure in Admin
domain hierarchy as an example, a user assigned a System Administrator role for the Finance department has that role for the
Payroll and Accounts Payable domains as well.

Note that additional roles can be granted to the user at the child level, but a role granted at a parent cannot be overridden at a
child level.

For more information on roles, see Management of users and user roles on page 82.

Configuration of Administrative Domains


An administrative domain, or admin domain for short, is an organizational tool used specifically to group Trellix IPS resources
so that you can delegate resource management to specific Trellix IPS users. An admin domain can contain other admin
domains, Devices, and Device interfaces.

Administrative domains enable enterprises to create a central authority that is responsible for the overall Trellix IPS system,
and to allow the central authority to delegate day-to-day security operations to the appropriate entities, such as business units,
geographic regions, and individual security personnel.

The top level admin domain is called the root admin domain. Users with Super User access to the root admin domain have
complete control over the entire administrative domain and all resources within it, including any child domains, and thus all
security resources in the system. To delegate management functions to entities within your organization, you would create a
sub domain (of the root or other parent domain) representing each entity or department. These sub-domains are called child
admin domains or child domains.

In Trellix IPS Manager, the functions that you can perform at the admin domain level are as follows:

• Configuring and managing admin domains: enables you to view details of admin domains and create child admin domain

• Managing users and user roles: enables the creation of users for various administrative functions

• Viewing system information logs: enables a privileged administrator to view the audit logs and system information logs

• Setting up fault notifications: allows you to send system fault information to third-party machines such as SNMP servers
and Syslog servers.

Child domains
Creating child domains enables you to delegate the monitoring and/or configuration of the Trellix IPS Sensors in a sub-domain to
entities more familiar with that sub-domain's environment. You are not required to subdivide your admin domains into child
domains; however, if you want to delegate responsibility for managing Trellix IPS resources among multiple individuals within
your organization, you do so by creating child domains. To delegate responsibilities, you create child admin domains and user
accounts, giving each user a role that defines how the user can interact with the resources in the child admin domain.

For example, suppose you manage three IPS Sensors. You can create a child domain and allocate a single port (1A) from one of
your Sensors to that domain. You can create a user and assign that person a Super User role in only that domain; that user has
no role in the root domain, and therefore cannot see or configure root domain resources. The child domain's Super User has
been delegated full management responsibilities for the allocated interface.

A user's role determines his/her view of the Resource Tree; only resources the user is permitted to view are displayed in the
tree.

Any domain with child domains is a parent; thus, a child domain can be a parent to other child domains. When you create a
child domain you can enable or disable it to be a parent for other domains (enabled by default). The root can always have child
domains.


It is important to understand the relationship between parent and child admin domains because child admin domains inherit
policies from parent admin domains, and users inherit the same privileges in the child domains as enabled by their roles in the
parent domain.
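The inheritance rules above can be checked mechanically. The following Python model is an added example, not part of the product or of this guide, and not an interface the Manager exposes: it resolves which roles and privileges a user effectively holds in each admin domain under the rules stated here (a role granted in a domain applies to that domain and all of its children; further roles can be granted at a child; a grant made at a parent cannot be overridden at a child; a user's tab tree shows only the domains in which the user holds a role). The privilege lists are copied from the table of default roles; Super User is represented as a wildcard over every privilege in its subtree, which is a simplification. The domain names follow the example hierarchy (My Company, Finance, Payroll, Accounts Payable); the user names and the revoke() behaviour are constructed for the example.

```python
"""Model of the role-inheritance rules for admin domains described above.

Added example; not Trellix code and not an interface the Manager exposes. It
resolves which roles and privileges a user effectively holds in each admin domain
under the rules stated in this guide: a role granted in a domain applies to that
domain and all of its children; further roles can be granted at a child; a grant
made at a parent cannot be overridden at a child; and a user's tab tree shows only
the domains in which the user holds a role. The privilege lists are copied from
the table of default roles; Super User is represented as a wildcard over every
privilege in its subtree (a simplification). Domain names follow the example
hierarchy (My Company, Finance, Payroll, Accounts Payable); user names are
constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterator, List, Optional, Set, Tuple

# Privileges of four default roles, as listed in the table of default roles.
DEFAULT_ROLES: Dict[str, FrozenSet[str]] = {
    "Policy Administrator": frozenset({
        "Configuration Reports - Create", "Dashboard and Analysis - Edit",
        "Deploy Pending Changes", "Event Reports - Create", "Policy - Edit",
        "Run Vulnerability Scan", "View Packet Captures"}),
    "NOC Operator": frozenset({
        "Configuration Reports - Run Only", "Event Reports - Run Only",
        "View Packet Captures"}),
    "System Administrator": frozenset({
        "Configuration Reports - Create", "Deploy Pending Changes", "Devices - Edit",
        "Event Reports - Run Only", "Manager - Edit", "Policy - View Only",
        "Synchronize Policy", "View Packet Captures"}),
    "Super User": frozenset({"*"}),   # full rights within the domain subtree
}


@dataclass
class Domain:
    name: str
    parent: Optional[Domain] = None
    children: List[Domain] = field(default_factory=list)
    grants: Set[Tuple[str, str]] = field(default_factory=set)   # (user, role) granted here

    def add_child(self, name: str) -> Domain:
        child = Domain(name, parent=self)
        self.children.append(child)
        return child

    def lineage(self) -> Iterator[Domain]:
        """This domain, then its parent, up to the root."""
        d: Optional[Domain] = self
        while d is not None:
            yield d
            d = d.parent


def grant(domain: Domain, user: str, role: str) -> None:
    domain.grants.add((user, role))


def revoke(domain: Domain, user: str, role: str) -> None:
    """A grant can be removed only where it was made; an inherited role
    cannot be overridden at the child (constructed behaviour)."""
    if (user, role) not in domain.grants:
        raise PermissionError(
            f"{role} for {user} is not granted in {domain.name}; "
            "revoke it in the parent domain where it was granted")
    domain.grants.remove((user, role))


def effective_roles(domain: Domain, user: str) -> Set[str]:
    """Roles granted in this domain or in any ancestor (roles flow down, never up)."""
    return {r for d in domain.lineage() for (u, r) in d.grants if u == user}


def effective_privileges(domain: Domain, user: str) -> Set[str]:
    privs: Set[str] = set()
    for role in effective_roles(domain, user):
        privs |= DEFAULT_ROLES[role]
    return privs


def can(domain: Domain, user: str, privilege: str) -> bool:
    privs = effective_privileges(domain, user)
    return "*" in privs or privilege in privs


def visible_domains(root: Domain, user: str) -> List[str]:
    """Domains that appear in the user's tab tree, in tree order."""
    out: List[str] = []
    stack = [root]
    while stack:
        d = stack.pop()
        if effective_roles(d, user):
            out.append(d.name)
        stack.extend(reversed(d.children))
    return out


def build_example() -> Tuple[Domain, Domain, Domain, Domain, Domain]:
    """Constructed hierarchy and grants for the example."""
    root = Domain("My Company")
    finance = root.add_child("Finance")
    payroll = finance.add_child("Payroll")
    ap = finance.add_child("Accounts Payable")
    hr = root.add_child("HR")
    grant(root, "admin", "Super User")                          # root Super User
    grant(finance, "fin-sysadmin", "System Administrator")      # inherited by Payroll and AP
    grant(payroll, "fin-sysadmin", "Policy Administrator")      # extra role at the child only
    grant(payroll, "payroll-su", "Super User")                  # no role in Finance or root
    return root, finance, payroll, ap, hr
```

Running build_example() and querying can() shows the three rules in one place: the System Administrator role granted in Finance is also effective in Payroll and Accounts Payable, the extra Policy Administrator role granted in Payroll is effective only there (so "Policy - Edit" holds in Payroll but not in Accounts Payable), and the Payroll Super User sees only Payroll in the tab tree and has nothing in Finance or the root. revoke() refuses to remove an inherited grant at the child, which is the practical consequence of a parent grant not being overridable at a child level: to take a right away, go to the domain where it was granted.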

Note
Throughout this guide, named admin domain instances are represented as <Admin Domain Name>. The default root admin domain is My
Company.

Management of admin domains


Managing an admin domain involves creating an admin domain, changing the root admin domain name, and deleting an
admin domain.

Create an admin domain

The procedure to create an admin domain is the same for a domain created under the root or a domain created under a child
of the root, and so on. You can create up to four levels of child domains under an admin domain. During child domain creation,
you have the option of delegating Sensor interfaces from the parent for management by the child.

If you do not want at this time to allocate interfaces or allow Sensor addition, you may enable these options later.

To create an admin domain:

Task
1 Click Manager | <Admin Domain Name> | Setup | Admin Domains. The Admin Domains page is displayed.

2 Select the domain to which you want to add a child domain and then click the add icon.

3 Type the required information. The red asterisks (*) denote required fields.
The tables below describe the fields.

Field Description

Domain Name Enter a unique name for identifying the domain. For an enterprise, naming the domain after the specific network segment, department, or building is suggested: HR, Finance, Bldg1, Bldg1-Floor2.

Contact Person Enter the name of the person responsible for the domain. This should be someone who can be reached in case of emergency or other domain questions.

E-mail Address Email address of the Contact Person.

Title Title of the Contact Person.

Contact Phone Number Phone number of the Contact Person.

Company Phone Number Phone number of the Company where the Contact Person works.

Organization Name of the Contact Person's employer company.

Address Address of the Organization.

City Name of the City where the Organization is located.

State Name of the State where the Organization is located.

Country Name of the Country where the Organization is located.


You can choose to enter additional details like phone number and address while creating the domain.
The fields mentioned below set restrictions on the child admin domain being created:

Field Description

Allow Child Admin Domains? If you select this check box, the administrator of the domain you are currently creating can create child admin domains for the domain. If you create a child admin domain and disallow the creation of further child admin domains, the new child domain cannot have its own children due to rule inheritance.

Allow Devices? If you select this check box, the administrator of the domain you are currently creating can add, edit, or delete physical Sensors. Otherwise, the domain is only permitted the interface or sub-interface resources allocated in Step 5. If you create a child admin domain and disallow the adding of physical Sensors, any children of the new child domain are also disallowed from adding physical Sensors due to rule inheritance.

You can provide the following permissions to an admin domain:


• Create a child admin domain from the existing admin domain by selecting Allow Child Admin Domains?

• Add devices in the admin domain by selecting Allow Devices?

The permissions can be provided to the admin domain only while creating a new admin domain. Once the admin domain is
created, these permissions cannot be edited/modified. To change the permission settings, you have to delete the existing
admin domain and create a new admin domain with new permissions.

4 For IPS devices, select the IPS policy from Default IPS Policy drop-down list. For the NTBA Policy and Worm Policy, the fields
mentioned below are displayed:

Field Description

Default NTBA Policy Sets the default NTBA Policy to be inherited by child admin domain resources. Several
pre-configured policies are provided that encompass different network environments.

Default Worm Policy Sets the default Worm policy to be inherited by child admin domains.

5 Click Save.
The Allocated Interfaces page appears.

6 Click Allocate.

7 Select a Sensor from Select an IPS sensor drop-down list to allocate interfaces/sub-interfaces to the child domain. You can
allocate interfaces/sub-interfaces from one or more Sensors.

8 Click Allocate. You may only select one interface from one Sensor at a time.

9 Repeat until you have allocated all the interfaces you require.

10 Click Finish.
The child admin domain you created appears at the bottom of the resource list of the domain in which it was created.

Modify the admin domain name

You can customize some of the settings of your root domain, including the name that appears across all the tree-tab structures
and subsequent system configuration navigation. Customizing the admin domain name helps to properly maintain the
environment that is being protected.


Task
1 Click Manager | <Admin Domain Name> | Setup | Admin Domains. The Admin Domains page is displayed.

2 Select the root admin domain (My Company) from the Admin Domains page in the Manager. For Central Manager, there is
only one admin domain, whose details are displayed.

3 Click the edit icon.

4 Clear the Domain Name and type your new domain name.

5 Clear the Contact Person and type a name. This typically would be the Super User.

6 Clear the E-mail Address and type a new email address.

7 Optionally, change the other fields if required.

8 Click Save. In all the tree-tab structures, the root domain name changes from My Company to the modified name.

Details of an admin domain

Navigate to Manager | <Admin Domain Name> | Setup | Admin Domains and click View to see the currently configured
information for the selected admin domain.

Note
The View option is available for the users with Manager View Only permission.

Note
At the fourth level of admin domain hierarchy, Summary of the current admin domain is displayed by default.

Note
The information displayed for the selected admin domain varies according to the features available. For instance, if the NTBA license is
enabled, information on Default Anomaly Policy and Default Worm Policy is displayed on this page.

Delete an admin domain

To delete an existing admin domain, do the following:

Task
1 Click Manager | <Admin Domain Name> | Setup | Admin Domains. The Admin Domains page is displayed.

2 Select an admin domain from the Admin Domains List page.

3 Click the delete icon and then click OK to confirm.

Note
An admin domain with resources such as Sensors and interfaces cannot be deleted until all resources have been removed.


Modification of child domain configurations


You can use the Admin Domains action to do the following:

• Edit the details of a selected domain.

Note
The root is the only domain that can be edited from its own node. All child nodes under the root must be edited directly from the parent
domain where the child was created.

• Allocate or remove interfaces to/from an existing child domain:


• You can allocate additional Sensor interfaces from the parent to the child. You have an opportunity to allocate interfaces
to a child domain during the child domain creation. However, if you decide to allocate more interfaces to a child after
creating the child domain, you must perform that task from the parent admin domain where the child was created.

• You can revoke (that is, remove) interfaces from the child admin domain. This must be performed from the parent
domain where the child was created. Revoking an interface brings the interface back under full control of the parent
domain; the child domain can then no longer configure the revoked interface.

Edit domain details or the number of interfaces in a child admin domain

Task
1 Select the appropriate (named) parent domain by navigating to Manager | <Admin Domain Name> | Setup | Admin
Domains.

2 Select the child domain to be edited from the parent's Admin Domains list.

3 Click the edit icon.

4 Change any of the general information fields that require updating/editing in the Edit the Admin Domain page.

5 Click Next.

Figure 2-21 Allocated Interface page

6 Do one of the following:


• Select an already allocated interface and click Revoke to remove the interface(s) from the child domain.

• Select a Sensor and an interface and then click Allocate to allocate more interfaces to the child domain.

7 Click Finish.


Manager Disaster Recovery (MDR)

Sometimes the worst happens. In this age, where outages to IT systems can cost millions of dollars in lost revenue, lost
productivity, and legal issues, every organization must face the near certainty of a system failure occurring at a future date.
Anticipating these events and planning corrective courses of action is a prerequisite to business success. Most organizations
now employ some manner of business continuity planning (BCP), a subset of which is disaster recovery planning (DRP). To this
end, Trellix IPS has long provided a Sensor high-availability configuration; but what if the worst should happen to your Manager
server? Most companies are not willing to rely on the manual method of Manager data archival, restoration of backups, and
importing of exported policies to recover their Manager as part of their IPS DRP.

Here enters the MDR feature. With MDR, two Manager servers are deployed as part of Trellix IPS. One host is configured as the
Primary system; the other as the Secondary. Each uses the same major release Manager software with mirrored databases;
however, the two hosts’ hardware configuration does not need to be identical. The Secondary Manager can be deployed
anywhere, for example, at a disaster recovery site, far from the Primary Manager.

The Primary Manager is the active Manager by default. This Manager communicates with the Update Server, pushes
configuration data to the Sensors, and receives alerts from the Sensors.

The Secondary Manager remains in a standby state by default. While in standby mode it monitors the health status of the
Primary Manager and retrieves Sensor configuration information from the Primary Manager at configured intervals of time.

Note
The Secondary Manager is a warm standby system; it will not guarantee state synchronization with the Primary Manager. It does update
configuration information at regular intervals (every 15 minutes), but it does not maintain state. (You can also manually update Secondary
Manager configuration rather than waiting for the automatic update.)

An MDR pair can manage both hardware Sensors as well as Virtual Sensors deployed in an AWS environment.

A Sensor connected to an MDR pair maintains communication with both Managers at all times and sends its alerts and packet
logs to both of them. Real-time synchronization between the MDR pair ensures that the data present on the active Manager is
mirrored on the standby.

If one of the Managers goes down, it is updated with the alerts and packet log data it missed during the next synchronization
from its peer after it comes back up. This synchronization restores missed alerts and packet log data from the previous 24
hours only, and restores at most 10,000 alerts and packet logs.


Sensors can only be added to an active Manager. (A new Sensor added to the active Manager in an MDR pair establishes trust
first with the Primary Manager, and then attempts on its own to establish trust with the Secondary.)

Figure 2-22 Communication of an MDR pair with Sensors

Switchover
Switchover, or failover from the Primary to the Secondary, can be manual/voluntary or involuntary.

Note
In a situation where you have planned manual downtime and the downtime is expected to be brief, Trellix recommends that you manually
suspend MDR, preventing the Secondary Manager from taking over and becoming active. You can then resume MDR when the downtime
period is over.

The Secondary Manager performs regular “health checks” on the Primary Manager. If the Primary Manager is found to be
unavailable during a health check by the Secondary Manager, the Secondary Manager waits for a configurable time interval. If
the Primary Manager is still unavailable after that time period elapses, control then switches over to the Secondary Manager.

Note
You can switch over to the Secondary manually, as well.

Once the Secondary Manager is active, the Primary moves to standby. The Sensors are made aware of the switchover,
communicate with the Secondary Manager, and the system continues to function without interruption.

All “in-flight transactions” are lost upon failover from Primary to Secondary Manager. For instance, if the Primary Manager
failed while a user was in the middle of a policy edit, the Secondary Manager will not be able to resume the policy edit.

Note
The MDR feature, in fact, assumes that the Secondary Manager is a standby system, and that it will NOT assume control indefinitely. The
Primary Manager should be diagnosed and repaired, and be brought back online.


While the Secondary Manager is active, Trellix recommends against making any configuration modifications on the Secondary
Manager, as these modifications could cause data synchronization problems when the Primary Manager is brought back
online.

Once the Primary Manager has recovered, you can switch control back to the Primary system. During this switch back, if you
have made configuration changes on the Secondary, you have a choice whether to retain the configuration on the Primary or
overwrite with changes made on the Secondary. After switch-back, alert and packet log data is copied from Secondary to
Primary Manager, and can be viewed in the Attack Log page. Data is re-synchronized, the Sensors return to communicating
with the Primary, and the system is restored with the Primary Manager active and the Secondary Manager in standby mode.

Note
You can easily dissolve the MDR relationship between the two Managers and return either Manager to stand-alone mode.

Preparations for Manager Disaster Recovery (MDR)


The Setup | MDR option enables you to have a standby Manager available in cases where the Primary Manager fails.

Manager Disaster Recovery (MDR) feature is available for deployments where the following conditions are met:

• Two Managers (called Primary and Secondary) are available. The Primary is in active mode and the secondary in standby
mode.

• The Primary and Secondary run the same Manager software release version. The MDR pair cannot be created if the two
versions differ.

• The Primary and Secondary Managers share the same database structure.

The Primary and Secondary Managers can be located in the same Network Operations Center (NOC) or in geographically
diverse locations, as long as they can communicate via SSL through TCP port 443. Managers can also be on different hardware.

If the Primary and Secondary Managers are located in different geographical regions, the clocks of the two Managers must be
synchronized, using Coordinated Universal Time (UTC) as the reference.

For example, suppose one Manager is in California (UTC - 8 hours) and the other is in New York (UTC - 5 hours). MDR works in
this scenario as long as the time set on both Managers agrees: at 09:00 UTC, the Manager in California shows 01:00 local time
and the Manager in New York shows 04:00 local time.

Note that the Sensor does not have a built-in clock. It gets UTC time from the Manager.

Note
When upgrading the Primary and Secondary Managers, first suspend MDR; otherwise MDR may malfunction. Once MDR is suspended,
upgrade the Primary Manager, then upgrade the Secondary Manager. Once both Managers are upgraded, resume MDR.

Sensors communicate to the Primary and Secondary Managers independently. The Secondary Manager receives configuration
information from the Primary on a regular basis. If the Managers are unable to communicate with each other, the Secondary
Manager queries each Sensor and becomes active only when a majority of Sensors fail to reach the Primary. The Secondary
Manager can also become active by performing manual switchover.

Note
Custom roles created on the Primary Manager are automatically copied onto the Secondary Manager.

When the Secondary Manager becomes active, all the alerts present on the Primary Manager also appear in the Attack Log page of
the Secondary Manager. The switch-back from the active Secondary Manager to the Primary Manager does not occur
automatically; it is a manual action performed from the Primary Manager.

102 Trellix Intrusion Prevention System 10.1


2 | Manager Administration

After switch-back, alert and packet log data is copied from the Secondary Manager to the Primary Manager. This data can be
viewed in the Attack Log page.

MDR communication

The MDR architecture incorporates Sensor to Manager communication and Manager to Manager communication.

A Sensor connected to an MDR pair maintains communication with both Managers at all times. The Primary Manager
synchronizes data with the Secondary Manager every 15 minutes. However, the Primary and Secondary Managers receive
system events from a Sensor independently and store them independently. If the Sensor has trouble communicating
with the Primary Manager, it sends a system event to the Secondary Manager about the communication error between it
and the Primary Manager.

Sensor to Manager communication


Sensors in Trellix IPS are MDR-aware. When Sensors first establish trust with the Manager, they query the Manager to find out if
the Manager is part of an MDR pair. The Manager responds and, if it is part of an MDR pair, includes its current status (active or
standby) and the IP of its peer Manager. The Sensor then establishes trust with the peer as well.

The Sensor sends alerts and packet logs to both Managers. Real-time synchronization between the MDR pair ensures that
the data on the active Manager is mirrored on the standby, so that little data is lost if the active Manager goes down.
Alerts and packet logs sent by the Sensor to the Manager can be viewed in the Attack Log page.

In addition to alerts, faults are also synchronized between the Managers. You can view all hosts, alerts, and packet log data in
the Attack Log page.

If one of the Managers goes down, then when it comes back up the other Manager sends it the alerts and packet log data it
missed, during synchronization.

Manager to Manager communication


The Primary and Secondary Managers exchange a "heartbeat" once each minute. This communication includes a byte of data
describing the health of the sending Manager. The Manager receiving the heartbeat concludes that its peer has failed under
two scenarios:

• One of the Trellix IPS subsystems reports a failure.

• A heartbeat has not been received within the Downtime Before Switchover interval (configured using the Pair Creation
action). For example, with the default interval of 5 minutes and one heartbeat per minute, the Secondary Manager takes
control after five consecutive minutes without a heartbeat.

If the Secondary Manager becomes unavailable, the Primary remains active and logs the failure. If the Primary Manager
becomes unavailable, the Secondary logs the event and becomes active.

If both Managers are online but are unable to communicate with each other, the Secondary Manager queries each Sensor and
becomes active only if more than half the Sensors cannot communicate with the Primary Manager.

Data synchronization between the Primary and Secondary Manager occurs every 15 minutes.
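The heartbeat and quorum rules described above, modelled as an added Python example (this is not Trellix code and does not reflect the Manager's implementation). The one-minute heartbeat, the 1-10 minute Downtime Before Switchover with its default of 5, the subsystem-failure condition and the "more than half the Sensors" rule come from this page; the record types, the UTC-aware timestamps (the time-synchronization requirement above) and the Sensor poll represented as a list of booleans are assumptions made for the model.

```python
"""Model of the MDR failover decision (added example, not Trellix code).

From the page: one heartbeat per minute; Downtime Before Switchover of 1-10
minutes (default 5); takeover when the peer reports a subsystem failure; and,
when the peer merely falls silent, takeover only if more than half of the
Sensors can no longer reach the Primary. The record types, the UTC-aware
timestamps and the Sensor poll as a list of booleans are assumed for the model.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

HEARTBEAT_INTERVAL = timedelta(minutes=1)
T0 = datetime(2022, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed start time for the scenarios


@dataclass
class Heartbeat:
    sent_at: datetime      # sender's clock; must be UTC-aware (both Managers sync to UTC)
    healthy: bool = True   # False if a Trellix IPS subsystem on the sender reported a failure


@dataclass
class StandbyManager:
    downtime_before_switchover: int = 5   # minutes; the Pair Creation field accepts 1-10
    last_heartbeat: Optional[Heartbeat] = None
    active: bool = False
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.downtime_before_switchover <= 10:
            raise ValueError("Downtime Before Switchover must be between 1 and 10 minutes")

    def receive_heartbeat(self, hb: Heartbeat) -> None:
        if hb.sent_at.tzinfo is None:
            # A naive timestamp would make the silence computation depend on each
            # Manager's local zone, which is exactly what the UTC requirement avoids.
            raise ValueError("heartbeat timestamp must be timezone-aware (UTC)")
        self.last_heartbeat = hb

    def peer_reported_failure(self) -> bool:
        return self.last_heartbeat is not None and not self.last_heartbeat.healthy

    def peer_silent(self, now: datetime) -> bool:
        if self.last_heartbeat is None:
            return False   # nothing received yet, so no conclusion can be drawn
        silence = now - self.last_heartbeat.sent_at
        return silence >= timedelta(minutes=self.downtime_before_switchover)

    def evaluate(self, now: datetime, sensors_reach_primary: List[bool]) -> bool:
        """Return True if this standby is, or now becomes, the active Manager.

        sensors_reach_primary has one entry per Sensor: True if that Sensor still
        reaches the Primary, as learned by querying the Sensors.
        """
        if self.active:
            return True
        if self.peer_reported_failure():
            self.active = True
            self.log.append("peer reported a subsystem failure; taking over")
            return True
        if not self.peer_silent(now):
            return False
        # Heartbeat lost: tell a dead Primary from a broken Manager-Manager link.
        total = len(sensors_reach_primary)
        unreachable = sum(1 for ok in sensors_reach_primary if not ok)
        if unreachable * 2 <= total:   # not "more than half": stay in standby
            self.log.append(f"heartbeat lost but only {unreachable}/{total} Sensors lost the Primary")
            return False
        self.active = True
        self.log.append(f"heartbeat lost and {unreachable}/{total} Sensors lost the Primary; taking over")
        return True


def run_scenario(last_heartbeat_minute: int, sensors_reach_primary: List[bool],
                 downtime: int = 5) -> Optional[int]:
    """Drive a standby minute by minute. The Primary sends a heartbeat every minute
    up to and including last_heartbeat_minute, then falls silent. Returns the
    minute at which the standby became active, or None if it never did."""
    standby = StandbyManager(downtime_before_switchover=downtime)
    for minute in range(30):
        now = T0 + minute * HEARTBEAT_INTERVAL
        if minute <= last_heartbeat_minute:
            standby.receive_heartbeat(Heartbeat(sent_at=now))
        if standby.evaluate(now, sensors_reach_primary):
            return minute
    return None


if __name__ == "__main__":
    print("Primary dies, all 4 Sensors lose it:   takeover at minute",
          run_scenario(3, [False, False, False, False]))
    print("Only the Manager-Manager link breaks:  takeover at minute",
          run_scenario(3, [True, True, True, False]))
    print("Exactly half of the Sensors lose it:   takeover at minute",
          run_scenario(3, [True, True, False, False]))
```

The third scenario is the one to note when sizing a deployment: with an even number of Sensors, exactly half losing the Primary is not a majority, so the standby stays in standby and the Primary keeps control.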

Alert Synchronization between an MDR Pair


When an alert is sent to a Manager, it is stored there and can later be acknowledged or marked for deletion in the Attack Log.

If one Manager goes down, then when it comes back up the other Manager sends it the alerts and packet log data it missed,
during synchronization.

Note
Alert synchronization between peer Managers restores missed alerts and packet logs from previous 24 hours. The maximum number of
alerts and packet logs restored with synchronization is 10,000.

MDR alert synchronization model


There are two types of alert actions that can be performed in the Attack Log:

• Acknowledge/Unacknowledge

• Delete

The active Manager identifies these alert actions that are performed in the Attack Log and forwards these alert actions to the
standby Manager. The standby Manager accepts these alert actions and updates in the Attack Log.

Alert action synchronization between Managers


The actions that are triggered on these generated alerts from the active Manager are synchronized with the standby Manager
in real time.

The following scenarios can be observed during MDR alert action synchronization:

• No communication between the MDR Managers: Alert actions from the active Manager fail to synchronize to the standby
Manager in real time. These actions are saved in the database and cache, and are synchronized to the standby Manager as
soon as the connection is back.

• Standby Manager is down: Alert actions from the active Manager fail to synchronize to the standby Manager in real time.
These actions are saved in the database and cache, and are synchronized to the standby Manager as soon as the connection
is back.

• Active Manager goes down and comes back as standby: Any alert actions performed on the new active Manager are
synchronized to the new standby Manager.

• MDR is suspended: Alert actions are not synchronized while MDR is suspended. These actions are saved in the database and
cache, and are synchronized when MDR is resumed.

Note
Alert synchronization between the peer Managers restores the missed alerts and packet logs from previous 24 hours. The maximum
number of events restored with synchronization is 10,000.
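The alert catch-up limits from the two notes above and the queue-and-replay behaviour from the scenario list, as an added Python model (not Trellix code, and not the Manager's actual storage format). The 24-hour window, the 10,000 cap, the acknowledge/unacknowledge/delete actions and the save-then-replay behaviour are from this page; the Alert record, integer alert IDs and the choice to restore the newest alerts first when more than 10,000 were missed are assumptions.

```python
"""Model of MDR alert and alert-action synchronization (added example, not Trellix code).

From the page: a Manager that was down is given the alerts it missed from the
previous 24 hours, at most 10,000 of them; Attack Log actions are acknowledge,
unacknowledge and delete; actions that cannot reach the standby are saved and
replayed when the connection is back or MDR is resumed. Assumed for the model:
integer alert IDs, the Alert record, and restoring the newest alerts first when
more than 10,000 were missed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

SYNC_WINDOW = timedelta(hours=24)
SYNC_CAP = 10_000
ACTIONS = ("acknowledge", "unacknowledge", "delete")


@dataclass
class Alert:
    alert_id: int
    seen_at: datetime        # UTC time at which the Sensor reported the alert
    acknowledged: bool = False
    deleted: bool = False


@dataclass
class Manager:
    name: str
    alerts: Dict[int, Alert] = field(default_factory=dict)
    pending: List[Tuple[int, str]] = field(default_factory=list)  # actions saved in DB/cache
    link_up: bool = True      # Manager-to-Manager connection
    suspended: bool = False   # MDR suspended from the Primary

    def ingest(self, alert: Alert) -> None:
        """A Sensor delivers an alert to this Manager directly."""
        self.alerts[alert.alert_id] = alert

    def apply_action(self, alert_id: int, action: str) -> bool:
        if action not in ACTIONS:
            raise ValueError(f"unknown alert action {action!r}")
        a = self.alerts.get(alert_id)
        if a is None:
            return False   # this Manager never received the alert
        if action == "acknowledge":
            a.acknowledged = True
        elif action == "unacknowledge":
            a.acknowledged = False
        else:
            a.deleted = True
        return True

    def can_sync(self, peer: "Manager") -> bool:
        return self.link_up and peer.link_up and not self.suspended

    def act(self, alert_id: int, action: str, peer: "Manager") -> bool:
        """The active Manager performs an Attack Log action and forwards it to the
        standby. Returns True if it was synchronized in real time, False if queued."""
        self.apply_action(alert_id, action)
        if self.can_sync(peer):
            peer.apply_action(alert_id, action)
            return True
        self.pending.append((alert_id, action))
        return False

    def restore_missed(self, peer: "Manager", now: datetime) -> int:
        """Give the peer the alerts it missed: last 24 hours only, at most 10,000."""
        missed = [a for aid, a in self.alerts.items()
                  if aid not in peer.alerts and now - a.seen_at <= SYNC_WINDOW]
        missed.sort(key=lambda a: a.seen_at, reverse=True)   # newest first (assumption)
        for a in missed[:SYNC_CAP]:
            peer.alerts[a.alert_id] = Alert(a.alert_id, a.seen_at, a.acknowledged, a.deleted)
        return min(len(missed), SYNC_CAP)

    def replay_pending(self, peer: "Manager") -> int:
        """Replay saved actions once the connection is back or MDR is resumed."""
        if not self.can_sync(peer):
            return 0
        replayed = sum(int(peer.apply_action(aid, action)) for aid, action in self.pending)
        self.pending.clear()
        return replayed

    def resync(self, peer: "Manager", now: datetime) -> Tuple[int, int]:
        """Full catch-up after an outage: missed alerts first, then queued actions."""
        return self.restore_missed(peer, now), self.replay_pending(peer)


def build_outage_fixture() -> Tuple[Manager, Manager, datetime]:
    """Constructed fixture: the standby is down while the Primary collects 12,000
    alerts inside the 24-hour window (newest is id 0) plus one 25-hour-old alert."""
    now = datetime(2022, 1, 1, 12, 0, tzinfo=timezone.utc)
    primary, standby = Manager("primary"), Manager("secondary")
    standby.link_up = False
    for i in range(12_000):
        primary.ingest(Alert(i, now - timedelta(seconds=i)))
    primary.ingest(Alert(99_999, now - timedelta(hours=25)))
    return primary, standby, now


if __name__ == "__main__":
    primary, standby, now = build_outage_fixture()
    print("acknowledge synced in real time?", primary.act(0, "acknowledge", standby))
    standby.link_up = True
    print("(alerts restored, actions replayed):", primary.resync(standby, now))
    print("standby holds", len(standby.alerts), "alerts; alert 0 acknowledged:",
          standby.alerts[0].acknowledged)
```

The fixture deliberately exceeds both limits: the 25-hour-old alert is never restored, and only 10,000 of the 12,000 in-window alerts come across in one synchronization, which is why an outage longer than a day, or a busy Sensor estate, leaves gaps on the recovered Manager that the Attack Log will not show.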

Configure MDR

Before you begin

You must have a freshly installed Manager to be configured as the Secondary Manager.

The Pair Creation action enables you to configure both the Primary and Secondary Managers used for MDR.

Initial MDR Configuration

First, you must configure MDR separately on both the Primary and Secondary Managers.


Task
1 Select Manager | <Admin Domain Name> | Setup | MDR.

Note
The Manager supports a maximum of three IP addresses during MDR configuration. The Manager assumes that all the IP addresses are
bound to the same host name.

Note
The Manager supports one public IPv6 address per NIC. This means that there should be only one IPv6 address for the IPv6 stack
supported by your operating system.

Figure 2-23 MDR Pair Creation page

2 Fill in the following fields:

Table 2-2 Option definitions

Role of this Manager
Select Primary to use this Manager as the active Manager, or Secondary to use this Manager as the standby.

Use Out-of-Band (OOB) Manager-to-Manager Communication?
• Yes to use separate interfaces for Manager-Manager and Manager-Sensor communication.
• No to use the same interface for Manager-Manager and Manager-Sensor communication.

IP Address of the Other Manager (for Manager-to-Manager Communication)
This option appears only if you selected Yes for Use Out-of-Band (OOB) Manager-to-Manager Communication?. Enter the IP
address of the other Manager to use for Manager-Manager communication.

Note: If you set Use Out-of-Band (OOB) Manager-to-Manager Communication? to Yes on the Primary Manager, set it to Yes on
the Secondary Manager as well. A mismatch in this setting between the Primary and Secondary Managers results in an MDR
configuration failure.

IP Address of the Other Manager (for Manager-to-Sensor Communication)
Enter the IP address of the other Manager that is used for communication with the Sensors.

MDR Pair Shared Secret
The same shared secret must be entered on both Managers for MDR creation to succeed. Enter a minimum of eight characters
and use no special characters.

Confirm MDR Pair Shared Secret
Re-enter the same shared secret.

Downtime Before Switchover
Enter the downtime in minutes before the switch to the Secondary Manager occurs, between 1 and 10 minutes. This field is
disabled if Role of this Manager is set to Secondary.

Copy certificate
Select this option to copy the SSL certificate used for web server authentication from the Primary Manager to the Secondary
Manager in the MDR pair.

Note: The Copy certificate option is available only on the Primary Manager.

Note: The Copy certificate option does not affect MDR operation.

3 Click Finish to confirm your changes.

Note
When you click Finish and your peer Manager's MDR settings are not yet configured, then Trellix IPS displays a warning to remind you to
configure the peer Manager MDR settings.

You can configure either IPv4 address or IPv6 address or both for Manager-Sensor communication as given in the following
scenarios:
• If a Sensor is connected to Manager over an IPv4 network, or you want to add a Sensor from the IPv4 network to the
Manager, you need to enter the IPv4 address of the peer Manager.

• If a Sensor is connected to Manager over an IPv6 network, or you want to add a Sensor in the IPv6 network to the
Manager, you need to enter the IPv6 address of the peer Manager.

• If there are Sensors configured in Manager over both IPv4 and IPv6 networks, you need to configure both IPv4 address
and IPv6 address of the peer Manager.

Note
While configuring the IP Address of the Other Manager (for Manager-to-Sensor Communication), make sure that the operating
system supports both the IPv4 and IPv6 stacks.


• When Use Out-of-Band (OOB) Manager-to-Manager Communication is set to No, IP Address of the Other Manager
(for Manager-to-Sensor Communication) is used for both Manager-Manager and Manager-Sensor communication.

• When Use Out-of-Band (OOB) Manager-to-Manager Communication is set to Yes, IP Address of the Other Manager
(for Manager-to-Sensor Communication) is used only for Manager-Sensor communication.

Important
You need to use the IP Address of the Other Manager (for Manager-to-Sensor Communication) while establishing trust between
the Sensor and Manager. Ensure that your peer Manager is configured to use the same IP address as selected from the Dedicated
Interface list during the Peer Manager installation. If misconfigured, Trellix IPS generates an error message to prompt you to enter
the correct IP address. For more information on Sensor communication Interface, see Trellix Intrusion Prevention System Installation
Guide.

Scenarios for MDR configuration

Scenario 1
Two Managers are in an MDR pair, and you are adding the Sensor configuration information in Manager 1.

Figure 2-24 MDR Scenario 1

If connection A between Manager 1 and Manager 2 is over an IPv4 network, and you are adding the Sensor configuration in
Manager 1, the communication between Manager 1 and the Sensor (that is, connection B) must also be over an IPv4 network.

Similarly, if connection A between Manager 1 and Manager 2 is over an IPv6 network, and you are adding the Sensor
configuration in Manager 1, the communication between Manager 1 and the Sensor (connection B) must also be over an IPv6
network.

If connection A between Manager 1 and Manager 2 is over both IPv4 and IPv6 networks, and you are adding the Sensor
configuration in Manager 1, the communication between Manager 1 and the Sensor (connection B) can be configured over
either an IPv4 or an IPv6 network.


Scenario 2
Suppose Manager 1 is standalone (not part of an MDR pair), and you want to add a peer Manager (that is, Manager 2) with
Manager 1 to form an MDR pair.

Figure 2-25 MDR Scenario 2

If the communication between the Sensors and Manager 1 (that is, connections B and C) is over an IPv4 network, the
communication between Manager 1 and Manager 2 (connection A) must also be configured for an IPv4 network.

Similarly, if the communication between the Sensors and Manager 1 (connections B and C) is over an IPv6 network, the
communication between Manager 1 and Manager 2 (connection A) must also be configured for an IPv6 network.

If B and C support both IPv4 and IPv6 networks, A can be configured for either IPv4 or IPv6.

Using NAT (Network Address Translation)

Network Address Translation (NAT) is a technique in which the source and/or destination addresses of IP packets are rewritten
as they pass through a router or firewall. It is commonly used to enable multiple hosts on a private network to access the
Internet using a single public IP address.


The Manager supports only static NAT entries. The following scenarios illustrate the use of NAT with the Manager:

Scenario 1: Manager using a private IP address


To establish Manager-Sensor communication, configure the Manager's public (externally reachable) IP address on the Sensor
using the following CLI command:

set manager IP

Note
To support multiple NIC cards, you need to select the respective local IP address in Sensor Communication Interface during Manager
installation.

Note
For more information on Sensor Communication Interface, see Trellix Intrusion Prevention System Installation Guide.

Scenario 2: Sensor using a private IP address


The Manager-Sensor communication works as usual. You need not make any changes to the setup to achieve this.

Configuring MDR with NAT

To set up MDR with NAT, consider the following scenarios:

Scenario 1: Manager-Sensor communication with NAT and Manager-Manager communication without NAT
Configure the public (externally reachable) IP address in the Peer Host IP address field to establish Manager-Sensor
communication.

Note
To support multiple NIC cards, select the respective IP address in the Sensor communication Interface field during installation. For more
information, refer to Trellix Intrusion Prevention System Installation Guide.

Configure the OOB Peer Manager IP field with the local IP address of the peer Manager to reach the Manager without using
NAT.

If Manager is in a private network, enter the public IP address in the Peer Host IP address field of the Secondary Manager.

Scenario 2: Manager-Sensor communication with NAT and Manager-Manager communication with NAT
Configure the public (externally reachable) IP address in the Peer Host IP address field to establish Manager-Sensor
communication.

You need not configure the OOB Peer Manager IP field, as communication takes place using the Peer Host IP Address field.

Note
If the peer Manager uses a different translated IP address, you can configure that public (externally reachable) IP address in the
OOB Peer Manager IP field.


How to view the current details of MDR


The Pair Creation action enables you to view the current state of MDR functions including Primary Manager status, Secondary
Manager status, and a summary of current MDR settings. To view the MDR status and the details, click Manager | <Admin
Domain Name> | Setup | MDR. You will be able to see the status and the details only if you have configured a peer manager
already as part of MDR.

Note
The Pair Creation action assigns a GUID to the MDR pair. The GUID of the Primary Manager in an MDR pair is used as the MDR Pair
GUID. That is, if the GUID of the Primary Manager is 8a4534bd-9c6b-4a40-aa2d-383611358801 and the GUID of the Secondary Manager is
8a4594bd-8c6b-4a90-cd2d-431211358832, the Manager Pair GUID is 8a4534bd-9c6b-4a40-aa2d-383611358801.

You can also view the MDR status in the application header.

Figure 2-26 MDR status

MDR status displays the role of the Manager, whether it is Primary or Secondary. It also displays the status link of the Manager,
whether it is in Active or Standby mode. Clicking on the Active status link navigates to the MDR page on the Manager tab.

MDR Actions
After configuring MDR, the following actions are available:

Action, description, and availability:

Reset to Standalone – End MDR and give one of the Managers sole control of the Sensors. Available on both the Primary and
Secondary Managers.

Switch Over – Request that the Secondary Manager become active. Available only when the Primary Manager is active.

Switchback – Switch back from the Secondary Manager and make the Primary Manager active. Available when the Primary
Manager is in standby mode.

Suspend MDR – Instruct the Secondary Manager not to monitor the Primary via the MDR status check, and to resume MDR only
when told to. Available only on the Primary Manager when it is active.

Resume MDR – Resume MDR when it is suspended. Available only when the Primary Manager is in the suspended state.

Force Switch – Force the Secondary Manager to become active. Available only when the Secondary Manager is in standby mode.

Retrieve Configuration – Transfer configuration data from the Primary Manager to the Secondary Manager. This allows manual
synchronization between the Managers in addition to the automatic transfer of configuration data at regular intervals.
Available on the Secondary Manager only when it is in standby mode.


MDR verification via CLI


The show and status commands include information specific to MDR. For more information on using CLI commands, see the
CLI commands section.

Figure 2-27 MDR verification via CLI

Manager Disaster Recovery (MDR) best practices


A newly created MDR pair does not synchronize for the first 15 minutes after creation. This is by design because, depending on
the quantity of the Sensors, it takes approximately 5 to 10 minutes for the newly formed pair to finish MDR-related tasks and
become stable.

If you have only one or two Sensors, you can click Retrieve Configuration on the MDR page of the Secondary Manager soon
after MDR creation to force the Managers to synchronize. In most cases, however, Trellix recommends that you wait 15 minutes
and allow the new MDR pair to synchronize automatically.

If you return to the user interface of the primary Manager, the details on the Manage MDR page validate the information seen
on the secondary.

Manage Central Manager details

To enable trusted communication between your Manager and Central Manager, you need to specify the details of Central
Manager in Manager. Once communication has been established, Central Manager can synchronize with Manager and can
access its configuration.


To add a Manager to Central Manager, do the following:

Task
1 Select Manager | <Admin Domain Name> | Setup | Central Manager.

Figure 2-28 Central Manager Trust Establishment page

2 Type the Manager Name.


The Name must begin with a letter. The maximum length of the Name is 40 characters.

Note
Special characters except hyphens and underscores are not allowed.

3 Enter Central Manager IP Address. This can be either IPv4 or IPv6 address.

4 Type the Shared Secret. It must be a minimum of 8 and a maximum of 64 characters in length, cannot start with an
exclamation mark, and cannot contain spaces. The characters that can be used are:
• 26 letters, upper and lower case (a, b, c, ... z and A, B, C, ... Z)

• 10 digits: 0 1 2 3 4 5 6 7 8 9

• 32 symbols: ~ ` ! @ # $ % ^ & * ( ) _ + - = [ ] { } \ | ; : " ' , . < > ? /

Caution
The exact, case-sensitive Manager Name and Shared Secret must also be entered into the Central Manager setup. If not, the
Manager will not be able to register itself with the Central Manager.

Retype the Shared Secret to confirm.

5 Type the Contact Information and Location (Optional).


6 Synchronization Enabled is enabled by default. Select No to disable synchronization with Central Manager.

7 Click Finish to begin the Central Manager-Manager trust establishment process.

Note
Trust establishment to Central Manager may take a while. You will need to Refresh the page to see the latest settings.

Figure 2-29 Central Manager Details
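Checks and generators for the two shared secrets on this page, the MDR Pair Shared Secret (at least eight characters, no special characters) and the Central Manager Shared Secret (8 to 64 characters, no spaces, not starting with an exclamation mark, drawn only from the listed letters, digits and 32 symbols), as an added Python example that is not Trellix code. Reading "no special characters" as ASCII letters and digits only, and generating candidate secrets with Python's secrets module, are assumptions; the product's own validation may differ.

```python
"""Checks and generators for the two shared secrets on this page (added example,
not Trellix code).

From the page: the MDR Pair Shared Secret needs at least 8 characters and no
special characters; the Central Manager Shared Secret needs 8 to 64 characters,
no spaces, must not start with an exclamation mark, and is built only from the
listed 26 letters (each case), 10 digits and 32 symbols. Assumed: "no special
characters" means ASCII letters and digits only, and candidates are generated
with Python's secrets module.
"""
import secrets
import string
from typing import List

CM_SYMBOLS = "~`!@#$%^&*()_+-=[]{}\\|;:\"',.<>?/"   # the 32 symbols listed on the page
CM_ALPHABET = string.ascii_letters + string.digits + CM_SYMBOLS
MDR_ALPHABET = string.ascii_letters + string.digits  # assumption: alphanumeric only


def check_mdr_secret(secret: str) -> List[str]:
    """Return the rule violations for an MDR Pair Shared Secret (empty list = OK)."""
    problems = []
    if len(secret) < 8:
        problems.append("shorter than 8 characters")
    bad = sorted(set(secret) - set(MDR_ALPHABET))
    if bad:
        problems.append(f"special characters not allowed: {''.join(bad)!r}")
    return problems


def check_central_manager_secret(secret: str) -> List[str]:
    """Return the rule violations for a Central Manager Shared Secret (empty list = OK)."""
    problems = []
    if not 8 <= len(secret) <= 64:
        problems.append("length must be 8 to 64 characters")
    if secret.startswith("!"):
        problems.append("must not start with an exclamation mark")
    if " " in secret:
        problems.append("must not contain spaces")
    bad = sorted(set(secret) - set(CM_ALPHABET) - {" "})   # spaces already reported
    if bad:
        problems.append(f"characters outside the allowed set: {''.join(bad)!r}")
    return problems


def generate_mdr_secret(length: int = 24) -> str:
    """Random alphanumeric secret; length is the only knob the rule leaves open."""
    if length < 8:
        raise ValueError("MDR secret must be at least 8 characters")
    return "".join(secrets.choice(MDR_ALPHABET) for _ in range(length))


def generate_central_manager_secret(length: int = 32) -> str:
    """Random secret over the full allowed set; retries only if the candidate
    happens to start with '!', the one rule a uniform draw can violate."""
    if not 8 <= length <= 64:
        raise ValueError("Central Manager secret must be 8 to 64 characters")
    while True:
        candidate = "".join(secrets.choice(CM_ALPHABET) for _ in range(length))
        if not check_central_manager_secret(candidate):
            return candidate


if __name__ == "__main__":
    print("symbols listed:", len(set(CM_SYMBOLS)))          # 32
    print("MDR 'Abc!12345':", check_mdr_secret("Abc!12345"))
    print("CM  '!secret123':", check_central_manager_secret("!secret123"))
    print("generated MDR secret:", generate_mdr_secret())
    print("generated Central Manager secret:", generate_central_manager_secret())
```

Both secrets are entered on two systems and compared, so the useful property is unpredictability within the allowed character set rather than memorability; the generators draw from the operating system's CSPRNG for that reason, and the checks are what to run before pasting a value into the Pair Creation or Central Manager page so that a rejected secret is caught before the trust attempt fails.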

Establishing communication with Central Manager


Trellix IPS provides a centralized, "manager of managers" capability named Trellix Intrusion Prevention System Central
Manager.

Trellix IPS Central Manager allows users to create a management hierarchy that centralizes policy creation, management, and
distribution across multiple Trellix IPS Managers. For example, a policy can be created in the Central Manager and synchronized
across all Managers added to that Central Manager. This avoids manual customization of policy at every Manager.

The Central Manager provides you with a single sign-on mechanism to manage the authentication of global users across all
Managers. Sensor configuration and threat analysis tasks are performed at the Manager level.

A Manager is added to the Central Manager in much the same way as a Sensor is added to a Manager, or as two Managers are
paired for MDR: by establishing trust between the two.

Note
When trust establishment is initiated from Manager to Central Manager, the system may take approximately two minutes to display the
configured Manager on the Central Manager Resource Tree.

The Manager | <Admin Domain Name> | Setup | Central Manager option enables the viewing and managing details for
synchronizing with Central Manager.


Viewing Central Manager details

The Central Manager page shows Central Manager configuration details such as Manager Name, Central Manager IP Address,
contact information, location, and Synchronization Enabled (Y/N). If Central Manager is configured in an MDR pair, then details
of the MDR pair are available in Manager.

Figure 2-30 Central Manager Details Page

Field Description

Manager Name Logical name given to Manager to connect to the Central Manager

Status Status of trust establishment between the Manager and Central Manager

IP Address Central Manager server's IP address

Version Central Manager's version number

Contact Information Name of contact person

Location Geographical location (area, city)

Synchronization Status Enable synchronization between the Central Manager and Manager (It is Enabled by default)

Last Synchronization Time The last synchronized time between the Central Manager and Manager

Specify an email server for notifications

Using the E-mail Server option, you can configure Manager (or Central Manager) to point to an email server for sending out
system emails. For example, these emails can be security notifications that have been prioritized by selecting E-mail or Pager.
Using this action, you can also specify the From address for the system emails.


To configure a mail server for notifications, do the following:

Task
1 Select Manager | <Admin Domain Name> | Setup | E-mail Server.

Figure 2-31 E-mail Server Configuration

2 Provide the following information:


• Enable E-mail Forwarding? — Select the check box to allow notifications to be sent to an email server, or deselect the
check box to disable notifications to the email server.

• Sender E-mail Address — Email address from where messages are sent.

• SMTP Server Name or IP Address — IP address or name of the email server.

• Port Number — Port number on which SMTP Server is listening.

Note
By default, port 25 (default SMTP port) is set in the Port Number field. You can change it depending on the SMTP port you set while
configuring the email server.

• Message Subject Prefix — This is an optional field where the text entered in it is prefixed to the message subject for all
emails sent by the Manager.

• Server Authentication Required? — Select the check box if Server Authentication is required, or leave it unchecked if
Server Authentication is not required.

• Login Name — Login name of the sender's email account.

• Password — Password of the sender's email account.

3 Click Save to apply all the changes.

Note
Upon saving the changes, you can click Test Connection to test if the SMTP server connection is successful or not.


Specify a proxy server for Internet connectivity

If you employ a proxy server for Internet connectivity, you can configure the Manager or your devices to connect to that server
for proxy service. This is necessary if you want to download updates directly to Manager from the Update Server or if you want
to download host reputation and country of origin information during integration with TrustedSource.

The Manager supports application-level HTTP/HTTPS proxies, such as Squid, iPlanet, Microsoft Proxy Server, and Microsoft ISA.

Note
To use Microsoft ISA, you must configure this proxy server for basic authentication. Trellix IPS does not support Microsoft ISA with
NTLM (NT LAN Manager) authentication.

Note
SOCKS, a network-level proxy, is not currently supported by Trellix IPS.

To specify your proxy server, do the following:

Task
1 Select Manager | <Admin Domain Name> | Setup | Proxy Server. The Proxy Server page is displayed.

Figure 2-32 Proxy Server Settings

2 Type the Proxy Server Name or IP Address. This can be either IPv4 or IPv6 address.

3 Type the Proxy Port of your proxy server.

4 Type User Name and Password.

5 Provide the appropriate URL. You may test to ensure that the connection works by entering a Test URL and clicking Test
Connection.

6 Click Save to save your settings.


When the Manager or the device makes a successful connection, it displays a message indicating that the proxy server
settings are valid.


Managing Licenses

Licenses are required by the Manager to access certain Sensor functionalities. You can use the Licenses page to manage the
following licenses:

• System

• Proxy Decryption

• Virtual Sensors

System
The NS9500, NS7500, and NS3500 Sensors require a license to activate the baseline throughput of 10 Gbps on NS9500 Sensors,
3 Gbps on NS7500, and 750 Mbps on NS3500 Sensors. The license is provided as a .zip or .jar file. The Manager supports both
formats. The license procured contains the details of the throughput for the Sensors.

For NS9500 standalone, NS9500 stack, and NS7500 Sensors, an additional license or an upgrade license is required to
increase the throughput of the Sensor. The available throughputs are as follows:

NS9500 standalone
• Existing license 10 Gbps – Additional license: 20 Gbps or 30 Gbps. Upgrade license: 10 to 20 Gbps or 10 to 30 Gbps;
standalone to stack: 10 to 40 Gbps, 10 to 60 Gbps, or 10 to 100 Gbps.
• Existing license 20 Gbps – Additional license: 30 Gbps. Upgrade license: 20 to 30 Gbps; standalone to stack: 20 to 40 Gbps,
20 to 60 Gbps, or 20 to 100 Gbps.
• Existing license 30 Gbps – Additional license: NA. Upgrade license, standalone to stack: 30 to 40 Gbps, 30 to 60 Gbps, or
30 to 100 Gbps.

Note: You must have a stacked Sensor setup to upgrade licenses from standalone to stack.

NS9500 stack
• Existing license 40 Gbps – Additional license: 60 Gbps or 100 Gbps. Upgrade license: 40 to 60 Gbps or 40 to 100 Gbps.
• Existing license 60 Gbps – Additional license: 100 Gbps. Upgrade license: 60 to 100 Gbps.

NS7500
• Existing license 3 Gbps – Additional license: 5 Gbps or 7.5 Gbps. Upgrade license: 3 to 5 Gbps or 3 to 7.5 Gbps.
• Existing license 5 Gbps – Additional license: 7.5 Gbps. Upgrade license: 5 to 7.5 Gbps.

For more information, see Trellix Intrusion Prevention System Installation Guide.


Proxy Decryption
The proxy-based SSL decryption feature requires a license to access certain Sensor functionalities. The proxy license is provided
as a .zip or .jar file; the Manager supports both formats. The license procured specifies the number of Sensors on which the
proxy SSL feature can be enabled.

A valid outbound and inbound proxy based SSL decryption license can be obtained for the following Sensor models:

Sensor Model Outbound proxy based SSL decryption Inbound proxy based SSL decryption

NS9500 (Standalone) with 30 Gbps Yes Yes

NS9500 (Standalone) with 20 Gbps Yes Yes

NS9500 (Standalone) with 10 Gbps Yes Yes

NS9200 Yes NA

NS9100 Yes NA

NS7500 with 7.5 Gbps Yes Yes

NS7500 with 5 Gbps Yes Yes

NS7500 with 3 Gbps Yes Yes

NS7300 Yes NA

NS7200 Yes NA

For more information, see Managing licenses for proxy based SSL decryption on page 1024.

Virtual Sensors
Licenses are required to add vIPS Clusters. These licenses can either be individual .jar files, or they can be bundled together
and provided to you in the form of a .zip file. Each license supports a pre-defined number of Virtual IPS Sensors, and this
number is specific to the license file you have procured.

System and Proxy Decryption tab


The System and Proxy Decryption tabs in the Licenses page display information on the number of licenses available, their
capacity, and all the details recorded for each license. These tabs also allow you to add, remove, upgrade, assign, and
unassign licenses.

To view the System tab, go to Manager | <Admin Domain Name> | Setup | Licenses | System.


The following details are displayed on the System tab:

Option Definition

Required
• Model – Sensor model compatible with the license
• Capacity – Throughput limit for the license

Assigned To
Name of the Sensor assigned to the license

License Details
• Customer – Customer for whom the license file was generated
• Grant ID – Trellix Grant ID of the corresponding customer
• Key – License key number of the customer
• Expiration – Expiration date of the license. A status icon next to the date shows whether the license is valid, expired, or
expired but running in its grace period.
Note: Expiration applies only to demo and subscription licenses.
Note: Subscription-based System licenses are given a grace period of 30 days after they expire.
• Type – Whether the license is Perpetual, Subscription, or Evaluation (Demo).
Note: Trellix recommends installing subscription licenses on Manager version 10.1.7.44 or later.

Added
• Time – Date (in <mm-dd-yy> format) and time when the license was added
• By – Name of the user who added the license

Comments
Lets you add a comment for each imported license file. Double-click the Comment field, enter your comment, and click
outside the field; the comment is saved automatically.

Add (toolbar icon)
Add a license

Delete (toolbar icon)
Delete a license

Assign
Assign a license to the Sensor

Unassign
Unassign a license from the Sensor

Save as CSV
Export the license usage details as a .csv file

For more information, see Trellix Intrusion Prevention System Installation Guide.


To view the Proxy Decryption tab, go to Manager | <Admin Domain Name> | Setup | Licenses | Proxy Decryption.

The following details are displayed on the Proxy Decryption tab:

Option Definition

Required
  Model – Sensor model compatible with the license
  Capacity – Throughput limit for the license

Assigned To
  Name of the Sensor assigned to the license

License Details
  Customer – Customer for whom the license file was generated
  Grant ID – Trellix Grant ID of the corresponding customer
  Key – License key number of the customer
  Expiration – Expiration date of the license

Added
  Time – Date in <mm-dd-yy> format, and time when the license was added
  By – Name of the user who added the license

Comments
  Enables you to add your comment per license file that is imported. Double-click in the Comment field and enter your comment. Click outside this field and your comment is automatically saved.

(Add icon)
  Add a license

(Delete icon)
  Delete a license

Assign
  Assign a license to the Sensor

Unassign
  Unassign a license from the Sensor

Save as CSV
  Export the license usage details as a .csv file

Virtual Sensors tab


The Virtual Sensors tab on the Licenses page displays your compliance status and maintains the count of Virtual IPS Sensors. This tab also lists the individual licenses and allows you to add and remove them.

To view the Virtual Sensors tab, go to Manager | <Admin Domain Name> | Setup | Licenses | Virtual Sensors.

The following details are displayed in the Virtual Sensors tab:


Option Definition

Status
  Overall compliance, which can either be Compliant or Non-compliant. If the vIPS Sensor count is within the maximum limit defined in the license, the overall state is displayed as Compliant with a green icon preceding it. If the vIPS Sensor count exceeds the maximum limit, the overall state is displayed as Non-Compliant with a red icon preceding it.

Additional Licenses Required
  Additional number of licenses required for compliance

Trellix Virtual IPS Sensors
  Number of Virtual IPS Sensors in use along with the maximum number

Virtual Probes
  Number of Virtual Probes in use

Allowed Virtual Sensors
  Displays the allowed number of virtual sensors as per the license imported

License
  Customer – Customer for whom the license file was generated
  Grant ID – Trellix Grant ID of the corresponding customer
  Key – License key number of the customer

Added
  Time – Date in <mmm-yy> format, and time when the license was added
  By – Name of the user who added the license

Comments
  Enables you to add your comment per license file that is imported. Double-click in the Comment field and enter your comment. Click outside this field and your comment is automatically saved.

(Add icon)
  Add a license

(Delete icon)
  Delete a license

Save as CSV
  Export the license usage details as a .csv file

Managing Certificates for Manager and Sensor

By default, the Manager and Sensor use a self-signed certificate to establish trust. The Manager and Sensor can also use a CA-signed certificate chain issued by trusted CAs, such as Verisign, GeoTrust, and others, to establish a trusted connection between the Manager and the Sensor.

Note

• For non-certification, the CA-signed certificates can be assigned only when the Manager and Sensor are on version 10.1.

• For certification, the CA-signed certificates can be assigned when the Manager and the Sensor are on version 9.1 or
later.

To manage the certificates for the Manager, go to Manager | <Root Admin Domain> | Setup | Certificates.


The Certificates page opens. It consists of the following tabs:

• Trust Establishment

• GUI Certificate

To manage the certificates for the Sensor, go to Devices | <Root Admin Domain> | Devices | <Device Name> | Setup | Trust
Certificate.

The Trust Certificate page contains the following details:

Certificate Status

This section displays the following information:


Option Definition

Active Certificate
  Displays the type of the active certificate as either self-signed or CA-signed

Self-Signed Listening Ports
  Ports used by the Manager to establish trust with the Sensor when both use self-signed certificates

CA-Signed Listening Ports
  Ports used by the Manager to establish trust with the Sensor when both use CA-signed certificates

The action supported for the Sensor in this section is:

Option Definition

Change Active Certificate
  Changes the active certificate of the Sensor from self-signed to CA-signed, or from CA-signed to self-signed

Self-Signed Certificate

This section displays the following information regarding the self-signed certificate issued by Trellix:

Option Definition

Subject
  Displays the following information about the certificate: Common Name, Organization, Department, City, State/Province, Country

Issued By
  Name of the signing authority for the certificate

Validity
  Duration for which the certificate is valid

Key Length
  Number of bits used in the cryptographic algorithm

Signature Algorithm
  Signature algorithm used for the certificate

Updated
  Date when the certificate was last updated

The action supported for the Manager and Sensor in this section is:

Option Definition

Export Certificate
  Exports the self-signed certificate to the remote machine accessing the Manager

CA-Signed Certificate

This section displays the following information regarding the CA-signed certificate:


Option Definition

Subject
  Displays the following information about the certificate: Common Name, Organization, Department, City, State/Province, Country
  The drop-down list displays all certificates in the certificate chain.

Issued By
  Name of the signing authority for the certificate

Validity
  Duration for which the certificate is valid

Key Length
  Number of bits used in the cryptographic algorithm

Signature Algorithm
  Signature algorithm used for the certificate

Updated
  Date when the certificate was last updated

The actions supported for the Manager and Sensor in this section are:

Option Definition

Generate CSR
  Generates the Certificate Signing Request (CSR).
  Note: The CSRs for both the Manager and the Sensor are generated in the Manager and stored in the Manager database.

Export CSR
  Exports the Certificate Signing Request (CSR) to the remote machine accessing the Manager

Import Certificate
  Imports the CA-signed certificate from the remote machine accessing the Manager

Other Actions
  Remove Certificate – Removes the CA-signed certificate
  Export Certificate – Exports the CA-signed certificate

For more information about GUI Certificate, refer to CA-signed certificate for the Web Server Authentication on page 132.

Considerations for CA-signed certificate chain

The CA-signed certificate chain for the Manager and the Sensor is considered valid if the following conditions are met:

• The CSR must not be modified after it is exported from the Manager; a modified CSR causes the certificate validation in the Manager to fail.

• The certificate must be X.509v3 version.

• The CA-signed certificate chain should comply with the following requirements:
  • Should be issued from a trusted Certificate Authority
  • Should be in .pem format
  • Must contain valid serial numbers and a valid issuer domain name
  • Must include minimum SHA256 with RSA 2048 bit encryption

• The number of intermediate CA-certificates in the certificate chain should be between 0 and 4.

• The certificate chain should be in the correct order. The chain should begin with the identity certificate (also known as the leaf certificate), followed by intermediate CA-certificate 1, intermediate CA-certificate 2, ... intermediate CA-certificate N, and end with the root CA-certificate.

• The identity certificate must be signed by the intermediate CA. The intermediate certificate must be signed by the root CA.

• The Basic Constraint CA flag must be set to True for root and intermediate certificates. For the identity certificate, the flag must be set to False.

• The certificate must comply with the following parameters:
  • ExtendedKeyUsage: TLS WebServerAuthentication and TLS WebClientAuthentication
  • KeyUsage: Must not be set to Critical.

• Ensure that the validity period for the certificate specifies a valid date range.

• OCSP requests and responses use the CertID.issuerNameHash and CertID.issuerKeyHash parameters to validate the revocation status of CA certificates. Currently, the Manager supports only the SHA-1 hashing algorithm for these two parameters, so the OCSP server configuration must use SHA-1 for them.
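A pre-import check for these rules, written here as an added example in Go (standard library only; this is not Trellix code and not how the Manager itself validates): it parses a leaf-first .pem bundle, reports the first rule that fails, and builds a constructed root / issuing CA / leaf chain in memory to exercise itself. Assumptions: the ExtendedKeyUsage rule is applied to the identity certificate only, the CA names and the device IP 192.0.2.10 are placeholders, and the OCSP rule is out of scope.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// The X.509 KeyUsage extension OID (id-ce 15) and the signature algorithms that meet "minimum SHA256 with RSA".
var oidKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}
var sha2RSA = map[x509.SignatureAlgorithm]bool{x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true}

// CheckChainPEM applies the chain rules listed above to a leaf-first PEM bundle and reports the first
// rule that fails. Applying the ExtendedKeyUsage rule only to the identity (leaf) certificate is an assumption.
func CheckChainPEM(chainPEM []byte, now time.Time) error {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(chainPEM); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if block.Type != "CERTIFICATE" || err != nil {
			return fmt.Errorf("PEM block is not a parsable certificate: %v", err)
		}
		certs = append(certs, c)
	}
	if n := len(certs); n < 2 || n > 6 { // leaf + 0..4 intermediates + root
		return fmt.Errorf("chain has %d certificates, want 2 to 6", n)
	}
	issuers := append(append([]*x509.Certificate{}, certs[1:]...), certs[len(certs)-1]) // root signs itself
	for i, c := range certs {
		leaf := i == 0
		ekus, kuCritical := map[x509.ExtKeyUsage]bool{}, false
		for _, u := range c.ExtKeyUsage {
			ekus[u] = true
		}
		for _, ext := range c.Extensions {
			kuCritical = kuCritical || (ext.Id.Equal(oidKeyUsage) && ext.Critical)
		}
		rules := []struct {
			broken bool
			msg    string
		}{
			{c.Version != 3 || c.SerialNumber.Sign() <= 0 || c.Issuer.CommonName == "", "must be X.509v3 with a positive serial number and an issuer name"},
			{!c.BasicConstraintsValid || c.IsCA == leaf, fmt.Sprintf("BasicConstraints CA flag must be %v", !leaf)},
			{!sha2RSA[c.SignatureAlgorithm] || c.PublicKeyAlgorithm != x509.RSA || c.PublicKey.(*rsa.PublicKey).N.BitLen() < 2048, "needs SHA-256 or stronger with an RSA key of at least 2048 bits"},
			{now.Before(c.NotBefore) || now.After(c.NotAfter), "validity period does not cover " + now.Format(time.RFC3339)},
			{leaf && !(ekus[x509.ExtKeyUsageServerAuth] && ekus[x509.ExtKeyUsageClientAuth]), "ExtendedKeyUsage must include serverAuth and clientAuth"},
			{kuCritical, "KeyUsage extension must not be critical"},
			{c.CheckSignatureFrom(issuers[i]) != nil, "not signed by the next certificate in the chain (wrong order?)"},
		}
		for _, r := range rules {
			if r.broken {
				return fmt.Errorf("certificate %d: %s", i, r.msg)
			}
		}
	}
	return nil
}

// issue creates one certificate of the constructed sample chain (test data, not a real CA, so it panics on
// failure). KeyUsage is left unset because Go would emit it as a critical extension, which the rule above rejects.
func issue(serial int64, cn string, ca bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example Org"}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA:         ca, BasicConstraintsValid: true, ExtKeyUsage: eku,
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// BuildSampleChain generates a throw-away root -> issuing CA -> leaf chain in memory and returns it leaf-first
// as PEM, the order the Manager expects. leafEKU is the leaf's ExtendedKeyUsage; omit clientAuth to see it rejected.
func BuildSampleChain(leafEKU []x509.ExtKeyUsage) []byte {
	root, rootKey, rootPEM := issue(1, "Example Root CA", true, nil, nil, nil)
	ca, caKey, caPEM := issue(2, "Example Issuing CA", true, nil, root, rootKey)
	_, _, leafPEM := issue(3, "192.0.2.10", false, leafEKU, ca, caKey) // leaf CN is the device IP, as in the CSR
	return append(append(leafPEM, caPEM...), rootPEM...)
}

func main() {
	both := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	fmt.Println("serverAuth+clientAuth:", CheckChainPEM(BuildSampleChain(both), time.Now()))
	fmt.Println("serverAuth only:", CheckChainPEM(BuildSampleChain(both[:1]), time.Now()))
}
```

To check a real bundle before importing it, read the .pem file into a byte slice and pass it to CheckChainPEM with time.Now().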

Generate Certificate Signing Request (CSR)


Certificate Signing Request is used to apply for a CA-signed certificate. To generate a CSR from the Manager, perform the
following steps:

Task
1 To generate a CSR for the Manager, go to Manager | <Root Admin Domain> | Setup | Certificates.
To generate a CSR for the Sensor, go to Devices | <Root Admin Domain> | Devices | <Device Name> | Setup | Trust
Certificates.

2 In the CA-Signed Certificate section, click Generate CSR. The Generate CSR window opens.


3 Enter the following details in the Generate CSR window:

Option Definition

Common Name
  Displays the IP address of the device.

Organization
  Legal name of your organization. This field should not contain any wildcard characters (such as * or ?).

Organizational Unit
  [Optional] Name of the organizational unit.
  Note: Additional organizational units can be added based on your requirement. A maximum of 10 organizational units can be added.

City
  [Optional] City where the organization is located. This field should not contain any abbreviations.

State/Province
  [Optional] State or province where the organization is located. This field should not contain any abbreviations.

Country
  Country where the organization is located.

Key Size
  Only 2048-bit RSA keys are supported; this value is displayed by default.

Subject Alternative Name
  Displays the IP address of your server by default. This field is non-editable.

Note
The maximum length for the Organization and Organizational Unit fields is 64 characters. The maximum length for the City and State/Province fields is 128 characters.

4 Click Generate.

Apply for CA-signed certificates


You can apply for CA-signed certificates based on the CSR generated. To apply for the certificate, perform the following steps:

Task
1 To apply for a CA-certificate, you must first export the CSR for the Manager and Sensor.
To export CSR for the Manager, go to Manager | <Root Admin Domain> | Setup | Certificates.
To export CSR for the Sensor, go to Devices | <Root Admin Domain> | Devices | <Device Name> | Setup | Trust
Certificates.


2 In the CA-Signed Certificate section, click Export CSR. The CSR is exported to the Downloads folder of the remote machine
accessing the Manager.

Note
The Export CSR button becomes active only after you generate the CSR.

3 Once the CSRs are exported, send both the Manager-generated and Sensor-generated CSRs to a Certificate Authority of your choice.

4 The CA processes the CSR and returns the CA-signed certificate.

Import the CA-signed certificate


To import the CA-signed certificate chain, perform the following steps:

Task
1 To import the CA-signed certificate chain for the Manager, go to Manager | <Root Admin Domain> | Setup | Certificates.
To import the CA-signed certificate chain for the Sensor, go to Devices | <Root Admin Domain> | Devices | <Device
Name> | Setup | Trust Certificates.

2 In the CA-Signed Certificate section, click Import Certificate.

Note
If the Manager or Sensor already contains CA-signed certificate, the Import Certificate option will be disabled.

Note
The Import Certificate button becomes active only after you generate and export the CSR.


3 In the Import Certificate dialog box, click Browse.

4 Browse to the directory that contains the certificate chain, click Open.

Note
The CA-signed certificate chain should be in .pem format.

5 Click Import for the Manager and for each Sensor connected to the Manager.
The Manager validates the CA-signed certificate chain against the CSR. If the validation is successful, the certificate chain details are displayed in the CA-Signed Certificate section.

Change the active certificate for the Sensor

To change the active certificate for a Sensor, perform the following steps:

Task
1 Go to Devices | <Root Admin Domain> | Devices | <Device Name> | Setup | Certificates.

2 In the Certificate Status section, click the Change Active Certificate drop-down list.

3 Select the certificate (self-signed or CA-signed) based on your requirement.


4 Click OK to confirm.

5 Click OK to change the active certificate.

Note
If your Manager is part of an MDR pair, you can change the certificate from self-signed to CA-signed or vice versa only for the primary
(active) Manager.

Migrating the Manager-Sensor trust from self-signed to CA-signed certificate chain

The high-level steps to establish trust between the Manager and the Sensor using CA-signed certificate chain are given below.
Perform these steps to:
• Provision the Manager with its CA-signed certificate

• Use the Manager to provision the Sensor with its CA-signed certificate

• Migrate the trust based on the existing self-signed certificates to the provisioned CA-signed certificates between the
Manager and the Sensor

Note
For CA migration in an MDR setup, you must first create an MDR pair, then create Certificate Signing Request (CSR) and migrate to CA.

1 Generate CSR for the Manager and Sensors.

2 Export the CSR for both the Manager and Sensors and send it to a CA of your choice.


3 The CA processes the CSR and sends a CA-signed certificate.

Note
For validations for CA-signed certificate, see Considerations for CA-signed certificate chain on page 124.

4 After receiving the CA-signed certificate chain, import the certificate chain to the Manager. You need to migrate the
Manager to CA-signed certificate chain before migrating the Sensors.

Note
Migrating the Manager to the CA-signed certificate chain is a one-time activity. Once the Manager is migrated to the CA-signed certificate chain, you must migrate the Sensors that are attached to the Manager.

5 The Manager validates its CA-signed certificate chain against its generated CSR.

6 From the Manager, import the CA-signed certificate chain to the Sensors managed by the Manager.

7 The Manager validates the Sensor's CA-signed certificate chain against its generated CSR.

8 If the validation is successful, from the Manager change the active certificate to use the CA-signed certificate chain to
establish trust between Manager and Sensor. The switch is completed one Sensor at a time.

This migration is applicable to the Manager and all Sensors managed by the Manager. The Manager can establish trust with
Sensors using either self-signed certificate or CA-signed certificate chain.

Note
The trust establishment works when both the Manager and Sensors are using the CA-signed certificate chain or when both are using
self-signed certificate.

Export the CA-signed certificate chain


To export the CA-signed certificate chain, perform the following steps:

Task
1 To export the certificate chain for the Manager, go to Manager | <Root Admin Domain> | Setup | Certificates.
To export the certificate chain for the Sensor, go to Devices | <Root Admin Domain> | Devices | <Device Name> | Setup |
Trust Certificates.


2 In the CA-Signed Certificate section, click Other Actions | Export Certificate.

The CA-signed certificate chain will be exported to the remote machine accessing the Manager.

Remove the CA-signed certificate chain

Before you begin

You can remove the CA-signed certificate chain only if the following conditions are met:

• You can remove the certificate chain for the Manager only if all the Sensors managed by the Manager are using self-signed certificates.

• The active certificate should be changed to self-signed before removing the CA certificate from the Manager.

To remove the certificate chain, perform the following steps:

Task
1 To remove the certificate chain for the Manager, go to Manager | <Root Admin Domain> | Setup | Certificates.
To remove the certificate chain for the Sensor, go to Devices | <Root Admin Domain> | Devices | <Device Name> | Setup
| Trust Certificates.


2 In the CA-Signed Certificate section, click Other Actions | Remove Certificate.

The CA-signed certificate chain will be removed from the Manager.

Note
You must remove the CA-signed certificate chain separately for every Sensor and then have the trust reestablished with the Manager.

CA-signed certificate for the Web Server Authentication


The Manager/Central Manager uses a self-signed certificate to establish a trusted connection with the client systems. You can also use a CA-signed certificate issued by trusted CAs, such as Verisign, GeoTrust, and others, to establish trust between the Manager server and the client systems.

Note

• For non-certification, the CA-signed certificates can be assigned only when the Manager and Sensor are on version 10.1.

• For certification, the CA-signed certificates can be assigned when the Manager and the Sensor are on version 9.1 or
later.


Considerations for CA-signed certificate for the Web Server Authentication

The CA-signed certificate for the Manager is considered valid if the following conditions are met:

• The certificate must be X.509v3 version.

• The CA-signed certificate chain should comply with the following requirements:
• Should be issued from a trusted Certificate Authority

• Should be in P12 format

• Must contain valid serial numbers and valid issuer domain name

• Must include minimum SHA256 with RSA 2048 bit encryption

• Ensure that the validity period for the certificate specifies a valid date range.

Import the CA-signed certificate for Web Server Authentication

To import the CA-signed certificate to the Manager, perform the following steps:

Task
1 In the Manager, go to Manager | <Admin Domain Name> | Setup | Certificates. Select GUI Certificate tab.

The GUI Certificate tab is displayed.

2 Click the Import Certificate icon.

The Import Certificate dialog box opens.

Note

The option is available only when the Manager uses a self-signed certificate. You cannot add a new CA-signed certificate to the
Manager that is already using a CA-signed certificate for establishing trust with the client systems.

3 In the Import Certificate dialog box, click Browse.


4 Browse to the directory that contains the CA-signed certificate, click Open.

Note
The CA certificate should be in P12 format.

5 Provide an Alias and the Passphrase of the certificate.

6 Click Import to upload the certificate to the Manager.

7 Restart the Manager server.

The Manager server starts to use the CA signed certificate to establish trust with the client systems.

Export the CA-signed certificate for Web Server Authentication

To export the CA-signed certificate from the Manager, perform the following steps:

Task
1 In the Manager, go to Manager | <Admin Domain Name> | Setup | Certificates. Select GUI Certificate tab.

The GUI Certificate tab is displayed.

2 Click Export Certificate and save the file to a location of your choice.

Delete the CA-signed certificate for Web Server Authentication

To delete the CA-signed certificate from the Manager, perform the following steps:

Task
1 In the Manager, go to Manager | <Admin Domain Name> | Setup | Certificates. Select GUI Certificate tab.

The GUI Certificate tab is displayed.


2 Click the Delete icon.

The Confirmation dialog box opens.

Note

The option is available only when there is a CA-signed certificate in the Manager. You cannot delete the self-signed certificate in the
Manager.

3 Click OK to confirm deletion.

Note
When the CA-signed certificate in the Manager is deleted, automatically a self-signed certificate is used for the web server
authentication.

4 Restart the Manager server.

The Manager server automatically starts using self-signed certificate to establish trust with the client systems.

Alert notification options

The Manager can send alert information to third-party repositories, such as SNMP servers and syslog servers. Further, you can
configure your Sensor to forward syslog notifications directly to a syslog server, thereby ensuring that the Sensor forwards
alerts to a server other than that assigned to the Manager.

In addition to SNMP and syslog notifications, the Manager can also be configured to notify you through email, pager, or script
of detected attacks.

For the alert notifications for the Sensor and the NTBA Appliance, select Manager | <Admin Domain Name> | Setup |
Notification | (IPS/NTBA) Events.

Alert notifications are forwarded to syslog servers based on the configuration. The notification destination is only one part of that configuration: the Manager and Sensor send notifications depending on the attack, the attack severity, or both.


How to view alert notification details


The Summary page for alert notification (Manager | <Admin Domain Name> | Setup | Notification | (IPS/NTBA) Events |
Summary) displays a summary of configured alert notification settings. The summary displays your configuration settings
made for each individual notification option.

Figure 2-34 Summary page

Forward alerts to an SNMP server


You can configure the SNMP server to which alert information for Sensor or NTBA Appliance is to be sent.

You can configure more than one SNMP server. You can configure the SNMP servers for each admin domain separately. The
SNMP server configured for a root admin domain can be different from the SNMP server configured for its child domains.
When the Children and the Current checkboxes are selected while configuring an SNMP server for the root admin domain, the
SNMP server configured for the child domain will forward notifications to both the parent and child domain SNMP servers.
When the Children checkbox is not selected in the root admin domain, then the child domain will use only the SNMP server
configured for that domain to forward notifications. The SNMP Servers list on the SNMP tab displays the SNMP servers you
have configured.

Task
1 Select Manager | <Admin Domain Name> | Setup | Notification | IPS Events/NTBA Events | SNMP.
The SNMP tab is displayed, where the Enable SNMP Notification option and the configured SNMP Servers list are shown.

2 Select Yes against Enable SNMP Notification and click Save.


3 Click the Add icon.
The SNMP page is displayed.

4 Specify your options in the appropriate fields.

Field Description

Admin Domains
  Specify whether this applies to the child domains as well.

IP Address
  IP address of the target SNMP server. This can be an IPv4 or IPv6 address.

Target Port
  SNMP listening port of the target server

SNMP Version
  The version of SNMP running on your target SNMP server. Version options are 1, 2c, Both 1 and 2c, and 3.

Community String
  Enter an SNMP community string to protect your Trellix IPS data. SNMP community strings authenticate access to Management Information Base (MIB) objects and function as embedded passwords.

Send Notification If
  By attack for Sensor and the attack definition has this notification option explicitly enabled for IPS — Forwards attacks that match customized policy notification settings, which you must set when editing attack responses within the Policy Editor.
  By Alert Filter for Sensor and the following notification filter is matched for NTBA — Sends notification for all, or based on the severity of alerts:
  • Severity Informational and above — Includes all alerts
  • Severity Low and above — Includes low, medium, and high severity alerts
  • Severity Medium and above — Includes both medium and high severity alerts
  • Severity High — Includes only high severity alerts

The following fields appear only when SNMP Version 3 is selected.

User Name User name for authentication


Field Description

Authoritative Engine ID (Hex Values)
  The authoritative (security) engine ID used for SNMP version 3 REQUEST messages by the primary Manager. The hex value of the Authoritative Engine ID should have only even pairs (for example, you can have a hex value of 4 pairs like 00-1B-3F-2C).
  Note: A MAC address can also be used as the Authoritative Engine ID.

Authoritative Peer Engine ID (Hex Values)
  The authoritative (security) engine ID used for SNMP version 3 REQUEST messages by the secondary Manager.
  Note: The Authoritative Peer Engine ID field is available while configuring SNMP version 3 only after successful creation of an MDR pair.
  Note: The Authoritative (security) engine ID for any Manager is unique. At any point of time, the Authoritative Engine ID of the Manager is static irrespective of the Manager status in case of an MDR pair. That is, when an MDR switchover occurs, the authoritative engine ID of the Manager will not change with the status of the Manager. Hence, the alerts generated from the Primary and Secondary Manager will have their respective authoritative engine IDs.
  Note: After successful deletion of an MDR pair, the Authoritative Engine IDs are retained by the respective Managers.

Authentication Level
  This specifies the authentication level and has the following categories:
  • No Authorization, No Privileges — Uses User name match for authentication
  • Authorization, No Privileges — Provides authentication based on the MD5 or SHA algorithms
  • Authorization and Privileges — Provides authentication based on the MD5 or SHA algorithms. It also provides encryption in addition to authentication based on the DES or AES standards.

Customize Community
  Enter an SNMP community string to protect your Trellix IPS data. SNMP community strings authenticate access to Management Information Base (MIB) objects and function as embedded passwords.

The following fields appear only when Authorization, No Privileges is selected as the Authentication Level:

Authentication Type
  The authentication protocol (MD5 or SHA) used for authenticating SNMP version 3 messages

Authentication Password
  The authentication pass phrase used for authenticating SNMP version 3 messages

The following fields appear only when Authorization and Privileges is selected as the Authentication Level:

Authentication Type
  The authentication protocol (MD5 or SHA) used for authenticating SNMP version 3 messages

Authentication Password
  The authentication pass phrase used for authenticating SNMP version 3 messages

Encryption Type
  The privacy protocol (AES or DES) used for encrypting SNMP version 3 messages

Privacy Password
  The privacy pass phrase used for encrypting SNMP version 3 messages

5 Click Save.


The SNMP server is added to the SNMP Servers page.

Note
Do not use a broadcast IP address (that is, 255.255.255.255) as the target SNMP server for forwarding alerts.

Tasks
• Modify or delete SNMP server settings on page 139

Modify or delete SNMP server settings

You can modify or delete the SNMP server settings at the Manager node.

Task
1 Select Manager | <Admin Domain Name> | Setup | Notification | IPS/NTBA Events | SNMP.
The SNMP tab with the Enable SNMP Notification option and the SNMP Servers list is displayed.

2 Select the configured SNMP server instance from the SNMP Servers list.

3 Configure the following:


a To edit the settings, click the Edit icon, modify the fields as required, and click Save.

b To delete the settings, click the Delete icon and click OK to confirm deletion.

Forward alert notifications from the Manager to a syslog server


Alerts forwarded from the Manager to a syslog server enable you to view the alerts in third-party applications that support UDP and TCP over SSL, for example, Syslog NG.

Task
1 Select Manager | <Admin Domain Name> | Setup | Notification | IPS Events | Syslog.


2 Click Yes in Enable Syslog Notification to enable syslog forwarding of alerts.

3 Click Save.

Note
You can forward Sensor alerts to multiple syslog servers by creating new syslog notification profiles. You can forward IPS alerts to syslog
servers using UDP or TCP (with or without SSL).

Tasks
• Add a syslog notification profile on page 140
• Edit or delete a syslog notification profile on page 147
• Add a syslog server profile on page 146
• Edit or delete a syslog server profile on page 147

Add a syslog notification profile

You can add notification profiles that will be displayed in the Syslog page.

Task
1 Click the Add icon in the Syslog page.

The Add a Syslog Notification Profile page is displayed.

2 Specify your options in the corresponding fields.

Field Description

Admin Domain
  • Current — Send notifications for alerts in the current domain. Always enabled for the current domain by default.
  • Children — Include alerts for all child domains of the current domain (not applicable to NTBA)

Notification Profile Name
  Profile name from where notifications are sent


Field Description

Target Server
  You can perform the listed actions on the target server:
  • Add — To add a new target server
    Note: For more information on adding a new syslog forwarder target server profile, see Add a syslog server profile on page 146.
  • Edit — To edit the target server
  • Delete — To delete the target server
    Note: For more information on editing or deleting a syslog forwarder target server profile, see Edit or delete a syslog server profile on page 147.

Facility
  Standard syslog prioritization value. The choices are as follows:
  • Security/authorization (code 4)
  • Security/authorization (code 10)
  • Log audit (note 1)
  • Log alert (note 1)
  • Clock daemon (note 2)
  • Local user 0 (local0)
  • Local user 1 (local1)
  • Local user 2 (local2)
  • Local user 3 (local3)
  • Local user 4 (local4)
  • Local user 5 (local5)
  • Local user 6 (local6)
  • Local user 7 (local7)

Severity Mappings
  You can map each severity (Informational, Low, Medium, or High) to one of the standard syslog severities listed below:
  • Emergency — System is unusable
  • Alert — Action must be taken immediately
  • Critical — Critical conditions
  • Error — Error conditions
  • Warning — Warning conditions
  • Notice — Normal but significant condition
  • Informational — Informational messages
  • Debug — Debug-level messages

Notify for All Alerts
  By default, this checkbox is selected. Notifies for all discovered attacks.

The following field is enabled only on deselecting the Notify for All Alerts checkbox.


Field Description

Only Notify When
  Sends notifications only for attacks that match the selected filter:
  • The attack definition has this notification option explicitly enabled — Attacks that match customized policy notification settings, which you must set when editing attack responses within the policy editor (Policy | <Admin Domain Name> | Intrusion Prevention | Policy Types | IPS)
  • Severity High — Includes only high severity alerts
  • Severity Informational and above — Includes all alerts
  • Severity Low and above — Includes low, medium, and high severity alerts
  • Severity Medium and above — Includes both medium and high severity alerts

Notify on Quarantine Events (not applicable to NTBA Appliance)
  Select this checkbox to see quarantine events.

Message
  The default message is a quick summary of an alert with two fields for easy recognition: Attack Name and Attack Severity. The default message reads:
  $IV_SENSOR_NAME$ detected $IV_DIRECTION$ attack $IV_ATTACK_NAME$ (severity = $IV_ATTACK_SEVERITY$). $IV_SOURCE_IP$:$IV_SOURCE_PORT$ -> $IV_DESTINATION_IP$:$IV_DESTINATION_PORT$ (result = $IV_RESULT_STATUS$)
  Note: For the syslog message to appear correctly, ensure that you use the dollar-sign ($) delimiter immediately before and after each parameter. Example: $ATTACK_TIME$
  Type a message and select (click) the parameters for the wanted alert identification format. You can type custom text in the Message field.
  Note: Prior to Sensor software version 10.1.5.116, the variables $IV_MALWARE_FILE_SHA1_HASH$ and $IV_MALWARE_FILE_SHA256_HASH$ do not display the file hashes.

3 Click Save.

The newly added notification profile will be displayed in the Syslog page.

Table 2-3 Syslog variables for alert notification and the equivalent Attack Log columns

Syslog variable name (Attack Log column)
Description

$IV_ADMIN_DOMAIN$ (Attack Log column: Domain)
The domain to which the Sensor that detected the attack belongs.

$IV_ALERT_ID$ (Attack Log column: Alert ID)
The globally unique ID that the Manager assigns to an alert.

$IV_ALERT_TYPE$ (Attack Log column: not available)
The Sensor decides the type of alert. This is mainly used by the Manager for its internal processing. This is not related to the Attack Category or Attack Sub-category. Some example alert types are signature, statistical anomaly, threshold anomaly, port scan, and host sweep.

$IV_APPLICATION_PROTOCOL$ (Attack Log column: not available)
The application-layer protocol associated with the attack traffic. This is not related to the Application Identification feature, and this information is displayed even if you have not enabled Application Identification. There could be instances when a Sensor might not be able to detect the protocol.

$IV_ATTACK_CONFIDENCE$ (Attack Log column: not available)
This is a value between 1 and 7. For example, a confidence level of 7 indicates that there is a low possibility of the attack being a false positive. The attack confidence values are inversely related to the Benign Trigger Probability (BTP) values of attack signatures.
• Confidence 1 = BTP 7 (high)
• Confidence 2 = BTP 6 (high)
• Confidence 3 = BTP 5 (medium)
• Confidence 4 = BTP 4 (medium)
• Confidence 5 = BTP 3 (medium)
• Confidence 6 = BTP 2 (low)
• Confidence 7 = BTP 1 (low)

Note: When the BTP value is 0, there is no corresponding confidence value for the attack.

$IV_ATTACK_COUNT$ (Attack Log column: Attack Count)
The number of times the attack occurred. This information is more relevant for suppressed alerts. Consider that you have enabled alert suppression such that the alert is raised only when the attack is seen 5 times within 30 seconds. Subsequently, the Sensor detected this attack 10 times within 30 seconds. Then the attack count for this alert is 10.

$IV_ATTACK_ID$ (Attack Log column: the equivalent hexadecimal value is displayed in the Attack Information & Description page as Intruvert ID)
Trellix Labs assigns a universally unique hexadecimal value to each attack. This field displays the integer value of the hexadecimal ID assigned by Trellix Labs.

$IV_ATTACK_NAME$ (Attack Log column: Name)
The name assigned by Trellix Labs to an attack.

$IV_ATTACK_SEVERITY$ (Attack Log column: Attack Severity, shown as high, medium, low, or informational)
Indicates the severity value of an attack specified in the corresponding attack definition.
• 0 - Informational
• 1 to 3 - low
• 4 to 6 - medium
• 7 to 9 - high

$IV_ATTACK_SIGNATURE$ (Attack Log column: not available)
The ID of the signature that matched the attack traffic.

$IV_ATTACK_TIME$ (Attack Log column: Time)
The time when the Sensor created the alert.

$IV_CALLBACK_ACTIVITY$ (Attack Log column: Callback Activity)
The name of the Callback Activity family.

$IV_CATEGORY$ (Attack Log column: Attack Category)
The category to which the attack belongs. This is decided by Trellix Labs. Some examples are exploit, policy violation, and reconnaissance. You can view the attack categories in the IPS Policy Editor when you group by Attack Category.

$IV_CC_DOMAIN$ (Attack Log column: C&C Domain)
The name of the Callback Activity domain.

$IV_DESTINATION_CRITICALITY$

$IV_DESTINATION_IP$ (Attack Log column: Target IP address)
The destination IP address to which the attack is destined.

$IV_DESTINATION_PORT$ (Attack Log column: Target Port)
The port number on the destination host to which the attack traffic is sent.

$IV_DESTINATION_PROXY_IP$ (Attack Log column: Target Proxy IP)
The IP address of the proxy server.

$IV_DEST_APN$ (Attack Log column: not available)
This is the destination Access Point Name (APN). This information is part of a mobile subscriber's identity data and is relevant only if you have deployed Sensors to monitor mobile networks. To see this data, you must enable capturing and tagging of mobile subscriber data in the alerts by using the set mnsconfig Sensor CLI command.

$IV_DEST_IMSI$ (Attack Log column: not available)
This is the destination International Mobile Subscriber Identity (IMSI). The details provided for APN apply to this as well.

$IV_DEST_OS$ (Attack Log column: Target OS)
The operating system installed on the destination host.

$IV_DEST_PHONE_NUMBER$ (Attack Log column: not available)
This is the destination mobile phone number. The details provided for APN above apply to this as well.

$IV_DETECTION_MECHANISM$ (Attack Log column: Detection, in the Alert Details panel)
The method the Sensor used to detect the attack. For example, signature, multi-flow-correlation, threshold, and so on. Each method relates to a specific attack category.

$IV_DIRECTION$ (Attack Log column: Direction)
Indicates whether the attack traffic originated from your network or the outside network. For example, inbound direction means that the attack traffic originated from the outside network, targeting the hosts on your network.

$IV_INTERFACE$ (Attack Log column: Interface)
The interface or sub-interface on which the Sensor detected the attack traffic.

$IV_LAYER_7_DATA$ (Attack Log column: Layer 7 Data)
Provides the Layer 7 data.

$IV_MALWARE_CONFIDENCE$ (Attack Log column: Malware Confidence)
Confidence level of the malware as detected by the engine.

$IV_MALWARE_DETECTION_ENGINE$ (Attack Log column: Engine)
Engine which detected the malware (Gateway Anti-Malware, Global Threat Intelligence, PDF-JS, etc.).

$IV_MALWARE_FILE_LENGTH$ (Attack Log column: not available)
The length of the malware file.

$IV_MALWARE_FILE_MD5_HASH$ (Attack Log column: File Hash)
The MD5 hash of the malware file (fingerprint).

$IV_MALWARE_FILE_NAME$ (Attack Log column: File Name)
The name of the malware file. For SMTP traffic, it displays the file name of the attachment, and for HTTP traffic, it displays the URL of the file.

$IV_MALWARE_FILE_SHA1_HASH$ (Attack Log column: File Hash)
The SHA1 hash of the malware file (fingerprint).

$IV_MALWARE_FILE_SHA256_HASH$ (Attack Log column: File Hash)
The SHA256 hash of the malware file (fingerprint).

$IV_MALWARE_FILE_TYPE$ (Attack Log column: not available)
The file type of the malware file.

$IV_MALWARE_VIRUS_NAME$ (Attack Log column: not available)
The virus name as detected by Gateway Anti-Malware.

$IV_NETWORK_PROTOCOL$ (Attack Log column: Protocol, in the Alert Details panel)
The network protocol, such as TCP, of the attack traffic.

$IV_QUARANTINE_END_TIME$ (Attack Log column: not available)
The time when the attacking host will be out of quarantine. This is relevant only if you have enabled the Quarantine feature.

$IV_RESULT_STATUS$ (Attack Log column: Result)
Indicates whether the attack traffic reached the victim host.

$IV_SENSOR_ALERT_UUID$ (Attack Log column: Alert ID)
The universally unique ID assigned by the Sensor for the alert. For a specific alert raised by a specific Sensor, the Central Manager also displays the same ID.

$IV_SENSOR_CLUSTER_MEMBER$ (Attack Log column: not available)
The member Sensor of an HA pair that generated the alert.

$IV_SENSOR_NAME$ (Attack Log column: Device)
The Sensor that generated the alert.

$IV_SOURCE_IP$ (Attack Log column: Attacker IP address)
The IP address of the attacking host.

$IV_SOURCE_OS$ (Attack Log column: Attacker OS, in the Alert Details panel)
OS of the attacking host.

$IV_SOURCE_PORT$ (Attack Log column: Attacker Port)
The port number on the attacking host from which the attack traffic is sent.

$IV_SOURCE_PROXY_IP$ (Attack Log column: Attacker Proxy IP)
The IP address of the proxy server.

$IV_SRC_APN$ (Attack Log column: not available)
This is the source Access Point Name (APN). This information is part of a mobile subscriber's identity data and is relevant only if you have deployed Sensors to monitor mobile networks. To see this data, you must enable capturing and tagging of mobile subscriber data in the alerts by using the set mnsconfig Sensor CLI command.

$IV_SRC_IMSI$ (Attack Log column: not available)
This is the source International Mobile Subscriber Identity (IMSI). The details provided for APN apply to this as well.

$IV_SRC_PHONE_NUMBER$ (Attack Log column: not available)
This is the source mobile phone number. The details provided for APN apply to this as well.

$IV_SUB_CATEGORY$ (Attack Log column: Attack Subcategory, in the Alert Details panel)
The subcategory to which the attack belongs. This is decided by Trellix Labs, and is a classification within Attack Category. Some examples are brute-force, buffer-overflow, host-sweep, and restricted-application. You can view the attack subcategories in the IPS policy editor when you group by Attack Subcategory.

$IV_VLAN_ID$ (Attack Log column: VLAN)
The VLAN ID seen on the attack traffic.

Tasks
• Add a syslog server profile on page 146
• Edit or delete a syslog server profile on page 147

Add a syslog server profile


You can add server profiles that will be populated in the Target Server drop-down list on the Add a Syslog Notification Profile
page.

Task
1 Click Add beside the Target Server drop-down list.

The Add a Syslog Server Profile page is displayed.

2 Enter the Target Server Profile Name.

3 Enter the syslog server name or IP address.

Note
The maximum length of the server name has been increased from 40 to 255 characters.

4 Select TCP or UDP from the Protocol drop-down list.

Note
If you select the TCP protocol:
• You will have to provide a certificate when you select the Use SSL checkbox.

• Click Test Connection to check if the connection is successful. If a TCP server is down, at least five attempts will be
made to ping the server before a fault is raised.


5 Specify the port. By default, the port is set to 514.

6 Click Save.

Now you can select the server where you want to forward the alert.

Edit or delete a syslog server profile


You can edit or delete a syslog server profile by clicking Edit or Delete in the Edit a Syslog Notification Profile section.

Note
You can delete a syslog server only when it is not in use; otherwise, an error message is displayed.

Edit or delete a syslog notification profile

You can edit or delete a syslog notification profile by clicking the edit or delete icon in the Syslog Notification Profiles section.

Configure email or pager alert notifications

Before you begin

You must identify a mail server for email notifications in the E-mail page (Manager | <Admin Domain Name> |
Setup | Notification | IPS/NTBA Events | E-mail).

Users can be alerted by email or pager when an alert is generated that matches a chosen severity or customized attack setting.
The procedure for configuring email alerts is described here. The procedure for configuring pager alerts is similar.

Task
1 Select Manager | <Admin Domain Name> | Setup | Notification | IPS/NTBA Events | E-mail.
The E-Mail and Recipient List information is displayed under the E-mail tab.

2 Specify your options in the corresponding fields.


Field Description

Enable E-mail Notification: Select Yes to enable alert notification through email.

Send Notification If: The attack definition has this notification option explicitly enabled — Send notification for attacks that match customized policy notification settings, which you must set when editing attack responses within the policy editor.
The following notification filter is matched — Send notification based on the following filters:
• Severity Informational and above — Includes all alerts
• Severity Low and above — Includes low, medium, and high severity alerts
• Severity Medium and above — Includes both medium and high severity alerts
• Severity High — Includes only high severity alerts
The table below explains the functional interdependency of the two options.

Suppression Time: Type a Suppression Time for the notification. The suppression time is the duration (minutes and seconds) to wait after an alert notification has been sent before sending another alert notification. The default and minimum value is 10 minutes and 0 seconds. Suppression time is useful to avoid sending excessive notifications when there is heavy attack traffic.

Message Body: The message body is a preset response sent with the notification with information pertaining to the alert.
System Default — The system default message provides the notified admin with the most basic attack details so that an immediate response can be made. Details include the attack name, time detected, attack type, severity, the Sensor interface where detected, and the source and/or destination IP addresses.

Note: You cannot edit the System Default message.

Customized — Select Customized against Message Body and click Edit to view the Custom Message page.
You can type custom text in the Subject field or Body section, as well as click one or more of the provided variable links at Subject Line Variables or Content-Specific Variables.

Note: Prior to Sensor software version 10.1.5.116, the variables $IV_MALWARE_FILE_SHA1_HASH$ and $IV_MALWARE_FILE_SHA256_HASH$ do not display the file hashes.

Functional interdependency of the two Send Notification If options:
• Only "notification option explicitly enabled" selected: Emails are sent only for the attacks where the notification option is enabled.
• Only "notification filter is matched" selected: Emails are sent only when the defined severity level is matched and the notification option is disabled.
• Both selected: If the attack matches at least one of the criteria, an email is sent.

3 Click Save to return to the email or pager notification settings page.

4 Click the add icon in the Recipient List section of the E-mail page.

The Add a Recipient page is displayed.


5 Enter the Recipient email address in the SMTP Address field and click Save.
The email address is listed under the Recipient List on the E-mail tab.
• You can configure pager settings using a similar procedure in the Pager page. Select Manager | <Admin Domain
Name> | Setup | Notification | IPS/NTBA Events | Pager to view the Pager page.

• Email and pager notifications are configured per admin domain.

Enable alert notification by script


Users can be alerted through an executed script when an alert is generated that matches a chosen severity or customized
attack setting.

Task
1 Select Manager | <Admin Domain Name> | Setup | Notification | IPS/NTBA Events | Script.

The Script page is displayed.

2 Specify the options in the corresponding fields.

Field Description

Enable Script Execution: Select Yes to enable alert notification through an executed script.

Send Notification If: The attack definition has this notification option explicitly enabled — Send notification for attacks that match customized policy notification settings, which you must set when editing attack responses within the policy editor.
The following notification filter is matched:
• Severity Informational and above — Includes all alerts
• Severity Low and above — Includes low, medium, and high severity alerts
• Severity Medium and above — Includes both medium and high severity alerts
• Severity High — Includes only high severity alerts

Suppression Time: Enter a Suppression Time for the notification. The suppression time is the amount of time (minutes and seconds) to wait after an alert has been generated before sending the notification. This prevents a notification from being sent for an alert that has been acknowledged or deleted through the Attack Log page within the suppression time. The default and minimum value is 10 minutes and 0 seconds.

3 Click Edit.


The Script Contents page is displayed.

• Enter a description in the Description field.

• Enter the required text in the Script Contents field. Click the links provided against Content-Specific Variables to add
variables in the Script Contents field.

Note
Prior to Sensor software version 10.1.5.116, the variables $IV_MALWARE_FILE_SHA1_HASH$ and $IV_MALWARE_FILE_SHA256_HASH$
do not display the file hashes.

4 Click Save to return to the Script page.

5 Click Save to save your settings.


• The local system user must have permission to create the script output file in the Manager installation directory.

• Notifications are configured per admin domain.

Set up of fault notifications

The Manager can send system fault information to third-party machines such as SNMP servers and syslog servers. You can also
configure Manager to notify you — via email, pager, or script — for system faults based on fault severity. You can view fault
notification details, forward faults to an SNMP or Syslog server, configure fault notification, send alerts to an email or pager,
and specify script parameters for fault notifications.

How to view fault notification details


The Summary (Manager | <Admin Domain Name> | Setup | Notification | Faults | Summary) option displays a summary of
configured fault notification settings for the Manager (or Central Manager). The summary reflects configurations made within
the other Fault Notification group actions.


In case of Central Manager, select Manager | Setup | Notification | Faults | Summary.

Figure 2-35 Fault Notification Details

Forward faults to an SNMP server


The Manager | <Admin Domain Name> | Setup | Notification | Faults | SNMP option enables you to specify an SNMP server
to which system fault information will be sent from the Manager. You can configure more than one SNMP server where you
want to send fault messages. The SNMP Servers page displays the SNMP servers that have been configured. The fields in this
page are described within the configuration steps that follow.

To configure an SNMP server to receive system faults from your Manager, do the following:

Task
1 Select Manager | <Admin Domain Name> | Setup | Notification | Faults | SNMP.

2 Check Enable SNMP Notification (default is Yes) and click Save.


3 Click the add icon.
The SNMP page is displayed.

4 Fill in the following fields:

Field Description

Admin Domains: Select the below options to enable admin domain notification:
• Current — Send notifications for alerts in the current domain. Always enabled for the current domain.
• Children — Include alerts for all child domains of the current domain

IP Address: IP address of the target SNMP server. This can be an IPv4 or IPv6 address.

Target Port: Target server's SNMP listening port. The standard port for SNMP traps, 162, is pre-filled in the field.

SNMP Version: Version of SNMP running on the target SNMP server. Version options are 1, 2c, Both 1 and 2c, and 3.

Community String: Type an SNMP community string to protect your Trellix IPS data. SNMP community strings authenticate access to Management Information Base (MIB) objects and function as embedded passwords.

Forward Faults: Choose the severity level for forwarding faults. The options are Critical, Error and above, Warning and above, and Informational and above. Limiting the forwarded severities to Critical or Error and above is recommended for focused analysis.

The following fields appear only when SNMP Version 3 is selected.

User Name: Type a username that will be used for authentication.

Authoritative Engine ID (Hex Values): The Authoritative (security) Engine ID of the Manager used for sending SNMP version 3 REQUEST messages. The hex value of the Authoritative Engine ID must be made up of whole pairs of hex digits (for example, a value of 4 pairs such as 00-1B-3F-2C).

Note: A MAC address can also be used as the Authoritative Engine ID.


Authoritative Peer Engine ID (Hex Values): The authoritative (security) engine ID used for SNMP version 3 REQUEST messages by the secondary Manager.

Note: The Authoritative Peer Engine ID field is available while configuring SNMP version 3 only after successful creation of an MDR pair.

Note: The Authoritative (security) engine ID for any Manager is unique. At any point of time, the Authoritative Engine ID of the Manager is static irrespective of Manager status in case of an MDR pair. That is, when MDR switchover occurs, the authoritative engine ID of the Manager will not change with the status of the Manager. Hence, the alerts generated from the Primary and Secondary Manager will have their respective authoritative engine IDs.

Note: After successful deletion of an MDR pair, the Authoritative Engine IDs are retained by the respective Managers.

Authentication Level: This specifies the authentication level and has the following categories:
• No Authorization, No Privileges — Uses a user name match for authentication
• Authorization, No Privileges — Provides authentication based on the MD5 or SHA algorithms
• Authorization, Privileges — Provides authentication based on the MD5 or SHA algorithms. It also provides encryption in addition to authentication, based on the DES or AES standards.

The following fields appear only when Authorization, No Privileges or Authorization, Privileges is selected in Authentication Level.

Authentication Type: The authentication protocol (MD5 or SHA) used for authenticating SNMP version 3 messages

Authentication Password: The authentication pass phrase used for authenticating SNMP version 3 messages

Encryption Type: The privacy protocol (DES or AES) used for encrypting SNMP version 3 messages

Privacy Password: The privacy pass phrase used for encrypting SNMP version 3 messages

5 Click Save.

Tasks
• Modify or delete SNMP forwarder settings on page 153

Modify or delete SNMP forwarder settings

To modify or delete SNMP Forwarder settings, do the following:

Task
1 Select Manager | <Admin Domain Name> | Setup | Notification | Faults | SNMP.

2 Select the configured SNMP server instance from the SNMP Forwarder list page.


3 Do one of the following:
a To edit the settings, click the edit icon, modify the fields as required, and then click Save.
b To delete the settings, click the delete icon and then click OK to confirm the deletion.

Forward faults to a Syslog server


The Manager | <Admin Domain Name> | Setup | Notification | Faults | Syslog option enables the forwarding of Trellix IPS
faults to a syslog server. Syslog forwarding enables you to view the forwarded faults via a third-party syslog application. For
syslog forwarding, the root domain and parent domains have the option to include faults from all corresponding child domains.
To enable syslog forwarding for fault notification, do the following:

Task
1 Select Manager | <Admin Domain Name> | Setup | Notification | Faults | Syslog (same for Central Manager).
The Syslog window is displayed.

2 Fill in the following fields:

Field Description

Enable Syslog Notification: Yes is enabled; No is disabled

Admin Domain: Select the below options to enable admin domain notification:
• Current — Send notifications for alerts in the current domain. Always enabled for the current domain.
• Children — Include alerts for all child domains of the current domain.

Note: This field is not present for Central Manager.

Server Name or IP Address: Type either the Host IP Address or Host Name of the syslog server where alerts will be sent. For Host IP address, you can enter either an IPv4 or IPv6 address.

Note: The maximum length of the server name has been increased from 40 to 255 characters.

Port: Port on the target server which is authorized to receive syslog messages. The standard port for syslog, 514, is pre-filled in the field.

Facilities: Standard syslog prioritization value. The choices are as follows:
• Security/authorization (code 4)
• Security/authorization (code 10)
• Log audit (note 1)
• Log alert (note 1)
• Clock daemon (note 2)
• Local user 0 (local0)
• Local user 1 (local1)
• Local user 2 (local2)
• Local user 3 (local3)
• Local user 4 (local4)
• Local user 5 (local5)
• Local user 6 (local6)
• Local user 7 (local7)


Severity Mapping: You can map each fault severity (Informational, Error, Warning, and Critical) to one of the standard syslog severities listed below (default severity mappings are noted in parentheses):
• Emergency — System is unusable
• Alert — Action must be taken immediately
• Critical — (HIGH) Critical conditions
• Error — Error conditions
• Warning — (MEDIUM) Warning conditions
• Notice — (LOW) Normal but significant condition
• Informational — (INFORMATIONAL) Informational messages
• Debug — Debug-level messages

Forward Faults: Select the severity of the faults that you want to be forwarded to the syslog server. The options are:
• Critical — Only Critical faults
• Error and above — Both Error and Critical faults
• Warning and above — Warning, Error, and Critical faults
• Informational and above — All faults

3 Click Save.

Note
You must click Save before you will be able to customize the message format sent to your syslog server.

4 Select the Message Preference to send as the syslog forwarding message. The choices are:
• System Default— The default message is a quick summary of a fault with two fields for easy recognition: Attack Name
and Attack Severity. A default message reads:
Attack $IV_ATTACK_NAME$ ($IV_ATTACK_SEVERITY$)


• Customized— Create a custom message. To create a custom message, do the following:


1 Click Edit to create a custom message.

2 Type a message and select (click) the parameters for the desired alert identification format. The following figure
displays a custom message. You can type custom text in the Message field as well as click one or more of the
provided elements below the field box.

3 Click Save when finished to return to the Syslog page. The Customized button is automatically selected after you
have customized the Message Preference.

Caution
For syslog information to appear correctly, ensure that you use the dollar-sign ($) delimiter immediately before and after each
element. Example: $ATTACK_TIME$

Table 2-4 Syslog variables for fault notification

Syslog variable name: Description

$IV_ACK_INFORMATION$: Displays additional acknowledgment information when a created fault is acknowledged after the hysteresis period.
$IV_ADDITIONAL_TEXT$: Displays additional text for the raised fault.
$IV_ADMIN_DOMAIN$: Name of the domain.
$IV_DESCRIPTION$: Description of the fault.
$IV_DEVICE_NAME$: Name of the device.
$IV_FAULT_COMPONENT$: The component for which the fault is generated.
$IV_FAULT_LEVEL$: Displays the fault level (Manager system level, Sensor level, or Sensor interface level).
$IV_FAULT_NAME$: The name of the fault.
$IV_FAULT_SOURCE$: Indicates if the fault is generated by the Manager or sent by the Sensor.
$IV_FAULT_TIME$: The time at which the fault is generated.
$IV_FAULT_TYPE$: Indicates if the event is created, acknowledged, or cleared.
$IV_MEMBER_DEVICE_NAME$: Name of the Sensor.
$IV_OWNER_ID$: ID of the Manager or the Sensor.
$IV_SEVERITY$: The severity of the fault (critical, error, or warning).

5 Click Save.
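The alert message template and Table 2-3 above, and the fault message template and Table 2-4, share one substitution format: a variable name wrapped in $ delimiters. The following Python script is an added example, not product code: it renders a template from alert or fault values, derives the syslog PRI from the profile's facility and severity mapping (using the attack severity ranges 0, 1 to 3, 4 to 6, 7 to 9 from Table 2-3), and parses a line produced from the default alert template back into fields on the collector side. The sample alert and fault values, the sensor name, the custom fault template, and the assumption that the parenthesised default severity mapping applies to alert profiles are all constructed for the example.

```python
# Render, classify and parse Trellix IPS syslog notification messages.
# Added example, not product code. Template text and the $VAR$ delimiter
# rule come from the guide; all sample values below are constructed.
import re

# Default alert message as listed in the syslog notification profile.
DEFAULT_ALERT_TEMPLATE = (
    "$IV_SENSOR_NAME$ detected $IV_DIRECTION$ attack $IV_ATTACK_NAME$ "
    "(severity = $IV_ATTACK_SEVERITY$). $IV_SOURCE_IP$:$IV_SOURCE_PORT$ -> "
    "$IV_DESTINATION_IP$:$IV_DESTINATION_PORT$ (result = $IV_RESULT_STATUS$)"
)
# Standard syslog severity codes, in the order the guide lists them.
SYSLOG_SEVERITY = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
                   "Warning": 4, "Notice": 5, "Informational": 6, "Debug": 7}
# Facility codes for the choices the guide names with an explicit code;
# local0..local7 are 16..23 in the standard syslog facility table.
FACILITY = {"Security/authorization (code 4)": 4,
            "Security/authorization (code 10)": 10}
FACILITY.update({f"local{i}": 16 + i for i in range(8)})
# Default IPS-to-syslog severity mapping, as noted in parentheses in the
# guide's Severity Mapping list (assumed here to apply to alert profiles).
DEFAULT_SEVERITY_MAPPING = {"high": "Critical", "medium": "Warning",
                            "low": "Notice", "informational": "Informational"}
VAR_RE = re.compile(r"\$([A-Za-z0-9_]+)\$")


def attack_severity_bucket(value):
    """Map the numeric $IV_ATTACK_SEVERITY$ (0-9) to the Attack Log word."""
    n = int(value)
    if n == 0:
        return "informational"
    if 1 <= n <= 3:
        return "low"
    if 4 <= n <= 6:
        return "medium"
    if 7 <= n <= 9:
        return "high"
    raise ValueError(f"attack severity out of range: {value}")


def unresolved_variables(template, values):
    """$NAME$ tokens in the template that the alert or fault does not supply."""
    return [n for n in VAR_RE.findall(template) if n not in values]


def render_template(template, values):
    """Substitute $NAME$ tokens; unknown names stay literal so the gap is
    visible in the forwarded message rather than silently dropped."""
    return VAR_RE.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def syslog_pri(facility_code, severity_code):
    """PRI value written in angle brackets at the start of a syslog line."""
    return facility_code * 8 + severity_code


def build_alert_line(alert, facility="local0", mapping=DEFAULT_SEVERITY_MAPPING,
                     template=DEFAULT_ALERT_TEMPLATE):
    """'<PRI>message' for an alert, using the profile's facility and mapping."""
    bucket = attack_severity_bucket(alert["IV_ATTACK_SEVERITY"])
    pri = syslog_pri(FACILITY[facility], SYSLOG_SEVERITY[mapping[bucket]])
    return f"<{pri}>{render_template(template, alert)}"


# Collector-side parser for messages produced from the default template.
DEFAULT_ALERT_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<IV_SENSOR_NAME>.+?) detected (?P<IV_DIRECTION>\S+) attack "
    r"(?P<IV_ATTACK_NAME>.+?) \(severity = (?P<IV_ATTACK_SEVERITY>[^)]*)\)\. "
    r"(?P<IV_SOURCE_IP>\S+):(?P<IV_SOURCE_PORT>\d+) -> "
    r"(?P<IV_DESTINATION_IP>\S+):(?P<IV_DESTINATION_PORT>\d+) "
    r"\(result = (?P<IV_RESULT_STATUS>[^)]*)\)$")


def parse_default_alert(line):
    """Return the alert fields (plus facility/severity from PRI), or None."""
    m = DEFAULT_ALERT_RE.match(line)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if k != "pri"}
    if m.group("pri") is not None:
        fields["facility"], fields["severity"] = divmod(int(m.group("pri")), 8)
    return fields


# Constructed sample alert and fault values (not from a real deployment).
SAMPLE_ALERT = {
    "IV_SENSOR_NAME": "NS9500-DC1", "IV_DIRECTION": "Inbound",
    "IV_ATTACK_NAME": "HTTP: Directory Traversal Attempt",
    "IV_ATTACK_SEVERITY": "7", "IV_SOURCE_IP": "203.0.113.45",
    "IV_SOURCE_PORT": "51234", "IV_DESTINATION_IP": "10.0.0.5",
    "IV_DESTINATION_PORT": "80", "IV_RESULT_STATUS": "Blocked",
}
SAMPLE_FAULT = {"IV_FAULT_TIME": "2024-01-01 10:00:00",
                "IV_DEVICE_NAME": "NS9500-DC1", "IV_SEVERITY": "critical",
                "IV_FAULT_NAME": "Sensor Disconnected",
                "IV_FAULT_TYPE": "created", "IV_DESCRIPTION": "Channel down"}
# Constructed custom fault template built from the Table 2-4 variables.
CUSTOM_FAULT_TEMPLATE = ("$IV_FAULT_TIME$ $IV_DEVICE_NAME$ $IV_FAULT_NAME$ "
                         "[$IV_SEVERITY$] $IV_FAULT_TYPE$: $IV_DESCRIPTION$")
```

Run unresolved_variables on a custom message before saving it: a token such as $ATTACK_TIME$ that no row in Table 2-3 or 2-4 supplies would otherwise be forwarded literally.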

Set up common settings for fault notification


The Common Settings option enables you to determine the breadth and detail of fault information that will be sent via email,
pager, or script. You can configure a suppression time within which faults are held pending Acknowledge or Delete actions — or
automatic clearing events from the source — within Operational Status.


To manage fault notification details, do the following:

Task
1 Select Manager | <Admin Domain Name> | Setup | Notification | Faults | Common Settings (same for Central Manager).

2 Fill in the following fields:


• Admin Domains
  • Current — Send only faults for the current domain. This is always selected for the current domain.
  • Children — Send faults for all child domains of the current domain
• Notification Scope — If Sensor interfaces have been delegated to a child domain, faults can be set to display by the Admin domain in which the delegated interface resides, rather than by the domain where the Sensor is controlled.
  • Entire Device — Faults based on Sensor-domain relationship
  • Individual interface — Faults based on interface-domain relationship
• Suppression Time — The amount of time to suppress system faults before forwarding

Note
Suppression Time can only be set within the root admin domain.

3 Click Save.

Send alerts to an email or pager


Users can be alerted by email or email pager when a fault occurs that matches a specified severity.

Note
You must also identify a mail server for email notifications.

Note
Email and pager notifications are configured per admin domain.

Figure 2-36 Pager notification settings


To enable email or pager fault notification, do the following:

Task
1 Select Manager | <Admin Domain Name> | Setup | Notification | Faults | E-mail or Manager | <Admin Domain Name>
| Setup | Notification | Faults | Pager (same for Central Manager).

2 Select the enabled status (Enable E-mail / Pager Notification). Yes is enabled; No is disabled.

3 Select a fault Severity Level to be notified of:

Severity Level Description

Informational and above: Notifies for all faults.
Warning and above: Notifies for Warning, Error, and Critical faults.
Error and above: Notifies for Error and Critical faults.
Critical: Notifies only for Critical faults.

4 Select a Message body. The message body is a preset response sent with the notification with information pertaining to the
fault.
• System Default — The system default message provides the notified admin with the most basic fault details so that an
immediate response can be made. Details include the fault type (severity) and the component source. The subject line of
the default message contains the fault name.

Note
You cannot edit the System Default message.

• Customized — Type a message and select (click) the parameters for the desired attack identification format. The
following figure displays a custom message. You can type custom text in the Subject field or Message Body section, as
well as click one or more of the provided elements at Subject Line Variables or Content-Specific Variables to add to the
description. When you are finished formatting your message template, click Save. The Customized button is selected if
you have customized the message.

Figure 2-37 Customize Email Notification Messages window

5 Click Save to save your notification settings.

6 Specify the email or pager address of the intended recipient(s).


7 Scroll to the bottom of the E-mail or Pager page.


a Click .

b In SMTP Address, type an email address or email pager address.

c Click Save when complete.

d Repeat steps a through c to add additional recipient addresses.

Specify script parameters for fault notification


Users can be alerted via executed script when a system fault occurs that matches a configured severity.

Note
Script notifications are configured per admin domain.

To enable alert notification by script, do the following:

Task
1 Select Manager | <Admin Domain Name> | Setup | Notification | Faults | Script (Same for Central Manager).

2 Select the enabled status (Enable Script Execution). Yes is enabled; No is disabled.

3 Select a Severity Level to be notified of:

Field Description

Informational and above Notifies for all faults

Warning and above Notifies for Warning, Error, and Critical faults

Error and above Notifies for Error and Critical faults

Critical Notifies only for Critical faults

4 Configure Script Contents. This is a preset response sent with the notification with information pertaining to the fault.
a Click Edit.

b Type a name for the script at Description.

c For the Script Contents section, type the text and select the content-specific variables for the attack information you
want to see.

d Click Save to return to the notification form. The script is saved to your installation directory at <Manager_Install_Dir>\temp\scripts\0\<script-name>. The script file name is appended with ".bat".

Note
The default Manager installation directory is %programfiles%\Trellix\IPS Manager\App.

5 Click Save to save your notification settings.


Management of audit notifications

Every action performed by the Manager and the Manager server is audited, and each audit record contains the following:

• action performed

• result of the action (success or failure)

• time of action

• action message

• user information

• category of the action performed

• admin domain

• comments in detail

The Manager can forward this audit information to a syslog server.

Configure SNMP forwarder


Trellix IPS allows you to configure an SNMP server to which system audit information is sent from the Manager. You can configure more than one SNMP server to receive audit messages, and you can configure the SNMP servers for each admin domain separately. The SNMP server configured for the root admin domain can be different from the SNMP server configured for its child domains. When both the Children and the Current checkboxes are selected while configuring an SNMP server for the root admin domain, a child domain forwards notifications to both the parent and the child domain SNMP servers. When the Children checkbox is not selected in the root admin domain, a child domain uses only the SNMP server configured for that domain to forward notifications. The Manager displays the SNMP servers that have been configured. The fields on this page are described within the configuration steps that follow.

For SNMP forwarding, the root domain and parent domains have the option to include audit information from all
corresponding child domains.

To configure an SNMP server from your Manager, do the following:

Task
1 Select Manager | <Admin Domain Name> | Setup | Notification | User Activity | SNMP.

2 Select Enable SNMP Notification (default is No) and click Save.


3 Click .
The SNMP page is displayed.

Fill in the following fields:

Field Description

Admin Domains Current: send audit information for the current domain (always enabled for the current domain). Children: also include audit information for all child domains of the current domain.

IP Address IP address of the target SNMP server.

Target Port Target server's SNMP listening port. The standard port for SNMP, 162, is pre-filled in the field.

SNMP Version Version of SNMP running on the target SNMP server. Version options are 1, 2c, Both 1 and 2c, and 3.

Community String Type an SNMP community string to protect your Trellix IPS data. SNMP community strings authenticate access to Management Information Base (MIB) objects and function as embedded passwords.

Forward Audit Choose the audit logs to be forwarded. The options are Allow All Auditlogs, Failed Only, Successful Only, and In Progress Only.

The following fields appear only when SNMP Version 3 is selected.

User Name Type a username that will be used for authentication.

Authoritative Engine ID (Hex Values) The Authoritative (security) Engine ID of the Manager, used by the Primary Manager for sending SNMP version 3 REQUEST messages. The hex value of the Authoritative Engine ID must consist of complete hex pairs only (for example, a value of 4 pairs such as 00-1B-3F-2C).

Note: A MAC address can also be used as the Authoritative Engine ID.


Authoritative Peer Engine ID (Hex Values) The authoritative (security) engine ID used for SNMP version 3 REQUEST messages by the Secondary Manager.

Note: The Authoritative Peer Engine ID field is available while configuring SNMP version 3 only after successful creation of an MDR pair.

Note: The Authoritative (security) engine ID for any Manager is unique. At any point of time, the Authoritative Engine ID of the Manager is static irrespective of Manager status in case of an MDR pair. That is, when MDR switchover occurs, the authoritative engine ID of the Manager will not change with the status of the Manager. Hence, the alerts generated from the Primary and Secondary Manager will have their respective authoritative engine IDs.

Note: After successful deletion of an MDR pair, the Authoritative Engine IDs are retained by the respective Managers.

Authentication Level This specifies the authentication level and has the following categories:
No Authorization, No Privileges — Uses a user name match for authentication
Authorization, No Privileges — Provides authentication based on the MD5 or SHA
algorithms
Authorization and Privileges — Provides authentication based on the MD5 or SHA
algorithms. It also provides encryption in addition to authentication based on the
DES or AES standards.

The following fields appear only when Authorization, No Privileges or Authorization and Privileges is selected in
Authentication Level.

Authentication Type The authentication protocol (MD5 or SHA) used for authenticating SNMP version 3
messages

Authentication Password The authentication pass phrase used for authenticating SNMP version 3 messages

Encryption Type The privacy protocol (DES or AES) used for encrypting SNMP version 3 messages

Privacy Password The privacy pass phrase used for encrypting SNMP version 3 messages

4 Click Save.
To edit or delete an SNMP server, select the appropriate server from the list of SNMP servers and use the desired option ( or ).

Configure Syslog Forwarder


The User Activity option enables the forwarding of Trellix IPS audit information to a syslog server. Syslog forwarding enables
you to view the forwarded audit information via a third-party syslog application. For syslog forwarding, the root domain and
parent domains have the option to include audit information from all corresponding child domains. To enable syslog
forwarding for audit notification, do the following:

Task
1 Select Manager | <Admin Domain Name> | Setup | Notification | User Activity | Syslog.
The Syslog page is displayed.

2 Fill in the following fields:


Field Description

Enable Syslog Notification Yes is enabled; No is disabled

Admin Domain • Current— Send notifications for audit information in the current domain. Always enabled for the current domain.
• Children— Include audit information for all child domains of the current domain.

Server Name or IP Address Type either the Host IP Address or Server Name of the syslog server where audit information will be sent. For Host IP Address, you can enter either an IPv4 or an IPv6 address.

Note: The length of the server name has been increased to support up to 255 characters, from 40 characters.

Protocol Select TCP or UDP from the drop-down list.

Note: If you select the TCP protocol, you will have to provide a certificate when you select the Use SSL checkbox.

Port Port on the target server which is authorized to receive syslog messages. The standard port for syslog, 514, is pre-filled in the field.

Facilities Standard syslog prioritization value. The choices are as follows:
• Security/authorization (code 4)
• Security/authorization (code 10)
• Log audit (note 1)
• Log alert (note 1)
• Clock daemon (note 2)
• Local user 0 (local0)
• Local user 1 (local1)
• Local user 2 (local2)
• Local user 3 (local3)
• Local user 4 (local4)
• Local user 5 (local5)
• Local user 6 (local6)
• Local user 7 (local7)


Result Mapping You can map each audit result (Failed to, Successful to, and In Progress to) to one of the standard syslog severities listed below (default result severities are noted in parentheses):
• Emergency— System is unusable
• Alert— Action must be taken immediately
• Critical— (HIGH) Critical conditions
• Error— Error conditions
• Warning— (MEDIUM) Warning conditions
• Notice— (LOW) Normal but significant condition
• Informational— (INFORMATIONAL) Informational message
• Debug— Debug-level messages

Forward Audit Select the severity of the audit that you want to be forwarded to the syslog server. The options are:
• Allow all Auditlogs
• Failed only
• Successful only
• In Progress only

Message Preference Select the preference of the message. The options are:
• System default— This is available by default
• Customized— This is available once the notification is enabled

3 Click Apply.

Tasks
• Import syslog server certificate on page 164

Import syslog server certificate

Perform the following steps to import the certificate:

1 Import the CA certificate to the Manager Keystore:


a Copy the exported CA certificate CRT file to <Manager_Install_Dir>\config folder.

Note
Replace all <Manager install directory> with %programfiles%\Trellix\IPS Manager\App.

b In the Manager, navigate to Start | Run, type cmd, and press ENTER.

c Type the following command and press ENTER to import the certificate:
<Manager install directory>\jre\bin\keytool.exe -import -alias "syslog-server" -keystore <Manager install directory>\config\CustomSecurity\customjssecacerts -file <Manager install directory>\config\CustomSecurity\syslog-server.crt


d In the Password prompt, type changeit, and press ENTER.

e In the Trust this certificate prompt, type yes.

2 Verify the certificate import:


a In the Manager, navigate to Start | Run, type cmd, and press ENTER.

b Type the following command to verify:
<Manager install directory>\jre\bin\keytool.exe -list -keystore <Manager install directory>\config\CustomSecurity\customjssecacerts

3 Restart the Manager service:


a In the Manager, navigate to Start | Run, type cmd, and press ENTER.

b Click the Trellix IPS icon in the taskbar, and select Start Manager.

Customize syslog messages


To customize the syslog message, first ensure that Enable Syslog Notification is set to Yes on the page.
1 Go to, Manager | <Admin Domain Name> | Setup | Notification | Firewall Access Events.

2 Enter the Server name or IP address.

3 Enter the port number.

Note
The page displays the message: Settings successfully saved.

Note
In Message body, the default option is selected as Customized.

After configuring the syslog forwarder, do the following steps to customize the syslog message.

Task
1 Click Edit.
The Customize Syslog Forwarder Message page is displayed. By default, the following audit information parameters are
included in Messages:
• audit action

• audit result

• audit time

These parameters are displayed as: Audit $IV_AUDIT_ACTION$ $IV_AUDIT_RESULT$ at $IV_AUDIT_TIME$


2 Type a message and select (click) the parameters that should be included in Message. The following table lists the parameters that are available in the Message field.

Table 2-5 Syslog variables for audit notification

Syslog variable name Description

$IV_AUDIT_ACTION$ The audit action value based on the action ID that was passed.

$IV_AUDIT_RESULT$ Indicates the stage of auditing (received, succeeded, failed, or ongoing).

$IV_AUDIT_TIME$ Time stamp of the audit message.

$IV_AUDIT_MESSAGE$ The audit message.

$IV_AUDIT_USER$ The username for the audit.

$IV_AUDIT_CATEGORY$ The action taken for the audit.

$IV_AUDIT_DOMAIN$ Name of the domain.

$IV_AUDIT_DETAIL_COMMENT$ Displays committed comments if the audit details are available.

$IV_AUDIT_DETAIL_DELTA$ Displays audit data if the audit details are available.

Caution
For the syslog message to appear correctly, ensure that you use the dollar-sign ($) delimiter immediately before and after each parameter. Example: $ATTACK_TIME$

3 Click Save to save the customized syslog message.
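
As an added illustration (not the Manager's own code), the following Python shows how the Facilities and Result Mapping choices combine into the syslog PRI header, how the $IV_...$ parameters of Table 2-5 are substituted into a custom message (and what happens when a closing $ is missing, as the Caution warns), and how a receiving collector decodes the PRI to pick out failed audit actions. The facility codes are the standard RFC 3164 values; the result mapping and the audit records are constructed sample values, not product defaults.

```python
import re

# RFC 3164 facility codes for the entries in the Facilities drop-down.
FACILITIES = {
    "Security/authorization (code 4)": 4,
    "Security/authorization (code 10)": 10,
    "Log audit (note 1)": 13,
    "Log alert (note 1)": 14,
    "Clock daemon (note 2)": 15,
    **{f"Local user {n} (local{n})": 16 + n for n in range(8)},
}

# Standard syslog severities in the order the Result Mapping field lists them
# (0 is the most urgent).
SEVERITIES = {
    "Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
    "Warning": 4, "Notice": 5, "Informational": 6, "Debug": 7,
}

# Constructed sample Result Mapping (not the product's default): the audit
# result values of $IV_AUDIT_RESULT$ mapped to syslog severities.
RESULT_MAPPING = {"failed": "Error", "succeeded": "Informational", "ongoing": "Notice"}

# Default message template shown on the Customize Syslog Forwarder Message page.
DEFAULT_TEMPLATE = "Audit $IV_AUDIT_ACTION$ $IV_AUDIT_RESULT$ at $IV_AUDIT_TIME$"

# A parameter is only recognised with a '$' immediately before and after it.
VARIABLE_RE = re.compile(r"\$(IV_AUDIT_[A-Z_]+)\$")

# Constructed sample audit records, keyed by the Table 2-5 variable names.
SAMPLE_AUDITS = [
    {"IV_AUDIT_ACTION": "Login", "IV_AUDIT_RESULT": "failed",
     "IV_AUDIT_TIME": "2024-01-15 09:12:03", "IV_AUDIT_USER": "admin",
     "IV_AUDIT_DOMAIN": "My Company", "IV_AUDIT_CATEGORY": "User Management"},
    {"IV_AUDIT_ACTION": "Login", "IV_AUDIT_RESULT": "succeeded",
     "IV_AUDIT_TIME": "2024-01-15 09:12:41", "IV_AUDIT_USER": "admin",
     "IV_AUDIT_DOMAIN": "My Company", "IV_AUDIT_CATEGORY": "User Management"},
    {"IV_AUDIT_ACTION": "Deploy policy", "IV_AUDIT_RESULT": "ongoing",
     "IV_AUDIT_TIME": "2024-01-15 09:15:00", "IV_AUDIT_USER": "admin",
     "IV_AUDIT_DOMAIN": "My Company", "IV_AUDIT_CATEGORY": "Policy"},
]


def render_template(template, audit):
    """Substitute $IV_...$ parameters with values from the audit record.
    Details that are not available (for example $IV_AUDIT_DETAIL_DELTA$)
    render as empty. A parameter with a missing delimiter (the case the
    Caution warns about) does not match and is forwarded literally."""
    return VARIABLE_RE.sub(lambda m: str(audit.get(m.group(1), "")), template)


def priority(facility_name, result):
    """PRI = facility * 8 + severity, the severity coming from the result mapping."""
    return FACILITIES[facility_name] * 8 + SEVERITIES[RESULT_MAPPING[result]]


def build_message(facility_name, template, audit):
    """One forwarded syslog line: '<PRI>' followed by the rendered message."""
    pri = priority(facility_name, audit["IV_AUDIT_RESULT"])
    return f"<{pri}>" + render_template(template, audit)


def forward_all(facility_name, template, audits):
    return [build_message(facility_name, template, a) for a in audits]


def decode_pri(message):
    """Collector side: split the PRI header back into (facility, severity)."""
    m = re.match(r"<(\d{1,3})>", message)
    if m is None:
        raise ValueError("missing PRI header: " + message)
    pri = int(m.group(1))
    return pri // 8, pri % 8


def failed_audits(messages, facility_name="Local user 4 (local4)"):
    """Detection helper: keep the Manager's messages (matched on the facility it
    was configured with) whose severity is Error or more urgent, which under the
    sample mapping are exactly the audits that failed."""
    wanted = FACILITIES[facility_name]
    kept = []
    for msg in messages:
        facility, severity = decode_pri(msg)
        if facility == wanted and severity <= SEVERITIES["Error"]:
            kept.append(msg)
    return kept
```
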

GUI Access

Configuration of LDAP servers


Lightweight Directory Access Protocol (LDAP) is a set of protocols for accessing information directories. LDAP runs on top of
TCP/IP, which is necessary for any type of Internet access. LDAP is used to look up encryption certificates, pointers to printers
and other services on a network, and provide a single sign-on across many services.

LDAP is appropriate for any kind of directory-like information, where fast lookups and less-frequent updates are the standard.

Using the Manager, you can configure LDAP servers at the Manager level. You can configure a maximum of 4 LDAP servers in the Manager. If the first LDAP server is not available for communication due to a network failure, the Manager tries the second or the third server. If authentication fails at any available server, the Manager does not try the remaining servers.

The LDAP action enables you to use LDAP to authenticate existing users on their LDAP server.

Figure 2-38 LDAP Server Configuration


You can configure the LDAP server in the Manager/Central Manager from Manager | <Admin Domain Name> | Setup | GUI
Access | LDAP Authentication.

Note
If LDAP servers are configured with the Central Manager, and the LDAP servers are in private networks while the Managers are in a public network, the LDAP configuration needs to be customized at the Manager so that it reaches the LDAP server through the translated public IP address.

Add an LDAP server

To add the LDAP server configuration in Manager, do the following:

Tasks
• Without SSL enabled on page 167

• With SSL enabled on page 168

Without SSL enabled


Task
1 Select Manager | <Admin Domain Name> | Setup | GUI Access | LDAP Authentication.

2 Click .
The Add an LDAP Server page is displayed.

Figure 2-39 Add an LDAP server

3 Update the following fields to complete adding a new LDAP server:

Option Definition

Enable LDAP Authentication? Select Yes to continue adding the LDAP server.

Enable SSL? Not applicable when not using SSL.

LDAP Server Name or IP Address Type the LDAP server IPv4 or IPv6 address.

Caution: Only use a valid server name, since Trellix IPS does not check to see if the
names are valid. A valid server name is the name of the host on which LDAP server is
configured.

Server Port Type the port number between 0 and 65535. Default port is 389.

Test Connection (Optional) Click to verify that the Manager can connect to the LDAP server.

Save Click to save the changes.

Cancel Click to cancel the changes and exit.

With SSL enabled

Before you begin

Before enabling SSL, perform the following steps to confirm LDAP over SSL is working in the AD server:

1 In the Start menu, select Run.

2 Type ldp.exe and press ENTER.
You see a new window named Ldp.

3 Click Connection.
The Connect pop-up opens.


4 Enter the Fully Qualified Domain Name (FQDN) of the AD server used to generate the certificate in the Server field.

Note
If you enable SSL and use a third-party SSL certificate (for example, Verisign, Thawte, etc.), you must provide the same Fully
Qualified Domain Name (FQDN) or IP address that is provided in the SSL certificate.

5 Select SSL. Confirm that the Port is 636, and then click OK.

Task
1 Select Manager | <Admin Domain Name> | Setup | GUI Access | LDAP Authentication.

2 Click .
The Add an LDAP Server page is displayed.

3 Update the following fields to complete adding a new LDAP server:

Option Definition

Enable LDAP Authentication? Select Yes to continue adding the LDAP server.

Enable SSL? Select the checkbox to enable SSL encryption.

Tip: You have to import the LDAP server’s SSL certificate into the Manager keystore for
authentication. To import the SSL certificate, see Import certificate on page 169.

LDAP Server Name or IP Address Type the LDAP server IPv4 or IPv6 address.

Caution: Only use a valid server name, since Trellix IPS does not check to see if the names are valid. A valid server name is the name of the host on which LDAP server is configured.

Server Port Type the port number between 0 and 65535. Default port is 636.

Test Connection (Optional) Click to verify that the Manager can connect to the LDAP server.

Save Click to save the changes.

Cancel Click to cancel the changes and exit.

Tasks
• Import certificate on page 169

Import certificate


Perform the following steps to import the certificate.

1 Import the CA certificate to the Manager Keystore:


a Copy the exported CA certificate CRT file to <Manager_Install_Dir>\config folder.

Note
Replace all <Manager install directory> with %programfiles%\Trellix\IPS Manager\App.

b In the Manager, navigate to Start | Run, type cmd, and press ENTER.

c Type the following command and press ENTER to import the certificate:
<Manager_Install_Dir>\jre\bin\keytool.exe -import -alias "LDAP Certificate" -keystore <Manager_Install_Dir>\config\CustomSecurity\customjssecacerts -file <Manager_Install_Dir>\config\CustomSecurity\<file name>.crt

d In the Password prompt, type changeit, and press ENTER.

e In the Trust this certificate prompt, type yes.

2 Verify the certificate import:


a In the Manager, navigate to Start | Run, type cmd, and press ENTER.

b Type the following to verify:
<Manager_Install_Dir>\jre\bin\keytool.exe -list -keystore <Manager_Install_Dir>\config\CustomSecurity\customjssecacerts

3 Restart the Manager service:


a In the Manager, navigate to Start | Run, type cmd, and press ENTER.

b Click the Trellix IPS icon in the taskbar, and select Start Manager.

Edit an LDAP server

Task
1 Select Manager | <Admin Domain Name> | Setup | GUI Access | LDAP Authentication.

Note
To edit an LDAP server in the Central Manager, select Manager | <Admin Domain Name> | Setup | GUI Access | LDAP Authentication.

2 Select a server and click .
You can either enable or disable the LDAP server. You can also change the Server Port value and enable or disable SSL.

3 Follow the steps as in Add an LDAP server on page 167.

4 Click Save.


Delete an LDAP server

Task
1 Select Manager | <Admin Domain Name> | Setup | GUI Access | LDAP Authentication.

Note
To delete an LDAP server in the Central Manager, select Manager | Setup | GUI Access | LDAP Authentication.

2 Select a server and click .

3 Click OK in the confirmation page to delete the LDAP server.
The LDAP server is deleted.

Test connection status

Task
1 Select Manager | <Admin Domain Name> | Setup | GUI Access | LDAP Authentication.

Note
To test the connection status with the LDAP server and Central Manager, select Manager | Setup | GUI Access | LDAP Authentication.

2 Select a server and click Test Connection.
Verify that the Manager can connect to the LDAP server.

Configuration of RADIUS server in the Manager


Remote Authentication Dial In User Service (RADIUS) is an AAA (authentication, authorization and accounting) protocol for
applications such as network access.

While connecting to the internet using a modem, you are required to enter a username and password. The information is
passed through a Network Access Device (NAD) device, and then to a RADIUS server over the RADIUS protocol. The RADIUS
server checks if the information is correct using authentication schemes like PAP, CHAP, and EAP-MD5. If accepted, the server
will authorize the access.

Using the Manager, you can configure RADIUS servers at the Manager level. You can configure a maximum of 4 RADIUS servers in the Manager. If the first RADIUS server is not available for communication due to a network failure, the Manager tries the second or the third server. If authentication fails at any available server, the Manager does not try the remaining servers.


The RADIUS action enables you to use RADIUS to authenticate existing users on their RADIUS server. Trellix IPS supports the
PAP, CHAP, and EAP-MD5 schemes of RADIUS authentication.

Note
When EAP-MD5 scheme is selected, the Manager internally authenticates requests that use MS-CHAPv2.

Figure 2-40 RADIUS Server Configuration

You can configure the RADIUS authentication in the Manager from Manager | <Admin Domain Name> | Setup | GUI Access |
RADIUS Authentication.

Note
For the Central Manager, you can configure RADIUS authentication from Manager | Setup | GUI Access | RADIUS Authentication.

Add a RADIUS server

To add the RADIUS server configuration in Manager, do the following:

Task
1 Select Manager | <Admin Domain Name> | Setup | GUI Access | RADIUS Authentication.

Note
To add a RADIUS server in the Central Manager, select Manager | Setup | GUI Access | RADIUS Authentication.

2 Click .
The Add a RADIUS Server page is displayed.

3 Select Yes next to Enable RADIUS Authentication?.

4 Type the RADIUS Server Name or IP Address (IPv4 or IPv6 address).

Caution
Only use a valid server name, since Trellix IPS does not check to see if the names are valid. A valid server name is the name of the host
on which RADIUS server is configured.

Type the RADIUS Server Port. The port number should be between 0 and 65535 (default = 1812).

5 Type a Shared Secret Key that is required on both the Manager and the RADIUS server. The Shared Secret key is same as
entered in the RADIUS server during configuration.


6 Select the Connection Time Out (in milliseconds).
This time determines how long the Manager should wait for authentication. Three attempts are made to connect before a timeout occurs, so the value you enter is how long Trellix IPS waits between attempts before timing out (default = 6000 milliseconds).

7 (Optional) Click Test Connection to verify that the Manager can connect to the RADIUS server.

Note
If Manager Disaster Recovery (MDR) is enabled, both the Primary and Secondary Manager IP addresses must be registered in the RADIUS
server.

8 Click Save to save your changes.

Note
If RADIUS servers are configured with the Central Manager, and the RADIUS servers are in private networks while the Managers are in a public network, the RADIUS configuration needs to be customized at the Manager so that it reaches the RADIUS server through the translated public IP address.

Edit a RADIUS server

Task
1 Select Manager | <Admin Domain Name> | Setup | GUI Access | RADIUS Authentication.

Note
To edit RADIUS server settings in the Central Manager, select Manager | Setup | GUI Access | RADIUS Authentication.

2 Select a server and click .
You can either enable or disable the RADIUS server. You can also change the Server Port or the Connection Time Out value.

3 Follow the steps as in Add a RADIUS server on page 172.

4 Click Save.

Delete a RADIUS server

Task
1 Select Manager | <Admin Domain Name> | Setup | GUI Access | RADIUS Authentication.

Note
To delete RADIUS server settings in the Central Manager, select Manager | Setup | GUI Access | RADIUS Authentication.

2 Select a server and click .

3 Click OK in the confirmation page to delete the RADIUS server.
The RADIUS server is deleted.


Test connection status

Task
1 Select Manager | <Admin Domain Name> | Setup | GUI Access | RADIUS Authentication.

Note
To test the connection status of RADIUS server settings in the Central Manager, select Manager | Setup | GUI Access | RADIUS
Authentication.

2 Select a server and click Test Connection.
Verify that the Manager can connect to the RADIUS server.

Authentication of access to the Manager using CAC/PIV


Common Access Card (CAC) and Personal Identification Verification (PIV) are smart cards that are used for general identification
as well as authentication of user access to secure networks. CAC/PIV holds a unique digital certificate and user information,
such as photograph, personal identification number (PIN), and signature, to identify each user. Trellix IPS provides an option for
authentication of users to log onto the Manager based on their smart card verification.

Authentication to the Manager using CAC/PIV requires a smart card reader connected to the Manager client workstation. The
administrator inserts the CAC/PIV into the smart card reader and opens the Manager UI through the web browser. The
Manager sends an SSL certificate to the client and requests the user’s certificate from the browser. The browser validates if the
Manager's certificate is signed by a trusted Certificate Authority. The browser then selects the user’s certificate by prompting
the user if required. The browser retrieves the selected certificate from the smart card which triggers the CAC/PIV interface
software (called middleware) to request the user PIN associated with the smart card. The user must correctly enter the PIN to
unlock the smart card.

The Manager validates the following attributes of the user’s certificate:

• If the certificate is signed by a trusted Certificate Authority (CA)

• If the certificate is valid and has not been revoked

• When the certificate was last validated

The Manager extracts the common name from the user’s certificate and checks for a matching administrator account in the
Manager with that common name. If the match is successful, a secure session is established and the user is logged into the
Manager.

To validate the user’s certificate, the trust chain is validated by two CA certificates. The first validation is that the client's
certificate is signed by the intermediary CA. Then the intermediary CA certificate is validated by verifying if it was signed by the
root CA which is trusted. The root CA is a self-signed CA that is used to sign the intermediary CA certificates.
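
As an added example (not the Manager's own code), the following Python applies the same checks in order: the two-level signature chain, each certificate's validity period, an expiry fault for trusted CA certificates using the Expiration Threshold (days) setting described later under Enable the CAC authentication, and a common-name match against Manager account names. It uses the Python cryptography library and builds a constructed test chain in place of the certificates exported from a CAC card; revocation checking (OCSP) is deliberately not performed here.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Expiration Threshold (days) from the CAC Authentication Settings tab; the
# guide allows 30 to 60. The value 30 is a constructed choice for this example.
EXPIRATION_THRESHOLD_DAYS = 30


def _make_cert(subject_cn, issuer_cert, issuer_key, key, is_ca, days_valid):
    """Build a test certificate; issuer_cert=None yields a self-signed root."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=1))
            .not_valid_after(now + timedelta(days=days_valid))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def build_test_chain(user_cn, leaf_days=365, inter_days=1825):
    """Constructed root -> intermediate -> user chain standing in for the
    certificates exported from a CAC card. Returns (root, intermediate, leaf)."""
    root_key, inter_key, user_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _make_cert("Test Root CA", None, root_key, root_key, True, 3650)
    inter = _make_cert("Test Intermediate CA", root, root_key, inter_key, True, inter_days)
    leaf = _make_cert(user_cn, inter, inter_key, user_key, False, leaf_days)
    return root, inter, leaf


def common_name(cert):
    """The CN the Manager compares against its administrator account names."""
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def _validity(cert):
    """(not_before, not_after) as tz-aware datetimes across cryptography versions."""
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=timezone.utc)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
    return nb, na


def _signed_by(cert, issuer):
    """True when cert names issuer as its issuer and issuer's key verifies the signature."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:  # InvalidSignature, or a key type this example does not handle
        return False


def validate_cac_login(leaf, intermediate, root, accounts, now=None):
    """Chain of trust (leaf signed by the intermediate, intermediate signed by the
    self-signed root), validity periods, expiry faults for the trusted CA
    certificates, then a Manager account whose name equals the leaf CN.
    Returns (ok, reason, faults)."""
    now = now or datetime.now(timezone.utc)
    faults = []
    if not _signed_by(root, root):
        return False, "root CA is not self-signed", faults
    if not _signed_by(intermediate, root):
        return False, "intermediate CA is not signed by the trusted root", faults
    if not _signed_by(leaf, intermediate):
        return False, "user certificate is not signed by the intermediate CA", faults
    for cert in (root, intermediate, leaf):
        not_before, not_after = _validity(cert)
        if not (not_before <= now <= not_after):
            return False, f"{common_name(cert)} is outside its validity period", faults
    # Raise Fault for Expiring Certificates: warn on trusted CA certificates
    # that expire within the configured threshold.
    for cert in (root, intermediate):
        days_left = (_validity(cert)[1] - now).days
        if days_left <= EXPIRATION_THRESHOLD_DAYS:
            faults.append(f"{common_name(cert)} expires in {days_left} days")
    user = common_name(leaf)
    if user not in accounts:
        return False, f"no Manager account named {user!r}", faults
    return True, f"authenticated {user!r}", faults
```
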

At a high level, authenticating user access to the Manager through CAC/PIV is a five-step process:

• Obtain the CA certificates

• Import the CA certificates

• Set up CAC users in the Manager

• Enable the CAC authentication

• Log on to the Manager using the CAC/PIV authentication


Obtain the CA certificates

Obtain the intermediate and root certificates in the certificate chain of your CAC cards. To obtain the CAC certificates, perform
the following steps:

Task
1 Plug in the CAC card reader to the Windows client machine used to access the Manager. The drivers for the smart card reader are installed and detected automatically. If the drivers are not installed automatically, install the drivers for the smart card reader manually.
To troubleshoot problems with CAC card reader installation, see Installing and updating the CAC reader driver/Firmware
update/Check services to make sure Smart Card is running.

2 Once the CAC card reader is active, plug in the CAC card.

3 In the Internet Explorer browser, navigate to Internet Options | Content | Certificates | Personal.
The certificates of the card are available in the Personal tab. There are three certificates corresponding to the card's user,
two for email and one for ID.

4 Select the certificate for ID and click View.

The Certificate window with the details of the certificate opens.

5 The Certification path tab lists the chain of the certificate.

6 Select the intermediate certificate which is the issuer of the leaf and click View Certificate to view the intermediate
certificate.

7 Go to the Details tab in the Certificate window and click Copy to File. This allows you to export the certificate. Choose any of the .cer formats and save it to a file. Trellix recommends the Base-64 encoded option, as it is compatible with the Manager. Create a new folder for the certificates named "Saved intermediate and root certificates".

8 Repeat the process for the root certificate and save that to a file as well.

Note
The root and intermediate certificates can be obtained simultaneously by obtaining the certificate chain.

9 Convert the certificates to .pem format and save them in a separate file.


Import the CA certificates

Import the intermediate and root certificates in the certificate chain of your CAC cards to the Manager. To import the CAC
certificates, perform the following steps:

Task
1 Log in to the Manager GUI.

2 Go to Manager | <Admin Domain Name> | Setup | GUI Access | CAC Authentication.
The CAC Authentication page opens.

3 In the Trusted Certificates tab, click .

4 In the Import dialogue box, click Browse.

5 Browse to the directory that contains the certificate chain and click Open.

Note
The CAC certificate should be in .pem format.


6 Provide an Alias for the certificate and click Import.

7 Click .
The Manager imports the certificate to its keystore and the details of the certificate are displayed on the Trusted
Certificates tab.

Note
Click Save as CSV to export the trusted certificates details as .csv file.

Set up CAC users in the Manager

Task
1 Connect the smart card reader to your Manager client through a USB port.
The smart card reader can be connected to a Manager server, if the server doubles up as a Manager client.
• Refer to the card reader manufacturer's recommendations for the necessary device drivers to be installed.

• Install the ActivID ActivClient CAC software on the Manager client.

Note
Trellix currently supports integration with smart card reader model SCR3310 from TxSystems. Other smart card readers will also work
but have not been tested by Trellix.

2 Insert a card into the card reader.


3 Open the ActivClient software | Smart Card Info | User Name.
The user name is available in the CN field under Subject in the Certificate details window. The user name is a combination of alphanumeric characters and a few special characters like "." or spaces. For example, "BROWN.JOHN.MR.0123456789".

4 Log on to the Manager and create a user with exactly the same name as in the CN field, that is,
"BROWN.JOHN.MR.0123456789". The match is exact: case, dots and spaces must all agree.

Note
If you have RADIUS/LDAP servers in your setup for external authentication, an additional field Authentication Type will be displayed in
the Manager with the following choices: Local, LDAP, RADIUS:PAP, and RADIUS:CHAP.
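The two preparation steps above, getting the CA chain into one .pem file per certificate (step 9 of the previous procedure) and naming the Manager account after the card certificate's CN, as an added example in Python. This is not code from the Trellix guide; the function names, the sample subject DN and the DER bytes are constructed for illustration, and SAMPLE_DER is a placeholder byte string rather than a real X.509 certificate.

```python
"""Added example (not from the Trellix guide): prepare the CAC CA chain for
import (one .pem file per certificate, DER inputs converted to PEM) and derive
the Manager user name from a card certificate's subject DN, matching it the way
the Manager does: exactly, case-sensitively, against the CN.

Assumptions: the function names, SAMPLE_SUBJECT and SAMPLE_DER are constructed;
SAMPLE_DER is not a real certificate.
"""
import base64
import re
from pathlib import Path

PEM_HEADER, PEM_FOOTER = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_CERT = re.compile(re.escape(PEM_HEADER) + r"\r?\n.*?\r?\n" + re.escape(PEM_FOOTER), re.DOTALL)
# The CN on a CAC is alphanumeric plus a few specials such as "." and spaces.
CN_ALLOWED = re.compile(r"^[A-Za-z0-9. ]+$")


def to_pem(cert: bytes) -> str:
    """Return PEM text for a certificate supplied as DER (binary) or already as PEM."""
    if cert.lstrip().startswith(PEM_HEADER.encode()):
        return cert.decode("ascii")
    body = base64.b64encode(cert).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]   # 64-column base64, as openssl writes it
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of to_pem; rejects text without the certificate armour."""
    lines = pem.strip().splitlines()
    if lines[0].strip() != PEM_HEADER or lines[-1].strip() != PEM_FOOTER:
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(l.strip() for l in lines[1:-1]), validate=True)


def split_chain(bundle: str) -> list:
    """Split a chain file (root and intermediates in one file) into separate PEM certificates."""
    return [m.group(0) + "\n" for m in PEM_CERT.finditer(bundle)]


def write_separate_pem_files(bundle: str, outdir: Path, prefix: str = "cac-ca") -> list:
    """Save each certificate of the chain in its own .pem file, ready for import."""
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, pem in enumerate(split_chain(bundle), start=1):
        path = outdir / f"{prefix}-{i}.pem"
        path.write_text(pem, encoding="ascii")
        paths.append(path)
    return paths


def parse_dn(dn: str) -> dict:
    """Parse an RFC 4514 string DN such as 'CN=...,OU=...,O=...,C=US' into an
    {attribute: value} map. Backslash-escaped commas inside values are kept, and
    for a repeated attribute the first (leftmost, most specific) value wins."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):        # escaped character, e.g. "\,"
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    result = {}
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        result.setdefault(attr.strip().upper(), value.strip())
    return result


def manager_user_name(subject_dn: str) -> str:
    """The Manager account must be named exactly as the card's CN, for example
    'BROWN.JOHN.MR.0123456789': same case, dots and spaces."""
    cn = parse_dn(subject_dn).get("CN", "")
    if not CN_ALLOWED.match(cn):
        raise ValueError(f"subject has no usable CN: {subject_dn!r}")
    return cn


def cac_user_matches(subject_dn: str, manager_users: set) -> bool:
    """True only on an exact match; 'brown.john.mr.0123456789' would not match."""
    return manager_user_name(subject_dn) in manager_users


# Constructed sample input (not a real CAC); the DN shape follows the guide's CN example.
SAMPLE_SUBJECT = "CN=BROWN.JOHN.MR.0123456789,OU=CONTRACTOR,OU=PKI,OU=DoD,O=U.S. Government,C=US"
SAMPLE_DER = b"\x30\x82\x01\x04" + bytes(range(256))   # placeholder bytes, not an X.509 blob
```

Run `write_separate_pem_files(Path("chain.pem").read_text(), Path("cac-ca"))` on an exported chain to get the per-certificate files the import dialog expects; `manager_user_name` shows why a Manager account created as "brown.john.mr.0123456789" fails the logon check in the troubleshooting tips.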

Enable the CAC authentication

The CAC authentication feature is disabled by default. You must set up the CAC user accounts and import the CAC
certificates into the Manager before enabling it.

To enable CAC, do the following:

Task
1 Log in to the Manager GUI.

2 Go to Manager | <Admin Domain Name> | Setup | GUI Access | CAC Authentication.
The CAC Authentication page opens.

3 In the Settings tab, configure the CAC Authentication as needed.

The table below describes the fields available for configuration:

Field Description

CAC Support Enabled Select the checkbox to enable CAC Authentication. By default, the CAC Authentication is
disabled.

Raise Fault for Expiring Select the checkbox to configure the Manager to generate faults when a trusted certificate is
Certificates about to expire.

Expiration Threshold (days) Number of days before a trusted certificate expires at which the Manager generates a fault.

Note: The Expiration Threshold (days) can be within the range of 30 to 60 days only.

Note: The Expiration Threshold (days) can be configured only when the Raise Fault for Expiring
Certificate option is enabled.

Enable OCSP Support Select the checkbox to enable OCSP Support. By default, the OCSP Support is disabled.

OCSP Options

OCSP URL Select Default to use the OCSP URL defined in the trusted certificate or Custom to configure a
unified OCSP URL for all trusted certificates in the Manager.

Custom URL Specify the OCSP URL for authenticating the trusted certificates.

Note: The Custom URL field is available only when you have the OCSP URL option set to
Custom.

Require OCSP Re-Check Select Yes to re-verify the status of the trusted certificate with the OCSP responder at a fixed interval.

Re-Check Interval Specify the duration in minutes after which the status of the trusted certificate is
(minutes) rechecked.

Note: The Re-Check Interval (minutes) can be within the range of 30 to 1440 minutes only.

Note: The Re-Check Interval (minutes) can be configured only when the Require OCSP
Re-Check option is enabled.

4 Click Save.

5 Log in to the Manager shell.

6 Stop the Manager service using the manager stop command.

7 Restart the Manager service using the manager start command.

Log on to the Manager using the CAC/PIV authentication

Task
1 Insert a card into the card reader.

2 Start a fresh browser session for the Manager.


You are prompted to choose the CAC/PIV certificate.

3 Select the certificate.


You are prompted to enter the PIN.

4 Enter the PIN.


A maximum of 3 PIN attempts is allowed, after which the card is locked. A locked CAC/PIV card cannot be unlocked from the
Manager and has to be replaced.
If the user name, certificate, and PIN match, you are directly given access to the Manager Home Page.

Delete a trusted certificate from the Manager

You can delete a previously added trusted certificate from the Manager.

Task
1 Log in to the Manager.

2 Go to Manager | <Admin Domain Name> | Setup | GUI Access | CAC Authentication.

The CAC Authentication page opens.

3 Click Trusted Certificates.

4 Select the certificate from the Trusted Certificates section.

5 Click the delete icon.

The Confirmation dialog box opens.

6 Click OK to confirm deletion.

Troubleshooting tips

• If no card is inserted in the card reader, the Manager is not accessible in this setup.

• When users authenticate through CAC, they do not enter a Manager user name and password at logon.

• A CA certificate that is already present in the Manager's Trusted Certificates cannot be imported a second time.

• If a CA certificate cannot be imported, verify that the certificate is valid and has not expired.

• If the relevant CA is imported into the Manager but the Manager Login page does not load, check whether a firewall is
blocking access to destination port 443 on the Manager server.

• If the Manager Login page loads but logon fails, the user name on the CAC card does not match a user name in the
Manager database. Verify that the Manager user name exactly matches the CN on the card, including case, dots and spaces.

Authorization for Manager access


By default, any host can access Manager/Central Manager from any IP address. You can allow access to specific hosts by
enabling GUI Access from Manager | <Admin Domain Name> | Setup menu and defining the list of authorized hosts/
networks.

Note
You need to have at least one authorized host to enable GUI Access.

All attempts by authorized and unauthorized hosts to access your Manager are logged in the user activity log, which you can
access from the View User Activity Audit Log link in the page.

Enable GUI Access

In the Manager, to configure authorized hosts:

Task
1 Select Manager | <Admin Domain Name> | Setup | GUI Access | Logon Control.

Note
In the Central Manager, select Manager | Setup | GUI Access | Logon Control. The fields displayed are similar to that in Manager,
explained below.

Figure 2-41 GUI Access Control Configuration

2 At Allow Access to this Web-Based User Interface from, select Any endpoint (the default) to accept connections from any
host, or restrict access to the authorized networks you define below.
The Enable Audit Logging for Access Attempts by option becomes available. Select Authorized Endpoints or Unauthorized
Endpoints, and click the View User Activity Audit Log link to see the audit log messages.

3 Click Save.
You can now define the list of hosts to access your Manager. You can do this by adding, editing and deleting CIDR networks.

Add a network from Logon Control

You can enter an IPv4 or IPv6 network in the Logon Control page of the Manager.

To add a network in the Logon Control page, do the following:

Task
1 Select Manager | <Admin Domain Name> | Setup | GUI Access | Logon Control.

Note
In the Central Manager, select Central Manager | Setup | GUI Access | Logon Control. The fields displayed are similar to that in
Manager, explained below.

2 Click the add icon.
The Add a Network page is displayed.

Figure 2-42 Add a Network Dialog

3 In Network, enter the IP address (IPv4 or IPv6) and the prefix length.
Enter a Description (optional).

4 Click Save.

Edit a CIDR network

Task
1 Select Manager | <Admin Domain Name> | Setup | GUI Access | Logon Control.

Note
In the Central Manager, select Manager | Setup | GUI Access | Logon Control. The fields displayed are similar to that in Manager,
explained below.

2 Select a CIDR network and click the edit icon.
The Edit the Network page is displayed.

3 Make the changes and click Save.

Delete a CIDR network

Task
1 Select Manager | <Admin Domain Name> | Setup | GUI Access | Logon Control.

Note
In the Central Manager, select Manager | Setup | GUI Access | Logon Control. The fields displayed are similar to that in Manager,
explained below.

2 Select a CIDR network and click the delete icon.

3 Click OK in the confirmation page to delete CIDR network.


The CIDR network is deleted.

User activity log error messages

Fault                     Fault Description                                                                 Category

Authorized endpoints      User "<user name>" with login id "<login ID>" successfully logged into the        User
                          Manager from "<IP address>". Login URI: <login URI>, URI referrer: <referrer>,
                          protocol: <protocol>.

Unauthorized endpoints    User "<user name>" failed to log into Manager from "<IP address>". Login URI:    User
                          <login URI>, URI referrer: <referrer>, protocol: <protocol>.
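The Logon Control allow-list and the audit messages in the table above, as an added example in Python: an offline model of the CIDR allow-list (IPv4 and IPv6, including an IPv4 client that arrives as an IPv4-mapped IPv6 address), the log lines in the tabulated format, and a small detector that counts failed attempts per source address from such lines. This is not the Manager's own code; the class and function names are mine, and the networks, user names, addresses (documentation ranges) and log excerpt are constructed.

```python
"""Added example (not from the Trellix guide): an offline model of the Logon
Control allow-list (IPv4/IPv6 CIDR networks allowed to reach the Manager GUI),
the user activity log lines in the format the guide tabulates, and a detector
that counts failed attempts per source from such lines.

Assumptions: the class and function names are mine; the networks, user names,
addresses (RFC 5737/3849 documentation ranges) and SAMPLE_LOG are constructed.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass, field


def is_valid_cidr(text: str) -> bool:
    """Accept 'network/prefix' only; host bits set (10.1.2.3/24) are rejected."""
    try:
        ipaddress.ip_network(text, strict=True)
        return True
    except ValueError:
        return False


@dataclass
class LogonControl:
    allow_any_endpoint: bool = True                 # the guide's default
    networks: list = field(default_factory=list)    # [(ip_network, description)]
    log_authorized: bool = True                     # Enable Audit Logging for Access Attempts by
    log_unauthorized: bool = True

    def add_network(self, cidr: str, description: str = "") -> None:
        if not is_valid_cidr(cidr):
            raise ValueError(f"not a CIDR network: {cidr}")
        self.networks.append((ipaddress.ip_network(cidr, strict=True), description))

    def remove_network(self, cidr: str) -> bool:
        net = ipaddress.ip_network(cidr, strict=True)
        before = len(self.networks)
        self.networks = [(n, d) for n, d in self.networks if n != net]
        return len(self.networks) < before

    def is_authorized(self, client_ip: str) -> bool:
        if self.allow_any_endpoint:
            return True
        if not self.networks:   # the guide: at least one authorized host is required
            raise ValueError("GUI Access is restricted but no network is authorized")
        addr = ipaddress.ip_address(client_ip)
        # An IPv4 client arriving over an IPv6 socket appears as ::ffff:a.b.c.d;
        # compare it against the IPv4 networks instead of rejecting it outright.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        return any(addr in net for net, _ in self.networks)


def access_attempt_log(ctl, user_name, login_id, client_ip, login_uri, referrer, protocol):
    """Return (category, message) in the guide's format, or None when logging
    for that outcome is switched off."""
    tail = f"Login URI: {login_uri}, URI referrer: {referrer}, protocol: {protocol}."
    if ctl.is_authorized(client_ip):
        if not ctl.log_authorized:
            return None
        return ("User", f'User "{user_name}" with login id "{login_id}" successfully logged '
                        f'into the Manager from "{client_ip}". {tail}')
    if not ctl.log_unauthorized:
        return None
    return ("User", f'User "{user_name}" failed to log into Manager from "{client_ip}". {tail}')


FAILED = re.compile(r'^User "(?P<user>[^"]*)" failed to log into Manager from "(?P<ip>[^"]+)"\.')


def failed_logins_by_ip(lines) -> dict:
    """Count unauthorized-endpoint lines per source address; a source that keeps
    failing from outside the allow-list is worth a firewall check."""
    hits = Counter()
    for line in lines:
        m = FAILED.match(line.strip())
        if m:
            hits[m.group("ip")] += 1
    return dict(hits)


# Constructed sample log excerpt (not captured from a Manager).
SAMPLE_LOG = """\
User "soc-analyst" with login id "soc1" successfully logged into the Manager from "10.20.0.15". Login URI: /login, URI referrer: -, protocol: https.
User "admin" failed to log into Manager from "203.0.113.7". Login URI: /login, URI referrer: -, protocol: https.
User "admin" failed to log into Manager from "203.0.113.7". Login URI: /login, URI referrer: -, protocol: https.
User "backup-op" failed to log into Manager from "198.51.100.9". Login URI: /login, URI referrer: -, protocol: https.
"""
```

The `strict=True` check in `add_network` mirrors the CIDR entry the Add a Network page asks for; the IPv4-mapped handling matters when the Manager is reached over IPv6, because an allow-list of only IPv4 networks would otherwise reject legitimate IPv4 clients.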

Add a Manager logon banner


The logon banner option enables you to upload your company logo (or any other relevant image) and customized text on the
Manager logon page.

The banner image must be 100x35 pixels, and only .jpeg and .png files are supported. Images of other sizes are resized to
100x35.

To upload a logon banner, do the following:

Task
1 Select Manager | <Admin Domain Name> | Setup | GUI Access | Logon Banner

Note
In the Central Manager, select Manager | Setup | GUI Access | Logon Banner. The fields displayed are similar to that in Manager,
explained below.

Figure 2-43 Logon Banner

2 Provide the following information:


• Enable — Select Yes to allow the logon banner to be displayed and select No not to display the logon banner.

• Banner Text — Type the required text to be displayed.

• Banner Image — Browse to select the banner image that you want to upload.

• Current banner Image — Specifies the current banner image.

3 Click Save to save the changes.

Configure session control settings


Session Control lets you close Manager/Central Manager sessions automatically after a period of inactivity.

Only requests that reach the Manager count as activity, not keystrokes in the browser. For example, typing into the Add a
User page does not reset the inactivity timer; the session still times out unless you click Submit, which counts as an
activity. Opening pages such as Port Settings and IPS Policies also counts as activity.

Figure 2-44 Inactivity timeout duration and message setup

Perform the following steps to set this option:

Task
1 Select Manager | <Admin Domain Name> | Setup | GUI Access | Session Control.

Note
In the Central Manager, select Manager | Setup | GUI Access | Session Control. The fields displayed are similar to that in Manager,
explained below.

2 Set the following options:

Field Description

Limit the Number of Select this option and set the maximum value to 1.
Concurrent Sessions
a User Can Open?

Session Options The session options let you close idle Manager sessions automatically. A session counts as active
only while the Manager receives requests from it (page loads and submitted forms); mouse clicks or
typing in a form that is not submitted do not reset the inactivity clock.
Select Automatically close user sessions after X minutes of inactivity. Set the time to 15
minutes.

Warning Interval This option appears only if you have opted to automatically close a user session after a set
period.
Set a value between 1 and 43,200 minutes as per your site's policy. The administrator is warned
before the session is timed out due to inactivity.

Note: The warning interval must be less than the inactivity timeout.
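The Session Control rules above, as an added example in Python rather than code from the guide: a small model in which only server-side events (Submit, or opening a page) reset the inactivity clock while keystrokes do not, a warning state precedes the timeout, and a user holding one session cannot open a second while the limit is 1. The class and method names are mine, time is measured in minutes on a single clock, and the Manager's own session handling is not documented on this page.

```python
"""Added example (not from the Trellix guide): a model of the Session Control
rules. Only server-side events reset the inactivity clock, a warning precedes
the timeout, and with the limit set to 1 a user cannot open a second concurrent
session until the first one closes.

Assumptions: the class and method names are mine; time is in minutes on one clock.
"""
from dataclasses import dataclass, field


@dataclass
class SessionPolicy:
    max_concurrent_per_user: int = 1
    inactivity_timeout_min: int = 15     # the guide's recommended value
    warning_interval_min: int = 5        # 1..43200 and less than the timeout

    def __post_init__(self):
        if not 1 <= self.warning_interval_min <= 43_200:
            raise ValueError("Warning Interval must be between 1 and 43,200 minutes")
        if self.warning_interval_min >= self.inactivity_timeout_min:
            raise ValueError("Warning Interval must be less than the inactivity timeout")


def policy_is_valid(timeout_min: int, warning_min: int) -> bool:
    """True when the pair of values would be accepted by SessionPolicy."""
    try:
        SessionPolicy(inactivity_timeout_min=timeout_min, warning_interval_min=warning_min)
        return True
    except ValueError:
        return False


@dataclass
class SessionTable:
    policy: SessionPolicy
    sessions: dict = field(default_factory=dict)    # session_id -> (user, last_event_min)

    def _expire(self, now_min: float) -> None:
        stale = [s for s, (_, last) in self.sessions.items()
                 if now_min - last >= self.policy.inactivity_timeout_min]
        for s in stale:
            del self.sessions[s]             # closed automatically by the timeout

    def open(self, session_id: str, user: str, now_min: float) -> bool:
        """Start a session; refused while the user already holds the allowed number."""
        self._expire(now_min)
        held = sum(1 for u, _ in self.sessions.values() if u == user)
        if held >= self.policy.max_concurrent_per_user:
            return False
        self.sessions[session_id] = (user, now_min)
        return True

    def keystroke(self, session_id: str, now_min: float) -> None:
        """Typing into a form such as Add a User is not an event: no state change."""

    def event(self, session_id: str, now_min: float) -> None:
        """Submit, or opening a page such as Port Settings, counts as activity."""
        user, _ = self.sessions[session_id]
        self.sessions[session_id] = (user, now_min)

    def state(self, session_id: str, now_min: float) -> str:
        """'active', 'warning' (timeout due within the warning interval) or 'closed'."""
        self._expire(now_min)
        if session_id not in self.sessions:
            return "closed"
        _, last = self.sessions[session_id]
        idle = now_min - last
        if idle >= self.policy.inactivity_timeout_min - self.policy.warning_interval_min:
            return "warning"
        return "active"
```

With the defaults (15-minute timeout, 5-minute warning), a session that last sent a request at minute 0 shows the warning from minute 10 and is closed at minute 15 regardless of what has been typed into an unsubmitted form in between.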

Configure password complexity settings


The Password Control page allows administrators to set password requirements such as Password Strength, Password
History, Password Expiration, and Account Lockout.

Select Manager | <Admin Domain Name> | Setup | GUI Access | Password Control.

Note
In the Central Manager, select Manager | Setup | GUI Access | Password Control. The fields displayed are similar to that in Manager,
explained below.

The Password Control page appears.

Figure 2-45 Password Control page

Tasks
• Set up account lockout parameters on page 188

Password strength

Ensure the Require Strong Passwords? check box is selected. To strengthen your password use the fields in this section to set
parameters.

Field Description

Minimum Password Length Set the minimum password length to 15 characters.

Require Uppercase Letters Select this option and set the minimum value to 2.

Require Lowercase Letters Select this option and set the minimum value to 2.

Require Numbers Select this option and set the minimum value to 2.

Require Special Characters Select this option and set the minimum value to 2.

Password Cannot be the Same Select this option to ensure that the user does not enter the same set of characters as
as Login ID Login ID and Password.
For example: If the Login ID is admin1, the Manager must disallow the user from entering
the password as 'admin1'.

Password History

Ensure the Track Previous Password Usage: check box is selected. Use the fields in this section to ensure that the previously
set passwords are not repeatedly used:

Field Description

Number of Characters that must be Changed Set the number of characters that must be changed between 1 and 8.

Number of Previous Passwords to Track Set the number of passwords to track to 10.

Password Expiration

If you try to log on after your password has expired, the following message is displayed:

Login failed: Account has been locked due to password expiration, contact your Administrator.

Ensure the Expire Passwords: check box is selected. Use the fields in this section to ensure that the passwords are changed at
regular intervals:

Field Description

Time to Wait Before Set the time to wait before new passwords can be changed between 0 and 72 hours.
New Passwords Can
Be Changed

Passwords Expire Set the passwords expiry period between 1 and 180 days.
After

Warning Interval Set the warning interval as per your requirement.

Note: The warning interval you set should be at least 1 day less than the password expiry period. For
example, if the password is expiring after 5 days, the warning interval should be set between 1 and 4
days. That way, if you are setting the password to expire in 1 day, you should set the warning interval to
0 days.

Get Email Select this check box to enable email notifications for expiring passwords. The Manager sends these
Notification for email notifications to the users when their passwords are about to expire. These emails are sent every
Expiring Password day until the last day of expiry. For example, if you set the warning interval as 4 days, the user
receives 1 email everyday for 4 days before the password expires.

Note: The emails are sent to the user's email ID which was specified during user creation.

Note: This feature works only when the E-mail Server is configured.

Note:
• In case of a Central Manager setup that manages multiple Managers, the Central Manager
sends the email notifications to the users added in it.
• In case of a Manager Disaster Recovery (MDR) setup that involves a primary and a
secondary Manager, users will receive email notifications from only one of the Managers
in the MDR pair.

Set up account lockout parameters

Ensure the Login Failure and/or Inactivity check boxes are selected. Use the fields in this section to set the parameters based
on which a user account would be locked:

Field Description

Number of Consecutive Login Failures Set the maximum number of unsuccessful login attempts to 3.

Prevent Login For Set the duration of lock out field between 1 and 1440 minutes.

Lock Inactive Users After Set the number of days to lock the inactive users between 1 and 180 days.

Note: Admin user can never be marked as inactive.

After selecting the required parameters, any new user created henceforth will comply with the password policy enabled. The
password policy can be enabled only at the root admin domain level.

Tasks
• Display account lockout message on page 188

Display account lockout message


If you enter the Login ID and Password after exceeding the allowed number of login attempts, the following message is displayed.

Login failed: Maximum allowable login attempts <number of login attempts configured> have exceeded. Your account is
locked for <duration configured> minutes. Please check your credentials and retry after <duration configured> minutes. If
you still have a problem, contact your Administrator.

A similar message appears for password expiration and account locked for timeout.

Figure 2-47 Sample Account Lock Message
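The Password Control rules described above (strength, history, minimum age, expiration with a warning interval, and lockout after consecutive failures or inactivity), as an added example in Python with the guide's recommended values as defaults. This is not the Manager's implementation: the class and function names, the PBKDF2 hashing, the definition of "characters changed" (differing positions plus the length difference), the hours-based clock and the sample accounts are my assumptions.

```python
"""Added example (not from the Trellix guide): a checker for the Password Control
rules with the guide's recommended values as defaults. Assumptions: the names,
the PBKDF2 hashing, the definition of "characters changed" (differing positions
plus length difference), the hours-based clock and the sample accounts are mine."""
import hashlib
import os
import string
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:            # allowed ranges from the guide in the comments
    min_length: int = 15
    min_upper: int = 2
    min_lower: int = 2
    min_digits: int = 2
    min_special: int = 2
    min_changed_chars: int = 4   # 1..8
    history_size: int = 10
    min_age_hours: int = 24      # 0..72: Time to Wait Before New Passwords Can Be Changed
    expire_days: int = 90        # 1..180
    warning_days: int = 14       # at least 1 day less than expire_days
    max_failures: int = 3
    lockout_minutes: int = 30    # 1..1440: Prevent Login For
    inactive_days: int = 90      # 1..180: Lock Inactive Users After


@dataclass
class Account:
    login_id: str
    salt: bytes
    pw_hash: bytes
    changed_at_h: float          # all times are hours on one clock
    last_login_h: float
    history: list = field(default_factory=list)   # previous hashes, newest first
    failures: int = 0
    locked_until_h: float = 0.0


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_account(login_id: str, password: str, now_h: float) -> Account:
    salt = os.urandom(16)        # one salt per account so history entries compare
    return Account(login_id, salt, hash_pw(password, salt), now_h, now_h)


def strength_errors(policy, login_id, password) -> list:
    """Empty list means the password satisfies Password Strength."""
    errors = []
    if len(password) < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    for name, test, need in (("uppercase", str.isupper, policy.min_upper),
                             ("lowercase", str.islower, policy.min_lower),
                             ("numbers", str.isdigit, policy.min_digits),
                             ("special characters", string.punctuation.__contains__, policy.min_special)):
        if sum(test(c) for c in password) < need:
            errors.append(f"needs at least {need} {name}")
    if password.lower() == login_id.lower():   # Password Cannot be the Same as Login ID
        errors.append("password equals the login ID")
    return errors


def change_password(acct, policy, current_pw, new_pw, now_h) -> list:
    """Apply the change if every rule passes; otherwise return the violations."""
    if hash_pw(current_pw, acct.salt) != acct.pw_hash:
        return ["current password incorrect"]
    errors = []
    if now_h - acct.changed_at_h < policy.min_age_hours:
        errors.append(f"changed less than {policy.min_age_hours} hours ago")
    errors += strength_errors(policy, acct.login_id, new_pw)
    new_hash = hash_pw(new_pw, acct.salt)
    if new_hash == acct.pw_hash or new_hash in acct.history:
        errors.append("password was used recently")
    changed = sum(a != b for a, b in zip(current_pw, new_pw)) + abs(len(current_pw) - len(new_pw))
    if changed < policy.min_changed_chars:
        errors.append(f"fewer than {policy.min_changed_chars} characters changed")
    if errors:
        return errors
    acct.history = [acct.pw_hash] + acct.history[: policy.history_size - 1]
    acct.pw_hash, acct.changed_at_h = new_hash, now_h
    return []


def login(acct, policy, password, now_h):
    """Return (allowed, reason): locked, bad-password, inactive, expired, expiring or ok."""
    if now_h < acct.locked_until_h:
        return False, "locked"
    if hash_pw(password, acct.salt) != acct.pw_hash:
        acct.failures += 1
        if acct.failures >= policy.max_failures:    # the third consecutive failure locks
            acct.failures = 0
            acct.locked_until_h = now_h + policy.lockout_minutes / 60
            return False, "locked"
        return False, "bad-password"
    acct.failures = 0
    if acct.login_id != "admin" and now_h - acct.last_login_h > policy.inactive_days * 24:
        return False, "inactive"     # the admin user is never marked inactive
    age_days = (now_h - acct.changed_at_h) / 24
    if age_days >= policy.expire_days:
        return False, "expired"      # "locked due to password expiration"
    acct.last_login_h = now_h
    if policy.expire_days - age_days <= policy.warning_days:
        return True, "expiring"      # warn, and e-mail daily if an E-mail Server is set
    return True, "ok"
```

The "expired" and "locked" outcomes correspond to the two messages quoted above; "expiring" is the state during the warning interval in which the Manager sends the daily notification e-mail.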

Set up audit log parameters


Setting audit log parameters enables you to determine what information to display in relation to a user's activities. You can
choose whether to view actions performed on admin domains and users (creation, editing, role assignment), the Manager
(backups, Update Server settings), Sensor (addition, port configuration), and so on. By disabling any of the categories, you will
not see user actions in regard to those resources.

To choose user audit parameters, do the following:

Task
1 Select Manager | <Admin Domain Name> | Setup | GUI Access | Audit Settings.

Note
In the Central Manager, select Manager | Setup | GUI Access | Audit Settings. The fields displayed are similar to that in Manager,
explained below.

Figure 2-48 Audit Log Parameters

The following Audit Log categories are displayed:

• Admin Domain

• User

• Manager

• Sensor

• IPS Policy

• Report

• Update Server

• Operational Status

• Alert

• NTBA

• FIPS Self Test

• MVM

• ePolicy Orchestrator

2 Select the categories you want to enable.

3 Click Save to save the changes.

Active Directory Servers

The list of Active Directory servers is used by the Manager to enforce firewall rules whose primary response action is
Require Authentication. When a firewall rule requires authentication, the Sensor first attempts to obtain the user name
transparently by snooping logon traffic to the servers in the Trusted Domain Controllers list. If the user name cannot be
obtained that way, the Sensor redirects the browser to the guest portal, and the Active Directory servers are then used to
authenticate the credentials entered there.

Add Active Directory servers

Task
1 Go to, Manager | <Admin Domain Name> | Setup | Intrusion Prevention | Active Directory Servers.

2 Click the add icon.

Figure 2-49 Add an Active Directory Server

Note

When the Active Directory Servers tab is accessed from child admin domains, the Inherit Settings? option is available. The button is
visible only if you deselect Inherit Settings?.

3 In Add Active Directory Server window, enter the AD server details in the appropriate fields:

Option Definition

Server IP Address Enter the IPv4 address of the Active Directory server.

DNS Domain Name Enter the Active Directory domain name, like Trellix.com.

NetBIOS Domain Name Enter the NetBIOS domain name of the Active Directory; for example, Trellix.

Decryption Enabled Select this option to connect over SSL/TLS (LDAPS) so that credentials and directory data are encrypted in transit.

Server Port The Active Directory server port. If you select Decryption Enabled, the port automatically
changes to the default value, 636. Else the default value is 389.

Start Search from the Select this option if you want Trellix IPS to check user information from the root node of the
Root of the Base Active Directory tree. When you select this option, the value of the next field Base DN is
Directory? displayed as Root, by default.

Base DN Base DN represents the intermediate node name in the Active Directory tree. If you want Trellix
IPS to check user information from an intermediate node in the Active Directory tree, enter the
corresponding node name in Base DN.

User Name Active Directory login name for the domain.

Password Password for the Active Directory login.

Test Connection Click to test the connection to the configured Active Directory server. A message reports whether the
connection succeeded.

Save Saves the configuration in the Manager database.


The Manager attempts to verify the details that you provided before creating the record. Even if
the Manager is unable to verify the details currently, you can go ahead and create the record.
The added Server is listed in the Active Directory Servers list.

Notes:
• In Active Directory Servers list, if the configuration needs to be inherited to the child admin domains, you can optionally
check Make Settings Visible to Child Admin Domains? option.

• You are prompted to add the Active Directory server that you created to the list of trusted domain controllers
automatically.

• If you configure multiple Active Directory servers, the Manager considers them in a top-down fashion. If two servers
from the same domain are listed, the second is only consulted if the one above it cannot be reached.
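The server-selection rule in the last note above, and the port default that follows the Decryption Enabled setting, as an added example in Python. This is not the Manager's code: the record fields mirror the Add Active Directory Server dialog, the reachability probe is injected so the example runs offline, the addresses are constructed from documentation ranges, and expanding "Root" into DC= components from the DNS domain name is my reading of the Start Search from the Root option.

```python
"""Added example (not from the Trellix guide): the selection rule for multiple
Active Directory servers (tried top-down; a second server for the same domain
is consulted only when the one above it cannot be reached), the port default
that follows Decryption Enabled, and the Base DN / Root choice.

Assumptions: the names are mine; the probe is injected so the example runs
offline; the addresses are RFC 5737 documentation ranges; expanding "Root" to
DC= components from the DNS name is my reading of that option.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ADServer:
    ip: str                              # Server IP Address (IPv4 only)
    dns_domain: str                      # DNS Domain Name, e.g. Trellix.com
    netbios_domain: str                  # NetBIOS Domain Name, e.g. Trellix
    decryption_enabled: bool = False     # LDAP over SSL/TLS (LDAPS)
    port: Optional[int] = None           # None -> 636 with LDAPS, otherwise 389
    base_dn: str = "Root"                # Start Search from the Root of the Base Directory?

    def __post_init__(self):
        if ipaddress.ip_address(self.ip).version != 4:
            raise ValueError("the dialog accepts an IPv4 address only")
        if self.port is None:
            object.__setattr__(self, "port", 636 if self.decryption_enabled else 389)


def tcp_reachable(server: ADServer, timeout: float = 2.0) -> bool:
    """Live probe used by default: can a TCP connection reach the LDAP port?"""
    try:
        with socket.create_connection((server.ip, server.port), timeout=timeout):
            return True
    except OSError:
        return False


def pick_server(servers, domain: str, probe=tcp_reachable) -> Optional[ADServer]:
    """Walk the list in the order shown in the Manager and return the first
    reachable server for `domain`; entries for other domains are skipped."""
    for server in servers:
        if server.dns_domain.lower() != domain.lower():
            continue
        if probe(server):
            return server
    return None


def search_base(server: ADServer) -> str:
    """Base DN to search from: 'Root' means the top of the domain's tree."""
    if server.base_dn == "Root":
        return ",".join(f"DC={label}" for label in server.dns_domain.split("."))
    return server.base_dn
```

Calling `pick_server(servers, "Trellix.com")` without a probe performs a real TCP check against ports 636 or 389, which is the same reachability question the Test Connection button answers, minus the bind.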

Add Trusted Domain Controllers


When you add the Active Directory servers for an admin domain, you are prompted to automatically create the Trusted Domain
Controllers using the same information. If you have done so, you can just verify the list of Trusted Domain Controllers.

Task
1 Go to, Manager | <Admin Domain Name> | Setup | Intrusion Prevention | Trusted Domain Controllers.

2 Click the add icon.

Figure 2-50 Add Trusted Domain Controllers

3 In the Add Trusted Authentication Server window, enter the Trusted Domain Controller details in the appropriate fields.

Option Definition

Server IP Address Enter the IPv4 address of the Active Directory server.

DNS Domain Name Enter the Active Directory domain name, like Trellix.com.

NetBIOS Domain Name Enter the NetBIOS domain name of the Active Directory; for example, Trellix.

Visible to Child Admin Domain Select if the configuration needs to be inherited by the child admin domains.

Description Optionally enter additional information about the Trusted Domain Controller.

Save Saves the configuration in the Manager database.

Cancel Clears the details you have entered in the Add Trusted Authentication Server window.

Guest Portal settings

The Guest Portal Settings page allows you to display a custom logo and a custom message for the guest portal.

To display a custom logo and a custom message in the guest portal in the Manager, do the following:

Task
1 Go to Manager | <Admin Domain Name> | Setup | Intrusion Prevention | Guest Portal Settings.

Figure 2-51 Guest Portal Settings in the Manager

2 Check the required settings for Presentation.


• (Optional) Select the Display a Custom Logo? checkbox.

• Click Choose File and add a file from the appropriate location.

• Click Custom Message to customize text that needs to be displayed for a user to acknowledge before logging into the
Guest Portal.

3 To save the Guest Portal settings, click Save.

Reporting

Report Generation

Trellix IPS provides you report generation options for three types of reports: next generation reports, traditional reports, and
configuration reports.

• Click Manager | <Admin Domain Name> | Reporting | Configuration Reports to open the configuration reports.

• Click Analysis | <Admin Domain Name> | Event Reporting to open the next generation and traditional reports.

Access to the reports is based on user roles. By definition, report generation is available for Super User, Security Expert, and
Operator roles. Access is also restricted by admin domain; for example, a user with access to a child domain only cannot view
data or templates that require root or higher-level domain access.

Reporting menu
The Manager | <Admin Domain Name> | Reporting menu allows you to generate configuration reports, schedule reports, and
set report preferences.

The following options are available:

• Configuration Reports — These are based on specific type of information like the configuration of Manager, policies, alerts,
and summaries of current Manager and Sensor software versions. These reports provide an updated result of the different
configurations set on Manager and Sensors.

• Report Automation — Schedule report to run automatically and mail to recipients on a daily or weekly basis.

• Preferences — Edit report header footer, schedule for running the report, and recipient's list for sending the generated
reports.

The report generation time shown on a report is the time at which generation was initiated, displayed in the configured
time zone.

Note
Click Back to navigate to the Configuration Reports list from a generated report page.

Localization of Reports
The Manager supports report generation in the following languages:

• English

• Chinese Simplified

• Chinese Traditional

• Japanese

• Korean

You can configure, schedule, and view the generated reports in all the five languages mentioned.

You can select the language from Manager | <Admin Domain Name> | Reporting | Preferences | Language drop-down list.
The Configuration Reports page is displayed in English the first time you access it. Subsequently, it is displayed in the language
that you last chose.

Note
If you are accessing Manager from a client machine, you need to install East Asian characters; else such characters in the reports appear as
square boxes or question marks. To install the East Asian characters, select Settings | Control Panel | Regional and Language options |
Languages and select Install files for East Asian languages, Install Asian Language Characters and then restart the machine.

Note
To view the PDF version of the localized reports, you need the required fonts in your Acrobat Reader. The first time you attempt to view the
PDF version, Acrobat Reader attempts to update with the required fonts.

You can specify the language for the recipients of scheduled reports, and the scheduled reports are generated in those
languages. For example, if you have scheduled the Executive Summary Report with five recipients (one recipient for each
language including English), this report is generated in all the five languages at the specified time and the appropriate version is
emailed to the recipients. That is, the Japanese recipient receives the Japanese version of the report.

The data retrieved from the database is displayed in the language in which it is stored in the database, and this data is
independent of the language that you choose in the Reporting menu. For example, if a saved report was generated in English,
you cannot view it in Japanese by choosing Japanese in the Language page. To do this, you need to add another recipient for
this report with the language as Japanese.

Figure 2-52 Add Recipient

The Language column in the Sent Reports page indicates the language in which the reports were generated. Also, for saved
reports that are not in English, you can identify the language through the last two letters of the report name:

"ja" indicates Japanese, "ko" indicates Korean, "CN" indicates Chinese Simplified, and "TW" indicates Chinese Traditional.

In the following pages, you can enter text in the language that you had chosen:

• Add Report Template (Description)

• Edit Report Template (Description)

• Add Recipient (First Name and Last Name)

• Edit Recipient (First Name and Last Name)

The following table provides the extent of localization in the Reports module:

Category Extent of Localization

User-configurable data retrieved from the database Not localized

Data that is not user-configurable Fully localized

Informational messages Fully localized

Error messages Fully localized

Online Help Available in English only by default. The localized online help can be
requested for separately, which can be manually installed in your
Manager setup.

Text in charts and graphs Partially localized

Dates Fully localized

Calendar Fully localized

Numeric, monetary, and metric Partially localized

Data input through keyboard Partially localized

Configuration Reports
Configuration Reports are based on pre-defined conditions and detail your system configuration settings. The Configuration
reports are available in Manager | <Admin Domain Name> | Reporting | Configuration Reports.

You can generate these reports to view your current software and signature versions, the configuration and status of a Sensor,
policy settings, and so forth. The report generation time shown on a report is the time at which it was executed, displayed in
the configured time zone. Several pre-formatted reports are provided for simple information gathering.

Figure 2-53 Configuration Reports

The available configuration reports are:

• Admin Domain and Users Report — Information on the admin domains and users controlled through your Manager.

• Attack Set Profile Report — Information on all of the attack sets available for application.

• Device Summary Report — Information about all the devices configured.

• Faults Report — Information on Manager and Sensor fault logs.

• Firewall Policy Definitions Report — Provides a detailed view of the selected Firewall policy, its Access Rules, and the Sensor
resources to which it is assigned.

• Integration Summary Report — Provides a summary of configurations done in the Manager to integrate with other Trellix
products, such as ePO and Vulnerability Manager.

• IPS Configuration Summary Report — Provides a detailed view of the IPS configuration settings made by the user.

• IPS Policy Assignment Report — Provides a detailed view of the IPS policies available for application.

• IPS Policy Details Report — Provides a detailed view of the IPS policies available for application.

• IPS Sensor Report — Information on the policies applied to one or more Sensors.

• Licenses— Information about the System Licenses, Proxy Decryption Licenses, and Virtual Sensors licenses.

• Manager Report — Configuration information related to the notification mail server, proxy server, and MDR.

• Performance Monitoring - Admin Domain Configuration Report — Displays the admin-domain-wise performance monitoring
configuration made in the Manager.

• Performance Monitoring - Sensor Configuration Report — Displays the Sensor performance monitoring configuration settings
made in the Manager.

• QoS Policy — Information on all the Quality of Services (QoS) policies available for application.

• Reconnaissance Policy Report — Information on all the Reconnaissance policies available for application.

• Scanning Exceptions Report — Displays information of the scanning exceptions that are configured on the Sensor's VLAN,
TCP, or UDP port.

• User Activity Report — Information on the actions performed by Trellix IPS users.

• Version Summary Report — Information on the versions of software and signatures in use.

This figure shows the difference between the admin domain filter available in the left pane, and the admin domain filter for the
reports.

Figure 2-54 Admin Domain Filters

1 — This admin domain filter has no impact on the reports generated.

2 — This is the admin domain filter that you can use to generate the report based on the admin domain selected.

Saving Configuration reports

To save a Configuration report, select the Output Format: HTML, PDF Portrait, PDF Landscape, Save as CSV or Save as HTML.
Then click Save and specify where to save the file.

If you select either PDF Portrait or PDF Landscape, a PDF file format displays on the Report page. You need Adobe Acrobat 7.0
or later to view reports in PDF. The recommended viewing size for the PDF version of a report is "Actual Size" or 100%. If you
want to save the PDF of a report, Trellix recommends customizing the file name for easy recognition. If you want to keep the
generated file name, check the length of the name. If you had de-selected Day/Time Detected from the Fields of Interest
section of a report generation template, the default file name will be ViewReport.pdf.

If you select Save as CSV, a dialog box is displayed prompting you for the file name and location. Specify an appropriate file name and location and click Save to save the report in CSV format. You can open the file using Microsoft Excel.

Generate Admin Domain and Users reports

The Admin Domain and Users report provides information on the admin domains and users created and configured using the
Manager. Information presented reflects the basic settings for each resource (admin domain and user).

To generate an Admin Domain and User Report, do the following:

Task
1 Select Manager | <Admin Domain Name> | Reporting | Configuration Reports | Admin Domains and Users.

2 Select the Output Format.

3 Click Submit.

The field descriptions for each table in this report are as follows:

Admin Domain Information

• Name — Name of an admin domain.

• Contact Information — The name and email of the main user to contact for the domain.

• Child Admin Domain Allowed? — Whether a child domain can be configured for the domain. A tick mark indicates that child domain configuration is allowed. For the root admin domain, this is always allowed.

• Add Device Allowed? — Whether a Sensor can be added to the domain. A tick mark indicates that Sensors can be added to the domain. For the root admin domain, this is always allowed.

• Default IPS Policy — The IPS Policy applied to the domain.

• Default Reconnaissance Policy — The Reconnaissance Policy applied to the domain.

User Information

• Name — Name of a user.

• Contact Information — Email address for the user.

• Creator Domain — The admin domain where the user was created.

• Login ID — The user's ID for logging into the Manager.

• Role(s) — The user's role(s) with the corresponding domains in parentheses.

SNMP Forwarder Information

• Admin Domain — All current domains.

• IP Address — The address of the target SNMP server.

• Destination Port Number — The target server's SNMP listening port.

• SNMP Version — The version supported by your SNMP server. Version options are 1, 2c, Both 1 and 2c, or 3.

• Notification for All Child Admin Domains — A tick mark indicates that notifications generated for all the child admin domains are also factored in for this report.

Note
The SNMP Forwarder information is displayed only for those domains for which SNMP Trap Receivers have been configured.

Fault Syslog Forwarder Information

• Admin Domain — All current domains.

• Syslog Forwarder Enabled — Whether the syslog forwarder has been enabled or disabled.

• Child Domain Notification Enabled — Whether child domain notification has been enabled.

• Syslog Server (Host Name or IP Address) — Host name or IP address of the syslog server to which faults are forwarded.

• Port — Port on which the faults are forwarded.

User Activity Audit Syslog Information

• Admin Domain — All current domains.

• Syslog Forwarder Enabled — Whether the syslog forwarder has been enabled or disabled.

• Child Domain Notification Enabled — Whether child domain notification has been enabled.

• Syslog Server (Host Name or IP Address) — Host name or IP address of the audit syslog server.

• Port — The port of the Audit Syslog server.

• Facilities — Standard syslog prioritization value.

• Result Mapping — Informational messages of the mapped results, categorized as Failed, In progress, and Success.

• Forward Audit — Severity of the audit log forwarded to the syslog server.

• Message Preference — Preference of the message.

Proxy Server Settings

• Admin Domain — All current domains.

• Use Parent Settings? — Whether parent settings are inherited.

• Use Proxy Server? — Whether the proxy server is enabled or disabled.

• Proxy Server Name or IP Address — The address of the target proxy server.

• Port Number — The proxy server's port.

• User Name — Name of a user.

Generate Device Summary report

The Device Summary report contains information regarding all the IPS, Virtual IPS, NTBA, and Virtual NTBA devices configured.
It provides a summary of information per device irrespective of the number of similar Sensor models configured. The device
count provides a summarized count of all the devices configured.

To generate a Device Summary report, do the following:

Task
1 Click the Manager tab.

2 Select <Admin Domain Name> | Reporting | Configuration Reports | Device Summary.

3 Select the Output Format.

4 Click Submit.

The field descriptions in this report are as follows:

Summary

• Device model — Provides the Sensor models configured.

• Count — Displays a summarized count of the similar Sensor models.

Sensor Name (IPS, Virtual IPS, NTBA, Virtual NTBA)

Each field is listed with its description and the Sensor models it applies to.

• Name — Displays the name of the Sensor. Applies to: IPS, Virtual IPS, NTBA, Virtual NTBA.

• Model — Displays the Sensor model number. Applies to: IPS, Virtual IPS, NTBA, Virtual NTBA.

• Serial Number — Displays the serial number specified on the physical Sensor. Applies to: IPS, NTBA, Virtual NTBA.

• Software Version — Displays the current software version configured on the Sensor. Applies to: IPS, Virtual IPS, NTBA, Virtual NTBA.

• Contact Information — Displays the contact information provided by the user at the time of configuration of the Sensor. Applies to: IPS, Virtual IPS, NTBA, Virtual NTBA.

• Location — Displays the geographical location provided by the user at the time of configuration of the Sensor. Applies to: IPS, Virtual IPS, NTBA, Virtual NTBA.

• Updating Mode — Displays the mode of configuration update for the Sensor. It can be updated online or offline. Applies to: IPS, Virtual IPS.

• Signature Version — Displays the current signature version configured on the Sensor. Applies to: IPS, Virtual IPS.

• Hardware Version — Displays the current hardware version running on the Sensor. Applies to: IPS.

• Gateway Anti-Malware DAT Version — Displays the current version of the Gateway Anti-Malware DAT file. Applies to: IPS (NS Series), Virtual IPS, NTBA, Virtual NTBA.

• Gateway Anti-Malware Engine Version — Displays the current version of the Gateway Anti-Malware Engine. Applies to: IPS (NS Series), Virtual IPS, NTBA, Virtual NTBA.

• Anti-Virus DAT Version — Displays the current version of the Anti-Virus DAT file. Applies to: IPS (NS Series), Virtual IPS, NTBA, Virtual NTBA.

• Anti-Malware Engine Version — Displays the current version of the Anti-Malware Engine. Applies to: IPS (NS Series), Virtual IPS, NTBA, Virtual NTBA.

• IP Address Connected to the Manager — Displays the IP address used by the Sensor to connect with the Manager. Applies to: IPS, Virtual IPS, NTBA, Virtual NTBA.

• Subnet Mask — Displays the subnet mask. Applies to: IPS, Virtual IPS.

• Default Gateway — Displays the IP address of the default gateway. Applies to: IPS, Virtual IPS.

• Up Time — Displays the time period for which the Sensor has been running since it started. Applies to: IPS, Virtual IPS, NTBA, Virtual NTBA.

• Last Reboot — Displays the date and time of the previous reboot. Applies to: IPS, Virtual IPS, NTBA, Virtual NTBA.

• Last Signature Set Update — Displays the date and time of the previous signature set update. Applies to: IPS, Virtual IPS, NTBA, Virtual NTBA.

• FIPS Mode — Displays whether FIPS mode is enabled or disabled. Applies to: IPS, Virtual IPS.

Generate Faults reports

The Faults Report enables you to see the details of Sensor and Manager faults that have occurred in the past. Reports can be
generated based on the fault name, its creation time, its fault severity, or by the Sensor ID.

To generate a Faults report, do the following:

Task
1 Click the Manager tab from the Manager Home page.

2 Select <Admin Domain Name> | Reporting | Configuration Reports | Faults.


3 Specify the following to narrow down the scope of your report:

• Fault Source — Select Sensor and/or Trellix IPS Manager to find faults on your Sensor and/or Manager, respectively.

• Admin Domain — Select an admin domain on which to run the report. This is enabled only if the selected Fault Source is Sensor.

Note
The admin domain selected in the left pane has no impact on the reports generated. The Admin Domain drop-down list is explicitly to filter the reports that are generated.

• Include Child Admin Domains — If you have selected Include Child Admin Domains, Sensors in the child admin domains of the selected admin domain are also displayed. This is enabled only if the selected Fault Source is Sensor.

• Sensor — Select one or all devices on which to run the report.

• Fault Severity — Select one or more of the following:

  • Informational
  • Warning
  • Error
  • Critical

• Fault State — Select one of the following:

  • All Faults
  • Active Faults
  • Deleted Faults
  • Acknowledged Faults

• Faults — Select one of the following time options:

  • Select Faults for this day (yyyy/mm/dd) — Displays faults for a selected day.

  • Select Faults between these dates (yyyy/mm/dd hh:mm:ss) — Displays faults between the Begin Date and the End Date.

  • Select Faults in the past — Displays faults for the specified period ending at the specified time. The default is the current time.

Note
Faults with a creation date earlier than the Begin Date may be displayed too; this means that the particular fault had occurred before the Begin Date and re-occurred between the Begin and End Date.


• Report Format — Select any of the following formats for the report:

  • HTML
  • PDF Portrait
  • PDF Landscape
  • Save as CSV
  • Save as HTML

• Organized by — Specify how you want the information to be organized in the report. Choices are Severity, Fault Name, Sensor, or Create Time. For example, if you choose Severity, then the information is organized by fault name in reverse alphabetical order. Create Time is the fault generation time.

4 Click Run Report to generate the report.

Note
Only 5000 faults can be processed for a report. If more than 5000 faults are involved, a note is displayed recommending that you narrow down the scope of your report.

The field descriptions in this report are as follows:

• Time — The time at which the fault was generated.

• Duration — The length of time the fault lasted. For example, in the case of a performance fault, this is the number of minutes between when the performance first went over its threshold and when it subsequently fell below its reset threshold.

• Source — The source of the fault.

• Criticality — Specifies the severity level of the fault.

• Undefined — Specifies the name of the fault that is undefined.

• Description — A detailed description of the fault.

• Type — The type of fault.

• Acknowledged — Indicates whether the fault is acknowledged or not.

• Deleted — Indicates whether the fault is deleted or not.

• Last Updated — The time at which the fault was last modified. This time stamp is updated when the fault is acknowledged.

Generate Firewall Policy Definition report

The Firewall Policy Definition Report provides a detailed view of the selected Firewall policy, its Access Rules, and the Sensor
resources to which it is assigned.

Task
1 Click the Manager tab.

2 Select <Admin Domain Name> | Reporting | Configuration Reports | Firewall Policy Definitions.


3 Select a filter from the Admin Domain drop-down list.

Note
The admin domain selected in the left pane has no impact on the reports generated. The Admin Domain drop-down list is explicitly to
filter the reports that are generated.

4 Select the Firewall Policy.

5 Select the Output Format.

6 Click Submit.

Generate Integration Summary reports

The Integration Summary report provides a summary of the configurations done in the Manager to integrate with other products, such as McAfee ePO and Vulnerability Manager.

To generate an Integration Summary report, do the following:

1 Click the Manager tab from the Manager Home page.

2 Select <Admin Domain Name> | Reporting | Configuration Reports | Integration Summary.

3 Select the Output Format.

4 Click Submit.

The Integration Summary Report displays the following details:

1 ePO DB Configuration

2 Vulnerability Manager Configuration

3 API Server

4 Database Settings

5 Relevance Details

6 State

7 Manual Scan Reports

8 Database Settings

9 Automated Vulnerability Manager Scan Reports

10 Host Intrusion Prevention

11 Telemetry Submission

12 Technical Contact Information

13 Global Threat Intelligence


ePO DB Configuration

The integration between the Manager and the ePO server is done with the help of an extension file. After the installation of the extension file, the details are listed in this report and its fields are described below:

• Admin Domain — The selected admin domain for which the summary report is generated.

• Endpoint Summary Queries — Displays details of the Endpoint Summary Queries, which can be enabled or disabled.

• Endpoint Lookup — Displays details of the Endpoint Queries, which can be enabled or disabled.

• Endpoint Tagging —

• Server Name or IP Address — The name or the IP of the ePO server running the extension file. Note that this ePO server should have the details of the hosts covered by the admin domain. Contact your ePO administrator for the server name and IP.

• Server Port — The HTTPS listening port on the ePO server that is used for the Manager-ePO communication. Contact your ePO administrator for the port number.

• User Name — The username to be used while connecting to the ePO server. Trellix recommends you use a local ePO user account with View-only permissions.

For more information on ePO, refer to the ePO documentation.

Note
If you update the IP address of ePO from the Manager in the Manager | <Admin Domain Name> | Integration | ePO Integration page, you
should reboot the Manager.

Vulnerability Manager Configuration

The Vulnerability Manager Configuration settings allow the Manager to connect directly to the Vulnerability Manager engine servers and database. Enabling Vulnerability Manager scanning is the first step in configuring Vulnerability Manager from the Manager.

Note
For more information on Vulnerability Manager, refer to the Vulnerability Manager documentation.

Vulnerability Manager Server Settings

The Manager uses the scan engine information to view the vulnerabilities for the host after the scan is complete.

Database Settings

The second essential step in Vulnerability Manager configuration is configuring the Vulnerability Manager database settings.

Using these settings, the Manager connects to the Vulnerability Manager database to get relevance information, scan configuration details, scan engine details, and vulnerability data for scanned hosts. The required data is fetched directly from the Vulnerability Manager database using stored procedures specific to the Manager.

Relevance Details

Relevance analysis involves the analysis of the vulnerability relevance of real-time alerts, using the vulnerability data imported to the Manager database.

State

This field reveals the state of relevance analysis.

Manual Scan Reports

The details of the manually scanned reports are displayed in this report and its fields are described below:

• File Name — Name of the report file.

• Report Type — This can be plain text, XML, or Trellix IPS format.

• Description — Description of the report file.

• Scan Time — Time of the Vulnerability Manager scan.

• State — This field shows the completion status of the Vulnerability Manager scan. For example, the scan status can be queued, complete, retrieved, and so on.

Automated Vulnerability Manager Scan Reports

The details of the automated scan reports are displayed in this report and its fields are described below:

• Organization or Workgroup — These two fields are created on the Vulnerability Manager side and are used to scan.

• Scan Name — The name of the scan organization or workgroup.

• Description — The details of the scanned file.

Host Intrusion Prevention

The details of prevented intruders are displayed in this report and its fields are described below:

• Name — The name of the intruder.

• Description — The details of the intruder.

Telemetry Submission

The details of what has actually been sent to Trellix are described below:

• Alert Data Details — This field shows the details of the Alert data sent to Trellix for each attack.

• Only send data for following alert severities (Filter) — This field helps to configure the levels of severities.

• Alert Data Summary — This field shows the alert summary information sent hourly to Trellix, such as the list of Trellix IPS attack IDs seen.

• General Setup — This field shows the general setup information sent daily to Trellix, such as the Manager software version and the active signature set version.

• Feature Usage — This field shows the feature information sent daily to Trellix, such as the number of default policies in use.

Technical Contact Information

The details of your contact information that are provided to Trellix Labs are described below:

• Send Technical contact information — Technical contact information is gathered to communicate End of Life and other key milestones.

• First Name — The first name of the contact person.

• Last Name — The last name of the contact person.

• Street Address — The street address of the contact person.

• Phone Number — The phone number of the contact person.

• E-mail Address — The email address of the contact person.

Global Threat Intelligence

The details of the private GTI cloud integration are described below:

• Private GTI Cloud Integration — Displays whether the private GTI cloud integration is enabled or disabled.

• Private GTI Cloud Server IP — Displays the server IP of the private GTI cloud.

Generate IPS Configuration Summary reports

The IPS Configuration Summary report provides a detailed view of the IPS configuration settings made by the user. This
includes SNMP Forwarder Information, Alert Syslog Forwarder Information, Firewall Syslog Forwarder Information, Quarantine
information, Network Objects, Quarantine Zones, Syslog Forwarding, Remediation Portal, IPS Settings and Quarantine.
Information can be displayed for any selected admin domain in either .html, .pdf or .csv file formats.

To generate an IPS Configuration Summary report for an admin domain, do the following:

Task
1 Click the Manager tab from the Manager Home page.

2 Select <Admin Domain Name> | Reporting | Configuration Reports | IPS Configuration Summary.

3 Select a filter from the Admin Domain drop-down list.

Note
The admin domain selected in the left pane has no impact on the reports generated. The Admin Domain drop-down list is explicitly to
filter the reports that are generated.

4 Select the Output Format.


5 Click Submit.

For the selected Admin Domain, the IPS Configuration Summary report gives the following IPS configuration details:

IPS Events SNMP Forwarder Information

SNMP Forwarder Information specifies the server to which alert information will be sent from the Manager. You can configure more than one SNMP server to which you want to send alert messages. The fields are described below:

• IP Address — IP address of the target SNMP server, which can be an IPv4 or IPv6 address.

• Destination Port Number — The target server's SNMP listening port.

• SNMP Version — Version of SNMP running on the target SNMP server. Version options are 1, 2c, Both 1 and 2c, and 3.

• SNMP Forwarder Information — The SNMP server to which you want to send alert messages.

Alert Syslog

Alert Syslog Forwarder Information enables the forwarding of Trellix IPS alerts to a Syslog Server. The field is described below:

• Syslog Forwarder Enabled — Whether the syslog forwarder has been enabled or disabled.

Alert Syslog Forwarder Information

Alert Syslog Forwarder Information enables the forwarding of Trellix IPS alerts to a Syslog Server. Syslog forwarding enables you to view the forwarded alerts from a third-party Syslog application. The fields are described below:

• Child Domain Notification Enabled — Whether child domain notification has been enabled.

• Notification Profile Name — Name of the notification profile.

• Syslog Server (Host Name Or IP Address)/Port — Host name or IP address of the syslog server and the port on which it is enabled.

• Protocol — Whether the syslog server is reached over a UDP or TCP connection.

• Use SSL — Whether SSL is used when the syslog server uses TCP.

• Quarantine Enabled — Whether quarantine is enabled or disabled.

Firewall Notification Information

This is an optional Firewall feature that logs packets that are dropped or permitted based on your Access Rules. You can configure the Sensor to forward Firewall logs to the Manager, where they are formatted and converted to Syslog messages and sent to the configured Syslog server. You can also configure the Sensor to directly send logs to the configured Syslog server. The fields are described below:


• Syslog Forwarder Enabled — Whether the syslog forwarder has been enabled or disabled.

• Child Domain Notification Enabled — Whether child domain notification has been enabled.

• Syslog Server (Host Name Or IP Address) — Host name or IP address of the syslog server.

• Port — Port on which the logs are forwarded.

Quarantine

To protect your network from security threats, Trellix IPS provides the Quarantine feature, which quarantines and remediates the non-compliant network devices (or hosts) connecting to your network.

Rule Objects

Rule objects provide a convenient way of grouping together IP addresses, VLANs, CIDR blocks, or MAC addresses. The fields are described below:

• Name — Name of the rule object.

• Type — Indicates which of the four network address types are listed together in a network object:

  • IP Address
  • Network Address (CIDR)
  • MAC Address
  • VLAN

• Value — The value for the selected Type.

Quarantine Zones

Quarantine Zones are a set of ACL rules that define the zone of network access provided to a host subjected to Quarantine. The fields are described below:

• Name — The name of the Quarantine Zone.

• Description — The description of the Quarantine Zone.

Syslog Forwarding

The Alert Notification Syslog action enables the forwarding of Trellix IPS alerts to a Syslog Server. Syslog forwarding enables you to view the forwarded alerts from a third-party Syslog application. For Syslog forwarding, the root domain and parent domains have the option to include alerts from all applicable child domains.

• Syslog — Whether the syslog forwarder has been enabled or disabled.

• Name — Host name of the Syslog Server where alerts will be sent.

• Facility — Standard Syslog prioritization value. The choices are as follows:

  • Security/authorization (code 4)
  • Security/authorization (code 10)
  • Log audit (note 1)
  • Log alert (note 1)
  • Clock daemon (note 2)
  • Local user 0 (local0)
  • Local user 1 (local1)
  • Local user 2 (local2)
  • Local user 3 (local3)
  • Local user 4 (local4)
  • Local user 5 (local5)
  • Local user 6 (local6)
  • Local user 7 (local7)

• Priority — The severity level of a higher or lesser priority.
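The Facility and Priority chosen here end up encoded in the PRI header of every forwarded syslog message, which is what a collector uses to route and filter Trellix IPS alerts. As an added example that is not part of this guide, the following Python code decodes the PRI of received syslog lines and checks them against the facility configured in the Manager, so a SOC can verify that alerts arrive on the expected facility rather than being silently dropped by a collector filter; the facility codes are the standard RFC 3164 values for the facility names the guide lists (an assumption, since the guide gives names but not all codes), and the sample lines are constructed, not real Manager output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Facility choices as listed under Syslog Forwarding in the IPS Configuration
# Summary report, mapped to their standard syslog facility codes (RFC 3164).
# Assumption: the guide's names map to the RFC codes; "Clock daemon" has two
# codes in the RFC (9 and 15), so both are accepted for that choice.
FACILITY_CODES = {
    "Security/authorization (code 4)": {4},
    "Security/authorization (code 10)": {10},
    "Log audit (note 1)": {13},
    "Log alert (note 1)": {14},
    "Clock daemon (note 2)": {9, 15},
    "Local user 0 (local0)": {16},
    "Local user 1 (local1)": {17},
    "Local user 2 (local2)": {18},
    "Local user 3 (local3)": {19},
    "Local user 4 (local4)": {20},
    "Local user 5 (local5)": {21},
    "Local user 6 (local6)": {22},
    "Local user 7 (local7)": {23},
}

# Standard syslog severity names, indexed by numeric severity (0 = most urgent).
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# A syslog line starts with "<PRI>", where PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>")


@dataclass
class DecodedPri:
    facility: int
    severity: int


def decode_pri(line: str) -> Optional[DecodedPri]:
    """Split the leading <PRI> of a syslog line into facility and severity.

    Returns None when the line has no well-formed PRI or the value is out of
    range (the largest legal PRI is 23 * 8 + 7 = 191).
    """
    match = PRI_RE.match(line)
    if match is None:
        return None
    pri = int(match.group(1))
    if pri > 191:
        return None
    return DecodedPri(facility=pri // 8, severity=pri % 8)


def check_forwarded_alerts(lines: List[str], configured_facility: str) -> List[Tuple[str, str]]:
    """Compare each received line against the facility configured in the Manager.

    The verdict is "ok (<severity name>)" when the facility matches; otherwise
    a short reason, so a collector operator can spot misrouted or malformed forwards.
    """
    expected = FACILITY_CODES[configured_facility]
    verdicts = []
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            verdicts.append((line, "malformed PRI"))
        elif decoded.facility not in expected:
            verdicts.append((line, f"unexpected facility {decoded.facility}"))
        else:
            verdicts.append((line, f"ok ({SEVERITY_NAMES[decoded.severity]})"))
    return verdicts


# Constructed sample lines (not real Manager output). The forwarder is assumed
# to be configured with facility "Local user 4 (local4)", code 20.
SAMPLE_LINES = [
    "<162>Jan 10 12:00:01 nsm-manager alert: constructed high-severity alert",  # 20*8+2
    "<166>Jan 10 12:00:02 nsm-manager alert: constructed informational alert",  # 20*8+6
    "<34>Jan 10 12:00:03 other-host sshd: constructed line on facility 4",      # 4*8+2
    "Jan 10 12:00:04 nsm-manager alert: constructed line with no PRI header",
]

if __name__ == "__main__":
    for line, verdict in check_forwarded_alerts(SAMPLE_LINES, "Local user 4 (local4)"):
        print(f"{verdict:24} {line}")
```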

Remediation Portal

To make the quarantined host clean of malicious traffic and thus compliant with the security policies of the network, Trellix IPS provides remediation by redirecting the HTTP traffic from the host to a Remediation Portal.

• Remediation Portal State — Whether the redirection of HTTP traffic to the Remediation Portal is enabled.

• Remediation Portal IP Address — The IP address configured for the Remediation Portal.

• Remediation Portal URL — The URL configured for the Remediation Portal.

IPS Settings

The IPS Settings node in each admin domain facilitates actions related to the configuration and management of IPS-related policies on the Trellix IPS.

Quarantine

• State — Whether Quarantine is enabled or not.

• Quarantine Zone — The quarantine zone selected.

• Release Logic — Whether the Sensor is configured to release the endpoint from quarantine automatically after a set time or whether you have to manually release the endpoint from quarantine.

• Release After — If the Sensor is configured to release the endpoint automatically, the time duration after which the endpoint is released.

• Browser Message — How the browser message is enabled.

Quarantine Exceptions

You can exclude certain hosts or networks from being quarantined. This can be configured from the Quarantine Exceptions page of the Quarantine Configuration Wizard.


• Type — The IP address, IPv4 Network, or Rule Object.

• Value — The value for the selected Type.

• Description — The description of the hosts or network.

File Reputation

The File Reputation Report provides details of Global Threat Intelligence (GTI) IP Reputation-related alerts such as Dirtiness Level, Matched fingerprint, Sensor Source IP, Source Port, and so on.

Fingerprints - GTI

• Maximum file size scanned — 4194304 bytes (for signature set 10.8 and higher); the fixed size up to which malware files are detected.

• Primary DNS Server — The main DNS server, configured first.

• Secondary DNS Server — The backup DNS server, configured next and used if the main DNS server fails to respond.

• Response Action — Detect/Allow (Alert only), block, or block and send TCP resets.

• Sensitivity — The severity of malware to block can be controlled.

Fingerprints - Custom

• Number of custom fingerprints — The number of custom fingerprints that have been added.

• Maximum file size scanned — 4194304 bytes (for signature set 10.8 and higher); the fixed size up to which malware files are detected.

• Response Action — Detect/Allow (Alert only), block, or block and send TCP resets.

File types supported

• GTI — The Portable Executable (PE) files.

• Custom — File types based on custom signatures.

MVX Integration

• Enable VX Appliance Integration — Whether VX appliance Integration has been enabled or disabled.

• VX IP Address — IP address of the VX broker integrated with Trellix IPS.

• Manager to VX Communication Port (TCP) — Manager-to-VX Appliance Communication Port number.

Trellix Intelligent Sandbox Integration

• Enable Trellix Intelligent Sandbox Integration — Whether Trellix Intelligent Sandbox Integration has been enabled or disabled.

• Trellix Intelligent Sandbox IP Address — IP address of the Trellix Intelligent Sandbox integrated with Trellix IPS.

• Sensor-to-Intelligent Sandbox Communication Port (TCP) — Sensor-to-Intelligent Sandbox Communication Port number.

• Manager-to-Intelligent Sandbox Communication Port (TCP) — Manager-to-Intelligent Sandbox Communication Port number.

Generate IPS Policy Assignment reports

The IPS Policy Assignment report provides a detailed view of the policies (Exploit, Reconnaissance, and DoS) applied to one or more Sensors. Policy information includes severity, responses, thresholds, notifications, and other information configured for each attack, whether from a pre-configured or user-customized policy. You can also view the attack set profile and DoS ID settings for all of the policies applied within a Sensor. The Customized Attacks option consolidates all user-customized attacks into one section for easy viewing.

To generate an IPS Policy Assignment report for a Sensor, do the following:

Task
1 Click the Manager tab from the Manager Home page.

2 Select <Admin Domain Name> | Reporting | Configuration Reports | IPS Policy Assignments.

3 Select one or more Devices.

Tip
Sensor Policy Configuration Reports can be very long when multiple Sensors are selected. Trellix recommends selecting a single Sensor
for ease of readability.

4 Select one or more of the following based on what information you want to see in the report:

• Reconnaissance Policy

• Exploit/DoS Policy

• IPS Policy Detail

• DoS Detail

• Attack Set Profile Detail

• Recon Attacks

• Customized Attacks

5 Select the Output Format.

6 Click Submit.

Generate IPS Policy Details reports

The IPS Policy Details report provides a detailed view of the IPS policies available for application. This includes any user-created or user-cloned policies. Policy information includes severity, responses, thresholds, notifications, and other information configured for each attack in a policy. You can also view the attack set profile and DoS settings for all of the policies applied within an admin domain.


To generate an IPS Policy Details report, do the following:

Task
1 Click the Manager tab from the Manager Home page.

2 Select <Admin Domain Name> | Reporting | Configuration Reports | IPS Policy Details.

3 Select one or more Policies.

Tip
IPS Policy Reports can be very long when multiple policies are selected. Trellix recommends selecting a single policy for ease of
readability.

4 Select one or more of the following based on what information you want to see in the report:

• IPS Policy Detail

• DoS Detail

• Attack Set Profile Detail

• Customized Attacks — Consolidates all user-customized attacks into one section.

• Recon Attacks — This is enabled only if the selected policy is Trellix Global IDS.

5 Select the Output Format.

6 Click Submit.

Generate IPS Sensor reports

The Physical Sensor report provides information on the current software/signature versions, the status of a Sensor's ports, as
well as configured settings such as non-standard ports.

To generate a Physical Sensor report, do the following:

Task
1 Click the Manager tab from the Manager Home page.

2 Select <Admin Domain Name> | Reporting | Configuration Reports | IPS Sensor.

3 Select one or more Sensors.

Tip
Sensor Reports can be very long when multiple Sensors are selected. Trellix recommends selecting a single Sensor for ease of
readability.

4 Select one or more of the following based on what information you want to see in the report:

• Device Information — Sensor name, Sensor IP address, Sensor up time, and so on.

• Port Configuration — Operation mode, operational status, port speed, and so on.

• Interface Configuration — Traffic type (CIDR, VLAN, dedicated), applied policies, sub-interfaces created, and so on.

• TCP/IP Settings — Settings configured within the <Device Name> | Advanced Settings | TCP/IP action.

• Non-standard Ports — Configured non-standard ports.

• Alerting Options — Alert Suppression Response Action, Packet Log Response Action, Passive Device Profiling, and IPS Event Notification.

• Trellix Intelligent Sandbox Integration — Settings configured within <Device Name> | Settings | Trellix Intelligent Sandbox Integration.

• TIE Integration —

• L2 Switch & SSL Configuration — Layer 2 Pass-Through Monitoring, ARP Spoofing, Layer 2 Pass-Through Status, and SSL Configuration Settings.

• TACACS+ Authentication Settings — Status, Server IP Address(es), and Encryption status.

• NMS Configuration — IP Address, Creation level, and Users.

• Exception Details —

• NTBA Configuration — NTBA Appliance name, Destination IP address, and Destination Port Number.

• CLI Auditing —

• Response Actions — Settings configured within the <Device Name> | Advanced Settings | Response Action.

• Firewall Configuration —

• Quarantine Information — Remediation Portal IP Address, Quarantine Time Interval.

• Layer 7 Data Collection —

• NTP Server Details —

• Performance Monitoring —

5 Select the Output Format.

6 Click Submit.

Generate Manager Report

Manager Report provides a quick view of the notification mail server and/or proxy server settings configured using Manager.

To generate a Manager report, do the following:

Task
1 Click the Manager tab from the Manager Home page.

2 Select <Admin Domain Name> | Reporting | Configuration Reports | Manager.

3 Select the Output Format.

4 Click Submit.
The field descriptions for each table in this report are as follows:
• Notification Mail Server Settings
• Hostname/IP— Hostname or IP address of the mail server.

• From Address for Messages— "From:" address appended to notification emails.

• Login Name— The optional login ID used for mail server access.

• Proxy Server Settings


• Use Proxy Server?— Whether a proxy server is used.

• Proxy Server Name or IP Address— Hostname or IP address of proxy server.

• Port Number— Port number where proxy server receives requests from Manager.

• User Name— Name of the Proxy Server.

• MDR Information For Trellix IPS Manager


• Manager Status— Administrative status of the Manager you are logged on to. "Primary" indicates that the Manager is in active
mode, and "Secondary" indicates that the Manager is in standby mode.

• Out of Band (OOB) Manager to Manager Communication— Whether OOB communication is enabled between
Managers in the MDR pair.

• OOB Peer Manager IP— The IP used for OOB communication by the peer Manager comprising the MDR pair.

• Operation Status— Operational status of the Manager you are logged on to.

• Peer IP Address— Hostname or IP address of the peer Manager.

• Peer Manager Status— Administrative status of the peer Manager.

• Peer Manager Operation Status— Operational status of the peer Manager.

Note
The hostnames and IP addresses for the peer Manager are specified in Manager Disaster Recovery Details page. For information,
see Preparations for Manager Disaster Recovery (MDR) on page 102

• Access Control
• Allow Access to this Web-Based User Interface from— Whether access to the web-based user interface is permitted from
authorized hosts only or from any host.

• Audit Logging for Access Attempts by Authorized Endpoints— Whether access attempts from authorized hosts are audit-logged.

• Audit Logging for Access Attempts by Unauthorized Endpoints— Whether access attempts from unauthorized hosts are audit-logged.

• Authorized Hosts / Networks


• Network— Displays the authorized network.

• Description— Displays the description for the authorized host name.

• Authentication Details
• RADIUS Configuration
• Server Enabled— Displays whether RADIUS is enabled or disabled.

• IP Address— Displays the host name or IP address.

• Port— Displays the configured port.

• LDAP Configuration
• Server Enabled— Displays whether LDAP is enabled or disabled.

• IP Address— Displays the host name or IP address

• Port— Displays the configured port.

• Decryption Enabled— Displays whether decryption is enabled or disabled.

View NTBA Appliance reports

The NTBA Appliance report displays information on the selected NTBA Appliance. Information includes device name, serial
number, port configuration, flow information, general settings, IP settings to the interfaces, exporters settings, SNMP settings,
list of NTBA interfaces, list of inside zones, list of outside zones, and zone elements.

Follow this procedure to view the NTBA Appliance report:

Task
1 Select Manager | <Admin Domain Name> | Reporting | Configuration Reports.

The Configuration Reports page is displayed.

2 Click the NTBA Appliance link.

The NTBA Appliance report page with the configuration options is displayed.

Figure 2-55 NTBA Appliance report page

3 Configure the following:


• Select the device for which you want to generate the report from the Device field.

• Select the required checkboxes against Device Information, Port Configuration, NTBA Configuration, and Zone.

• Select the required Output Format from the Output Format drop-down list.

• Click Submit.

For the selected admin domain, the NTBA Appliance report displays the following device configuration details:
1 NTBA Appliance Information for <Device Name>
a Name

b Model

c Serial Number

d Software Version

e NTBA Appliance Signature Version

f Last Signature Set Update

g IP Address

h Subnet Mask

i Default Gateway

j Uptime

k Last Reboot Time

l Contact Information

m Location

n Gateway Anti-Malware DAT Version

o Gateway Anti-Malware Engine Version

p Anti-Virus DAT Version

q Anti-Malware Engine Version

2 Current NTBA Port Configuration for device <Device Name>:


a Port Settings
a Port #

b Port Type

c Configuration
a Speed

b Duplex

d Administrative Status

e Operational Status

3 Flow Information
a Flow Protocol Supported

4 Proxy Server Settings


a Use Parent Settings?

b Use Proxy Server?

c Proxy Server Name or IP Address

d Port Number

e User Name

5 NTBA General Settings


a Use Global Settings?

b NTBA listening port for flow records

c Enable De-duplication?

6 IP Settings to the NTBA interfaces


a IP Address

b Network Mask

c Gateway IP

7 Exporters
a Name

b IP Address

c Type

d Enabled

e Description

f Flow Type and Version

8 SNMP Settings for exporter


a Use Global settings?

b UDP Port

c SNMP Version

d Read-Only Community String

e SNMP Polling Interval Time

9 List of NTBA-ready Interface


a Enabled

b Name

c External?

d Description

10 Gateway Anti-Malware Engine Updating


a Use Parent Settings?

b Enabled ?

c Update Interval

11 Active Device Profiling


a Enabled?

b Available Zones

c Selected Zones

d CIDR Blocks

e TCP/UDP Ports

f Profiling Frequency Schedule

g Profiling Frequency Days

h Profile Expiration (days)

12 EIA Integration
a Use Parent Settings?

b Enabled ?

c NTBA Listening Port

13 ePO Settings
a ePO Server IP Address

b ePO Server Port

c ePO Server Username

14 Auto Classification Settings


a Automatically Allow Executables Signed by a Trusted Certificate Authority?

b Automatically Allow Executables Found on the GTI Allow List?

c Automatically Block Executables Found on the GTI Block List?

15 Summary of list of inside zones


a Name

b Description

16 Summary of list of outside zones


a Name

b Description

17 Zone elements of inside Zones


a Zone

b Element

c Type

18 Zone elements of outside Zones


a Zone

b Element

c Type

View NTBA Configuration Summary reports

The NTBA Configuration Summary report displays information on NTBA Appliance configuration. The settings include spambot
detection, Manager Presentation, services, collector details, and exporter settings.

Task
1 Select Manager | <Admin Domain Name> | Reporting | Configuration Reports.

The Configuration Reports page is displayed.

2 Click NTBA Configuration Summary link.

The NTBA Configuration Summary report page with the configuration options is displayed.

Figure 2-56 NTBA Configuration Summary report page

3 Configure the following:


• Select the Admin Domain for which you want to generate the report from the drop-down list.

Note
The admin domain selected in the left pane has no effect on the reports generated. Only the Admin Domain drop-down list filters the
reports that are generated.

• Select the Output Format from the drop-down list.

• Click Submit.

For the selected Admin Domain, the NTBA Configuration Summary report is displayed with the following configuration
details:
1 Spambot Detection
a Email Domain

2 Manager Presentation
a The Value of N in Top N lists

b Consider Endpoints/Protocols "New" if Seen for First Time Within (days)

c Consider Endpoints/Protocols "New" if Seen for First Time With Reference Days As (days)

d Consider Endpoints/Protocols "Active" if Seen for First Time Within (days)

3 Services
a Name

b Enabled?

c Service Details

4 Collector Details
a Listen for flow information on UDP Port

b Enable De-duplication

c Primary Name Server

d Secondary Name Server

e Refresh Interval (hours)

5 Exporter Settings
a UDP Port

b SNMP Version

c Read Only Community String

d SNMP Polling Interval Time

Generate Performance Monitoring - Admin Domain Configuration reports

The Performance Monitoring - Admin Domain Configuration report displays the Performance Monitoring configuration made in the
Manager, broken down by admin domain.

Follow this procedure to generate the admin domain report.

Task
1 Click the Manager tab from the Manager home page.

2 Select <Admin Domain Name> | Reporting | Configuration Reports | Performance Monitoring - Admin Domain
Configuration.
The configuration options of the Performance Monitoring - Admin Domain Configuration report are displayed.

3 Select a filter from the Admin Domain drop down list.

Note
The admin domain selected in the left pane has no effect on the reports generated. Only the Admin Domain drop-down list filters the
reports that are generated.

4 Select or clear the checkboxes against Metrics, Thresholds and Display.

5 Select the Output Format.

6 Click Submit.
The Performance Monitoring - Admin Domain Configuration report is generated.

Generate Performance Monitoring - Sensor Configuration reports

The Performance Monitoring - Sensor Configuration report displays information on Sensor configuration settings made in the
Manager.

Task
1 Click the Manager tab from the Manager home page.

2 Select <Admin Domain Name> | Reporting | Configuration Reports | Performance Monitoring - Sensor Configuration.
The configuration options of the Performance Monitoring - Sensor Configuration report are displayed.

3 Select the Sensors to be included against Sensors. Select or clear checkboxes against Metrics and Thresholds.

4 Select the Output Format.

5 Click Submit.
The Performance Monitoring - Sensor Configuration report is generated.

Generate QoS Policy Report

The QoS Policy Report details the configuration information for each port on the Sensor.
To generate a report for the QoS policies, do the following:

Task
1 Click the Manager tab from the Manager Home page.

2 Select <Admin Domain Name> | Reporting | Configuration Reports | QoS Policy.

3 Select a filter from the Admin Domain drop-down list.

Note
The admin domain selected in the left pane has no effect on the reports generated. Only the Admin Domain drop-down list filters the
reports that are generated.

4 Select the QoS Policies and Rate Limiting Profiles.

5 Select the Output Format.

6 Click Submit.

Generate Reconnaissance Policy reports

The Reconnaissance Policy report lets users view the Reconnaissance attack list and the customizations made to the selected
policies. Users can select multiple reconnaissance policies at the same time.

Note
Only Reconnaissance policies visible to the admin domain are shown.

To generate a report displaying all current policies in the Reconnaissance Policy Editor, do the following:

Task
1 Click the Manager tab from the Manager Home page.

2 Select <Admin Domain Name> | Reporting | Configuration Reports | Reconnaissance Policy.

3 Select one or more Reconnaissance Policies.

Tip
Reconnaissance Policy Reports can be very long when multiple policies are selected. Trellix recommends selecting a single policy for ease
of readability.

4 Select one or more of the following based on what information you want to see in the report:
• Customized Attacks— Consolidates all user-customized attacks into one section

• Recon Attacks— This is enabled only if the selected policy is Trellix Global IDS.

5 Select the Output Format.

6 Click Submit.

The Reconnaissance Policy report is generated.

Generate Attack Set Profile reports

The attack set profile report provides a detailed view of the attack set profiles available for the application. This includes any
user-created or user-cloned attack set profiles. Attack set profile information includes severity, responses, notifications, and
other information configured for each Exploit attack, whether from a pre-configured or user-customized attack set profile.

To generate a report displaying all current attack set profiles in the Attack Set Profile Editor, do the following:

Task
1 Click the Manager tab from the Manager Home page.

2 Select <Admin Domain Name> | Reporting | Configuration Reports | Attack Set Profile.

3 Select one or more Attack Set Profiles.

Tip
Attack set profile Reports can be very long when multiple attack set profiles are selected. Trellix recommends selecting a single attack set
profile for ease of readability.

4 Select the Output Format.

5 Click Submit.

Generate Scanning Exception reports

The Scanning Exceptions report provides a detailed view of the scanning exceptions that are configured on the device's VLAN,
TCP, or UDP port. Scanning exceptions information includes the type of exception and the assigned interface.

Task
1 Click the Manager tab from the Manager Home page.

2 Select <Admin Domain Name> | Reporting | Configuration Reports | Scanning Exceptions.

3 Select the Devices.

4 Select one or more exceptions — VLAN, TCP, and UDP.

5 Select the Output Format.

6 Click Submit.

Generate User Activity reports

The Audit report enables you to view the actions performed by Trellix IPS users. Like the user activity audit option, this report
allows you to view the actions of all users or of a single user in one or more admin domains.

Note
You can create report templates and also schedule report generation on a daily or weekly basis for the Audit report.

To generate an audit report, do the following:

Task
1 On the Manager Home page, click the Manager tab.

2 Select <Admin Domain Name> | Reporting | Configuration Reports | User Activity.

3 Select a filter from the Admin Domain drop-down list.

Note
The admin domain selected in the left pane has no effect on the reports generated. Only the Admin Domain drop-down list filters the
reports that are generated.

4 Select whether or not to include audit data from all child domains of the selected domain. (Include All Child Admin Domain
Audit Data)

5 Select "All Users" or a single user to audit. (Select User(s) to Audit)

6 Select one or more Audit Categories. By default, all categories except Unspecified are selected. Audit categories are areas/
resources where users can perform actions. Choose from the following (examples of each provided):
• Unspecified — All actions not covered by the other categories

• Admin Domain — Created an admin domain, generated a system log

• User — Logged into the system, created a user, assigned a role to a user

• Manager — Configured proxy server settings

• Sensor — Configured ports, pushed configuration changes

• IPS Policy — Created a policy, cloned an attack set profile

• Report — Designed a scheduled report template, generated a report

• Update Server — Configured Update Server settings, downloaded software

• System Faults — Deleted Manager- or Sensor-related faults

• Attack Log — Acknowledged alerts, deleted alerts

• NTBA — Reports all the network threat behavior analysis

• FIPS Self Test — Reports all the audits related to FIPS mode crypto activity

• MVM — Reports all the audits related to Vulnerability Manager integration

7 Select Show Details to include detailed audit information in the report output, such as the date and time of each change and
the user who made it.

8 Type the number of audit messages to show. The default is 10 messages. (Show x messages)

9 Select from one of the following time options:


• Up to Current Time — Displays the requested number of most recent messages

• Ending (All messages before this date will be displayed) — Displays the requested number of messages starting from
this time and proceeding backwards

• Select Messages Between These Dates — Select the desired range of dates for activity by a user.

10 Select the Output Format.

11 Click Run Report to start the audit.


• The fields displayed in the audit result are as follows:
• Date — When an action was performed

• Admin Domain — The domain in which the action was performed

• User — Who performed the action

• Attack Category — Audit category, that is, the area or resource where the action was performed

• Action — Short description of the performed action

• Result — Status of the performed action as either "Success" or "Failure"

• Description — Verbose description of the performed action

• The following additional fields are displayed if Show Details is selected:


• Commit Comments — Comments that the user entered before committing the policy changes

• Audit Data Details — Details of the changes made

Generate Version Summary reports

The Version report provides information on the software and signature versions currently loaded on the Manager and on all
devices. Signature set and software versions are released independently and need not match.

To generate a Version Summary report, do the following:

Task
1 Click the Manager tab from the Manager Home page.

2 Select <Admin Domain Name> | Reporting | Configuration Reports | Version Summary.

3 Select the Output Format.

4 Click Submit. The Version Summary report is displayed.


The Version Summary report gives the following details:
• Version Information for Intrusion Prevention System Manager

The field details are described in the following table:

• Trellix IPS Manager Version— Currently running Manager software version.

• Current Signature Set Version— Latest signature version available on the Manager for download to Sensors for policy
enforcement.

Note: The latest signature version may be available on the Manager and not yet loaded to the Sensor.

• Current Callback Detectors Version— Latest version of callback detectors.

• Software Ready for Installation— The Sensor software version last downloaded to the Manager from Trellix IPS Update
Server. This version may or may not have been applied to your devices. Different device platforms may have different
available software versions.

• Device Version Information

The field details are described in the following table:

• Device (Failover Pairs)— Names of Sensors/failover pairs currently deployed.

• Model— Names of the models.

• Signature Set Version— The signature set version loaded and running on a device. The signature version on the device may be
different from the latest available on the Manager.

• Callback Detectors Version— The callback detectors version loaded and running on a device.

• Software Version— The software version loaded and running on a device. The software version on the device may be different
from the latest available on the Manager.

• Gateway Anti-Malware— The current versions of the Gateway Anti-Malware DAT and Engine.

• Anti-Malware— The current versions of the Anti-Malware DAT and Engine.

Generate the Licenses report

The license report lists the Trellix Virtual IPS Licenses, Managed Trellix Virtual IPS Sensors, Proxy Decryption Licenses, Proxy
Decryption License Usage Per Sensor Model, Sensors with missing System Licenses, and System License.

Task
1 In the Manager, go to Manager | <Admin Domain Name> | Reporting | Configuration Reports.

2 Click Licenses.

3 Select the Output Format.

4 Click Submit.

The Licenses report is generated.

Automation of reports
You can schedule reports to be automatically generated and emailed on a daily or weekly basis. You can schedule the IPS
Reports as well as Configuration Reports. This enables convenient and regular forensic analysis of the alerts and user-activity
details.

After a scheduled report is generated, it is emailed to the list of recipients that you specify. The generated report is also
saved on the Manager server for viewing.

Note
The scheduling of reports in the Central Manager is similar to that in the Manager.

Scheduling reports

Click the Manager tab on the Home page and select <Admin Domain Name> | Reporting | Report Automation | Automation
Settings.

The Automation Settings page enables you to do the following:

• Add, edit, or delete a scheduled report template

• Edit report scheduler

You can click Recipient List link to add recipients for a scheduled report.

• State— Displays the state of the report. A green tick mark indicates that the report is enabled. A red cross mark indicates
that the report is disabled.

• Name— Displays the name of the report.

• Report Type— Displays the type of report.

• Last Modified— Displays the date and time of the latest modification made to the report.

• Frequency— Indicates how often the report is generated (Weekly or Daily).

• E-mail To— Displays the email address of the recipient receiving the report.

Add automated reports


You can add a scheduled report template, which lets you schedule a new report that is generated automatically and emailed
regularly. You can schedule a report for any of the IPS Reports and Configuration Reports. When you schedule a report, you
must specify the parameters for the report (for example, Admin Domain and Sensor).

To schedule a report:

Task
1 Click the Manager icon from the Home page.

2 Select <Admin Domain Name> | Reporting | Report Automation | Automation Settings.

The Automation Settings page is displayed.

3
Click .
The Add an Automated Report page is displayed.

The Enable? field is enabled by default.


1 Select the Report Category — IPS Events or Configuration Reports.

2 Select the Report Type. Based on this selection, the template fields change to fit the elements of the selected report.
Only those fields that are common to all report types are described in this section.
• Traditional-IPS Event reports
• Big Movers report

• Executive Summary report

• Reconnaissance Attacks report

• Top N Attacks report

• Trend Analysis report

• User Defined report
• Traditional-Configuration reports
• Attack Set Profile report

• Device Summary Report

• Faults report

• Firewall Policy Definitions report

• IPS Policy Assignment report

• IPS Policy Details report

• IPS Sensor report

• Licenses

• NTBA Appliance report

• NTBA Configuration Summary report

• Performance Monitoring - Admin Domain Configuration report

• Performance Monitoring - Sensor Configuration report

• QoS Policy

• Reconnaissance Policy report

• Scanning Exceptions

• User Activity report

• Version Summary

3 For Configuration reports


• Type a Template Name.

• Type a Description that summarizes the report. The maximum length is 254 characters. This is for future reference.

• Choose a Report Frequency as either Hourly, Daily, Weekly or Monthly. The default is Weekly.

• Select a required Attack Set Profile.

• Select Report Format. The options are:


• PDF Portrait

• PDF Landscape

• Save as HTML

• Save as CSV

For IPS Events

• Type a Template Name.

• Type a Description that summarizes the report. This is for future reference.

• Choose a Report Frequency as either Hourly, Daily, Weekly or Monthly. The default is Weekly.

• Select the Admin Domain.

• Select a device under Sensor:


• Select All Devices to display all devices.

• Select By Device to display individual devices.

• Select the Include Child Admin Domains check box to display all the devices in the child domains (by default the
check box is cleared).

• Attack Severity — Select one or more from the Informational, Low, Medium, or High severities which relate to
attack impact.

• Ranking Basis — Select one of the following:


• Percentage change in attack count

• Change in attack count value

• Direction — Select which direction of change in alert counts to display:
• Upward Movers only

• Upward and Downward Movers

• Downward Movers only

• Maximum Movers — Enter the maximum number of movers to display.

• Comparison Interval — Enter the time period. The time period is in days.

• Select Report Format. The options are:


• PDF Portrait

• PDF Landscape

• Save as HTML

• Save as CSV

Note
The PDF option appears disabled if you had selected the Report Frequency as Monthly.

4 Click Next. The Select Recipients page appears.

5 Select the recipients from the grid.

6 Click Finish.

Add or edit scheduled report settings

When you schedule a report, you set a time and day (for weekly reports) when you want the report to be generated (to
schedule a report, select Reporting | Report Automation | Report Scheduler). The report is then generated on a recurring
basis for the set time/day. The Edit action in the Automation Settings page enables you to enable/disable and set global
generation times for your daily, weekly and monthly reports.

Note
When scheduling weekly and daily reports, make sure to give 2 hours between the times when weekly and daily reports are generated. For
example, if you schedule daily reports to run at 9:00 AM, set your weekly reports to run either before 7:00 AM or after 11:00 AM. This will
save Manager processing cycles.

To modify report schedule settings:

Task
1 Click the Manager tab from the Home page.

2 Select <Admin Domain Name> | Reporting | Report Automation | Automation Settings.

3
Click .

The Report Scheduler page is displayed.

4 Select Yes to enable hourly, daily, weekly or monthly reporting.

Note
Select No and click Save to disable daily, weekly or monthly reporting.

5 Select the Report Generation Time. For Weekly reports, also select the day of the week.
For Monthly reports, select the day of the month. For example, if you configure the monthly scheduler with the date set to 01 and
the hour set to 8:00, the monthly report is generated on the 1st of every month at 8:00 AM.

6 Click Save.

Add recipient lists for a scheduled report

You can maintain a global list of email addresses for all scheduled reports functions. You must add email entries for all
individuals or groups you want to receive scheduled report information. After the email entry is added, you can then apply the
email address to receive a generated scheduled report.

To add a recipient email to the list, do the following:

Task
1 Click the Manager tab from the Manager Home page.

2 Select <Admin Domain Name> | Reporting | Report Automation | Recipient List.

The Recipient List page is displayed.

3
Click .

The Add Recipient page is displayed.

4 Type a First Name, Last Name, and Email address for the new recipient.

5 Select the Language from the list.

6 Click Save. The added recipient and email address appears in the Recipient List table. You can now apply a recipient to a
scheduled report.

View scheduled reports


You can view a list of the reports that are generated and mailed as part of the report scheduling process. Follow these steps to
view the sent reports.

Task
1 Click the Manager tab from the Manager Home page.

2 Select <Admin Domain Name> | Reporting | Report Automation | Automatically-Generated Reports.

The Automatically-Generated Reports page is displayed.

3 Select a sent report and do one of the following:


• Click Email Now to view the recipients list in the Recipient List page. For more information on the Recipient List page, see Add
recipient lists for a scheduled report on page 230.

• Click View in to view the report.

• Click Delete to remove the report.

Configure preferences
You can configure header, footer, output limits, and language from the Manager or Central Manager.

Note
The fields in the Preferences sub-menu in the Central Manager are similar to the ones in the Manager.

Set headers and footers

To edit the header and footer settings:

Task
1 Select Manager | <Admin Domain Name> | Reporting | Preferences | Header and Footer.

2
Click

3 Select Text from the drop down list to add text that you want to display in the report header.

4 Click Edit Logo to change the logo in the header. The Trellix logo is displayed by default.

5 Select the text that you want to display in the report footer. The options are:
• Page Number

• Date/Time

• Text

6 Click Save.

Set language preference

The Language sub-menu allows you to set the language preference.

To set the language preference:

Task
1 Select Manager | <Admin Domain Name> | Reporting | Preferences | Language.

The Language page is displayed.

2 Select a Language from the list.

3 Click Save. The selected language will be applied across all pages.

Configure Output Limits

To edit the output limits settings:

1 Select Manager | <Admin Domain Name> | Reporting | Preferences | Output Limits.

2 Set a limit for Maximum number of records returned per query.

3 Click Save.

Maintenance

Managing your Trellix IPS Manager database

Network security is an ongoing process that requires a long-term plan for archiving and maintaining your database for the
alerts and packet logs generated by your deployed Sensors. Archiving this information is necessary for historical analysis of
alerts that may help you better protect your network in the future.

All sizing estimates are based on tests of various alert/log generation frequencies. Multiple frequency and file size parameters
are offered to help you better prepare your database for long-term maintenance.

As alerts and packet logs gradually accumulate in your database, the disk space allotted to your Trellix IPS processes will
require thoughtful planning and maintenance to keep up with the frequency and size of incoming data. Depending on your
archiving needs, it is essential that you understand the database space required to maintain an efficient system.

One question to ask yourself is: "If my Sensors generate one alert every ten seconds for a year, how much database space will I
need to maintain all of these alerts?"

With that question in mind, the following topics are presented to help you get the most out of Trellix IPS Manager and
database:

• Capacity planning— Ensure that resource requirements are met for optimal performance.

• Database maintenance and tuning— Perform regular database tuning to ensure optimal performance.

• Database backup and recovery— Back up and archive to protect against hardware/software failure.

• Maintenance tab in Manager— File pruning of the generated log data and files.

• Using the Database Admin Tool— A standalone tool for maintaining your Manager database.

Capacity planning for Manager database

One of the first tasks to complete when you are deploying Trellix IPS is the installation and setup of your database. The
database houses the alert and packet log data generated by the Sensors. The integrity and availability of this data is essential to
a complete Trellix IPS experience.

Data archive options

The Archiving option presents actions that enable you to save alerts and packet logs from the database on demand or by a set
schedule.

You can also export archives to your client and restore them on this or another Manager. The procedure for archiving
data for a Sensor and for an NTBA Appliance is similar.

The archiving action for the Sensor and the NTBA Appliance is done from the Manager | <Admin Domain Name> |
Maintenance | Data Archiving option of the Manager tab tree.

Archive alerts and packet logs


The Archive Now action enables you to archive alerts and packet logs on demand into an archival file for future restoration.
This process reads alerts and packet logs for the given time range from the database and writes them into a zip file.

Note
Archive your alerts and packet logs regularly. Trellix recommends that you archive your alert data monthly, and that you discard alert and
packet log information older than 90 days from your database to manage its size. A single archive file can be restored (imported into the
Manager) only if it is no larger than 1 GB. The Manager can produce an archive zip file larger than 4 GB, but such a file cannot be restored.

Archived files smaller than 4 GB are saved locally on the Manager and can be exported to your client.

Task
1 Select Manager | <Admin Domain Name> | Maintenance | Data Archiving | IPS | Archive Now (Manager | Maintenance
| Alerts | Archiving | NTBA | Archive Now for the NTBA Appliance).
The Archive Now page is displayed.

Figure 2-57 Archive Now page


2 Choose one of the following time spans in Time Range:


• A single day (yyyy/mm/dd) — Select alerts and packet logs for a single day in the format yyyy/mm/dd. Default is the
Manager system date.

• Within a specific period (yyyy/mm/dd hh:mm:ss) — Select alerts and packet logs between the begin and end dates in
the format yyyy/mm/dd hh:mm:ss. Default Begin Date is the oldest alert detected time and default End Date is the
Manager system time.

• In the past — Select alerts and packet logs from a point in the past relative to a chosen end time. The span can be
expressed in months, weeks, days (default), or hours. Select the time (yyyy/mm/dd hh:mm:ss) at which the span ends
(default is the Manager system time).

3 Click Start.
When the archival process is complete, the file is saved to <Manager_Install_Dir>\alertarchival.
The file also appears in the Existing Archives page.

Note
The default Manager installation directory is %programfiles%\Trellix\IPS Manager\App.

Figure 2-58 Existing Archives page

You can click an archived file listed in the Existing Archives page to view the details in the Archived File Info page.

4 Optionally, select an archived file in the Existing Archives page and click Export to download that file from the Manager to
your client.

Note
You can import an exported file into another Manager, such as a test Manager.

Schedule automatic archival


The Automated Archival action enables you to set a schedule by which alerts and packet logs are automatically archived.

The scheduled archival process archives alerts and packet logs daily, weekly, or monthly depending on the frequency you
select.

If you choose Weekly and select a day of the week from the drop-down list, the archival begins from the previous week for the
selected day. For example, if you choose Weekly and choose Sunday as the day of the week, logs from the previous Sunday
through Saturday are archived.

If you choose Monthly, the archive frequency is the 1st of every month and the logs for the month are archived.


If you choose Daily, the logs from 00:00:00 through 23:59:59 of the day two days before the run are archived. For example, if
you set the Scheduler to Daily and it runs on 3-Sep, the logs from 1-Sep are archived.

Note
When scheduling archival, set a time when no other scheduled functions (backups, database tuning) are running. The time should be a
minimum of an hour after/before other scheduled actions.

Task
1 Select Manager | <Admin Domain Name> | Maintenance | Data Archiving | IPS | Automated Archival.

The Automated Archival page is displayed.

Figure 2-59 Automated Archival page

2 Select Yes for Enable Automatic Downloading to turn on the scheduling process.

3 Select values for the following under Frequency:


• Daily

• Weekly — Select the day of the week.

• Monthly

• Start Time — Hours: Minutes (24 hour clock)

4 Click Save. Every time the process runs, finished archival is saved to <Manager_Install_Dir>\alertarchival

Note
The default Manager installation directory is %programfiles%\Trellix\IPS Manager\App.

5 Optional:

• Click the reset icon to restore the settings last applied. This is helpful if you started to make changes but forgot what
the last settings were.

• Click View Scheduler Detail to see the present settings for all scheduled processes (including backups, database
maintenance, and file maintenance actions).


How to view scheduled actions

The Report Scheduler action enables you to view the settings for the Archival Scheduler as well as the other schedulers
configurable within the Manager.

Figure 2-60 Report Scheduler page

Export an archive
The Export Archives action enables you to export an archive from the Manager to your client, or to a location reachable by
your client. You can take the exported archival and import (that is, restore) it into another Manager, such as a test Manager.

Task
1 Select Manager | <Admin Domain Name> | Maintenance | Data Archiving | IPS | Export Archives.

The Export Archives page is displayed.

Figure 2-61 Export Archives page

2 Select an archive to export from the list.


3 Click Export.

The File Download window of your client machine is displayed.

4 Click Save to save the file to a location in your client machine.

Restore an archive
The Restore action enables you to restore archived alert and packet log files to the Manager. When restoring an archive to a
target Manager, the archive must be copied to a directory on the target Manager or to a network directory that the Manager can
access. The Restore feature also enables you to filter the alerts in the archive before they are restored.

Note
To import the file in the Manager, make sure the file size is within 1 GB.

Task
1 Select Manager | <Admin Domain Name> | Maintenance | Data Archiving | IPS | Restore Archives.

The Restore page with Restore Archives option and Existing Archives list is displayed.

Figure 2-62 Restore page

2 Do one of the following:


a Click Choose File to locate the archival or enter the absolute path of the archived file and click Restore.

b Select an archival listed under Existing Archives, and then click Restore.

The Restore Filter page is displayed.

Figure 2-63 Restore Filter page

3 Filter alerts by the following parameters:


• Severity — Select one or more severities to keep.

• Result Status — Select one or more results to keep.


• Start Date — Keep only the alerts and packet logs starting from the designated time.

• End Date — Keep only the alerts and packet logs up to the designated time.

4 Click Restore.

Note
Click Restore All to restore all alerts without any filtering.

Note
The Manager only permits 300,000 alerts to be restored at a time when filtering is applied. If your archive contains more than 300,000 alerts,
perform the restoration multiple times. For example, if your archive still contains 750,000 alerts after the filter parameters have been
applied, you must restore three times: 1) 300,000 2) 300,000 3) 150,000.

5 To see the restored alerts in the Attack Log, run a Solr import.

Note
To run solr import, refer to Trellix Intrusion Prevention System Installation Guide.

Tasks
• Delete archives from the Manager on page 238

Delete archives from the Manager

You can delete archives from the Manager.

Task
1 Select Manager | <Admin Domain Name> | Maintenance | Data Archiving | IPS | Restore Archives.

2 Scroll down the page to the list of Existing Archives.

Figure 2-64 Existing Archives page

3 Select an archive and click the delete icon.

4 Click OK to confirm deletion.


Archive alerts using dbadmin.bat


You can archive alerts and packet logs from either the Trellix IPS user interface or from the standalone Database Admin tool.
Using the Database Admin tool avoids placing the additional workload on the Manager server. The archived data is stored in a
.zip file at %programfiles%\Trellix\IPS Manager\App\alertarchival. Data from the following tables is archived:

• iv_alert

• iv_alert_data

• iv_packetlog

Note the following before attempting to archive alerts:

• You can restore alerts only if the major versions of the backed up Manager and the present Manager match. For example, a
backup from Manager 9.1.5.7 can be restored on a Manager version 9.2.3.11 or 9.2.5.6. A backup from Manager 9.2.9.8
cannot be restored on 10.1.7.4.

• You cannot restore alerts of a later version of the Manager on an earlier version of the Manager. For example, you cannot
back up alerts from Manager version 10.1.7.4 and restore it on Manager version 9.2.9.8.

To archive alerts and packet logs using the standalone Database admin tool:

Task
1 Navigate to %programfiles%\Trellix\IPS Manager\App\bin.

2 Execute the dbadmin.bat file. The standalone tool opens.

3 Select Archival | Alert Archival.

Figure 2-65 Database Admin Tools - Alert Archival Settings


4 Specify the time period of the data to be archived either by using the Day Picker or by specifying the start date and time
and the end date and time.

5 Click Archive. When the Archive Confirmation dialog appears, click Yes.


When the process is complete, the archived file is saved to %programfiles%\Trellix\IPS Manager\App
\alertarchival. This file will also be listed in a table when you restore files using this tool or Manager.

Restore alerts using dbadmin.bat


You can restore archived alerts and packet logs from either the Trellix IPS user interface or from the standalone Database
Admin tool. Using the Database Admin tool avoids placing the additional workload on the Manager.

To restore data, the archived file must be on the Manager server or on a computer that the Manager server can access. You can
also filter the data in an archived file and restore only the filtered subset. For example, if an archived file contains data
generated between Jan 1 and Jan 10, you can restore only the data generated between Jan 1 and Jan 5.

To restore alerts and packet logs using the standalone Database Admin tool:

Task
1 Navigate to %programfiles%\Trellix\IPS Manager\App\bin.

2 Execute the dbadmin.bat file. The standalone tool opens.

3 Select Archival | Alert Restore.

Figure 2-66 Database Admin Tools - Archival Alert Restore tab


4 Do the following:
a Click Browse to locate the archival or type the file's absolute path name.

b Select the archived file from the List of Archived Files and then click Restore.

Note
Archived data in the %programfiles%\Trellix\IPS Manager\App\alertarchival are listed under List of Archived Files.

5 Filter the data in the archived file by specifying the start date and time and the end date and time. Only those alerts and
packet logs generated during this time frame are restored from the archived file.

Note
The start date and time and the end date and time displayed by default in this window indicate the time frame of the archived data that
you have selected to restore. Therefore, if you choose the default dates and times, all the data in the archived file will be restored.

6 Click Restore.

7 Enter your database user name and password to complete the restoration process.

Note
The Manager server only permits 300,000 alerts to be restored at a time when filtering is applied. If your archive contains more than
300,000 alerts and you set filter parameters, perform the restoration multiple times. For example, if your archive still contains
750,000 alerts after the filter parameters have been applied, you must restore three times: 1) 300,000 2) 300,000 3) 150,000.

8 To see the restored alerts in the Attack Log, run a Solr import.

Note
To run solr import, refer to Trellix Intrusion Prevention System Installation Guide.

Capacity planning

Every network has slight architectural differences that make each deployment unique. When deploying a network IPS, you must
take into consideration the following factors when planning the capacity of your database:

• Aggregate Alert and Packet Log Volume From All Sensors— What is the volume in your network? A higher volume will
require additional storage capacity.

• Lifetime of Alert And Packet Log Data— How long should you archive an alert? Maintaining your data for a long period of
time (for example, one year) will require additional storage capacity to accommodate both old and new data.

The following subsections provide useful information for determining the necessary capacity for alerts and packet logs in your
database.


Alert Statistics
The Alert Statistics option in Manager displays information that helps you track the historical trend of database space usage
on a weekly and monthly basis, and also the rate at which data is being inserted into your database. By analyzing the trend of
the load factors on your database and your hardware, you can set the threshold for the amount of historical data that you want
to store at any given time.

Figure 2-67 Alert Statistics page

The Manager retrieves and displays the following data from the underlying database:

• Date and Time for the Oldest Alert

• Last Calculated

• Total Count for
  • Alerts
  • Packet Captures

• Average Size of
  • Alerts
  • Packet Captures

• Total Disk Space Used
  • Alerts
  • Packet Captures

• Daily Alerts Rate
  • Past 7 days
  • Past 30 days

• Daily Alert and Packet Capture Disk Usage
  • Past 7 days
  • Past 30 days

These figures are displayed so that you can act in time to avoid performance degradation caused by storage limits or the
volume of data.

Alert and packet log sizes


Alert frequency is the first factor to consider when planning database capacity. This is separate from packet log frequency since
not every alert has an accompanying packet log by default. (Only TCP- and UDP-based attacks generate packet logs by default;
you must manually set packet logging for all other Exploit attacks.)

To help you plan your capacity needs, the following statistics have been determined from lab and live environment testing
(based on 30,000,000 alerts):

• Alert with no packet log = 200 bytes (average)

• Alert with packet log = 650 bytes (average)

Space for packet logs must also be allocated in your database. The frequency of generated logs is typically less than that of
alerts, but a packet log is generally larger in size than an alert. The average size of a packet log is approximately 450 bytes
(based on 30,000,000 logs).

Determine average alert rate-weekly


A good reference point for determining your required database capacity based on the volume of alerts and packet logs is to
find the average alert rate for a week, then multiply by a longer time frame such as 12 weeks, one year (52 weeks), and so forth.
To do this, generate an Executive Summary Report using a one-week time horizon.

Task
1 Click Analysis | Event Reporting | Traditional Reports.

2 From the IPS Events list, select Executive Summary. The Configure Executive Summary Report page is displayed.

3 Fill in the following fields to determine the average weekly alert rate:
• Admin Domain— Select the root admin domain (default).

• Sensor— Select All Devices (default if you have more than one Sensor).

• Attack Severity— Make sure all three severities (Low, Medium, High) are checked. When all three are selected,
Informational alerts are also included.

• Alert State— Select View All Alerts. Both acknowledged and unacknowledged alerts are included for the specified time
frame.

• Attacks— Choose Select Attacks in the past: 1 Week(s). You do not need to adjust the "Ending" time fields.

• Get summary of— You do not have to adjust this field.

• Report Format— Select a view of the report information from the following: HTML, PDF and Save as CSV.

4 Click Run Report once all of the above fields are set.
This report displays your alert data in a presentation-style format (that is, tables and colored pie charts). The first pie chart
details the "Total Alerts Per Sensor." Simply add the totals from each Sensor to determine the amount for one week.


Database sizing requirements


Based on the average alert sizes given above, the following graph and table help you determine the database size required to
store one year of alert data, given the number of alerts your Sensors generate in one week. The table's figures work out to
roughly 640 to 650 bytes per alert, which matches the average for an alert with its packet log, so you can scale them linearly:
one year of storage in GB is approximately alerts per week x 52 x 650 / 10^9.

Note
For comparison, 10,000 alerts per week is a low rate, while 1,000,000 alerts per week is high. If you are generating 1,000,000 alerts per
week, review your applied Trellix IPS policies to confirm that each one is an exact match for the protected network environment; a policy
that is broader than the environment it protects inflates the alert rate.

Note
The following graph and table estimate size based on alerts both with and without associated packet logs. Thus, the size of alert data has
been estimated from both lab and live environments.

Figure 2-68 Database Sizing - Graphical view

Alerts/Week DB Size (One Year) in GB

10,000 0.3

50,000 1.7

100,000 3.3

200,000 6.7

500,000 16.7

1,000,000 33.4

30,000,000 1002

Database alert threshold


By default, the Manager determines alert capacity based on a pre-defined limit of 10,000,000 alerts. When set percentages of
this capacity are reached, a system fault is raised to notify you. System faults are raised at 80-90%, 90-95%, and 95-99% of the
alert capacity to let you know that you are approaching the 10,000,000 alert threshold. You can view and configure this
threshold from the Manager tab's Maintenance menu in the Manager's System Configuration interface, shown in configuration
steps as Manager | <Admin Domain Name> | Maintenance | Database Pruning | Alert Pruning.

Note
This threshold is purely for capacity planning purposes and does not re-configure the size of your database.

Alert Pruning

The Alert Pruning option enables you to manage the database space required for the alerts generated by your Trellix IPS
Sensors. Alert pruning is an important, ongoing task that must be performed for optimal Manager and database performance.
If your database were to grow unchecked with millions of stored alerts, analysis using the Attack Log page or Reports would
slowdown considerably.

The Manager database has a pre-defined alert capacity of 10,000,000 alerts. The Manager generates system fault messages as
your database nears or exceeds this limit, issuing warnings in the 80-90%, 90-95%, 95-100%, and >100% ranges. This value is
purely for capacity planning and is not an actual constraint on your database. You can customize the limit to suit your
capacity needs.

In addition, the Manager uses an open-source search application called Solr, which stores alerts within a flat file. The alert
capacity correlates directly with the amount of memory installed in the Manager server. If you have the minimum memory of
16GB, Solr supports up to 10 million alerts. If you have memory of 32 GB or higher, Solr supports up to 20 million alerts.

Note
Trellix recommends that you delete items, such as alerts and other system-generated files, at scheduled intervals to create more disk space.

Figure 2-69 Alert Pruning page


To plan Manager database capacity, do the following:

Task
1 Select Manager | <Admin Domain Name> | Maintenance | Database Pruning | Alert Pruning.
• Enable Alert Pruning: Select Yes to delete all alerts and packet logs in the database that are older than the number of
days set in Maximum Alert Age for Report Data.
For Alert & Packet Log Data, Trellix strongly recommends entering a large value (such as 90, as 90 days is the default) in
Maximum Alert Age for Report Data. You may want to perform long-term analysis using the information in your
database, and having alerts and packet logs deleted, for example, every 10 days would be detrimental.

Note
The scheduled maintenance deletes all alerts older than the value entered in the Retain Alerts by Max number of days field or
exceeding the alert count specified in the Max Alert Quantity field. This helps you automate database cleaning based on the alert
threshold count.

Note
If, after alerts and packet logs have been deleted by age, the number of alerts still exceeds the threshold, the Manager
continues deleting the oldest alerts until the count falls below the Max Alert Quantity value.

• Set the time (Pruning Start Time: At Hour and Minutes) for the selected day when you want scheduled maintenance to
occur.

2 Type a number greater than or equal to 10,000 in Maximum Alerts to Store in Solr Database (Dashboard Data).

Note
You must set this value depending on the amount of memory in your Manager server. If you have the minimum memory of 16GB, Solr
supports up to 10 million alerts. If you have memory of 32 GB or higher, Solr supports up to 20 million alerts.

3 Do one of the following for Maximum Alerts to Store in Manager Database (Report Data):
• To allocate more disk space for your calculations, type a number greater than 10,000,000 (ten million).

• To allocate less disk space for your calculations, type a number less than 10,000,000.

• To calculate disk space capacity, click Calculate. This calculator has specific fields related to determining the database
allocation space required to maintain your alerts and packet logs.

Do the following in Calculate Maximum Alert Quantity window.


a Type the gigabytes allocated to the database at Desired Disk Space Allocation.

b (Optional) Type an approximate size for each packet log in your database (at Approx Packet Log Size).

c Enter Maximum Alert Quantity.


d Click Calculate. The number of alerts your database can maintain is listed in the # of Alerts field.

e (Optional) Click Clear to start a new calculation.

Figure 2-70 Calculate Maximum Alert Quantity dialog

4 Type the age of the alerts that can be deleted (Maximum Alert Age for Report Data).

5 Do one of the following:

• Click Save to save your changes.

• Click the reset icon to revert to the previously saved values, discarding any current changes.
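The sizing table above and the Calculate Maximum Alert Quantity dialog both reduce to the same arithmetic. The following helpers, an added example and not Trellix code, put that arithmetic in one place so you can check a proposed Maximum Alert Age for Report Data and Maximum Alerts to Store against your measured weekly alert rate before saving the Alert Pruning settings. The per-alert sizes, the 52-week year and the 10,000,000 alert planning threshold come from this guide; the inverse calculation in max_alerts_for_disk() (disk allocation and packet log size to an alert count) is an assumption about what the dialog computes, and the warning bands in fault_band() follow the ranges listed under Alert Pruning.

```python
"""Capacity-planning helpers based on the sizing figures in this guide.

Added example, not Trellix code. Constants are the guide's measured averages
(200-byte alert, 450-byte packet log, 650 bytes for an alert with its log),
a 52-week year and the 10,000,000-alert planning threshold. The formula the
"Calculate Maximum Alert Quantity" dialog uses is not given in the guide;
max_alerts_for_disk() is an assumed reconstruction of it.
"""
import math

ALERT_BYTES = 200            # average alert without packet log (guide figure)
PACKET_LOG_BYTES = 450       # average packet log (guide figure)
ALERT_WITH_LOG_BYTES = 650   # average alert with packet log: 200 + 450
WEEKS_PER_YEAR = 52
DEFAULT_THRESHOLD = 10_000_000
GB = 10**9                   # the guide's table is in decimal gigabytes


def annual_db_size_gb(alerts_per_week, bytes_per_alert=ALERT_WITH_LOG_BYTES, years=1.0):
    """Database space needed to keep `years` of alerts at a steady weekly rate.

    With the default per-alert size this reproduces the guide's sizing table
    to within about 2%.
    """
    return alerts_per_week * WEEKS_PER_YEAR * years * bytes_per_alert / GB


def max_alerts_for_disk(disk_gb, packet_log_fraction=1.0, packet_log_bytes=PACKET_LOG_BYTES):
    """Assumed inverse of the sizing calculation (what the Calculate dialog does):
    how many alerts fit in `disk_gb` when `packet_log_fraction` of them carry a
    packet log of `packet_log_bytes`. The default assumes every alert has a
    packet log; only TCP/UDP attacks log packets by default, so lower the
    fraction if your policies leave other exploits without packet logging.
    """
    per_alert = ALERT_BYTES + packet_log_fraction * packet_log_bytes
    return int(disk_gb * GB // per_alert)


def weeks_until_threshold(alerts_per_week, threshold=DEFAULT_THRESHOLD):
    """Weeks of unpruned growth before `threshold` alerts are stored."""
    return math.ceil(threshold / alerts_per_week)


def retention_days_for_threshold(alerts_per_week, threshold=DEFAULT_THRESHOLD):
    """Largest whole-day Maximum Alert Age that, by age-based pruning alone,
    keeps the report store at or below `threshold` alerts. Integer arithmetic
    so an exact fit (70 days at 1,000,000/week) is not lost to rounding."""
    return threshold * 7 // alerts_per_week


def fault_band(alert_count, threshold=DEFAULT_THRESHOLD):
    """Warning band in which the guide says a system fault is raised, or None."""
    pct = 100.0 * alert_count / threshold
    if pct < 80:
        return None
    if pct < 90:
        return "80-90%"
    if pct < 95:
        return "90-95%"
    if pct <= 100:
        return "95-100%"
    return ">100%"


def plan(alerts_per_week, disk_gb, threshold=DEFAULT_THRESHOLD):
    """Summary worth checking before filling in the Alert Pruning fields."""
    return {
        "one_year_gb": round(annual_db_size_gb(alerts_per_week), 1),
        "alerts_that_fit": max_alerts_for_disk(disk_gb),
        "weeks_to_threshold": weeks_until_threshold(alerts_per_week, threshold),
        "max_age_days_for_threshold": retention_days_for_threshold(alerts_per_week, threshold),
    }


if __name__ == "__main__":
    for rate in (10_000, 100_000, 1_000_000):
        print(rate, plan(rate, disk_gb=20))
```

For example, at 1,000,000 alerts per week the 10,000,000 threshold is crossed after 10 weeks of unpruned growth, so Maximum Alert Age for Report Data must be 70 days or less if age-based pruning alone is to keep the report store under the default threshold; with the 90-day default, the Max Alert Quantity pruning described above is what actually bounds the store.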

Tasks
• Delete alerts and packet logs from the database using purge.bat on page 247

Delete alerts and packet logs from the database using purge.bat
An alternative to the Alert Pruning action for deleting alerts and packet logs is to delete them with purge.bat. To do this,
perform the following steps:

Task
1 Stop the Manager service.
Follow one of these methods to stop the Manager service:
• Right-click on the Manager icon at the bottom-right corner of your server and stop the service.

• Select Windows Control Panel | Administrative Tools | Services. Then right-click on Trellix IPS Manager and select Stop.

2 Do one of the following:


• Open your Trellix IPS installation folder and run <Manager_Install_Dir>\bin\purge.bat

Note
The default Manager installation directory is %programfiles%\Trellix\IPS Manager\App.

• Open a command prompt and run <Manager_Install_Dir>\bin\purge.bat

Note
Purge.bat also has the option to remove records flagged for deletion. This can significantly increase the amount of time it takes to finish,
depending on the size of the database.


3 Answer the following questions:


a Is the Manager Down or Off-Line (Y/N)?

Note
The Manager service must be stopped before you run purge.bat. If the service is still running, the purge does not continue.

b Do You Wish To Perform DB Tuning After The Purge Operation (Y/N)?

Tip
You can perform DB tuning separately from the purge operation.

Alert and packet log data


a Enter the Number of days of Alerts and Packet Log data to be preserved. For example, to delete alerts/packet logs older
than 90 days, type 90.

b Enter the Number of Alerts to be preserved.

c You Are About To Delete Alerts And PacketLog Data Older Than X Days. Type Y to continue.

d Do You Wish To Purge Alerts / Packet Logs That Have Been 'Marked For Delete' Through The Attack Manager? Type Y to
continue

Host event data


a Number of days of Host Event data to be preserved

b Number of Host Entries to be preserved

c You Are About To Delete Host Event Data Older Than X Days. Type Y to continue.

d If The Number of Remaining Hosts Is Still More Than XXX, Deletion Will Be Continued Until It Reaches XXX. Type Y to
continue.

e Do You Wish To Purge Performance Monitoring Data [Y/N]. Type Y to continue.

Sensor performance data


a Number of days of Raw performance data to be preserved

b Number of days of Hourly performance data to be preserved

c Number of days of Daily performance data to be preserved

d Number of weeks of weekly performance data to be preserved

e Number of months of monthly performance data to be preserved

f You Are About To Delete Raw Performance Data Older Than X Days, Hourly Data Older than X Days, Daily Data Older
than X Days, Weekly Data Older Than X Weeks, Monthly Data Older Than X Months. Are you sure you want to proceed
(Y/N): Type Y to delete.

Application Visualization data


a Number of days of Raw Application Visualization data to be preserved

b Number of days of Hourly Application Visualization data to be preserved

c Number of days of Daily Application Visualization data to be preserved


d Number of weeks of weekly Application Visualization data to be preserved

e Number of months of monthly Application Visualization data to be preserved

f You Are About To Delete Raw Application Visualization Data Older Than X Days, Hourly Data Older than X Days, Daily
Data Older than X Days, Weekly Data Older Than X Weeks, Monthly Data Older Than X Months. Are you sure you want to
proceed (Y/N): Type Y to delete.

4 Restart the Manager service when the purge completes.

Database backup and recovery

Protecting your database against hardware and software failures is essential for ensuring the availability and integrity of
configuration and/or forensic data. Trellix IPS provides backup functionality under the Manager | <Admin Domain Name> |
Maintenance | Database Backup within the Trellix IPS Manager Configuration page, or through a standalone tool called the
"Database Backup and Restore Tool" (%programfiles%\Trellix\IPS Manager\App\bin\dbadmin.bat).

Note
You can also use dbbackup.bat to back up and restore data. However, Trellix strongly encourages you to use dbadmin.bat for all your
database administration tasks.

In the Manager, backups can be run on a set schedule (Automation) or on demand (Now). The standalone tool can also perform
backups, and it is the only place where a backup can be restored.

When performing a backup, you can back up the following tables (Backup Types):

• All Tables — Back up all information, including configurations, alerts, and audits. This option is not enabled by default due
to disk space consideration. When backing up All Tables, use the Now action.

Tip
Saving your All Tables settings monthly is strongly recommended.

• Config Tables — Back up only the tables that hold configuration information. This option is enabled by default and runs
every Saturday night; the schedule is set within the Schedule action.

Tip
Saving your configuration settings weekly is strongly recommended.

• Audit Tables — Back up only the audit information on user activity and alerts. Backing up this data is useful for offline
analysis. This option is not enabled by default. Use the Now action.

• Event Tables — Back up only information on alert, packetlog, host and Sensor performance events.

• Trend Tables — Back up only information on trend patterns (daily, weekly, monthly) of alerts and Sensor performance
events. The backup also includes the first-seen attack statistics.

Database archival
Archiving your database is also recommended as protection against hardware and software failures. Once saved, the archive is
available for later retrieval, including by third-party tools such as Crystal Reports.

Note
An archived database can be sent to Technical Support in the event of database issues.


Trellix recommends archiving your database to one of the following, for added redundancy of system data and to save Manager
server disk space:

• A network-mapped drive

• CD-ROM/DVD-ROM

• Multi-disc RAID storage on the Manager server

• Database replication

• Secure FTP

Protecting your backups


To ensure the availability of a backup, Trellix recommends testing backup restoration on a staging or non-production Manager
server on a regular basis.

To ensure the integrity of backups, Trellix recommends creating a digital "fingerprint" of every backup file with a one-way hash
function such as MD5 or SHA-1 so that tampering can be detected. Note that MD5 and SHA-1 are no longer collision resistant;
prefer SHA-256. Also keep the fingerprints (or a keyed MAC or signature over them) somewhere that a party able to modify the
backup cannot also modify, because an unkeyed hash stored beside the file detects only accidental corruption.

The following are general rules for protecting your backups:

• Avoid creating additional database user accounts.

• Block remote access to the database.

• Restrict access to physical data files in the database install directory.
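The fingerprinting recommendation above, and the same point in the backup and restore best practices later in this section, can be implemented as a small manifest tool. The following is an added example, not Trellix code: it hashes each backup file with SHA-256 in chunks (so a multi-gigabyte All Tables backup is not read into memory at once), then seals the whole manifest with an HMAC under a key that is kept on the verifying host rather than on the Manager. The file names, contents and key in demo() are constructed for the demonstration; nothing here reads a real backup. The demo shows why the HMAC matters: an attacker who edits a backup and recomputes the plain SHA-256 stored next to it passes the hash check but fails the HMAC check.

```python
"""Tamper-evident fingerprints for backup files.

Added example, not Trellix code. Uses SHA-256 per file plus an HMAC over the
manifest; the key must live off the Manager host (for example on the
workstation that verifies and restores), otherwise anyone who can rewrite
the backup can rewrite the fingerprint too. All file names, contents and the
key used in demo() are constructed for the demonstration.
"""
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large backups are not loaded whole


def sha256_file(path):
    """Streaming SHA-256 of a file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, key):
    """Map each file name to its SHA-256, then seal the map with an HMAC."""
    files = {os.path.basename(p): sha256_file(p) for p in sorted(paths)}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(manifest, directory, key):
    """Return the list of problems found; an empty list means everything checks out."""
    problems = []
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        problems.append("manifest HMAC mismatch: manifest altered or wrong key")
    for name, digest in manifest["files"].items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            problems.append(f"{name}: missing")
        elif not hmac.compare_digest(sha256_file(path), digest):
            problems.append(f"{name}: SHA-256 mismatch")
    return problems


def demo():
    """Constructed scenario: a clean check, a naive edit, and a forged manifest."""
    key = b"constructed-demo-key-keep-it-off-the-manager"
    with tempfile.TemporaryDirectory() as d:
        names = ["alertarchive_2022-01.zip", "config_tables.sql"]  # constructed names
        paths = [os.path.join(d, n) for n in names]
        for p in paths:
            with open(p, "wb") as f:
                f.write(os.urandom(4096))  # constructed backup contents
        manifest = build_manifest(paths, key)
        results = {"clean": verify_manifest(manifest, d, key)}

        # Attacker edits a backup but leaves the manifest alone: SHA-256 catches it.
        with open(paths[1], "ab") as f:
            f.write(b"-- injected\n")
        results["naive"] = verify_manifest(manifest, d, key)

        # Attacker also recomputes the plain hash: only the HMAC catches it.
        forged = {"files": dict(manifest["files"]), "hmac": manifest["hmac"]}
        forged["files"]["config_tables.sql"] = sha256_file(paths[1])
        results["forged"] = verify_manifest(forged, d, key)
        return results


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario, problems or "OK")
```

Run the manifest step as part of the scheduled backup, copy the manifest to the off-box location together with the backup, and run verify_manifest() before every restore rehearsal on the staging Manager; a non-empty result means the backup must not be trusted.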

Backing up data and settings


The Database Backup menu enables you to back up your Trellix IPS data on-demand or by a set schedule. Regularly backing up
your data (alerts, saved reports, logs) and configuration settings is strongly recommended to maintain the integrity of your
system.

Note
Restoration of stored data must be performed using the standalone Database Admin tool. This tool is explained in this section.

The Database Backup menu and the standalone tool provide the following functions:

• Backing up your Manager data— Save your data to your Manager server, a network server, or a device such as a zip drive.

• Automating a backup for your Manager— Set a frequency for backing up the Manager data.

• Using the Database Admin Tool— Backup and restore via the standalone Database Admin tool.
  • Backing Up Using the Database Admin Tool
  • Restoring Data Using the Database Admin Tool

Note
Before an All Tables or Audit Tables backup, it is recommended that you shut down the Manager. Therefore, Trellix recommends
using the standalone Database Admin tool rather than your Manager for such backups.

Note
Data restore can only be performed using the standalone tool.

250 Trellix Intrusion Prevention System 10.1


2 | Manager Administration

Backup and restore best practices

Note the following suggestions for successful backup and restore of Trellix IPS data:

• Protect your backups from tampering by creating a digital fingerprint of the file using a hash function such as MD5 or
SHA-1 (preferably SHA-256), and store the fingerprint separately from the backup file.

• Back up your configuration data after major changes, such as created admin domains, Sensor addition, port configuration,
and policy additions/modifications.

• The All Tables and Audit Tables options can be rather large in size, depending upon the amount of alert data in your
database. Trellix recommends saving these types of backups to an alternate location, preferably an alternate system.

• When scheduling backups, set a unique time when no other scheduled functions (archivals, database tuning) are running.
The time should be a minimum of an hour after/before other scheduled actions.

• When restoring your data, note that all related table information in the database is overwritten. For example, restoring a
Config Tables backup overwrites all current information in the configuration table of the database. Thus, any changes not
backed up are erased in favor of the restored backup.

• While a MariaDB backup is performed, the tables being backed up are placed in a READ LOCAL LOCK state. New records can
be inserted in these tables while the backup is in progress, although these new records will not show up in the backup.
However updates/modifications of existing records are not allowed during the backup. While a backup is in progress, you
will not be able to perform the following activities:
• Modify the configuration

• Acknowledge and delete alerts

• Acknowledge and delete faults

• Add audit log entries

• Purge the alert and packet logs

• Perform database tuning.

• New alerts and packet logs will continue to be added to the database during the backup.

• In case of problems during database backup or restore, try after you complete the following tasks:
• Exclude the following MariaDB directories from anti-virus scanning:
• data

• innodbdata

• Create a new directory, for example c:\mariadbtmp, to act as the temporary directory for the database. If the system has
multiple physical disks, Trellix recommends that you create this directory on a drive different from the one where Trellix IPS
and MariaDB are installed, to spread the load effectively.

• Include the following entry in the %programfiles%\Trellix\IPS Manager\MariaDB\my.ini file under [mariadbd]
section: tmpdir=c:/mariadbtmp

• Restart both Trellix IPS and MariaDB services.
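The fingerprint advice in Protecting your backups and in the first item of this list leaves the mechanics to you. The following Python script is an added example, not Trellix code: it builds a SHA-256 manifest of the backup artefacts in a directory and binds the manifest with an HMAC whose key is kept off the Manager, so that a backup altered after the fact, or a manifest regenerated by someone who does not hold the key, is detected. The file patterns, the demo key and the sample files are constructed for the example.

```python
"""Tamper-evident fingerprints for Manager backup files.

Added example; this is not Trellix code. It hashes every backup artefact
(the .zip/.xml pairs the Back Up Now page writes; the patterns are an
assumption) with SHA-256 and binds the whole manifest with an HMAC whose key
is kept off the backup host. A bare hash file beside the backup only catches
accidental corruption: whoever can rewrite the backup can rewrite the hash.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads; All Tables backups can run to many GB


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(backup_dir: Path, patterns=("*.zip", "*.xml")) -> dict:
    """Relative file name -> SHA-256 hex digest for every backup artefact."""
    return {p.name: sha256_file(p)
            for pat in patterns for p in sorted(backup_dir.glob(pat))}


def _canonical(entries: dict) -> bytes:
    # Canonical encoding so the HMAC covers exactly what verify re-encodes.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(entries: dict, key: bytes) -> dict:
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"files": entries, "hmac_sha256": tag}


def verify_manifest(backup_dir: Path, manifest: dict, key: bytes) -> list:
    """Return a list of findings; an empty list means everything checks out."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac_sha256"]):
        # Do not trust any digest in a manifest that fails its own check.
        return ["manifest HMAC mismatch (manifest altered, or wrong key)"]
    findings = []
    for name, digest in manifest["files"].items():
        p = backup_dir / name
        if not p.exists():
            findings.append(f"{name}: missing")
        elif sha256_file(p) != digest:
            findings.append(f"{name}: content changed")
    return findings


def demo() -> dict:
    """Run three scenarios on constructed files in a temporary directory."""
    key = b"constructed-demo-key-store-the-real-one-elsewhere"
    with tempfile.TemporaryDirectory() as d:
        bdir = Path(d)
        archive = bdir / "backup_01-10-03.zip"
        archive.write_bytes(b"constructed backup payload")
        (bdir / "backup_01-10-03.xml").write_text("<description>demo</description>")
        manifest = sign_manifest(build_manifest(bdir), key)
        clean = verify_manifest(bdir, manifest, key)
        # Scenario 2: the archive is altered after the manifest was taken.
        archive.write_bytes(b"constructed backup payload, altered")
        tampered = verify_manifest(bdir, manifest, key)
        # Scenario 3: the attacker also regenerates the manifest, but lacks the key.
        forged = sign_manifest(build_manifest(bdir), b"guessed-key")
        forged_result = verify_manifest(bdir, forged, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result or 'OK'}")
```

Run it from the restore host against a copy of the Backups folder, and keep the signed manifest and the HMAC key with the staging Manager you use for test restores rather than in the backup directory itself. When verify_manifest returns an empty list the test restore can proceed; any finding means the file is not the backup that was taken.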

Back up your Manager (or Central Manager) data

You can back up your Manager data to your Manager server, or another media connected to your Manager, such as a tape
drive. The backup file is saved by default within the Manager program installation folder at <Manager_Install_Dir>\App\Backups.

The above is applicable to Trellix IPS Central Manager as well.


To back up your Manager data using Manager server:

Task
1 Select Manager | <Admin Domain Name> | Maintenance | Database Backup | Back Up Now.

Figure 2-71 Back Up Now page

Note
To backup your Central Manager data, select Manager | Maintenance | Database Backup | Back Up Now. The fields displayed are
similar to that of Manager described below.

2 Select one of the following Type choices.


• All Tables— Provides backup for the entire database, that is, all configurations, user activity, and alert information.

• Audit Tables— Provides backup information related to user activity and Manager Health Status.

• Config Tables— Provides backup for the Manager configuration.

• Event Tables— Will backup alert, packetlog, host and Sensor performance events.

• Trend Tables— Will backup the trend patterns (daily/weekly/monthly) of alerts and Sensor performance events. The
backup also includes the first-seen attack statistics.

Caution
Do not make modifications to existing database records while doing an All Tables or Audit Tables backup, since such modifications
are not allowed while a backup is occurring.

3 Type a Target File Name. You can use alphanumeric characters including hyphens and underscores (for example,
backup_01-10-03).

4 (Optional) Type a location different from the default to be your Alternate Target Backup Directory.


5 (Optional) Type a description of your backup in Description.

6 Click Start.
After a few moments, the following message appears: "Successfully backed-up data." The backup information appears in
the List of Previous Backups. At the backup location, an XML file with the backup file name contains the description entered
in the Details field.

Note
Previous backups can be exported to a desired location by selecting the radio button against the backup in the Previous Backups list and
clicking the Export button. The selected backup in the Previous Backups list can be deleted using the delete button.

Automate backup of your Manager (or Central Manager) data

The Automated Backups option enables you to schedule the backup of your system configuration. Setting a schedule also
allows you to work on other configurations without having to worry constantly about manually saving your work. Scheduled
backups are saved by default to your installation folder:

<Manager_Install_Dir>\App\Backups\ScheduledBackups.

Note
By default, your Config Tables are scheduled for backup every Sunday at 0 Hrs 5 Min. Each scheduled backup is saved to the default
scheduled backup folder.

To schedule a backup, do the following:

Task
1 Select Manager | <Admin Domain Name> | Maintenance | Database Backup | Automated Backups.

Note
To run the database backup automation for your Central Manager data, select Manager | Maintenance | Database Backup |
Automated Backups. The fields displayed are similar to that of Manager described below.

Default Target Backup Directory: displays the location of the backup directory.

2 Yes is selected by default at Schedule a Backup?. Select No at any time to turn off the scheduled backup.


3 Select a backup Frequency:


• Daily— Select the daily time to backup.

• Weekly— Select the day and time to backup.

Note
If you want an immediate backup of Manager data, perform the Back Up Now action.

Note
You can click View Scheduler Detail to see when processes are scheduled. These processes can include data backups, database
maintenance, and file maintenance actions. Based on this information, you can choose an appropriate time for the backup you are
currently scheduling.

4 Start Time — Set the time (Hour and Minutes)

5 Select the backup Type from the following:

Note
You can only set a schedule for one backup Type at any given time.

• All Tables— All configuration, audit and alert information.

• Audit Tables— Backup information related to user activity and Manager Health Status.

• Config Tables— Only the table data for the Manager configuration.

• Event Tables— Information on alert, packet log, host and Sensor performance events.

• Trend Tables— Trend patterns (daily/weekly/monthly) of alerts and Sensor performance events. The backup also
includes the first-seen attack statistics.

Caution
Do not make modifications to existing database records while doing an All Tables or Audit Tables backup since such modifications
are not allowed.


6 (Optional) Type the location of the Alternate Target Backup Directory if different from the default directory.

7 Click Save.

Figure 2-72 Back Up Scheduler

Database maintenance and tuning

Once you have determined the necessary database capacity for archiving your alerts and packet logs, as well as other Trellix IPS
generated logs and files, you should consider a maintenance plan that keeps your database performing at an optimal level.
Deleting old, unwanted alerts, packet log entries, and other files (for example, backups, saved reports) ensures adequate
capacity for future data.


For database maintenance, Trellix IPS offers two solutions:

• File pruning action (Manager | <Admin Domain Name> | Maintenance | Database Pruning | File and Database Pruning)
enables you to set a schedule by which Trellix IPS generated logs and files are deleted from the Manager and the
database. File pruning allows you to delete Trellix IPS data that has reached a set age (number of days old). Data is deleted
according to a weekly schedule, which must be enabled (Enable File and Database Pruning?) and given a day (Recur every)
and a Start Time (24-hour clock) to operate.
If you plan to use Alert Pruning (Manager | <Admin Domain Name> | Maintenance | Database Pruning | Alert Pruning)
to delete alert and packet log data, Trellix recommends entering a value such as 90 (as in 90 days) in the Maximum
Alert Age for Report Data field. This allows for long-term analysis of alerts and packet logs without overburdening your
database with millions of records, which may affect long-term and overall database performance. With the value set to 90
days, all alerts and packet logs older than 90 days are deleted at the scheduled time every day.

Suppose you set a value of 90 days for the Maximum Alert Age for Report Data field and a value of 10000 for the
Maximum Alerts to Store in Solr Database (Dashboard Data) field. Then at the scheduled time, Manager deletes all alerts
that are older than 90 days and then checks if the number of alerts and packet logs is less than or equal to 10000. If it is
more than 10000, it deletes the oldest alerts and packet logs until the number is less than or equal to 10000.

You can also delete alerts in the Attack Log. This, however, only marks the alerts for deletion in the database. To permanently
delete them, use the DB Purge feature of the dbadmin.bat utility or the purge.bat utility. The scheduled alert and packet log
purge that runs as part of Alert Pruning (Manager | <Admin Domain Name> | Maintenance | Database Pruning | Alert Pruning)
has no effect on alerts marked for deletion, and deleting them is a time-consuming process. Therefore, to remove marked
alerts that are younger than the age specified in the Maximum Alert Age for Report Data field, you must run dbadmin.bat or
purge.bat and delete them manually. Note also that the Manager has to be stopped to run dbadmin.bat.

Note
Entering a very large value (such as 500, as in 500 days) is not recommended due to the capacity required to archive 500 days worth of
alerts. Your requirements will determine the number of days you need to maintain alerts. If you must keep alerts for several hundred
days, ensure that you have the necessary hard drive space on your Manager server, or back up your alert tables regularly.

Tip
You can use the purge.bat utility or the dbadmin.bat utility for alert and packet log data maintenance. Thus, if possible, do not schedule disk
space maintenance with respect to alert and packet logs.

• Purge.bat utility: Provided with your Manager installation is the alert and packet log data maintenance utility named
purge.bat (%programfiles%\Trellix\IPS Manager\App\bin\purge.bat). This utility enables on-demand deletion of
alerts and packet log data from your database. Alerts and packet logs can be deleted that are older than a specified number
of days. Using purge.bat, you can automatically start the database tuning utility, dbtuning.bat, immediately after the purge
is completed. This utility ensures your database is properly maintained for optimal continued use.
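The text above describes two independent mechanisms, the scheduled Alert Pruning job (age limit first, then the Solr count cap applied to the oldest rows) and the offline purge of rows merely marked in the Attack Log, and the order of operations matters. The following Python model is an added example, not Manager code, run over a constructed list of alerts; the record layout and the marked flag are assumptions made for the illustration.

```python
"""Model of the two-stage Alert Pruning rule and the separate offline purge.

Added example, not Manager code. It applies the documented order of
operations (age limit first, then the Solr count cap on the oldest rows) to a
constructed list of alerts, and separates that scheduled job from the offline
purge that dbadmin.bat/purge.bat perform on rows marked for deletion in the
Attack Log. The "marked" flag and the record layout are assumptions.
"""
from datetime import datetime, timedelta

NOW = datetime(2024, 6, 1)  # constructed reference time for the sample data


def make_alert(alert_id: str, age_days: int, marked: bool = False) -> dict:
    return {"id": alert_id, "time": NOW - timedelta(days=age_days), "marked": marked}


# Constructed sample: a1..a8 in order of age; a9 was deleted in the Attack Log.
SAMPLE = [
    make_alert("a1", 100), make_alert("a2", 95), make_alert("a3", 50),
    make_alert("a4", 40), make_alert("a5", 30), make_alert("a6", 20),
    make_alert("a7", 10), make_alert("a8", 5), make_alert("a9", 60, marked=True),
]


def scheduled_prune(alerts: list, now: datetime, max_age_days: int, max_count: int):
    """Return (remaining_alerts, ids_deleted_by_age, ids_deleted_by_count)."""
    cutoff = now - timedelta(days=max_age_days)
    # Rows already marked for deletion are untouched by the scheduled job
    # (assumption drawn from the guide: Alert Pruning has no effect on them).
    marked = [a for a in alerts if a["marked"]]
    live = [a for a in alerts if not a["marked"]]
    # Stage 1: everything strictly older than the age limit goes.
    by_age = [a for a in live if a["time"] < cutoff]
    survivors = sorted((a for a in live if a["time"] >= cutoff), key=lambda a: a["time"])
    # Stage 2: if the cap is still exceeded, drop the oldest until it is not.
    overflow = max(0, len(survivors) - max_count)
    by_count, kept = survivors[:overflow], survivors[overflow:]
    return kept + marked, [a["id"] for a in by_age], [a["id"] for a in by_count]


def offline_purge(alerts: list):
    """The dbadmin.bat/purge.bat step: physically remove rows marked in the Attack Log."""
    remaining = [a for a in alerts if not a["marked"]]
    purged = [a["id"] for a in alerts if a["marked"]]
    return remaining, purged


if __name__ == "__main__":
    remaining, by_age, by_count = scheduled_prune(SAMPLE, NOW, max_age_days=90, max_count=4)
    print("deleted by age:  ", by_age)
    print("deleted by count:", by_count)
    print("still present:   ", [a["id"] for a in remaining])
    final, purged = offline_purge(remaining)
    print("purged offline:  ", purged)
```

With a 90-day limit and a cap of 4, the scheduled job removes a1 and a2 for age and then a3 and a4 for count, while the marked alert a9 survives it; that is the reason the text above insists on dbadmin.bat or purge.bat for those rows. Set the cap higher than the number of survivors and the second stage deletes nothing.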

Database tuning
Over time, a relational database can experience performance issues if the data is not re-tuned on a recurring basis. By regularly
diagnosing, repairing, and tuning your database internals, you can ensure optimal database performance. Trellix provides a set
of Manager interface options (Manager | <Admin Domain Name> | Maintenance | Database Tuning) and a standalone utility,
called dbadmin.bat, to maintain database performance.

Note
You can also use dbtuning.bat to tune your Trellix IPS database. However, Trellix strongly encourages you to use dbadmin.bat for all your
database administration tasks.


The database tuning feature does the following:

• Defragments tables where rows/columns are split or have been deleted

• Re-sorts indexes

• Updates index statistics

• Computes query optimizer statistics

• Checks and repairs tables

Perform database tuning on your Manager server on a regular basis (at least once a month). Completion time depends on the
number of alerts/packet logs in the database and the performance of your Manager server's physical hardware platform.

Note
When you perform off-line database tuning, you must shut down the Manager service for proper performance. Trellix recommends
scheduling this downtime for whenever you plan to re-tune the database. Your Sensor can continue to operate and generate alerts because
of built-in alert buffers.

Tuning the Manager database


The Manager | <Admin Domain Name> | Maintenance | Database Tuning options provide actions to schedule or initiate
tuning of the database.

Trellix recommends tuning your database once per month at a minimum. For optimal performance, tuning once a week
provides best results.

Tip
Ensure at any point of time the free space available in the database directory is at least one and a half times that of the maximum size
occupied by a table (generally Event Tables and Trend Tables).

Viewing current database tuning status

The Tuning Status option (Manager | <Admin Domain Name> | Maintenance | Database Tuning | Tuning Status) provides
the current database tuning operation status for the Manager or Central Manager.

For the Central Manager, tuning status can be viewed from Manager | Maintenance | Database Tuning | Tuning Status.

This dialog box displays one or more of the following:

• Start Time— The time in-progress tuning started.

• Status— Displays if tuning has yet been initiated, is in progress, or is idle.

• End Time of Latest Tuning— Time when database was last tuned.


Clicking the refresh button updates the dialog with the latest status (so if another user initiated tuning since you opened the
dialog, you see that status after refreshing).

Figure 2-73 Database Tuning Status Dialog

Tune your database on-demand

For on-demand database tuning of Manager database, do the following:

Task
1 Select Manager | <Admin Domain Name> | Maintenance | Database Tuning | Tune Now.

Note
For on-demand database tuning of Central Manager, select Manager | Maintenance | Database Tuning | Tune Now.

2 Select which tables to tune, either All Tables or only the Event Tables.

Note
Selecting All Tables will tune the entire database, that is, all configurations, user activity, and alert information, whereas selecting Event
Tables tunes alert, host and Sensor performance events.

Note
The iv_packetlog table is not tuned in this method. You need to tune the database using dbadmin.bat or dbtuning.bat to tune this
table. For more information on tuning the database using dbadmin.bat, refer to Using the database admin tool on page 268 and Tune
your database using dbadmin.bat on page 276.

3 Click Start.

Automate database tuning

When scheduling database tuning, set a time when no other scheduled functions (archivals, backups, file maintenance) are
running. The time should be a minimum of an hour after/before other scheduled actions.


To schedule database tuning, do the following:

Task
1 Select Manager | <Admin Domain Name> | Maintenance | Database Tuning | Automated Tuning.

Note
To schedule database tuning in Central Manager, select Manager | Maintenance | Database Tuning | Automated Tuning.

Figure 2-74 Database Tuning Scheduler

2 Select Yes at Enable Scheduled Tuning?

3 Select the day of the week when database tuning will occur (Recur every).

4 Use the Hr and Min drop-down menus to select the process start time.

5 Select which tables to tune, either All Tables or only the Event Tables.
Note the Last Tuning time. This indicates the last time the database tuning process occurred.

6 Click Save.
The database tuning process is now enabled to start automatically on the configured day and time.

7 (Optional) Click the corresponding button to clear current changes and view the last saved configuration.


8 (Optional) Click View Scheduler Detail to be redirected to the Scheduled Tasks page.
This page displays the overall scheduled tasks in the Manager.

Figure 2-75 Scheduled Task page

9 Click Back to return to the Automated Tuning page.

Database maintenance best practices

Trellix recommends the following best practices for database backup and tuning:

• Perform regular manual backups of your database using the Backup feature in the Manager software. Your configuration
tables are saved by default once a week on Sunday.

• Database backups are cumulative and the size of a backup file can become quite large. Perform regular file maintenance to
prevent disk space issues.

Caution
A database left untuned can lead to performance issues over time.

• Online database tuning operation causes the creation of temporary alerts and packet log tables; if you are using an agent
that queries the database, your agent may attempt to interact with these tables during tuning.

Tip
During tuning, the SQL query might return empty results. If this occurs, simply retry the query once the tuning is complete.

Further information on the impact of online database tuning of the Manager database will be sent to the third-party
vendors that are directly accessing this database. If you have any specific questions, contact Technical Support. Also note
that there is no change in database SQL query behavior if online database tuning is disabled.


• Make a regular practice of defragmenting the disk of the Manager server, as disk fragmentation can lead to database
inefficiency.

Tip
Ensure at any point of time the free space available in the database directory is at least one and a half times that of the maximum size
occupied by a table (generally Event Tables and Trend Tables).

• When scheduling certain Manager actions (backups, file maintenance, archives, database tuning), set a time for each that is
unique and is a minimum of an hour after/before other scheduled actions. Do not run scheduled actions concurrently.
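The one-hour spacing rule appears several times in this chapter without a way to check a full schedule against it. The following Python checker is an added example, not Manager code: it expands each job to its run times within a week and flags any pair closer than an hour, wrapping across the Sunday/Monday boundary. Two entries in the constructed job list use the defaults this guide quotes (Config Tables backup on Sunday at 00:05, File and Database Pruning on Saturday at 23:30); the tuning and alert-pruning times are assumed.

```python
"""Checker for the one-hour spacing rule between scheduled Manager jobs.

Added example, not Manager code. Each job is expanded to its run times within
one week (minutes since Monday 00:00); a pair of jobs is reported when their
closest runs are under the required gap, including across the week boundary.
The job list is constructed: two entries use the defaults the guide quotes,
the other two times are assumed.
"""
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_MIN = 24 * 60
WEEK_MIN = 7 * DAY_MIN


def job(name: str, recur: str, hour: int, minute: int) -> dict:
    """recur is 'daily' or a weekday name (case-insensitive)."""
    recur = recur.lower()
    if recur != "daily" and recur not in DAYS:
        raise ValueError(f"unknown recurrence: {recur}")
    return {"name": name, "recur": recur, "hour": hour, "minute": minute}


def occurrences(j: dict) -> list:
    """Run times as minutes since Monday 00:00 within one week."""
    base = j["hour"] * 60 + j["minute"]
    if j["recur"] == "daily":
        return [d * DAY_MIN + base for d in range(7)]
    return [DAYS.index(j["recur"]) * DAY_MIN + base]


def min_gap(a: dict, b: dict) -> int:
    """Smallest distance in minutes between any run of a and any run of b."""
    best = WEEK_MIN
    for ta in occurrences(a):
        for tb in occurrences(b):
            gap = abs(ta - tb)
            # WEEK_MIN - gap handles the wrap: Sunday 23:50 vs Monday 00:10 is 20.
            best = min(best, gap, WEEK_MIN - gap)
    return best


def find_conflicts(jobs: list, min_gap_minutes: int = 60) -> list:
    """(name_a, name_b, gap) for every pair closer than the required spacing."""
    out = []
    for i, a in enumerate(jobs):
        for b in jobs[i + 1:]:
            g = min_gap(a, b)
            if g < min_gap_minutes:
                out.append((a["name"], b["name"], g))
    return out


SCHEDULE = [
    job("Config Tables backup", "sunday", 0, 5),           # default quoted in the guide
    job("File and Database Pruning", "saturday", 23, 30),  # default quoted in the guide
    job("Database tuning", "saturday", 2, 0),              # assumed
    job("Alert Pruning", "daily", 0, 30),                  # assumed
]

if __name__ == "__main__":
    for a, b, g in find_conflicts(SCHEDULE):
        print(f"{a} and {b} are only {g} minutes apart")
```

Note what the defaults alone produce: the Sunday 00:05 backup and the Saturday 23:30 pruning run are 35 minutes apart, so a fresh installation already violates the rule and one of the two should be moved. The boundary case is visible too: the daily 00:30 job sits exactly 60 minutes after the Saturday 23:30 run and is therefore not reported.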

Backup of data and configurations


For the backup of Trellix IPS data and configurations, the following best practices are recommended:

• Back up Manager data either within the Manager server (%programfiles%\Trellix\IPS Manager\App\Backups folder)
or preferably on any external media.

• Back up all information, including configurations, alerts, and audits.

• Implement a schedule for backups using the Backup scheduler. Backing up config tables weekly is recommended. (Be sure
to schedule this at a time when other processes will not be running concurrently.)

• As the All Tables and Event Tables options can be rather large in size (depending upon the amount of alert data in the
database) these types of backups should be saved off the Manager server.

• Saving the All Tables settings on a monthly basis is strongly recommended.

• Protect backups from tampering by creating a digital fingerprint of the file using a hash function such as MD5 or SHA-1
(preferably SHA-256), stored separately from the backup file.

• Test restoration of backups periodically to ensure that a backup was successful and valid. The best way to do this is to
perform a "test" restore of the backup on a secondary, non-production Manager.

• The Config Tables option backs up only tabled information relating to configured tasks. This option is enabled by default to
occur every Sunday night. This is set within the Backup Scheduler action.

• Save the actual configurations of Sensors (not just the config tables) using the Export option under the Sensor_Name tab. This
creates an XML file (not intended to be read or edited manually) that can be imported to any Sensor of the same type in the
future. Save actual Sensor configurations once a week.

Alerts and Disk space maintenance best practices

Disk space maintenance is an important task that must be completed to ensure efficient running of the Manager.

In order to develop best practices for database maintenance, it is important to understand the lifecycle of an alert.

Archiving alerts
Archive your alerts and packet logs regularly, using the Data Archival feature. Trellix recommends that you archive your alert
data monthly, and that you discard alert and packet log information from your database every 90 days to manage your
database size. Note that there is currently a 4 GB size limitation for a single archive file.

Scripts for disk space maintenance


If you have a large amount of data and wish to do your tuning offline, it is a best practice to use the purge and database tuning
features in the dbadmin.bat utility. To do this, you must stop the Manager and run the scripts.

A best practice suggestion is to wait for 97 days of data and then, on a recurring 7-day period, run the purge and the database
tuning features in the dbadmin.bat utility.


Using File Maintenance Scheduler


Databases can be substantially overloaded with all alerts, packet logs, any incident reports that have been generated, and audit
and fault logs. Maintenance of this data can be accomplished automatically using the File Maintenance scheduler.

If automatic File Maintenance is used to delete alert and packet log data it is recommended that a large value, such as 90 (as in
90 days), is entered in the "Scheduled Deletion" column for the Alert & Packet Log Data option. This allows for long-term
analysis of alerts and logs without overloading your database with millions of alerts, which may affect long-term and overall
database performance. By setting the value to 90 days, all alerts and packet logs older than 90 days are deleted at the weekly
maintenance scheduler time.

Apart from the database data, Manager creates a group of administration files that must be maintained regularly. These
include Diagnostic files, DoS files (profiles) and Data Mining files (for Trend Reporting) among others. It is a best practice to
schedule the deletion of the oldest of these files on an on-going basis. This can be accomplished using the Maintenance
scheduler.

Viewing Manager server disk usage statistics

When the Manager database or disk space becomes full, the Manager cannot process any new alerts or packet logs. In
addition, the Manager may not be able to process any configuration changes, including policy changes and alert
acknowledgment. There is also a chance that the Manager may stop functioning completely.

Trellix therefore recommends that you monitor the disk space on a continuous basis to prevent this from happening. Health
checks can be performed by navigating to the Health Check page in Manager | <Admin Domain Name> | Troubleshooting |
Health Check. Use the Health Check page to view details, such as the percentage of space used, its total capacity, and the
amount of disk space used.

Note
A fault type warning is generated when the Manager disk usage enters the 80-90%, 90-95%, 95-100%, or >100% interval ranges. By default,
the check frequency is 24 hours.

Maintenance of system data and files

The Manager | <Admin Domain Name> | Maintenance | Database Pruning | File and Database Pruning option enables the
following:

Setting a schedule for File pruning: Schedule deletion of the system data and files (logs, diagnostics, and so on) generated by
System Configuration actions.

Set up a schedule for file pruning


The File and Database Pruning option enables you to set a schedule by which generated log data and files are deleted from
your Manager/database. These data/files are admin created through various System Configuration actions, and each details a
different aspect of system functionality. These system files get larger as more data is added over time. File pruning allows you
to delete the data in a log or an entire static file either at the next scheduled time or in a set number of days. Regular deletion
saves disk space on Manager server, thus improving overall performance.


The deletion scheduler works as follows: First, you set a daily time when you want File pruning (that is deletion) to take place;
this is under the Maintenance Scheduler setting. Next, for each file type, you set a number of days/file size (Scheduled
Deletion) after which you want a file that has reached the set age/size to be deleted. On the day a file is to be deleted, deletion
takes place at the set daily time.

Note
When scheduling File pruning, set a time when no other scheduled functions (archives, backups, database tuning) are running. The time
should be a minimum of an hour after/before other scheduled actions.

To schedule deletion for Manager and database files, do the following:

Task
1 Select Manager | <Admin Domain Name> | Maintenance | Database Pruning | File and Database Pruning.

Note
To schedule file pruning action in the Central Manager, select Manager | Maintenance | Database Pruning | File and Database
Pruning.

2 Select Yes against Enable File and Database Pruning? to enable automatic file pruning.

This overrides the enabled status of individual file types from the table.

3 Select the day (Recur every) on which automatic file pruning will occur. Saturday is the default.

4 Set the time (Start Time: At Hr and Min) for the selected day when you want scheduled maintenance to occur. The default is
23:30 hours.

5 View the list of files/logs for which you can set maintenance:

Note
The default enabled status for each file/log is listed in parentheses after each description that follows.

• Manager Files
• Diagnostics — Files created by performing the steps in Uploading a diagnostics trace from a Sensor to your
Manager. (Yes)

• Sig Files (*.bin) — Files created during signature files update from the Manager to the Sensor by performing the
steps in Updating the configuration of all Sensors. (No)

• DoS Files — Denial of service (DoS) profiles uploaded from your Sensors. These files are downloaded by performing
the steps in Managing DoS Learning Mode profiles on a Sensor. (Yes)

• Backup Files — Saved Manager configuration, audit, and/or alert data as created by performing the steps in Backing
up and restoring data. (Yes)

• Saved Reports — All saved scheduled reports created by performing the steps in Scheduling a report. (Yes)

• Daily Archival — Those archivals scheduled as Daily when Scheduling automatic archival.

• Weekly Archival — Those archivals scheduled as Weekly when Scheduling automatic archival.

• Monthly Archival — Those archivals scheduled as Monthly when Scheduling automatic archival.


• Packet Capture Files — Manager can be configured to capture traffic on any port for a particular duration or size.
These captured files reside under Packet Capture Files.

• Archived Malware File Reports — All reports fetched from MVX and Intelligent Sandbox

• Archived Malware Files - Executables — All executable malware files

• Archived Malware Files - Office Files — All the office files like Excel, Word, and so on

• Archived Malware Files - PDFs — All the PDF files

• Archived Malware Files - Flash Files — All the flash files

• Archived Malware Files - Compressed Files — All compressed files

• Archived Malware Files - APK Files — All APK files

• Archived Malware Files - JAR Files — All JAR files

• Database Data
• Audit Log — Log detailing user activity. Data is deleted by timestamp; the file itself is never deleted. This file can be
viewed by performing the steps in Generating a User Activities Audit. (Yes)

• Fault Log Data — Log detailing system faults. Data is deleted by timestamp; the file itself is never deleted. (Yes)

• Hourly Data Mining — Deletes trend data collected for trend analysis resources on an hourly basis. (No)

• Daily Data Mining — Deletes trend data collected for trend analysis on daily basis. (No)

• Performance Monitor Raw Data — Raw data relating to performance monitoring (data polled from the Sensor every
3 minutes).

• Performance Monitor Hourly Data — Data pertaining to performance monitoring. The data is captured hourly.

• Performance Monitor Daily Data — Data pertaining to performance monitoring. The data is captured daily.

• Performance Monitor Weekly Data — Data pertaining to performance monitoring. The data is captured weekly.

• Performance Monitor Monthly Data — Data pertaining to performance monitoring. The data is captured monthly.

• Application Visualisation Raw Data — Raw data relating to Application Visualisation.

• Application Visualisation Hourly Data — Data pertaining to Application Visualisation. The data is captured hourly.

• Application Visualisation Daily Data — Data pertaining to Application Visualisation. The data is captured daily.

• Application Visualisation Weekly Data — Data pertaining to Application Visualisation. The data is captured weekly.

• Application Visualisation Monthly Data — Data pertaining to Application Visualisation. The data is captured
monthly.

• Device Profile Data —Data relating to any remote computing device to decipher its operating system and device
type. The remote computing device can be any endpoint inside or outside the network.

• Incident Data — All generated incidents in the system marked as incident. The reported attacks are logged as
incidents.

6 Select Yes for those file types that you want to be deleted at the scheduled time.

7 For those file types for which you have enabled deletion, type the time duration after which you want the files to be deleted.


8 Click Save when you are done with your changes.


9 (Optional) Click the refresh button to update the information displayed in the page. Click View Scheduler Detail to go to the Scheduled
Tasks page.

Figure 2-76 File Maintenance Scheduler Settings

Note
Data on performance monitoring is displayed only when it is enabled from Devices | <Admin Domain Name> | Global | Common
Device Settings | Performance Monitoring | Enable.

Note
By default, pruning is enabled for application visualization data, malware data, and performance monitor data and the default duration
will be 90 days, 12 weeks, and 3 months respectively.

Note
When you upgrade from earlier versions of the Manager, the default values will be applied to application visualization data, malware
data, and performance monitor data. If you had pruning enabled with a set duration in the earlier version of Manager, the values will get
migrated to the latest Manager. If pruning was not enabled in the previous version, it will be enabled after the upgrade with the default
values.

Archive malware files

The malware policy has configuration settings to archive downloaded files based on various characteristics. These downloaded
files are archived on the Manager server as encrypted files. You can configure the location and maximum disk space that can
be used to store the archives. The configuration for disk usage is defined at the Global Manager level. The Manager also
provides configuration to prune files that are stored for more than a specified period of time.

Perform the following steps to maintain the malware files saved to the Manager.

Task
1 Select Manager | <Admin Domain Name> | Maintenance | Malware Archive.

2 The Storage Settings are displayed for each file type. Click the Maximum Disk Space Usage Allowed value to change it as
required.

Figure 2-77 File storage settings

3 To prune the file storage, click Automatic file pruning options.

The file pruning option lets you set the interval at which the Manager prunes older data so that its file
system and database have adequate space for new data.

4 Click Save.

The Manager warns you when the disk space allocated to a malware file type reaches 70%, 80%, 90%, and 100% of the
maximum allowed. When the maximum space limit is reached, new malware files of that type are not stored until space is
freed.

The default location of these files on the Manager server is %programfiles%\Trellix\IPS Manager\App\temp\tftpin\malware.
The list of files currently archived on the Manager is displayed with the following details.

• Time — Indicates the date and time when the file was saved

• Hash — Displays the MD5 hash of the file

• Type — The type of the saved file

• Size — The size of the file saved

Figure 2-78 Details on stored files

5 To delete the archived files, select the required ones and click

Tasks
• Add hash values to the allow list on page 874
• Add hash values to the block list on page 877

See also
Add hash values to the allow list on page 874
Add hash values to the block list on page 877
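The two maintenance procedures above share one policy: files are kept for a configured duration and then pruned, and each malware file type has a disk allocation that raises warnings at 70%, 80%, 90% and 100% and stops accepting new files once full. The following Python script is an added illustration of that policy, not Trellix code and not how the Manager implements it internally. The record layout mirrors the archive listing (time saved, MD5 hash, type, size); the per-type quota figures, the 90-day retention window and the sample archive entries are constructed for the example.

```python
"""Retention and per-type disk-quota policy for archived malware files.

Added illustration only: the Manager enforces this policy internally and
its real storage layout is not modelled here. Quota figures, retention
window and sample entries below are constructed for the example.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Fill levels at which the Manager warns about a file type's allocation.
WARNING_THRESHOLDS = (70, 80, 90, 100)


@dataclass(frozen=True)
class ArchivedFile:
    """One row of the archive listing: Time, Hash, Type, Size."""
    time: datetime      # when the file was saved
    md5: str            # hex MD5 of the archived file
    file_type: str      # type label (constructed, e.g. "PDF", "EXE")
    size: int           # bytes used on disk


def used_bytes(files: List[ArchivedFile], file_type: str) -> int:
    """Disk space currently consumed by one file type."""
    return sum(f.size for f in files if f.file_type == file_type)


def warning_level(files: List[ArchivedFile], file_type: str,
                  quota: Dict[str, int]) -> Optional[int]:
    """Highest threshold (70/80/90/100 %) crossed for a type, or None."""
    pct = used_bytes(files, file_type) * 100 / quota[file_type]
    crossed = [t for t in WARNING_THRESHOLDS if pct >= t]
    return max(crossed) if crossed else None


def can_store(files: List[ArchivedFile], new_file: ArchivedFile,
              quota: Dict[str, int]) -> bool:
    """A new file is kept only if it fits its type's allocation; otherwise
    it is not stored until space is freed."""
    used = used_bytes(files, new_file.file_type)
    return used + new_file.size <= quota[new_file.file_type]


def select_for_pruning(files: List[ArchivedFile], now: datetime,
                       retention: timedelta) -> List[ArchivedFile]:
    """Files saved longer ago than the retention window, oldest first."""
    cutoff = now - retention
    return sorted((f for f in files if f.time < cutoff), key=lambda f: f.time)


def prune(files: List[ArchivedFile], now: datetime,
          retention: timedelta) -> List[ArchivedFile]:
    """The listing with expired files removed."""
    expired = set(select_for_pruning(files, now, retention))
    return [f for f in files if f not in expired]


# --- constructed sample data -------------------------------------------
NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)
RETENTION = timedelta(days=90)                       # constructed window
QUOTA = {"PDF": 1_000_000, "EXE": 1_200_000}         # constructed allocations


def _sample(days_ago: int, label: str, file_type: str, size: int) -> ArchivedFile:
    """Build a constructed listing row; the hash is of the label, not real malware."""
    digest = hashlib.md5(label.encode()).hexdigest()
    return ArchivedFile(NOW - timedelta(days=days_ago), digest, file_type, size)


SAMPLE = [
    _sample(120, "constructed-1", "PDF", 300_000),   # older than retention
    _sample(45, "constructed-2", "PDF", 400_000),
    _sample(10, "constructed-3", "EXE", 900_000),
    _sample(100, "constructed-4", "EXE", 200_000),   # older than retention
]

if __name__ == "__main__":
    for t in QUOTA:
        print(t, "warning level:", warning_level(SAMPLE, t, QUOTA))
    print("to prune:", [(f.file_type, f.md5) for f in select_for_pruning(SAMPLE, NOW, RETENTION)])
    after = prune(SAMPLE, NOW, RETENTION)
    incoming = _sample(0, "constructed-5", "EXE", 250_000)
    print("store before pruning:", can_store(SAMPLE, incoming, QUOTA))
    print("store after pruning:", can_store(after, incoming, QUOTA))
```

Running the script shows the two effects the guide describes: the EXE allocation is past its 90% warning and rejects a new file until the expired entry is pruned, after which the same file fits and the warning drops to 70%.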

Using the database admin tool

The database admin tool (dbadmin.bat) is a standalone tool that can:

• Back up and restore Trellix IPS data from the database.

• Archive and restore alerts and packet logs.

• Tune your Trellix IPS database and purge unwanted data from it.

• Change the password of your Trellix IPS database (this is not the database root password).

You need to shut down the Manager before performing the following tasks:

• Data backup

• Data backup restore

• Data purge

• Database tuning

• Database password change