HX DG V 5.3.0 PDF

ENDPOINT SECURITY
SERVER DEPLOYMENT GUIDE

RELEASE 5.3
Virtual Servers
Trellix, FireEye, and Skyhigh Security are the trademarks or registered trademarks of
Musarubra US LLC, FireEye Security Holdings US LLC, and their affiliates in the US
and/or other countries. McAfee is the trademark or registered trademark of McAfee
LLC or its subsidiaries in the US and/or other countries. Other names and brands are
the property of these companies or may be claimed as the property of others.
FireEye Security Holdings US LLC assumes no responsibility for any inaccuracies in
this document. FireEye Security Holdings US LLC reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
Copyright © 2022 FireEye Security Holdings US LLC. All rights reserved.

Endpoint Security Server Deployment Guide
Virtual Servers
Software Release 5.3.0
Revision 1
Trellix Contact Information:

Website: www.fireeye.com
Technical Support: https://www.trellix.com/en-us/support.html
Phone (US):
1.408.321.6300
1.877.347.3393
Contents
PART I: Planning 9
CHAPTER 1: About the Endpoint Security Server 11

Server Roles and Order 12
Appliance Addressing 12
CHAPTER 2: System Requirements 15

Supported Appliance Models 15
Limitations for Hyper-V Server Support 16
Endpoint Security Virtual Server Features 16
Virtual Appliance Requirements 16
VMWare ESXi Requirements 17
Windows Hyper-V Requirements 17
VMware Limitations 18
Network Requirements 18
Standalone Endpoint Security Appliances That Receive DTI Updates 18
Environments That Restrict Outbound Access to Certain IP Addresses 19
Domain-Based Proxy ACL Rules 19
FireEye Endpoint Security Malware Definitions 19
Software Requirements 20
Endpoint Security Agent and Server Compatibility 20
Licensing Requirements 21
© 2022 FireEye Security Holdings US LLC 3

Contents
PART II: Virtual Server Deployment 23
CHAPTER 3: Virtual Server Overview 25
CHAPTER 4: Virtual Server Deployment Steps 27
CHAPTER 5: Installing a Virtual Server Using VMware ESXi 31
CHAPTER 6: Installing a Virtual Server Using Microsoft Hyper-V 33
CHAPTER 7: Initial Configuration of Virtual Servers 35

Specifying Initial Settings Using the VMware ESXi Properties Screen 36
Initial Configuration Using the VMware ESXi Server Console 38
Specifying Initial Settings Using the Windows Hyper-V set_keys.ps1 PowerShell
Script 38
Initial Configuration Using the Windows Hyper-V Server Console 41
Configuration Wizard Steps 42
PART III: Configuration 45
CHAPTER 8: The Endpoint Security Server Web UI 47

Browser Support 47
Screen Resolution Requirements 47
Logging In to the Endpoint Security Web UI 48
CHAPTER 9: License Keys 49

About Trellix License Keys 49
Automatic License Updates 50
How It Works 50
Enabling Automatic License Updates 51
Enabling Automatic License Updates Using the CLI 52
Forcing License Updates 53
4 © 2022 FireEye Security Holdings US LLC

Contents
Manual License Installation 54

Installing Licenses Using the Web UI 54
Removing Licenses Using the Web UI 55
Installing Licenses Using the CLI 56
Removing Licenses Using the CLI 57
Viewing License Notifications Using the Web UI 59
CHAPTER 10: Validating DTI Access 61

Validating DTI Access Using the Web UI 61
Validating DTI Access Using the CLI 62
CHAPTER 11: Attaching and Detaching DMZ Servers 65

Attaching a DMZ Server to the Primary Endpoint Security Server 66
Detaching a DMZ Server from the Primary Endpoint Security Server 67
Endpoint Security Server Boot Order 67
Endpoint Security Server Cluster IP Address Change Guidelines 68
CHAPTER 12: Configuring the Server Address List 69

Adding a Server to the Server Address List 70
Adding a Server to the Server Address List Using the Web UI 70
Removing a Server From the Server Address List 71
Removing a Server from the Server Address List Using the Web UI 71
CHAPTER 13: Setting up Provisioning 73

Enabling Servers for Provisioning 74
Designating Provisioning Servers 74
Designating the Endpoint Security Server as a Provisioning Server Using
the Web UI 75
Designating and Enabling a DMZ Server as a Provisioning Server 76
Designating Provisioning Servers Using a Split DNS in the Web UI 77
Canceling Provisioning Servers 78

Contents
Canceling the Primary Endpoint Security Server as a Provisioning Server Using

the Web UI 79
Canceling a DMZ Server as a Provisioning Server Using the Web UI 79
PART IV: Integration 81
CHAPTER 14: How FireEye Appliance Alerts Become Endpoint Security

Alerts and Central Management Badges 83
Endpoint Security and FireEye Appliance Alert Disparity 84
Network Security and Endpoint Security Alert Matches 84
Email Security — Server Edition and Endpoint Security Alert Matches 84
CHAPTER 15: Integrating Central Management Appliances and Endpoint

Security Servers 87
Configuring a Central Management-Managed DMZ Server to Get Updates from DTI 90
CHAPTER 16: Replacing Integrated Central Management Appliances and

Endpoint Security Servers 93
Overview 93
Replacement scenarios 93
Modifying the Endpoint Security server Bookmark ID 96
CHAPTER 17: Integrating Network Security Appliances and Endpoint

Security Servers Directly 99
CHAPTER 18: SNMP Data 101

Retrieving SNMP Data 101
Providing Access to SNMP Data 102
Downloading the MIB 102
Retrieving SNMP Data Using Event OIDs 104
Sending Requests for SNMP Information 105
Sending Traps 105
Enabling and Configuring Traps 105

Contents
Logging Trap Messages 107
CHAPTER 19: Forwarding CEF Logs to Helix and SIEM Solutions 109

Configuring CEF Logging for Endpoint Events 110
Viewing the Current Logging Configuration 111
Adding a Destination 111
Removing a Destination 112
Using TCP for Remote Logging 112
Configuring the Port for a Remote Logging Target 112
Enabling Local CEF Logging 113
Disabling Local CEF Logging 113
SIEM Example: Setting Up an Endpoint Security Integration Connector with
ArcSight 113
Creating a Self-Signed Development Certificate 114
Installing the Integration Connector 115
PART V: Appendices 119
APPENDIX A: Enabling and Disabling Endpoint Security Server Quiesce

Mode 121
Enabling Quiesce Mode 122
Disabling Quiesce Mode 122
Reviewing Quiesce Mode Status 123
APPENDIX B: Managing Endpoint Security PKI Certificates 125

Reviewing Certificates and Settings 126
Exporting Certificates 127
Importing Certificates 127
Regenerating Certificates 128
Setting the PKI Certificate Prefix 128
Setting Agent Certificate Authority Duration 129
Setting Agent Certificate Length 129

Contents
Setting Agent Certificate Duration 130

Setting Endpoint Security Certificate Authority Duration 130
Setting Endpoint Security Certificate Length 131
Setting Endpoint Security Certificate Duration 131
Setting Endpoint Security CRL Duration 132
Importing an Endpoint Security CRL 132
Regenerating the Endpoint Security CRL 132
Regenerating the Endpoint Security Subordinate PKI 133
Enabling the Provisioning Certificate 134
Disabling the Provisioning Certificate 134
Technical Support 135

Documentation 135

Endpoint Security Virtual Server Deployment Guide
PART I: Planning
l About the Endpoint Security Server on page 11

l System Requirements on page 15

Endpoint Security Virtual Server Deployment Guide PART I: Planning

CHAPTER 1: About the Endpoint

Security Server
Adaptive security requires monitoring of all threat vectors, including fast, accurate
assessments of potential cyber attacks tracked to endpoint activity. The FireEye endpoint
security products allow you to detect, analyze, and respond to targeted cyber attacks and
zero-day exploits on the endpoint.
In this guide, you will see the Endpoint Security server and DMZ server referred to
as an Endpoint Security appliance or HXD appliance, respectively. These terms refer
to the same products.
Using Endpoint Security servers, you can continuously monitor endpoints for advanced
malware and indicators of compromise (IOCs) that routinely bypass signature-based and
defense-in-depth security systems. The Endpoint Security servers and DMZ servers allow
you to:
l Search for advanced attackers and advanced persistent threats (APTs)

l Investigate alerts from network devices, automatically creating IOCs and alerting
users
l Extend FireEye detection services seamlessly to your endpoints
l Use Agent Anywhere technology to analyze remote endpoints outside the corporate
network, regardless of their Internet connection type
l Acquire files, data, and triage collections from endpoints and analyze these
collections
l Confirm whether alerts seen on the network actually compromise endpoints
l Contain endpoints, isolating devices when they become compromised
This chapter covers the following topics:
l Server Roles and Order on the next page

l Appliance Addressing on the next page

Endpoint Security Virtual Server Deployment Guide CHAPTER 1: About the Endpoint Security Server
Server Roles and Order

Endpoint Security software can be deployed on the following appliance forms:
l on-premises (physical) appliances

l virtual servers (VMware ESXi or Windows Hyper-V)
l cloud servers
A single Endpoint Security ecosystem, which includes the Endpoint Security server
and its attached DMZ servers, can support up to 100,000 agents.
Your Endpoint Security (and DMZ) servers must run the same version of Endpoint
Security software. If they use different versions, communication between them will
fail.
In each Endpoint Security ecosystem, provisioning and primary servers must be identified.

Provisioning serversare the servers to which FireEye Endpoint Security Agents connect to
provision and establish their cryptographic agent identity. FireEye Endpoint Security
Agents with version numbers less than 20 can only provision against the primary server.
Agents with version numbers of 20 or later can provision against multiple servers,
including a DMZ server.
You must identify the servers that will be your provisioning servers before you
download and deploy the FireEye Endpoint Security Agent installation software to
your host endpoints. When agent installation software is downloaded, the IP
addresses or DNS names of the provisioning Endpoint Security servers are
identified in the agent download package. See Setting up Provisioning on page 73.
The Central Management platform can be used to upgrade and manage Endpoint Security
(and DMZ) servers. See Integrating Central Management Appliances and Endpoint
Security Servers on page 87 for important details.
Appliance Addressing
Your enterprise can use IP addresses or domain names (DNS) when configuring
hostnames for agent communications with Endpoint Security servers.
l Configure a single DNS address that resolves to the Endpoint Security server and
DMZ server (also known as a split DNS). This option is the most flexible
arrangement. It allows you to move and renumber appliances without reconfiguring
agents and eliminates unnecessary agent connection attempts to unreachable
appliances. However, this solution requires a more complex DNS configuration. It
may be challenging to execute consistently in large networks. See also Designating

Appliance Addressing
Provisioning Servers Using a Split DNS in the Web UI on page 77.

l Configure a unique DNS address for each Endpoint Security server and
DMZ server. This option allows you to move or renumber appliances without
reconfiguring agents. However, this option requires consistent internal DNS
resolution of the appliance name and may cause extra connection attempts by
external endpoints to internal appliances that they cannot reach.
l Configure a unique IP address for each Endpoint Security server and DMZ server.
This option provides the most reliable connections from endpoints and does not
require consistent internal DNS configuration throughout a large enterprise.
However, this option is the least flexible option. If you move or renumber
appliances, you may have to reinstall agents.
IMPORTANT: You must decide which appliances will be your

provisioning appliances before you download the installation software for your
agents. When agent installation software is downloaded, the IP addresses or DNS
names of the provisioning Endpoint Security servers are identified in the agent
download package. See Designating Provisioning Servers on page 74.

Endpoint Security Virtual Server Deployment Guide CHAPTER 1: About the Endpoint Security Server

Endpoint Security Virtual Server Deployment Guide Supported Appliance Models
CHAPTER 2: System
Requirements
Before you deploy an Endpoint Security server, make sure the following requirements are
met.
This guide does not provide information about appliance throughput, performance,
or capacity. For information on this, see your FireEye representative.
Supported Appliance Models

You can use the following server models with Endpoint Security software. The "Maximum
Number of Endpoints" column lists the maximum number of endpoints that can be
supported by the server model.
Maximum
Model Supported Endpoint
Type Number of
Number Security Software Versions
Endpoints
HX 2500DV Virtual DMZ server 3.5 and later 15,000 endpoints

(DMZ)
HX 2502V Virtual or cloud 3.5 and later 15,000 endpoints

Endpoint Security
server
HX 4500DV Virtual HXD (DMZ) 4.0 and later 100,000

(DMZ) server endpoints
HX 4502V Virtual or cloud HX 4.0 and later 100,000

server endpoints
Virtual Endpoint Security server performance will vary depending on the hardware
resources you have selected for the appliance.

Endpoint Security Virtual Server Deployment Guide CHAPTER 2: System Requirements
Virtual servers can be either VMware ESXi or Windows Hyper-V servers. Hyper-V is only
supported for the HX 2502V, HX 4502V, 2500DV, and 4500DV server models.
Limitations for Hyper-V Server Support

For virtual Endpoint Security servers running version 4.0.2 and higher, you must use
Hyper-V Server version 2016. If you are using Endpoint Security Server version 4.9.0 or
higher, you can use Hyper-V Server version 2019. The following Hyper-V Server
workflows are not supported:
l Modified virtual machine (VM) configuration that changes the number of CPUs,
amount of memory, number of NICs, or hard drive size.
l Hyper-V cluster storage mode is not supported for use with virtual Endpoint
Security instances.
l Use of checkpoints
l Replication of the VM
l Dynamic Memory1
Endpoint Security Virtual Server Features

Endpoint Security virtual appliance models must meet the following specifications.
Disk
Model Type CPU Cores Memory Virtual NICs
Space
HX 2500DV DMZ 4 16 GB 512 GB 2 vmxnet

3 interfaces
HX 2502V Regular 4 16 GB 1200 GB 2 vmxnet

3 interfaces
HX 4500DV DMZ 8 64 GB 1200 GB 2 vmxnet

3 interfaces
HX 4502V Regular 8 64 GB 3600 GB 2 vmxnet

3 interfaces
Virtual Appliance Requirements

Endpoint Security appliances can be deployed on VMware ESXi servers or on Windows
Hyper-V servers.

Virtual Appliance Requirements
VMWare ESXi Requirements

To use VMware ESXi for an Endpoint Security virtual deployment, the following VMware
resources are required:
l VMware ESXi host version 6.0 or later. Earlier ESXi versions are not supported.
l VMware vSphere Client
l VMware VCenter Server (recommended). When you use vSphere Client to add your
virtual appliances to vCenter Server, the Deploy OVG Template wizard provides an
easy way to enter your activation code. Otherwise, you must type it in the virtual
appliance console, because you cannot paste into this console.
l VMXNET 3 network drivers
l Link aggregation enabled on ESXi host
l Standard virtual switch created for the monitoring ports of the virtual appliances,
and attached to a physical network adapter on the ESXi server.
Windows Hyper-V Requirements

To use Windows Hyper-V for Endpoint Security virtual deployments, the following
Windows Hyper-V resources are required:
l Windows Server 2016 Standard or Windows Server 2019 Standard

l VMMS (Virtual Machine Management Service)/Hyper-V Manager version
10.0.14393 or later. Endpoint Security Server version 4.9 supports Hyper-V Manager
2019 (version 10.0.17763.1).
l Standard virtual switch, connected to an external network and shared by the
operating system

VMware Limitations
The following VMware features are not supported:
l Virtual SMP
l Update Manager
l Data Protection
l High Availability (HA)
l Storage APIs for Data Protection
l Memory hot add
l Endpoint
l Replication
l Fault Tolerance
l Virtual Volumes
l Offline operational mode
Network Requirements
Connectivity with FireEye's Dynamic Threat Intelligence (DTI) network (one-way or two-
way sharing) is required.
Endpoint Security appliances can download software updates (security content and system
images) from the FireEye Dynamic Threat Intelligence (DTI) network. With a two-way
content license, the appliance can also upload threat intelligence information to the DTI
network. By default, Central Management-managed appliances receive software updates
from the DTI network through the Central Management appliance.
Standalone Endpoint Security Appliances That Receive

DTI Updates
The Central Management appliance and standalone (not managed by Central
Management) appliances use the ether1 port to communicate directly with the DTI
network. In the default configuration, where you receive updates from the DTI network
(cloud.fireeye.com), allow outbound access to all IP addresses on the following ports:
l DNS (UDP/53)
l HTTPS (TCP/443)

Network Requirements
Management interface ether1 requires a static IP address or reserved DHCP address and
subnet mask.
Environments That Restrict Outbound Access to Certain

IP Addresses
If your security policy requires that you restrict outbound access to certain IP addresses,
you cannot use the DTI network. Instead, point to staticcloud.fireeye.com for DTI updates,
and allow access to the *incapdns.net domain.
To configure and access staticcloud.fireeye.com:
1. Enable CLI configuration mode.

hostname > enable
hostname # configure terminal
2. Enter the following command from the appliance CLI:

hostname (config) # fenet dti source default DTI
3. Save your configuration.

hostname (config) # write mem
4. Add the following block of IP addresses to the firewall:

l 199.16.196.0/22
To allow access to *incapdns.net:
1. Add the block of IP addresses found at https://incapsula.zendesk.com/hc/en-

us/articles/200627570-Restricting-direct-access-to-your-website-Incapsula-s-IP-
addresses-to the firewall.
2. Allow access to the *.incapdns.net domain at the proxy device.
Domain-Based Proxy ACL Rules

If your configuration includes domain-based proxy ACL rules, allow access to
*.fireeye.com.
FireEye Endpoint Security Malware Definitions

The malware protection provided with HX Series 4.0 and FireEye Endpoint Agent 26.21
(and later versions) use malware definitions to detect and identify files infected by
malware. These malware definitions are downloaded by FireEye's Dynamic Threat
Intelligence (DTI) cloud and the Endpoint Security server from avupdate.fireeye.com.
However, if your security policy makes use of a firewall to restrict access to certain IP and
web addresses, you need to configure your firewall rules to allow access to

avupdate.fireeye.com. The IP addresses associated with avupdate.fireeye.com vary

based on your environment. The following are some possible solutions.
l Use DNS names instead of IP addresses in the firewall rules. The firewall rules will
be automatically applied to the correct IP addresses as appropriate for
avupdate.fireeye.com.
l Do a DNS reverse lookup to identify the IP addresses used by

avupdate.fireeye.com in your environment and then use those IP addresses in the
firewall rules.
l Use a caching proxy server to obtain the malware definition updates from
avupdate.fireeye.com. Be sure your firewall rules allow access to *.fireeye.com.
FireEye Endpoint Security uses HTTP over port 80 to deliver antivirus (AV) content.
This allows you to use a caching proxy to distribute the contents of your download
across your endpoints. The manifest for the content is signed with a 2048-bit RSA
private key to prevent tampering. If the content is altered, validation of the content
on the endpoint agent will fail and the content is discarded.
Software Requirements
l Endpoint Security version software supported by the server type. See Supported
Appliance Models on page 15.
l Central Management version 8.0.1 or later.
l FireEye Endpoint Security Agents supported by the Endpoint Security software
version. See Endpoint Security Agent and Server Compatibility below.
Endpoint Security Agent and Server

Compatibility
Some Endpoint Security server features require specific minimum versions of the FireEye
Endpoint Security Agent. These minimum versions are described in the documentation for
each feature in the Endpoint Security Agent Administration Guide and in the Endpoint Security
Server User Guide.
The following compatibility table shows the minimum versions of Endpoint Security
server software required by Endpoint Security Agent software version 31.28.0 to obtain full
product functionality. It also identifies, at a high level, the operating system environments
supported by each agent version. For details about operating system support, see
"Operating System Requirements" in the Endpoint Security Agent Administration Guide.

Licensing Requirements
Operating System
Endpoint Security Agent Minimum Endpoint Security Environments
Version Version
Windows macOS Linux
31 5.3 Yes Yes Yes
NOTE: Trellix recommends that you upgrade and deploy your Endpoint Security
server software before you upgrade and deploy your Endpoint Security Agent
software.
Licensing Requirements
The following table shows the licenses that can be installed for Endpoint Security servers.
Server Required?2
Form
License Description
Factors Server DMZ
1 Server
FIREEYE_ Required to register your server and use the All Yes Yes
APPLIANCE product features.
FIREEYE_ Allows your system to receive software image All Yes Yes
SUPPORT updates.
CONTENT_ Allows your system to access the Dynamic All Yes No

UPDATES Threat Intelligence (DTI) network.
HX_ Provides access to Endpoint Security All No No

ADVANCED exhaustive Enterprise Search requests, data
acquisition requests, and bulk acquisition
endpoint requests via the API.
This license is optional. Without it, you have
no access to the features listed above. Your
DMZ servers do not need an HX_
ADVANCED license if the Endpoint Security
server associated with the DMZ server
already has one.

Server Required?2
Form
License Description
Factors Server DMZ
1 Server
MD_ Allows FireEye products to connect to the All No No

ACCESS Managed Defense VPN. Without this license,
Managed Defense cannot manage the
appliance.
This license is optional.
1Server form factors include on-premises, virtual (VMware ESXi and Windows Hyper-
V), and cloud Endpoint Security servers
2 Cloud Endpoint Security servers are DMZ servers.
1Trellix recommends that you convert dynamic disks to fixed disks to prevent the host
machine from running low on disk space. If the host machine runs low on disk space,
Hyper-V may pause all of the VMs.

PART II: Virtual Server

Deployment
l Virtual Server Overview on page 25

l Virtual Server Deployment Steps on page 27
l Installing a Virtual Server Using VMware ESXi on page 31
l Installing a Virtual Server Using Microsoft Hyper-V on page 33
l Initial Configuration of Virtual Servers on page 35

Endpoint Security Virtual Server Deployment Guide PART II: Virtual Server Deployment

CHAPTER 3: Virtual Server

Overview
A virtual Endpoint Security server is a virtual instance of the Endpoint Security system
image.
VMware ESXi host version 6.0 or later or Windows Hyper-V version 10.0.14393 or
later are required. Earlier versions are not supported, and virtual server installed
using those versions will not function properly. If you are using Endpoint Security
Server version 4.9, then you can use Hyper-V 2019 (version 10.0.17763.1).
This document assumes familiarity with deploying virtual machines and

administering VMware ESXi hosts or Windows Hyper-V hypervisors. This
document provides the basic steps for creating and deploying Trellix virtual
appliances. For comprehensive information about deploying virtual machines, see
the documentation provided by VMware, Inc. and Microsoft.
Endpoint Security, cloud Endpoint Security, and virtual Endpoint Security (models
HX4500DV and HX4502) appliances are rated up to 100,000 agents. Cloud Endpoint
Security servers have better performance than on-premises Endpoint Security appliances
due to their storage configurations, which are based on SSD volumes that are designed to
deliver guaranteed performance. Virtual Endpoint Security server performance will vary
depending on the hardware resources you have selected for the server.
For information on deploying a virtual server, see Virtual Server Deployment Steps on
page 27.
Prerequisites
l Deployment of an Endpoint Security server using a Windows Hyper-V hypervisor is
supported for Endpoint Security 4.0.2 and later versions. If you are using Endpoint
Security Server version 4.9, then you can use Hyper-V 2019 (version 10.0.17763.1).
Deployment of an Endpoint Security server using a VMware ESXi server is
supported for Endpoint Security 3.5 and later versions.
l Root user account on a VMware ESXi server or a Windows Hyper-V hypervisor

Endpoint Security Virtual Server Deployment Guide CHAPTER 3: Virtual Server Overview
l Familiarity with deploying virtual machines and administering VMware ESXi hosts
or Windows Hyper-V hypervisors
l Requirements in Virtual Appliance Requirements on page 16

CHAPTER 4: Virtual Server

Deployment Steps
Deploy a virtual server by completing the following steps.
Task Instructions
1. Verify that your See System Requirements on page 15.

environment meets
the necessary
requirements.
2. Gather license Get license keys from FireEye if the license update service is not
information from enabled. See About Trellix License Keys on page 49.
FireEye.
3. Gather virtual Contact FireEye to obtain:

server information
l The activation code that gives the virtual server a unique
from FireEye.
identity (its appliance ID), activates the product
(FIREEYE_APPLIANCE) license, provides access to the
license token server and to the DTI network, protects the
server from fraudulent use, and allows the server to
initialize.
l Download the ZIP file from FireEye's Dynamic Threat
Intelligence (DTI) network that contains either a single
OVA file (for VMware ESXi) or multiple files including a
VHDX file (for Microsoft’s Hyper-V).
4. Deploy your 1. Create the virtual server, as described in Installing a

Endpoint Security Virtual Server Using VMware ESXi on page 31 or
virtual server. Installing a Virtual Server Using Microsoft Hyper-V on
page 33.
2. Perform the initial configuration, as described in Initial
Configuration of Virtual Servers on page 35.

Endpoint Security Virtual Server Deployment Guide CHAPTER 4: Virtual Server Deployment Steps
Task Instructions
5. Install the required Install the FIREEYE_SUPPORT and other licenses (if the license
FireEye licenses. update feature is disabled). See License Keys on page 49.
The license update feature enables your appliance to
automatically download and apply licenses to which you are
contractually entitled. This feature is enabled with the
configuration wizard during the initial configuration and is
fully functional after the configuration wizard is completed.
6. Configure other See the FireEye System Security Guide and the Endpoint Security
system System Administration Guide.
administration
features such as
AAA, SSL certificates,
and SNMP data
access
7. Verify that the See Validating DTI Access on page 61.

server is connected to
If the validation fails, verify that the DTI configuration is set up
FireEye's Dynamic
correctly. See the Endpoint Security System Administration Guide.
Threat Intelligence
(DTI) cloud.
8. Attach your DMZ See Attaching and Detaching DMZ Servers on page 65.
servers to the virtual
Endpoint Security Your Endpoint Security and DMZ servers must run the
server. same version of Endpoint Security software. If they use
different versions, communication between them will fail.
9. Set up the server See Configuring the Server Address List on page 69.
address list.

Task Instructions
10. Identify your Agents earlier than version 20 can only provision against a
provisioning servers. single primary server. Agents version 20 or later can provision
against multiple servers. A virtual server can be used as a
provisioning server.
See Setting up Provisioning on page 73.
You must decide which servers (primary or DMZ) will be

your provisioning servers before you download the
FireEye Endpoint Security Agent installation software to
your host endpoints. When agent installation software is
downloaded, the IP addresses or DNS names of the
provisioning servers are identified in the agent download
package.
11. Obtain the agent If your Endpoint Security server is connected to DTI, the most
installation package. recent Windows, macOS and Linux agent images are
automatically downloaded to the server after the DTI connection
is established.
If your primary server is not connected to DTI or if you need an
older agent image than the ones that have been downloaded,
you will need to manually download the agent image you need.
If you obtain your agent image manually, it must be

uploaded to the server before it can be deployed to your
host endpoints. This ensures that the correct agent
configuration file and agent certificates are included in
the agent installation package and ensures that proper
agent-server communication is established after the
installation package is deployed on your endpoints.
See the appropriate version of the Endpoint Security Agent

Deployment Guide.
12. Install the agent See the appropriate version of the Endpoint Security Agent
software on your host Deployment Guide.
endpoints.
A single virtual Endpoint Security ecosystem, which
includes the virtual primary server and any attached
DMZ servers, can support up to 100,000 agents.

Endpoint Security Virtual Server Deployment Guide CHAPTER 4: Virtual Server Deployment Steps
Task Instructions
13. Optionally, After you have deployed your Endpoint Security server and
connect your installed the agent software on your endpoints, you can
Endpoint Security integrate the Endpoint Security server with Central Management
server to the Central and Network Security appliances. For more information, see
Management Integration on page 81. Additional information for managing
appliance or to a your Endpoint Security server through the Central Management
Network appliance is provided in the Endpoint Security System
Securityappliance. Administration Guide.

CHAPTER 5: Installing a Virtual

Server Using VMware ESXi
This section describes how to install a virtual server using VMware ESXi. Both Endpoint
Security and DMZ servers can be virtual servers.
This procedure uses VMware ESXi version 6.0.0 (build 3568940) and vSphere Client
version 6.0.0 (build 3562874) on VMware vCenter Server version 6.0.0 (build
3018524). The navigation instructions and user interface may vary based on your
version of these products.
This procedure covers the required settings for a Trellix virtual server. You can
accept the default values for the other settings, or specify values that are appropriate
for your setup.
To install a virtual server using VMware ESXi:
1. Log in to vSphere Client.

2. From the File menu, select Deploy OVF Template to start the wizard.
3. On the Source screen, click Browse and navigate to the OVA file containing the
Endpoint Security or Central Management Series system image. Then click Next.
4. On the OVF Template Details screen, review the information. If the information is
correct, click Next. Otherwise, click Back and enter the correct URL or path.
5. On the Name and Location screen, enter a unique name that describes the virtual
server.
6. On the Disk Format screen, click Next.
7. On the Network Mapping screen, click Next to accept the default settings.
8. On the Properties screen, you can complete fields to configure initial settings as
described in Specifying Initial Settings Using the VMware ESXi Properties Screen on
page 36. (If you do not use this screen, you must type the values into the vSphere
Client console manually, because you cannot paste into this console.)

Endpoint Security Virtual Server Deployment Guide CHAPTER 5: Installing a Virtual Server Using VMware ESXi
9. On the Ready to Complete screen:

a. Verify the information.
b. (Optional) Select the Power on after deployment checkbox.
c. Click Finish.
The server must be configured to set up its management interface, and to allow access to
the network, change the default administrator password, and so on. For complete
information, see Initial Configuration of Virtual Servers on page 35.

CHAPTER 6: Installing a Virtual

Server Using Microsoft Hyper-V
This section describes how to install a virtual server. Both Endpoint Security (primary)
servers and DMZ servers can be virtual servers.
This procedure uses Microsoft Hyper-V version 10.0.17763.1. The navigation

instructions and user interface may vary based on your version of this product.
This procedure covers the required settings for a Trellix virtual server. You can
accept the default values for the other settings, or specify values that are appropriate
for your setup.
To install a virtual server using Microsoft's Hyper-V Manager:
1. Download the Endpoint Security Hyper-V deployment .zip file from FireEye's
Dynamic Threat Intelligence (DTI) network to a Hyper-V server and extract the files
within it. These zip files have names in the format image-hx-fireeyehx<nnnn>v,
where <nnnn> is the Endpoint Security server model number.
After the file is unzipped, verify that it includes the Virtual Hard Disks and Virtual
Machines folders. If it does not, contact FireEye customer support.
2. Log in to Microsoft's Hyper-V Manager on the Hyper-V server. The Hyper-
V Manager console is displayed.
3. In the Actions list, select Import Virtual Machine to start the import wizard. On the
Before You Begin screen, click Next.
4. On the Locate Folder screen, browse to and select the folder to which you extracted
the .zip file in Step 1. You only need to select the top-level folder. Click Next.
5. On the Select Virtual Machine screen, select the virtual machine model associated
with the .zip file. Click Next.
6. On the Choose Import Type screen, select the option Copy the virtual machine
(create a new unique ID). Click Next.
7. On the Choose Folder for Virtual Machine Files screen, click Next.

Endpoint Security Virtual Server Deployment Guide CHAPTER 6: Installing a Virtual Server Using Microsoft Hyper-V
8. On the Locate Virtual Hard Disks screen, select the top-level folder into which you
unzipped the Endpoint Security Hyper-V deployment file in Step 1. This should be
the folder that includes the Virtual Hard Disks folder. Then click Next.
9. On the Choose Folders to Store Virtual Hard Disks screen, select the top-level folder
into which you unzipped the Endpoint Security Hyper-V deployment file in Step 1.
This folder should include the Virtual Hard Disks folder. Click Next.
10. On the Connect Network screen, select the virtual switch to use for your virtual
machine. Click Next.
11. On the second Connect Network screen, select a second virtual switch to use for
your virtual machine. Click Next.
12. On the Completing Import Wizard screen, verify the information. If you are
satisfied, click Finish to import the virtual machine. If you need to make changes,
click Previous.
After the machine is imported, it appears on the Hyper-V Manager console.
13. Rename the virtual machine by double-clicking its name in the Hyper-V Manager
console and entering a new name. Click Enter when done.
14. Verify that the virtual machine settings meet the specifications listed in Windows
Hyper-V Requirements on page 17. Highlight the row for the virtual machine in the
Hyper-V Manager console, right-click on the row, and select Settings. If the virtual
machine settings do not meet the documented minimum specifications, contact your
FireEye Customer Support representative.
15. The new virtual machine is turned off by default after it is imported. To turn it on,
highlight the row for the virtual machine in the Hyper-V Manager console, right-
click on the row, and select Start.
16. Connect to the new virtual machine. Highlight its row in the Hyper-V Manager
console, right-clicking on the row and select Connect
The server needs to be configured to set up its management interface, and to allow access
to the network, change the default administrator password, and so on. For complete
information, see Initial Configuration of Virtual Servers on page 35.

CHAPTER 7: Initial Configuration

of Virtual Servers
The management interface is the port through which the virtual server is managed and
administered. It is also the port through which integration of the Central Management
Series appliance and a managed server is performed. With the single-port address type, the
management interface is also the port through which a managed server requests and
downloads software updates from the DTI network.
Initial settings must be configured to set up the management interface of the server, and to
allow access to the network, change the default administrator password, and so on.
Management by VMware vCenter Server

If your virtual server is managed by VMware vCenter Server, the installation wizard
includes a Properties screen that allows you to enter some initial settings for the server,
including your activation code and initial CLI commands to configure the server. You can
also reset the password for the admin user on this screen. If your virtual server does not
include a Properties screen (or you choose not to use it), you can use the configuration
wizard in the console of the server to fully configure the server, including entering the
activation code, changing the admin password, and supplying initial startup commands.
Whether you use the Properties screen or not, the configuration wizard must be run to
fully set up the server. However, the wizard prompts will be different if you provide
settings on the Properties screen.
Management by Microsoft Hyper-V

If your virtual server is managed by Microsoft Hyper-V, you can use the set_keys.ps1
PowerShell script provided in the Endpoint Security Hyper-V deployment .zip file to
supply some initial settings for the server, including the activation code, a new admin

Endpoint Security Virtual Server Deployment Guide CHAPTER 7: Initial Configuration of Virtual Servers
password, and initial CLI commands to configure the server. You can then launch the
configuration wizard to complete the setup.
Alternatively, you can skip the set_keys.ps1 PowerShell script and use the configuration
wizard in the console of the server to fully configure the server, including entering the
activation code, changing the admin password, and supplying initial startup commands.
However, the wizard prompts will be different if you first provide settings using the set_
keys.ps1 PowerShell script.
You cannot paste the virtual server activation code in the configuration wizard
prompt in the server console. Instead, the activation code must be manually entered
into the wizard. FireEye recommends that you specify the activation code using the
Properties screen (ESXi appliances) or the set_keys.ps1 PowerShell script (Hyper-
V appliances).
This section describes:
l Specifying Initial Settings Using the VMware ESXi Properties Screen below
l Initial Configuration Using the VMware ESXi Server Console on page 38
l Specifying Initial Settings Using the Windows Hyper-V set_keys.ps1 PowerShell
Script on page 38
l Initial Configuration Using the Windows Hyper-V Server Console on page 41
l Configuration Wizard Steps on page 42
Specifying Initial Settings Using the

VMware ESXi Properties Screen
The Properties screen is included in the Deploy OVF Template wizard if you connect to
your ESXi host through VMware vCenter Server. Installing a Virtual Server Using VMware
ESXi on page 31 provides information about the wizard screens.
Trellix recommends that you use the Properties screen to do at least the following:
l Enter the activation code for your virtual server. The activation code contains many
characters. The vSphere Client prevents you from pasting the activation code into
the vSphere Client console, and it is easy to make a typing error.
l Reset the password for the admin user, if password authentication will be used to
log into the CLI or Web UI over the network. The password must be changed to a
password that is at least eight characters long.
You can also use this screen to provide commands for configuration settings that the
system will apply during the initial boot. This can be convenient if you have a large

Specifying Initial Settings Using the VMware ESXi Properties Screen
number of virtual servers to deploy, because you can create base sets of commands, and
then customize them for each deployment.
You can use the system virtual bootstrap reset command to reset the
Properties screen values after the virtual server is deployed and running.
The following table describes the fields in the Properties screen.
Field Description
Activation The code you received in a secure email from Trellix that gives the
Code virtual server its identity and access credentials.
Initial A Base64-encoded set of commands that at a minimum allow the

CLI commands server to connect to your network. To use this field, type the commands
in plain-text format, encode them to Base64, and then paste the
encoded string into this field.
Consider using this field for network connectivity only, because the
size of the string could become unwieldy. The string can be a
maximum of 65,535 bytes, and cannot be line-wrapped.
Initial A URL that points to a file on your network (for example,

CLI commands http://acme.com/operations/4500V_config.txt). To use this field,
URL create a text file that includes CLI commands that configure additional
settings in plain-text format, and store the file on an HTTP server in
your network.
The virtual server needs network connectivity (which the commands
in the Initial CLI commands field can establish) to access the file
referenced in the URL.
Reset admin A password of at least eight characters. The initial admin password
password must be reset to allow the admin user to log into the CLI or Web UI
over the network unless both of the following are true:
l The CLI commands being executed set an SSH authorized key

for the admin use, which allows the admin to log in remotely
without a password.
l You disable password login using the username admin disable
password command.
After you have specified these initial settings on the Properties screen, access the virtual
server console and run the configuration wizard to complete the configuration of the
virtual machine. See Initial Configuration Using the VMware ESXi Server Console on the
next page and Configuration Wizard Steps on page 42

Initial Configuration Using the VMware

ESXi Server Console
Trellix recommends that you use the Properties screen to provide some initial
configuration settings, because you cannot copy and paste into the vSphere Client console.
See Specifying Initial Settings Using the VMware ESXi Properties Screen on page 36.
However, if you do not use this screen, you can still complete the server configuration
using the configuration wizard in the ESXi virtual server console.
If the license update feature is not enabled, Trellix recommends that you accept the
evaluation licenses during the initial configuration. Manual entry of license keys is error
prone. After the activation code is entered and the admin user has access to the server Web
UI or CLI , you can copy and paste the license keys.
To access the VMware ESXi server console and start the configuration wizard:
1. Log in to vSphere client.

2. In the left pane, expand the ESXi IP address and then select the virtual server.
3. Click the Console tab.
4. If the console is not running, click the green arrow to launch it.
5. At the login prompt, enter admin.
6. If you did not change the admin password on the Properties screen, enter admin
(this is the distributed admin password). If you changed the admin password on the
Properties screen, enter the new admin password.
7. Start the configuration jump-start wizard:
hostname (config) # configuration jump-start
8. Answer the wizard questions as described in Configuration Wizard Steps on

page 42.
To navigate away from the vSphere Client console and return to the vSphere Client
user interface or your local machine, press Ctrl+Alt.
Specifying Initial Settings Using the

Windows Hyper-V set_keys.ps1
PowerShell Script
The set_keys.ps1 PowerShell script is included in the Endpoint Security Hyper-
V deployment package you received.

Specifying Initial Settings Using the Windows Hyper-V set_keys.ps1 PowerShell Script
Trellix recommends that you use this PowerShell script to do at least the following:
l Enter the activation code for your virtual server. The activation code contains many
characters. You cannot copy and paste the activation code into the Hyper-V console,
and it is easy to make a typing error.
l Reset the password for the admin user, if password authentication will be used to
log into the CLI or Web UI over the network. The password must be changed to a
password of at least eight characters.
You can also use this script to provide initial commands for configuration settings that the
system will apply during the initial boot. This can be convenient if you have a large
number of virtual servers to deploy, because you can create base sets of commands and
then customize them for each deployment.
To use the set_keys.ps1 PowerShell script:
1. Use Remote Desktop (RDP) to connect to your Hyper-V virtual machine. Make sure
you are logged in as an administrator.
2. Change to the directory on your virtual machine where the Endpoint Security
Hyper-V deployment .zip file was extracted during installation.
3. Open the set_keys.ps1 PowerShell script in the directory using a text editor (such
as Notepad).

4. Change appropriate settings in the set_keys.ps1 script, specifying your values in

quotation marks for each setting. The following table describes the settings in the
set_keys.ps1 script that you can change. They are all located between the
comments MODIFY THESE AS NEEDED and DON'T MODIFY ANYTHING BELOW in the file.
Do not change any other settings in the PowerShell script.
Field Description
activation_ The code you received in a secure email from Trellix that gives the
code
virtual server its identity and access credentials.
cli_cmds_ A set of commands that, at a minimum, allow the server to
init
connect to your network. Type the commands in plain-text format
and then paste the encoded string into this field.
Consider using this field for network connectivity only, because
the size of the string could become unwieldy. The string contain
multiple lines.
cli_cmds_ A URL that points to a file on your network (for example,
init_url
http://acme.com/operations/4500V_config.txt). To use this
field, create a text file that includes CLI commands that configure
additional settings in plain-text format, and store the file on an
HTTP server in your network.
The virtual server needs network connectivity (which the
commands in the cli_cmds_init setting can establish) to access
the file referenced in the URL.
reset_ A password of at least eight characters. The initial admin
admin_
password password must be reset to allow the admin user to log into the
CLI or Web UI over the network unless both of the following are
true:
l The CLI commands being executed set an SSH authorized
key for the admin use, which allows the admin to log in
remotely without a password.
l You disable password login using the username admin
disable password command.
$vmName If you changed the name of the virtual machine during

installation, specify the correct virtual machine name.
5. Save the file.

Initial Configuration Using the Windows Hyper-V Server Console
6. From the directory on your virtual machine where the Endpoint Security Hyper-V
deployment .zip file was extracted during installation, enter Windows PowerShell.
<drive>:<path> powershell
7. Run the PowerShell script.

<drive>:<path> .\set_keys.ps1
The script applies the values you specified Step 4 to your virtual server.
8. After the PowerShell script has run, access the virtual server console and run the
configuration wizard to complete the configuration of the virtual machine. See
Initial Configuration Using the Windows Hyper-V Server Console below and
Configuration Wizard Steps on the next page
Initial Configuration Using the Windows

Hyper-V Server Console
Trellix recommends that you use the set_keys.ps1 PowerShell script to provide some
initial configuration settings, because you cannot copy and paste into the server console.
See Specifying Initial Settings Using the Windows Hyper-V set_keys.ps1 PowerShell Script
on page 38. However, if you do not use this script, the complete configuration can be
performed using the configuration wizard in the Hyper-V virtual server console.
If the license update feature is not enabled, Trellix recommends that you accept the
evaluation licenses during the initial configuration, because manual entry of license keys is
error prone. After the activation code is entered and the admin user has access to the
server Web UI or CLI , you can copy and paste the license keys.
To access the Windows Hyper-V Manager console and start the configuration wizard:
1. Log in to the Windows Hyper-V Manager console.

2. Verify your virtual machine is turned on. To turn it on, highlight its row in the
Hyper-V Manager console, right-click on the row and select Start.
3. Connect to the new virtual machine. Highlighting its row in the Hyper-V Manager
console, right-click on the row and select Connect.
4. At the login prompt, enter admin.
5. If you did not change the admin password in the set_keys.ps1 PowerShell script,
enter admin (this is the distributed admin password). If you changed the admin
password in the set_keys.ps1 PowerShell script, enter the new admin password.
6. Start the configuration jump-start wizard:
hostname (config) # configuration jump-start
7. Answer the wizard questions as described in Configuration Wizard Steps below.

Configuration Wizard Steps

The following table describes the questions the configuration wizard prompts you to
answer. As noted in the table, the wizard skips some steps based on your answers to
previous steps and whether initial settings were specified on the Properties screen for ESXi
virtual servers or in the set_keys.ps1 PowerShell script for Hyper-V virtual servers.
Press Ctrl+C to exit the configuration wizard. After the management interface is
configured, an administrator can use the configuration jump-start CLI command
to run the wizard again.
Step Response
Enter Enter the activation code you obtained from Trellix.

activation
You will not be prompted for an activation code if you supplied one on the
code?
Properties screen for ESXi virtual servers or in the set_keys.ps1
PowerShell script for Hyper-V virtual servers.
Hostname? Enter the hostname for the server.

You will not be prompted for the server hostname if you supplied one in
the set_keys.ps1 PowerShell script for Hyper-V virtual servers.
Admin Enter a new administrator password. The new password must be from 8–
password? 32 characters.
You do not need to supply an updated admin password if you supplied
one on the Properties screen for ESXi virtual servers or in the set_
keys.ps1 PowerShell script for Hyper-V virtual servers.
NOTE—If you have not changed the admin password, do so now or the
administrator will be unable to log in to the server.
Confirm Re-enter the new administrator password, if you supplied one in the
admin previous step.
password?
Enable Enter yes to enable the administrator to log in to the server remotely. Enter
remote no to disable remote access.
access for
‘admin’
user?
Use DHCP Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure
on ether1 the server IP address and other network parameters. Enter no to manually
interface? configure your IP address and network settings. (If you enter yes, the
zeroconf and static IP addressing steps are skipped.)

Configuration Wizard Steps
Step Response
Use Enter yes to use zero-configuration (zeroconf) networking. Enter no to

zeroconf specify a static IP address and network mask. (If you specify yes, the next
on ether1 step is skipped.) NOTE: Do not use zeroconf on the primary interface.
interface?
Primary Enter the IP address for the management interface in A.B.C.D format and
IPv4 enter the network mask, for example: 1.1.1.2/12.
address
and
masklen?
Default Enter the gateway IP address for the management interface.

gateway?
Primary Enter the IP address of the DNS server.

DNS
server?
Domain Enter the domain for the management interface; for example: it.acme.com.
name?
Enable Enter yes to enable access to the DTI network. (If you enter no, the next
fenet three steps are skipped.)
service?
Enable Enter yes to enable the licensing service to automatically download your
fenet licenses from the DTI network and install them. (If licenses are
license downloaded and installed successfully, the wizard skips the step that
update prompts for the product license key and the step that prompts for the
service? security-content updates key.)
Sync Enter yes to synchronize the server time with the DTI server time. If you
appliance enabled the licensing service, synchronization prevents a feature from
time with being temporarily unlicensed due to a time gap. The wizard makes three
fenet? attempts to perform this step before it gives up and moves to the next step.
Update Enter yes to download and install your licenses. The wizard makes three
licenses attempts to perform this step before giving up and moving on to the next
from fenet? step.
Enable Enter yes to enable automatic time synchronization with one or more
NTP? Network Time Protocol (NTP) servers.
Enable Enter no if you want to use IPv4 for your Endpoint Security virtual server
IPv6? or enter yes to enable IPv6 for your Endpoint Security virtual server.

Step Response
Product Press Enter to install a 15-day evaluation license.

license
key?

PART III: Configuration
l The Endpoint Security Server Web UI on page 47

l License Keys on page 49
l Validating DTI Access on page 61
l Attaching and Detaching DMZ Servers on page 65
l Configuring the Server Address List on page 69
l Setting up Provisioning on page 73

Endpoint Security Virtual Server Deployment Guide PART III: Configuration

Browser Support
CHAPTER 8: The Endpoint

Security Server Web UI
The Endpoint Security Web UI uses HTTPS to provide a secure connection for configuring
the server. The Web UI functions you have access to depend on the privileges granted by
your role.
You access the Endpoint Security Web UI by directing a browser to the management port's
IP address or hostname using HTTPS. The IP address and hostname are set during the
initial configuration of the server. The hostname must be resolved by a DNS server if you
use it to access the Web UI.
The Endpoint Security Web UI includes controls for logging in and out using local,
appliance-specific credentials.
Browser Support
Use one of the following browsers to access the Endpoint Security Web UI:
l Internet Explorer 11.0 or higher and Microsoft Edge on supported versions of

Windows
l Firefox 51 or higher on supported versions of Windows
l Google Chrome 13.0 or higher on supported versions of Windows
Screen Resolution Requirements

The Endpoint Security Web UI supports the following screen resolutions:
1152 x 864 pixels 1440 x 900 pixels

1280 x 800 pixels 1600 x 900 pixels
1280 x 1024 pixels 1680 x 1050 pixels
1360 x 768 pixels 1920 x 1080 pixels
1366 x 768 pixels 1920 x 1200 pixels

Endpoint Security Virtual Server Deployment Guide CHAPTER 8: The Endpoint Security Server Web UI
Logging In to the Endpoint Security Web

UI
To log in to the Endpoint Security Web UI, you need the server IP address or hostname,
and you need the username and password that the server administrator created for you.
Prerequisites
l Before the default Admin user can log in to the appliance Web UI and create other
user accounts, the manufacturing default password (admin) must be changed to a
new password that is 8 to 32 characters long. This step is included in "Initial
Configuration" in the Endpoint Security System Administration Guide.
To log in to the Endpoint Security appliance Web UI:
1. In the appliance Web UI login page, enter the local username and password for this
appliance as provided by your administrator.

Endpoint Security Virtual Server Deployment Guide About Trellix License Keys
CHAPTER 9: License Keys

This section covers the following information:
l About Trellix License Keys below

l Automatic License Updates on the next page
l Manual License Installation on page 54
l Viewing License Notifications Using the Web UI on page 59
About Trellix License Keys

License keys are required for system operation. The Endpoint Security appliance requires
three license keys:
FIREEYE_APPLIANCE—Required to register your system and use the product features.
Endpoint Security servers refer to this license as the Endpoint Security Essentials license.
FIREEYE_SUPPORT—Allows your system to receive software image updates.
CONTENT_UPDATES—Allows your system to access the Dynamic Threat Intelligence
(DTI) network, which provides the latest intelligence on advanced cyber attacks and
malware callback destinations. This enables Trellix products to proactively recognize new
threats and block attacks. There are two versions of the content update license:
l The two-way sharing license provides your appliance with malware intelligence
from the DTI network and shares data about malware analyzed by your appliance.
l The one-way sharing license provides your appliance with malware intelligence, but
no information is submitted to the DTI cloud.
The following licenses are optional:

HX_ADVANCED —Allows access to Endpoint Security exhaustive Enterprise Search
requests, data acquisition requests, and bulk acquisition endpoint requests via the API.
This license is referred to as the Endpoint Security Power license. HXD (DMZ) appliances do
not need an HX_ADVANCED license if the Endpoint Security (master) server associated
with the DMZ server already has one.

Endpoint Security Virtual Server Deployment Guide CHAPTER 9: License Keys
MD_ACCESS—Allows Trellix products to connect to the Managed Defense VPN. Without

this license, Managed Defense cannot manage the appliance.
NOTE: The functionality provided by optional licenses is disabled if the FIREEYE_

APPLIANCE license is invalid.
If licenses have expired or will expire within 30 days, warnings are displayed on the
Appliance License Settings page. For details, see Viewing License Notifications Using the
Web UI on page 59.
Automatic License Updates
The license update feature enables the Endpoint Security appliance with basic network
connectivity to automatically download licenses from the DTI network and install them.
This feature provides the following benefits:
l Minimal initial configuration—The license update feature is enabled with the

configuration jump-start wizard during the initial system configuration. This means
the feature can be fully functional after the jump-start wizard is completed.
l Simplified license management—There is no need to contact Trellix for license keys
when new features are added or when licenses are renewed, because the new
licenses are automatically downloaded and installed.
l Scalability—Organizations, such as those with a large number of appliances, can
benefit from all appliances being updated automatically, instead of entering license
keys manually on each appliance, one at a time.
You can enable automatic license updates on the Endpoint Security appliance using the
configuration wizard or the CLI.
How It Works
The license update feature, if enabled, downloads and applies licenses to which the
customer is contractually entitled. If an active license for a feature is already installed and
the licensing service downloads an active license for the feature, the installed license is
replaced by the downloaded license only if the downloaded license offers more
functionality or a later expiry date. This process is automatic; however, you can also
explicitly update licenses.
The license update feature will not:
l Install a downloaded license that would cause a feature to become temporarily

unlicensed.
l Install a product (FIREEYE_APPLIANCE) license that changes licensed features. If
this is your intention, you must install the new license manually.

You can synchronize the system time to the DTI server time to prevent a feature from being
temporarily unlicensed due to time differences. This is a one-time synchronization, but it
can be repeated.
When an appliance is managed by the Central Management appliance, the Central
Management appliance acts as a proxy between the managed appliance and the licensing
service. The license update feature must still be enabled on the managed appliance. In
such an integrated environment, the Central Management appliance acts as the DTI server
for the managed appliances, so the licensing service uses the Central Management DTI
network credentials instead of the appliance's credentials.
For more information, see "Enabling Automatic License Updates" in the Endpoint Security
System Administration Guide.
Enabling Automatic License Updates

This section describes two ways to enable automatic license updates on the Endpoint
Security appliance.
Configuration Wizard Method

The configuration wizard is typically used to initially configure a new system. The wizard
steps, which include the following license activation steps, allow a customer to have a
functioning system with only minimal configuration.
l Enable fenet service?

l Enable fenet license update service?
l Sync appliance time with fenet?
l Update licenses from fenet?
For details about the wizard steps, see Configuration Wizard Steps on page 42.
CLI Method
The following topic describes how to use CLI commands to enable and work with the
license update feature:
l Enabling Automatic License Updates Using the CLI on the next page

Prerequisites
l An established connection between the appliance and the Internet.
l Operator or Admin access to enable the license update feature and download and
install licenses.
l DTI network access to allow the appliance to get updates directly from the
DTI network.
l (Optional) Admin access to synchronize the system clock with the DTI server clock.
Enabling Automatic License Updates Using the CLI

When the license update feature is enabled, license updates are automatic. You can also
explicitly update licenses.
To verify and enable automatic license updates:
1. Go to CLI configuration mode:
hostname > enable
2. Verify the license update feature status:

hostname (config) # show fenet license
fenet License Update Service
Licensing service: Administratively enabled
Last time licensing service was contacted: 2014/08/11 10:50:04

Last time licensing service was contacted successfully: 2014/08/11
10:50:04
Last time keys from licensing service were applied: 2014/08/07 17:50:03
3. If the license update feature service is disabled, enable it:

hostname (config) # fenet license update enable
4. Save your changes:

hostname (config) # write memory
NOTE: See "Synchronizing the System Clock to DTI Server Time Using the CLI" in
the Endpoint Security System Administration Guide for an option that prevents
potential licensing issues if there is a time gap between the two clocks.
To explicitly update licenses:
hostname > enable
2. Update licenses:
hostname (config) # fenet license update


To disable automatic license updates:
hostname > enable
2. Disable the feature:

hostname (config) # no fenet license update enable

Forcing License Updates

When you force license updates, the licensing service downloads licenses from the
DTI server, removes existing licenses if there are conflicts, and installs the downloaded
licenses in their place. The licenses are installed even if they are less functional or of a
shorter duration than the existing licenses, would change licensed features, or would cause
a feature to become temporarily unlicensed.
CAUTION! Carefully consider the implications of forcing license updates before

you perform this procedure.
To force license updates:
1. Go to CLI configuration mode.

hostname > enable
2. Download the licenses and replace existing licenses with them if there are conflicts.
The system clearly indicates which licenses were replaced.
hostname (config) # fenet license update force
3. Save your changes.

Examples
l The licensing service replaced an existing license with one that it downloaded:
Added license(s) from fenet
LK2-CONTENT_UPDATES-33XX-0X0X-0000-X000-X000-X00X-0XXX-J00
Deleted installed license(s) (superceded by license(s) shown above):
LK2-CONTENT_UPDATES-42XX-44XX-H888-X00X-000R-XX22-XYZ-0

l The licensing service installed a license that did not exist on the appliance:
Added license(s) from fenet
LK2-FIREEYE-SUPPORT-000X-XX00-0000-X000-X000-X00X-0XXX-X00X
No license(s) deleted
l All licenses were already installed and did not conflict with downloaded licenses:
All licenses fetched from fenet have already been installed
Manual License Installation

If the license update feature is not enabled, you need to install license keys manually.
Licenses need to be installed when an evaluation license expires or when a license expires
or no longer meets your needs. In addition, replacement licenses need to be installed after a
Return Material Authorization (RMA).
You can obtain your license keys from the Assets tab in the Trellix Customer Support
Portal or by sending an email that includes the MAC address of your appliance to key_
[email protected].
There are two ways to manually install licenses, described in the following topics:
l Installing Licenses Using the Web UI below

l Installing Licenses Using the CLI on page 56
Installing Licenses Using the Web UI

Use the Appliance License Settings page to install licenses on the Endpoint Security
appliance.

NOTE: Clicking the Enable VPN link in the Description column for an MD_
ACCESS license allows you to connect the appliance to Managed Defense over the
Internet using a secure SSL VPN connection. For details, see the Managed Defense
Quick Start Guide.
Prerequisites
l Admin or Operator access.
l The appliance does not already have the type of license key you are installing.
To install license keys using the Web UI:
1. Select Appliance Settings from the Admin menu.
2. Click Appliance Licenses on the sidebar.

3. Paste the license key you obtained from Trellix in the License Key box.
4. Click Add.
The page refreshes to show the license key in the table. If the key is valid, the Valid
column shows a check mark and additional information is displayed about the
license.
Removing Licenses Using the Web UI

Use the Appliance License Settings page to remove Endpoint Security licenses.

Prerequisites
l Admin or Operator access
To remove license keys:
1. Select Appliance Settings from the Admin menu.
2. Click Appliance Licenses on the sidebar.

3. Click the icon in the Delete column in the row for the license you want to remove.
4. Click Yes in the confirmation message that appears.
Installing Licenses Using the CLI

Use the CLI commands in this topic to install licenses on the Endpoint Security appliance.
Prerequisites
To install licenses:
hostname > enable
2. Install each license:

hostname (config) # license install <key1> <key2> <key3>
NOTE: You can enter the license keys sequentially separated by spaces as
shown above, or enter license install and then press Enter to be prompted
to enter the license keys one at a time.

3. Verify the licenses:

hostname (config) # show licenses
License 1: LK2-FIREEYE_APPLIANCE-<license details>
Feature: FIREEYE_APPLIANCE
Description: FireEye Appliance Type
Valid: yes
Start date: 2016/12/01 (ok)
Tied to appl ID: 8699351EB1D5 (ok)
Product: HX (ok)
Type: PROD (ok)
Tied to model: FireEyeHXVM (ok)
Agreement: EULA (ok)
Appliance role: master
Active: yes
License 2: LK2-CONTENT_UPDATES-<license details>
Feature: CONTENT_UPDATES
Description: Content updates
Valid: yes
End date: 2017/12/01 (ok)
Sharing: all (ok)
Active: yes
License 3: LK2-FIREEYE_SUPPORT-<license details>

Feature: FIREEYE_SUPPORT
Description: FireEye support
Valid: yes
End date: 2017/12/01 (ok)
Sharing: all (ok)
Active: yes
...

Removing Licenses Using the CLI

Use the CLI commands in this topic to remove licenses.
Prerequisites
To remove licenses:
hostname > enable

2. List the installed licenses:

hostname (config) # show licenses
License 1: LK2-FIREEYE_APPLIANCE-<license details>
Feature: FIREEYE_APPLIANCE
Description: FireEye Appliance Type
Valid: yes
Product: HX (ok)
Type: PROD (ok)
Tied to model: FireEyeHXVM (ok)
Agreement: EULA (ok)
Appliance role: master
Active: yes
License 2: LK2-MD_ACCESS-<license details>

Feature: MD_ACCESS
Description: Managed Defense VPN Access
Valid: yes
End date: 2017/12/01 (ok)
Active: yes
License 3: LK2-CONTENT_UPDATES-<license details>

Feature: CONTENT_UPDATES
Description: Content updates
Valid: yes
End date: 2017/12/01 (ok)
Sharing: all (ok)
Active: yes
License 4: LK2-FIREEYE_SUPPORT-<license details>

Feature: FIREEYE_SUPPORT
Description: FireEye support
Valid: yes
End date: 2017/12/01 (ok)
Sharing: all (ok)
Active: yes
3. Specify the license ID to remove an individual license. For example, 4 is the license
ID for the Support license shown in the previous example.
hostname (config) # license delete 3hostname (config) # license delete
4


Viewing License Notifications Using the Web UI
Viewing License Notifications Using the

Web UI
Functionality associated with a license stops when a license expires. For example, when
the FIREEYE_APPLIANCE license expires, the appliance will block access to all pages
except the Appliance License Settings page, and CLI commands (except those that install
licenses) are disabled or their execution fails. For example, the report generate
command will not create a report.
To prevent a gap in functionality, the Appliance License Settings page displays
notifications about expired license and licenses that will expire within 30 days. For
example:
NOTE: See Automatic License Updates on page 50 for information about enabling

the appliance to automatically download licenses from the DTI network when it is
time to renew them.


Endpoint Security Virtual Server Deployment Guide Validating DTI Access Using the Web UI
CHAPTER 10: Validating

DTI Access
Before using the features associated with the DTI network, you must establish
communication between the appliance and the DTI network. Use the following procedures
to verify this communication.
Prerequisites
l Operator or Admin access
l Access to the DTI network
Validating DTI Access Using the Web UI

Use the FireEye System Information page to validate DTI cloud communication.
To validate DTI access:
1. If the About tab is not visible, select Appliance Settings from the Admin menu.
2. Click the About tab.
3. Click Health Check on the upper left side.
4. Locate the Dynamic Threat Intelligence Cloud section.
5. Verify that the DTI Client field is Enabled.

Endpoint Security Virtual Server Deployment Guide CHAPTER 10: Validating DTI Access
Validating DTI Access Using the CLI

Use the commands in this topic to verify DTI communication.
To validate DTI access:
1. Go to CLI configuration mode.

hostname > enable
2. Check the status of the DTI service.

hostname (config) # show fenet status
Dynamic Threat Intelligence Service:
Update source : <online>

Enabled : yes
Download : [email protected]
Upload : [email protected]
Mil : [email protected]
HTTP Proxy:
Address :
Username :
User-agent :
Request Session:
Timeout : 30
Retries : 0
Speed Time : 60
Max Time : 14400
Rate Limit :
Speed Limit : 1
Dynamic Threat Intelligence Lockdown:
Enabled : no
Locked : no
Lock After : 5 failed attempts
UPDATES
Enabled Notify Scheduled Last Updated At
------- ------ -------------- ---------------
Security contents: yes no every 2020/12/03
11:40:00
Stats contents : yes none 2020/12/07
06:13:00

Validating DTI Access Using the CLI
3. Confirm the following information:

l Update source is online.
l DTI service is enabled.
l DTI service username is the name provided with DTI subscription license.
l DTI service address is one of the following:
l cloud.fireeye.com.
l The IP address of the managing Central Management appliance.
NOTE: In rare cases, your DTI service address could be a variant of

cloud.fireeye.com.

Endpoint Security Virtual Server Deployment Guide CHAPTER 10: Validating DTI Access

CHAPTER 11: Attaching and

Detaching DMZ Servers
Use the CLI commands in this topic to attach or detach DMZ servers to or from the
primary Endpoint Security server. Attaching the servers allows them to communicate.
Up to two DMZ servers can be attached to an on-premises Endpoint Security

appliance or virtual Endpoint Security server. In cloud environments, only a single
DMZ server can be connected to the Endpoint Security server.
A single Endpoint Security ecosystem, which includes the Endpoint Security server
and any installed DMZ servers, can support up to 100,000 agents.
Your servers must run the same version of Endpoint Security software. If they use
different versions, communication between them will fail.
The Central Management appliance can be used to upgrade and manage DMZ server,
with the following caveats.
l Indicator updates from the Central Management appliance or from the DTI
(Dynamic Threat Intelligence) Cloud cannot be sent directly to the DMZ server.
Instead, they are acquired from the Central Management appliance or the DTI by the
primary Endpoint Security server and transferred to the DMZ server.
l If you have problems connecting your Central Management appliance to your
DMZ server, consider the firewalls your organization has in place. In some
circumstances, the DMZ server is not accessible to the Central Management
appliance because a firewall is blocking the connection.
Prerequisites
l Admin or fe_services access

Endpoint Security Virtual Server Deployment Guide CHAPTER 11: Attaching and Detaching DMZ Servers
Attaching a DMZ Server to the Primary

Endpoint Security Server
Follow the instructions below to attach a DMZ server to the primary Endpoint Security
server.
To attach a DMZ server to the primary Endpoint Security server:
1. On the DMZ server, enable CLI configuration mode:

hostname > enable
2. Verify the server's current role:

hostname (config) # show hx ecosystem
The DMZ server displays:

Appliance Role: dmz
3. Generate a passphrase for the DMZ server:

hostname (config) # hx ecosystem dmz attach-initiate
The system displays a passphrase that you must use on the primary Endpoint
Security server by the expiration time shown.
For example:
Attach passphrase: $J^N%n@rsZ6F
This passphrase will expire at 2014-11-20 21:29:54 UTC.
If you do not use it in that time, you will need to re-initiate the
listener.
Reinitiating the listener means repeating this step to generate a new

passphrase.
4. On the primary Endpoint Security server, enable CLI configuration mode:

hostname > enable
5. Attach the DMZ server to the primary Endpoint Security server:

hostname (config) # hx ecosystem dmz attach <dmz-hostname-or-IP>
passphrase <passphrase>
6. Verify that the DMZ server is attached.

l View ecosystem roles:
A primary Endpoint Security server configuration with an attached

DMZ server displays:

Detaching a DMZ Server from the Primary Endpoint Security Server
Appliance Role: master

DMZ Appliance: {<IP address or domain name of DMZ appliance>}
l View the DMZ server attachment in the PKI settings:

hostname (config) # show hx pki
The response includes certification and ping times, which should be the same
for both servers.
Detaching a DMZ Server from the

Primary Endpoint Security Server
Follow the instructions below to detach a DMZ server from the primary Endpoint Security
server.
To detach a DMZ server from the primary Endpoint Security server:
1. On the primary Endpoint Security server, enable CLI configuration mode:

hostname > enable
2. Detach the DMZ server:

hostname (config) # no hx ecosystem dmz <dmz-hostname-or-IP>
3. Verify that the DMZ server is no longer attached to the primary Endpoint Security
server.
l View the ecosystem roles:
The list of current HX ecosystem configuration roles no longer contains the

DMZ server that you detached.
l View the PKI settings:
The response no longer includes the information about the DMZ server that
you detached.
Endpoint Security Server Boot Order

Error messages appear and log messages are written if an Endpoint Security server or
DMZ server is started and the attached server is not started.
If your Endpoint Security server is attached to DMZ server, FireEye recommends that they
be started (booted) in the following order:

Endpoint Security Virtual Server Deployment Guide CHAPTER 11: Attaching and Detaching DMZ Servers
1. Start the DMZ server first.

2. Start the Endpoint Security server second.
For best results, the appliances should be rebooted one right after the other.
Endpoint Security Server Cluster

IP Address Change Guidelines
An Endpoint Security server cluster is an environment in which an Endpoint Security
server and one or more DMZ servers are installed.
If you are running an Endpoint Security cluster environment at your site and you need to
change the IP address of the Endpoint Security server, follow these guidelines. If you do
not follow these guidelines, your agents might not recognize the IP address of the Endpoint
Security server and will no longer respond to it.
1. Add the new IP address before changing the existing one.

2. Add the new IP address to the Agent Settings page of the Web UI and wait for the
agents to download the update from the Endpoint Security server. This will ensure
that their server address lists are updated.
After you have performed these steps, it is safe to assign the new IP address to your
Endpoint Security server.

CHAPTER 12: Configuring the

Server Address List
The server address list is a list of Endpoint Security (primary and DMZ) servers installed
in your enterprise. If your enterprise deploys both primary and DMZ servers on the
network, you need to consider the deployment topology when you configure agent
communication. For example, if a host endpoint will be used outside the enterprise
network and its agent is expected to communicate with a DMZ server, the DMZ server’s
address must be included in the server address list. FireEye recommends that the first
server in the server address list be the most accessible to the largest number of hosts.
l Server Address Order

Agents attempt to connect to the first Endpoint Security server listed in the server
address list. If the first server is unavailable, the agent then attempts to reach the
second server, and so on.
The address order is set by the order in which you add the servers to the
server address list. The first server added is the first one in the list. The
second server added is the second in the list.
l Provisioning Server
HX and HXD Series (Endpoint Security) releases before version 3.0 support the use
of a single provisioning appliance, identified as the primary appliance. HX Series
version 3.0 and later support the use of multiple provisioning appliances for
endpoints running FireEye Endpoint Agent software version 20 or later and a single
provisioning appliance for endpoints running FireEye Endpoint Agent software
version 11 or earlier. FireEye Endpoint Security Agents use provisioning servers to
connect and complete their installation by establishing their cryptographic agent
identity. Any Endpoint Security server, including a DMZ server, can be enabled to
do provisioning. Endpoint Security provisioning servers must be accessible by
agents within your company's network. DMZ provisioning servers must be
accessible inside and outside your company's network.

Endpoint Security Virtual Server Deployment Guide CHAPTER 12: Configuring the Server Address List
l Primary Server
If the endpoints in your environment have agent software versions earlier than
version 20 installed, a single Endpoint Security server must be designated as the
primary appliance. This appliance must be accessible within the network by all
agents when they are initially installed on hosts. The primary server manages the
initial provisioning of the agents. You can use either your internal Endpoint Security
server or a DMZ server as your primary server.
Endpoint Security server administrators and operators can add or remove servers on the
server address list.
l Adding a Server to the Server Address List Using the Web UI

l Removing a Server from the Server Address List Using the Web UI
Prerequisites
l The Endpoint Security server is physically installed on the network for agent access
Adding a Server to the Server Address

List
You can add an Endpoint Security server to the server address list using the Web UI.
l Adding a Server to the Server Address List Using the Web UI
Adding a Server to the Server Address List Using the Web

UI
To add a server to the server address list using the Web UI:
1. Log into the Web UI as an administrator or an operator.

2. Select Policies on the Admin menu.
3. Click Agent Default policy.
The Edit Policy page opens.
4. Select the Server Addresses tab.

Removing a Server From the Server Address List
5. In the Enter server address of appliance text box on the Server Addresses tab, enter
the hostname or the IP address of the Endpoint Security server, and click Add.
All available servers appear in the list shown in the Enable Provisioning section of
the page.
6. In the Enable Provisioning section, indicate which Endpoint Security server will be
the provisioning server by selecting the Enable Provisioning checkbox in the row
containing the server name or IP address. At least one server must be designated as
a provisioning server. See Designating Provisioning Servers on page 74.
(Optional) If the endpoints in your environment have agent software versions earlier
than version 20 installed, select the Set as primary checkbox in the row containing
the server name or IP address if the added server will be doing provisioning. This
specifies the server as the primary server for your network. Primary servers are used
to provision agents older than version 20. Only a single server can be designated as
a primary server. See Designating Provisioning Servers on page 74.
7. Click Save.
Removing a Server From the Server

Address List
You can remove an Endpoint Security server from the server address list using the Web UI.
l Removing a Server from the Server Address List Using the Web UI
Removing a Server from the Server Address List Using the

Web UI
To delete a server from the server address list using the Web UI:
1. Log into the Web UI as an administrator or an operator.

2. Select Policies on the Admin menu, and then select the Server Addresses tab.
3. Select the remove icon next to the IP address or host to delete.
4. Click Save.

Endpoint Security Virtual Server Deployment Guide CHAPTER 12: Configuring the Server Address List

CHAPTER 13: Setting up

Provisioning
Provisioning establishes unique cryptographic identities for the agents installed on your
host endpoints. To complete the FireEye Endpoint Security Agent installation on a host
endpoint, the agent connects to a provisioning Endpoint security server that then
determines the cryptographic identity for the agent. When provisioning does not occur, the
server does not know about and cannot collect data from the host endpoint on which the
agent is installed.
Any Endpoint Security server, including a DMZ server, can be enabled to do provisioning.
Both physical and virtual Endpoint Security appliances can be enabled to do provisioning.
If the endpoints in your environment have agent software versions earlier than version 20
installed, they can only provision against a single Endpoint Security server, identified as
the primary server. By default, the provisioning server is the first server listed in the agent
server address list, which is usually your internal (non-DMZ) server.
If the endpoints in your environment have agent software version 20 or later installed, they
can provision against multiple Endpoint Security servers. By default, your internal
Endpoint Security server is a provisioning server.
Provisioning Endpoint Security servers must be accessible by agents within your
company's internal network. Provisioning DMZ servers must be accessible by agents
inside and outside your company's network.
You must identify the servers that will be your provisioning servers before you
download the FireEye Endpoint Security Agent installation software to your host
endpoints. When agent installation software is downloaded, the IP addresses or
DNS names of the provisioning Endpoint Security servers are identified in the agent
download package.
To set up provisioning:
1. Enable provisioning on the servers you might want to use for provisioning. See
Enabling Servers for Provisioning on the next page.

Endpoint Security Virtual Server Deployment Guide CHAPTER 13: Setting up Provisioning
2. Designate which provisioning-enabled server you want to use. See Designating

Provisioning Servers below. This must be done before you download agent software
to your host endpoints.
You can cancel a server as a provisioning server. See Canceling Provisioning
Servers on page 78.
Prerequisites
Enabling Servers for Provisioning

Before you can designate a server as a provisioning server in your environment, you must
enable the server to do provisioning.
Prerequisites
To enable a server for provisioning:
1. Log in to the Endpoint Security Server Web UI.

2. From the Admin menu, select Agent Versions.
3. In the upper right corner of the page, select Assign Server Addresses to open the
Policies page.
4. From the Policies table, click the Agent Default policy link.
6. From the Enable Provisioning section, locate the server you want to use for
provisioning.
7. Select the Enable Provisioning checkbox associated with the server you identified in
step 6.
8. Click Save.
Designating Provisioning Servers

After enabling provisioning on a server, you must designate it to do provisioning.

The provisioning server address can be a split DNS that resolves differently depending on
whether an agent is operating inside or outside your company’s internal network. When
the agent is inside the network, the DNS resolves to the primary Endpoint Security server;
when the agent is outside the network, the DNS resolves to the DMZ server.
This section covers the following topics:
l Designating the Endpoint Security Server as a Provisioning Server Using the Web UI

below
l Designating and Enabling a DMZ Server as a Provisioning Server on the next page
l Designating Provisioning Servers Using a Split DNS in the Web UI on page 77
Prerequisites
Designating the Endpoint Security Server as a

Provisioning Server Using the Web UI
For agents version 20 or later, the primary (non-DMZ) Endpoint Security server is
designated as a provisioning server by default. It cannot be canceled as a
For agents earlier than version 20, you must manually designate the primary
Endpoint Security server for provisioning.
To designate the primary Endpoint Security server as a provisioning server using the
Web UI:
1. Log in to the Endpoint Security Server Web UI.

3. In the upper right corner of the page, select Assign Server Addresses to open the
Policies page.
6. From the Enable Provisioning section, locate the server that you want to use for
provisioning.

7. If endpoints in your environment have agent software versions 20 or later installed,

select Set as Primary to designate the Endpoint Security server as the primary
server.
If endpoints in your environment have agent software version 20 or later installed,
select Enable Provisioning to designate the Endpoint Security server as a
provisioning server. At least one server must be designated as a provisioning
server.
If your environment includes endpoints with agent software versions both earlier
and later than version 20 installed, select Set as Primary and Enable Provisioning
for the provisioning server. Only one server can be designated the primary server.
8. Click Save.
Designating and Enabling a DMZ Server as a Provisioning

Server
When you use the Web UI to enable provisioning on your DMZ server, your Endpoint
Security agents receive the new configuration setting but the provisioning server does not
start on your DMZ server. To start the provisioning server on your DMZ server, you must
also enable provisioning on your DMZ server through the CLI or provisioning will fail.
To designate a DMZ server as a provisioning server using the Web UI:
NOTE: After you use the Web UI to designate the DMZ server as a

provisioning server, you must also enable provisioning for the DMZ server in
the CLI.
1. Log in to the Web UI for your DMZ server.

3. In the upper right corner of the page, select Assign Server Addresses to go to the
Policies page.
6. From the Enable Provisioning section, locate the DMZ server that you want to use
for provisioning.

7. If the endpoints in your environment have agent software versions earlier than
version 20 installed, select Set as Primary to designate the DMZ server as the
provisioning server. This will deselect any other server on the Server Addresses tab
as the primary server.
If the endpoints in your environment have agent software version 20 or later
installed, select Enable Provisioning to designate the DMZ server as a provisioning
server.
8. Click Save.
To use the Endpoint Security server CLI to enable provisioning for a DMZ server:
1. On your Endpoint Security appliance, enable CLI configuration mode.

hostname > enable
2. Enable provisioning on your DMZ server:

hostname (config) # hx ecosystem dmz <dmz-ip> provisioning-enabled
where <dmz-ip> is the IP address of the DMZ server for which you are enabling
provisioning.
4. Verify that the DMZ server is a provisioning appliance.

The server configuration should show an attached DMZ server with provisioning
enabled:
Appliance Role: master
DMZ Appliance: {<IP address> or <domain name of DMZ appliance>}

Provisioning: enabled
Designating Provisioning Servers Using a Split DNS in the

Web UI
The provisioning server address can be a split DNS that resolves differently depending on
whether the host on which the agent is installed is operating inside or outside your
company’s internal network. When the agent is inside the network, the DNS resolves to the
internal Endpoint Security server; when the agent is outside the network, the DNS resolves
to the DMZ server.

Prerequisites
l A split DNS set up to resolve to your internal Endpoint Security server when the
agent is inside the network and to the DMZ server when the agent is outside the
network.
To designate the provisioning server using a split DNS name:
1. Using the Web UI, enable both your primary Endpoint Security server and your
DMZ server for provisioning. See Designating the Endpoint Security Server as a
Provisioning Server Using the Web UI on page 75 and Designating and Enabling a
DMZ Server as a Provisioning Server on page 76.
2. In the Web UI, select Settings on the FireEye menu. The Agent Versions page
appears.
4. Enter the DNS name and click Add.
5. If the endpoints in your environment have agent software versions earlier than
version 20 installed, select Set as Primary to designate the DNS as the provisioning
server. This will deselect any other appliance on the Server Addresses page as the
primary server.
If the endpoints in your environment have agent software version 20 or later
installed, select Enable Provisioning to designate the DNS server as a provisioning
server.
6. Click Save.
Canceling Provisioning Servers

You can cancel a server as the provisioning server.
You must have at least one provisioning server.
This section covers the following topics:
l Canceling the Primary Endpoint Security Server as a Provisioning Server Using the
Web UI on the facing page
l Canceling a DMZ Server as a Provisioning Server Using the Web UI on the facing
page

Canceling Provisioning Servers
Prerequisites
Canceling the Primary Endpoint Security Server as a

Provisioning Server Using the Web UI
For agents version 20 or later, the Endpoint Security server is designated as a
provisioning server by default. You cannot cancel it as a provisioning server.
For agents earlier than version 20, you can cancel the Endpoint Security server as a
To cancel the Endpoint Security server as a provisioning server using the Web UI:
1. In the Web UI, select Agent Versions on the Admin menu.

The Agent Versions page appears.
2. Select Assign Server Addresses in the upper right corner of the page.
The Edit Policy page for the Agent Default policy appears.
3. Select the Server Address tab.
4. Locate your server in the server list in the Enable Provisioning section of the page.
5. For agents earlier than version 20, locate another server in the list of servers and
select Set as Primary to designate it as the provisioning server. This will cancel the
primary Endpoint Security server as the provisioning server.
You cannot cancel the primary Endpoint Security server as a provisioning server for
version 20 or later agents.
6. Click Save.
Canceling a DMZ Server as a Provisioning Server Using

the Web UI
To cancel a DMZ server as a provisioning server using the Web UI:
1. In the Web UI, select Agent Versions on the Admin menu.

The Agent Versions page appears.
2. Select Assign Server Addresses.
The Edit Policy page for the Agent Default policy appears.
3. Select the Server Address tab.

4. Locate the DMZ server in the Enable Provisioning section of the page.
For agents earlier than version 20, locate another server in the list of servers and
select Primary Server to designate it as the provisioning server. This will cancel the
DMZ server as the provisioning server.
For agents version 20 or later, deselect Enable Provisioning to cancel the DMZ
server as a provisioning appliance.
5. Click Save.

PART IV: Integration
l How FireEye Appliance Alerts Become Endpoint Security Alerts and Central
Management Badges on page 83
l Integrating Central Management Appliances and Endpoint Security Servers on
page 87
l Integrating Network Security Appliances and Endpoint Security Servers Directly on
page 99
l SNMP Data on page 101
l Forwarding CEF Logs to Helix and SIEM Solutions on page 109

Endpoint Security Virtual Server Deployment Guide PART IV: Integration

CHAPTER 14: How FireEye

Appliance Alerts Become
Endpoint Security Alerts and
Central Management Badges
The Endpoint Security server generates endpoint alerts based on indicators of compromise
(IOCs). It uses the following types of IOCs: Mandiant intelligence, FireEye appliance alerts,
and custom intelligence. The Central Management appliance does not aggregate all of the
Endpoint Security alerts, but only Endpoint Security alerts that are generated from a
FireEye appliance IOC.
The following steps describe the process by which a FireEye appliance alert becomes an
Endpoint Security alert and a Central Management badge:
1. A FireEye appliance triggers an alert for a web infection, malware object, or malware
callback.
2. The FireEye appliance reports the alert to the Central Management appliance.
3. The Central Management appliance determines if an IOC for the Endpoint Security
server should be created and, if so, publishes it.
4. The Endpoint Security server transforms the Central Management indicator into an
Endpoint Security IOC and publishes it for the Endpoint Security agents.
5. The Endpoint Security agents search their hosts for any indicator of compromise. If
a match is found, the agent reports back to the Endpoint Security server. The
Endpoint Security server creates an alert, which is aggregated to the Central
Management appliance if that alert was based upon an IOC from a managed
appliance.
6. The Central Management appliance correlates the Endpoint Security alert with the
managed appliance alerts and creates badges for the appropriate alerts. Network
Security alerts will have an endpoint compromised badge. Email Security — Server
Edition alerts will have a related endpoint badge.

Endpoint Security Virtual Server CHAPTER 14: How FireEye Appliance Alerts Become Endpoint Security Alerts
Deployment Guide and Central Management Badges
Endpoint Security and FireEye Appliance Alert Disparity

There is rarely a one-to-one relationship between Endpoint Security alerts and other FireEye
appliance alerts.
Indicators that are passed to the Endpoint Security server may not produce alerts if the
FireEye appliance blocks the malware download, if the combination of platform and
application version do not expose the required vulnerability, or if the endpoint is no longer
present in the network.
Network appliances evaluate possible infections within the network rather than actual
infections. If a user accesses an infected website but the browser and system are not
vulnerable to that infection, no infections are downloaded to their endpoint. But the
network appliance still fully evaluates the infected site, running various browsers and
versions to do so. It will likely generate multiple alerts for the infected site even though
none of the infections occurred on the actual endpoint host and no Endpoint Security alerts
have been generated.
Here are some other reasons why Endpoint Security and the other FireEye appliance alert
counts differ:
l Not all FireEye appliance alerts provide the kind of data from which an Endpoint
Security indicator can be created.
l Only alerts originating from FireEye appliance IOCs are aggregated to the Central
Management appliance.
l By default, only alerts that are classified as major severity alerts or higher are sent to
the Endpoint Security server, resulting in only high-fidelity endpoint alerts.
Network Security and Endpoint Security Alert Matches

Network Security malware object and malware callback alerts are translated into Endpoint
Security IOCs. An Endpoint Security alert is generated when an IOC condition is detected
on an endpoint host. The Central Management appliance then aggregates the Endpoint
Security alert and badges the original Network Security alert as endpoint compromised. It
matches the endpoint host IP address with the Network Security alert source IP address
and malware artifacts, confirming that evidence of the malware that triggered the Network
Security alert was found on the endpoint host.
Email Security — Server Edition and Endpoint Security

Alert Matches
Email Security — Server Edition malware object and malware callback alerts are translated
into Endpoint Security IOCs. An Endpoint Security alert is generated when an IOC
condition is detected on an endpoint host. The Central Management appliance then
aggregates the Endpoint Security alert and badges the original Email Security — Server

Edition alert as a related endpoint. It matches endpoint host malware artifacts with the
Email Security — Server Edition alert malware artifacts, confirming that evidence of the
malware that triggered the Email Security — Server Edition alert was found on the
endpoint host.
Email Security — Server Edition alerts do not contain a source IP address that can be
matched directly to the endpoint host IP address. The Central Management badge indicates
the most probable source of origin of the compromise.

Endpoint Security Virtual Server CHAPTER 14: How FireEye Appliance Alerts Become Endpoint Security Alerts
Deployment Guide and Central Management Badges

CHAPTER 15: Integrating Central

Management Appliances and
Endpoint Security Servers
FireEye recommends that you use a Central Management appliance to manage your
Endpoint Security server to ensure that your server receives the highest-fidelity indicators
available. Central Management of an Endpoint Security server can be set up using the
Central Management Web UI. See the appendix "Configuring a Managed Appliance" in the
FireEye System Security Guide.
Errors result if you attempt to use the Central Management CLI to set up
management of an Endpoint Security server. Use the Web UI only.
If your Endpoint Security server and other FireEye appliances are managed by a Central
Management appliance, the Endpoint Security server automatically receives indicators
from the other FireEye appliances. The Central Management appliance streamlines
management of multiple appliances and enhances detection by correlating indicators. See
How FireEye Appliance Alerts Become Endpoint Security Alerts and Central Management
Badges on page 83.
The Central Management platform can be used to upgrade and manage an Endpoint
Security DMZ server, with the following caveats.
l Indicator updates from the Central Management appliance or from the DTI
(Dynamic Threat Intelligence) Cloud to the DMZ server must be configured
separately. See Configuring a Central Management-Managed DMZ Server to Get
Updates from DTI on page 90. If these steps are not performed, indicator updates are
acquired from the Central Management appliance and the DTI by the Endpoint
Security server and transferred to the DMZ server.
l If you have problems connecting your Central Management appliance to your
DMZ server, consider the firewalls your organization has in place. In some
circumstances, the DMZ server is not accessible to the Central Management
appliance because a firewall is blocking the connection.

Endpoint Security Virtual Server CHAPTER 15: Integrating Central Management Appliances and Endpoint
Deployment Guide Security Servers
Central Management releases earlier than Release 7.6 do not support integration with
Endpoint Security servers. Endpoint Security releases earlier than Release 2.6 do not
support integration with Central Management appliances. If you are running a Central
Management release earlier than Release 7.6, see Integrating Network Security Appliances
and Endpoint Security Servers Directly on page 99.
Do not attempt to integrate your Endpoint Security server with a Central

Management appliance if you have already integrated with other FireEye appliances
as described in Integrating Network Security Appliances and Endpoint Security
Servers Directly on page 99. Using both types of integration will cause errors in the
Central Management integration.
The configuration of your Endpoint Security server with the Central Management
appliance happens automatically after they are both installed. Use the instructions in this
section to ensure the settings on each appliance are correct.
When you remove a managed appliance from the Central Management platform,
all data (including alert information) associated with the appliance is removed. If
you add the appliance again later, the data is restored, but all alerts generated by
the appliance are assigned new IDs. Because the alerts have new IDs, Endpoint
Security links for alerts will break if the alerts were generated by the appliance
before it was removed from the Central Management platform.
To configure Central Management 7.6 or later and Endpoint Security server integration:
1. On your Central Management appliance, enable CLI configuration mode.

hostname > enable
2. Determine the latest alert ID on the Central Management appliance.

hostname (config) # show log matching "alert id"
The output from this command lists log file entries that include the CM Series alert
ID.
Mar 16 18:02:51 FireEye_CM notifyd[9696]: tid 5175: [notifyd.INFO]:
[inform_fireeye_hx] processing alert id=5762 infection-id=2291
infection-type=malware-object began at:2017-03-17 01:02:51, finish
at:2017-03-17 01:02:51 time cost:0 micro-seconds sequence-
id=140655883976776
3. Review the log file and choose a CM Series alert ID. The Endpoint Security server
will start collecting CM Series IOC data for this alert ID after the server attaches to
the Central Management appliance.
In Endpoint Security, the CM Series alert ID is called a bookmark.
4. On your Endpoint Security server, enable CLI configuration mode.
hostname > enable

5. Set the starting CM Series alert ID for the integration.
hostname (config) # hx server detection inbound bookmark <CM-alert ID>
where <CM-alert ID> is the starting CM Series alert ID you chose earlier in these
steps. The default is 0 (zero), which downloads all of the CM Series alerts to the
Endpoint Security server after the products are integrated.
FireEye does not recommend selecting a CM Series alert ID of 0 because of

the performance impact this may have on your Endpoint Security server after
the initial integration with the Central Management appliance.
If you accidentally set the CM Series alert ID to 0 and you want to delete all
or many of the IOCs downloaded from the Central Management appliance,
temporarily change the Endpoint Security indicator and alert aging threshold
in the Web UI to just a few days. The Endpoint Security server will
automatically delete IOCs that exceed this threshold. See "Managing Real-
Time Indicator Detection" in the Endpoint Security Agent Administration Guide.
Alternatively, you can manually remove the IOCs from the Endpoint Security
server using the Indicators page in the Endpoint Security Web UI.
6. View detection-related settings for the Endpoint Security server:

hostname (config) # show hx server detection
Sample output from this command is shown below:

HX Server Detection Configuration:
Generated Indicator Aging: enabled
Generated Indicator Aging Period: 14 days
Alert Aging Period: 30 days
False Positive Alert Aging Period: 1 day
Intel Matching: enabled
Legacy notification listener active: no
Malicious.URL Indicator Generation (legacy): yes
Suspicious (noisy) Indicator Generation (legacy): no
Inbound alert poll interval: 5 minutes
Inbound alert minimum severity: majr
No ignored alert types.
Last bookmark ID: 5762
If the Legacy notification listener active field is set to no, Central

Management integration with the Endpoint Security server is operational and no
further steps are necessary. This is the default configuration for Endpoint Security
2.6 and later appliances.
If the Legacy notification listener active setting is not set to no, proceed with
the remaining steps in this procedure.

7. Disable FireEye legacy appliance support:

hostname (config) # no hx server detection legacy enable
Do not attempt to integrate your Endpoint Security server with a Central

Management appliance if you have already integrated with other FireEye
appliances as described in Integrating Network Security Appliances and
Endpoint Security Servers Directly on page 99. Using both types of
integration will cause errors in the Central Management integration.

hostname (config # write mem
9. Log in to the Central Management Web UI and select CMS Settings.

10. Select Notifications in the left navigation pane.
11. Click the http table heading to access HTTP notification configuration fields. These
fields allow you to access the HTTP connection definitions set up for your FireEye
appliance.
12. If an Endpoint Security server HTTP connection has been defined, disable HTTP
notifications to the Endpoint Security appliance by clearing the checkbox in the
Enabled column of the Endpoint Security connection definition.
For more information about Central Management requirements for integration with the
Endpoint Security server, see the Central Management Administration Guide.
Configuring a Central Management-

Managed DMZ Server to Get Updates
from DTI
You can configure a Central Management-managed DMZ server to obtain updates from
DTI rather than from the Central Management.
To configure a Central Management-managed DMZ server to get update from DTI:
1. On the DMZ server, go to CLI configuration mode:

hostname > enable
2. Override the downloads from the Central Management:

hostname (config) # fenet dti source override enable
3. Apply a custom DTI source:

hostname (config) # fenet dti source default CDN

Configuring a Central Management-Managed DMZ Server to Get Updates from DTI
4. Verify the configuration:

hostname (config) # show fenet dti configuration
5. When the configuration is correct, save your changes:



Overview
CHAPTER 16: Replacing

Integrated Central Management
Appliances and Endpoint Security
Servers
To successfully replace an integrated Central Management appliance or Endpoint Security
server, you must manually configure the Endpoint Security server Bookmark ID. This
manual configuration ensures retrieval of relevant IOCs in a timely manner from the
Central Management appliance.
Overview
When an Endpoint Security server is managed by a Central Management appliance, the
Central Management appliance sends a notification of the latest Alert ID to the Endpoint
Security server. The Endpoint Security server then polls the Central Management appliance
for the Alert ID and retrieves Indicators Of Compromise (IOC) details for the specified alert.
The Endpoint Security server then updates the Bookmark ID to identify the next Alert ID to
use when polling the Central Management appliance.
A newly manufactured Endpoint Security server has a Bookmark ID equal to zero. When
the Endpoint Security server is attached to the Central Management appliance, the Central
Management appliance will send the latest Alert ID to the Endpoint Security server. The
Endpoint Security server will then poll the Central Management appliance for all the Alert
IDs from zero through to the latest Alert ID. The delta between the Endpoint Security server
Bookmark ID and the Central Management appliance latest Alert ID can be in the
thousands, resulting in a performance impact on the Endpoint Security server as it gathers
all the IOCs.
Replacement scenarios
The following scenarios are explained in detail.
1. New Central Management appliance, New Endpoint Security server, existing

Network Security/Email Security — Server Edition/File Protect/Malware Analysis

Endpoint Security Virtual Server CHAPTER 16: Replacing Integrated Central Management Appliances and
Deployment Guide Endpoint Security Servers
with a large history of alerts: In this scenario, a large delta may accrue for all of the
historic and incoming alerts on the FireEye detection devices.
2. New Central Management appliance, existing Endpoint Security server, existing
with a high volume of alerts: In this scenario, a large delta may accrue while the
Central Management appliance is offline with a large influx of alerts.
3. New Central Management appliance, existing Endpoint Security server, existing
with a low volume of alerts: The Bookmark ID may be greater than the actual latest
Alert ID which can potentially result in missed alert IOCs.
4. Existing Central Management appliance, New Endpoint Security server, existing
with a large history of alerts: A large delta may accrue for all of the historic and
incoming alerts on the FireEye detection devices.
Replacement scenario 1: New Central Management

appliance, New Endpoint Security server, existing
Network Security/Email Security — Server Edition/File
Protect/Malware Analysis with a large history of alerts
When a customer installs a new Central Management appliance (new purchase, model
upgrade or RMA) and a new Endpoint Security server (new purchase, model upgrade or
RMA) in an existing Network Security/Email Security — Server Edition/File
Protect/Malware Analysis environment:
l The Central Management appliance Alert ID is zero

l The Endpoint Security server Bookmark ID zero
l The Network Security/Email Security — Server Edition/File Protect/Malware
Analysis latest alert ID is a large number
The Central Management appliance will aggregate all of the existing alert data and send
notifications for all of the Alert IDs to the managed Endpoint Security server. The Endpoint
Security server will poll the Central Management appliance for all of the alerts between
zero and the latest Alert ID. This could result in a large delta and could impact the
performance of the Endpoint Security server. The process of the Endpoint Security server
Bookmark ID catching up to the latest Alert ID can take many hours or days depending on
the amount of alert data present on the Central Management appliance. This can result in
a signification delay in the Endpoint Security server receiving the latest, most relevant
IOCs, causing missed malware detection on the endpoints. To prevent this, advance the
Endpoint Security server Bookmark ID to a recent Alert ID (see steps below) before
attaching the Endpoint Security server to the Central Management appliance.


appliance, existing Endpoint Security server, existing
Protect/Malware Analysis with a high volume of alerts
upgrade or RMA) in an existing Endpoint Security server and Network Security/Email
Security — Server Edition/File Protect/Malware Analysis high volume environment:

l The Endpoint Security server Bookmark ID is a large number
Analysis latest alert ID is a larger number
notifications for all of the Alert IDs to the managed Endpoint Security server. The Endpoint
Security server will poll the Central Management appliance for all of the alerts between the
last Bookmark ID and the latest Alert ID. For a high-volume alert environment, this delta
can be large depending upon how long the Central Management appliance is offline and
the rate of alert influx. This could result in a large delta and could impact the performance
of the Endpoint Security server. The process of the Endpoint Security server Bookmark ID
catching up to the latest Alert ID can take several hours depending on the amount of alert
data. This can result in a delay in the Endpoint Security server receiving the latest, most
relevant IOCs.

appliance, existing Endpoint Security server, existing
Protect/Malware Analysis with a low volume of alerts
upgrade or RMA) in an existing Endpoint Security server and Network Security/Email
Security — Server Edition/File Protect/Malware Analysis low volume environment:

l The Endpoint Security server Bookmark ID is a larger number
notifications for all of the Alert IDs to the managed Endpoint Security server. In rare cases,
the Endpoint Security server Bookmark ID could be greater than the latest Central

Management appliance Alert ID. The Endpoint Security server will poll the Central
Management appliance for the larger Bookmark ID and will not receive an IOC from the
Central Management appliance until the Central Management appliance Alert ID
advances to equal the Bookmark ID. This could result in missing IOCs from alerts with
Alert IDs below the Endpoint Security server Bookmark ID, as well as missing malware
detection on the endpoints. You can modify the Endpoint Security server Bookmark ID to
equal a recent Alert ID (see steps below) before attaching the Endpoint Security server to
the Central Management appliance to prevent this.
Replacement scenario 4: Existing Central Management

appliance, New Endpoint Security server, existing
Protect/Malware Analysis with a large history of alerts
When a customer installs a new Endpoint Security server (new purchase, model upgrade
or RMA) in an existing Central Management appliance and Network Security/Email
Security — Server Edition/File Protect/Malware Analysis environment:
l The Central Management appliance latest Alert ID is a large number

l The Endpoint Security server Bookmark ID zero
The Central Management appliance will send notifications for all of the Alert IDs to the
managed Endpoint Security server. The Endpoint Security server will poll the Central
Management appliance for all of the alerts between zero and the latest Alert ID. This could
result in a large delta and could impact the performance of the Endpoint Security server.
The process of the Endpoint Security server Bookmark ID catching up to the latest Alert ID
can take many hours (or days) depending on the amount of alert data present on the
Central Management appliance. This can result in a signification delay in the Endpoint
Security server receiving the latest, most relevant IOCs, causing missed malware detection
on the endpoints. To prevent this, you should advance the Endpoint Security server
Bookmark ID to a recent Alert ID (see steps below) before attaching the Endpoint Security
server to the Central Management appliance.
Modifying the Endpoint Security server Bookmark ID

For Scenarios 1,3 and 4, the Endpoint Security server Bookmark ID should be set to a recent
Central Management appliance Alert ID before adding the Endpoint Security server to the
Central Management appliance. To determine the most recent Alert ID on the Central
Management appliance, run the following CLI Command:
l sh log matching \bnotifyd\b.*\bdone_notify_alerts\b

In the example below, the Endpoint Security server Bookmark ID can be set to '5071' to
receive the latest IOC from the Central Management appliance. However, depending on the
scenario, the Endpoint Security server could have a large delta or could be missing out on
recent IOCs. To get a better Bookmark ID starting point, log into the Central Management
appliance UI, navigate to the Alerts/Alerts page, set the inline filter Date Range to 'Past 1
Week' (or any desired time-frame), and apply the filter. The total number of alerts for this
time-frame can be found in the upper left-hand corner of the alerts display. Subtract this
number from the most recent Alert ID and set the Endpoint Security server Bookmark ID to
this number to gather the past weeks IOCs. For instance, if the Central Management
appliance displays 50 alerts for the selected date range, the Bookmark ID can be set to
'5021'. The Endpoint Security server should be added to the Central Management
appliance. The Endpoint Security server will begin to gather the IOCs from the alerts from
5021 through the current Central Management appliance Alert ID as soon as it receives the
first Alert notification of the most current Alert ID from the Central Management appliance.
Example
dresden # sh log matching \bnotifyd\b.*\bdone_notify_alerts\b
Jul 11 12:51:51 dresden notifyd[28468]: tid 28468: [notifyd.INFO]: SQL:select
* from done_notify_alerts('{5069} ')


CHAPTER 17: Integrating

Network Security Appliances and
Endpoint Security Servers Directly
If your Endpoint Security server is not managed by a Central Management appliance, you
must configure the Network Security appliance to communicate with the Endpoint Security
server.
The procedure described in this section is for Endpoint Security version 2.6 or later servers.
If you upgrade to Endpoint Security 2.6 or later without upgrading to Central Management
7.6 or later, you need to perform these steps.
Do not use this procedure if you have already integrated your Endpoint Security
server with a Central Management appliance (see Integrating Central
Management Appliances and Endpoint Security Servers on page 87). Using both
types of integration will cause errors in the Central Management integration.
Alerts can only be sent from Malware Analysis or Email Security — Server
Edition appliance to the Endpoint Security server through a Central Management
appliance. Attempts to send Malware Analysis or Email Security — Server Edition
alerts to the Endpoint Security server using the direct connection set up between a
Network Security appliance and the server will fail. FireEye only provides the
direct connection between Network Security and Endpoint Security. Use the
Central Management appliance connection with the Endpoint Security server for
Malware Analysis and Email Security — Server Edition alerts.
To configure Endpoint Security integration with Network Security appliances directly

when the Endpoint Security server is not managed by a Central Management appliance:
1. On your Endpoint Security server, enable CLI configuration mode.

hostname > enable
2. Enable FireEye legacy appliance support for the Endpoint Security server:
hostname (config) # hx server detection legacy enable

Endpoint Security Virtual Server CHAPTER 17: Integrating Network Security Appliances and Endpoint
Deployment Guide Security Servers Directly

hostname (config) # write mem
4. Log in to the Web UI of the Network Security appliance and then click Settings. (On
a Central Management appliance, click CMS Settings).
5. Click Notifications in the left navigation pane.
6. Verify that all HTTP event types are selected for the appliance.
7. Click the http table heading to access HTTP notification configuration fields. These
fields allow you to define the HTTP connection with your Endpoint Security
appliance.
8. Type a name for the Network Security appliance's direct connection to the Endpoint
Security appliance in the Name box and then click Add HTTP Server.
9. Enter the Endpoint Security URL in the Server Url box:
https://<DNS-name-or-Endpoint-Security-IP>/alerts
For example: https://123.456.78.90/alerts

10. Select the check box in the Enabled column for the Endpoint Security server
connection. This enables HTTP notifications between the Network Security
appliance and the Endpoint Security server.
11. Leave the Username and Password boxes for the Endpoint Security server
connection empty.
12. Select All Events from the list in the Notifications column for the Endpoint Security
server connection.
13. In the Delivery list for the Endpoint Security server connection, select Per Event.
14. Select the SSL Enable box. Do not select the SSL Verify box for the Endpoint
Security server connection.
15. In the Default Provider list, select Generic.
16. In the Message Format list, select JSON Extended.
17. Click Update to save the Endpoint Security server connection.

Endpoint Security Virtual Server Deployment Guide Retrieving SNMP Data
CHAPTER 18: SNMP Data

Trellix appliances send Simple Network Management Protocol (SNMP) data to convey
abnormal conditions to administrative computers that monitor and control them. The
administrative computers are called SNMP managers.
SNMP data includes the following:
l Information that is retrieved (pulled) by the SNMP manager. This information is

sent in response to requests the SNMP manager sends to the appliance. See
Retrieving SNMP Data below.
l Events (known as traps) that are sent (pushed) by the appliance to the
SNMP manager. Traps typically report alarm conditions such as a disk failure or
excessive temperature. They are unsolicited; that is, they are not sent in response to
requests from the SNMP manager. See Sending Traps on page 105.
Retrieving SNMP Data
This section describes how to retrieve SNMP information from the Endpoint Security
appliance.
A Management Information Base (MIB) is a text file written in a specific format in which
all of the manageable features of a device are arranged in a tree. Each branch of the tree
contains a number and a name, and the complete path from the top of the tree down to the
point of interest forms the Object Identifier, or OID. The OID is a string of values separated
by periods, such as .1.3.6.1.2.1.1.3.0.
You can send requests for data on an object using the OID, but it can be simpler to use the
symbolic name for the object instead. A MIB allows SNMP tools to translate the symbolic
names into OIDs before sending the requests to the managed device. Symbolic names for
objects in the Trellix MIB include feSerialNumber.0, feHardwareModel.0,
feProductLicenseActive0, feFanIsHealthy.1, and so on.
The Trellix MIB, named FE-FIREEYE-MIB, needs to be downloaded from the Endpoint
Security appliance to the SNMP manager so it can be loaded into an SNMP browser or
other tool. A typical SNMP browser can retrieve the values the appliance supports, and

Endpoint Security Virtual Server Deployment Guide CHAPTER 18: SNMP Data
then display them in a hierarchy so you can navigate to the value you need to include in
the request.
This section contains the following topics:
l Providing Access to SNMP Data below

l Downloading the MIB below
l Retrieving SNMP Data Using Event OIDs on page 104
l Sending Requests for SNMP Information on page 105
Providing Access to SNMP Data

To allow access to SNMP v3 data, configure a username and password.
Prerequisites
To enable access to SNMP data:
hostname > enable
2. Verify that SNMP is enabled:

hostname (config) # show snmp
If the output shows SNMP enabled: no, enter the snmp-server enable command.
3. SNMP v3: Specify the SNMP user and password:
hostname (config) # snmp-server user <username> v3 enable
hostname (config) # snmp-server user <username> v3 auth sha <password>

Downloading the MIB

You can download the MIB from the command prompt.
This section describes how to download the FE-FIREEYE-MIB to SNMP managers that run
on Microsoft Windows, Linux, and Apple devices. The MIB file is retrieved using a
program that connects using port 22, which is normally used for protocols such as SSH,
SCP, and PSCP. Because file-level access is denied by policy, the direct path to the MIB file
needs to be specified.

Retrieving SNMP Data
Prerequisites
l Analyst, Operator, or Admin access
To download the FireEye MIB to Windows devices:
1. Download the pscp.exe tool (available from PuTTY download page).

2. Navigate to a command prompt window.
3. Change to the directory in which you downloaded the pscp.exe tool:
cd Downloads
4. Copy the MIB file from the appliance:

pscp.exe -r -scp
admin@<appliance><applianceIPAddress>:/usr/share/snmp/mibs \Temp\mibs\
5. When prompted for the password, enter admin.

The files are copied to the \Temp\mibs directory on the Windows device.
6. Change to the mibs directory:
cd C:\Temp\mib
7. Load the MIB into an SNMP browser or tool, or open the MIB file:
vi FE-FIREEYE-MIB.txt
To download the FireEye MIB to Linux devices:
1. Copy the MIB file from the appliance using the OpenSSH client:
scp -r admin@<appliance><applianceIPAddress>:/usr/share/snmp/mibs
/usr/<userDirectoryName>
2. When prompted for the password, type admin.

The files are copied to the mibs directory that resides in the
/usr/<userDirectoryName> directory.
3. Change to the mibs directory:

cd mibs
To download the FireEye MIB to Apple devices:
1. Navigate to the terminal emulator.

2. Copy the MIB files from the appliance:
scp -r admin@<applianceIPAddress>:/usr/share/snmp/mibs ~/
3. When prompted for the password, type admin.

The files are copied to the mibs directory that resides in the user directory.

Retrieving SNMP Data Using Event OIDs

You can retrieve SNMP data using event object IDs (OIDs) after the MIB file has been
downloaded.
Prerequisites
l The MIB file must be downloaded. See Downloading the MIB on page 102.
To retrieve SNMP data using event OIDs:
hostname > enable
2. SNMP is enabled by default. Verify that it is enabled:

3. Enable the appliance to send notifications to the SNMP manager:
hostname (config) # snmp-server enable notify
4. Specify the IP address of the SNMP manager:

hostname (config) # snmp-server host <IPAddress> traps public
5. Enable SNMP communities:
hostname (config) # snmp-server enable communities
6. Add an SNMP community:

hostname (config) # snmp-server community <community>
where <community> is the string needed by the SNMP server to query the appliance.
The default community string is public.
7. Limit SNMP access to the listen interface called ether1:
hostname (config) # snmp-server listen interface ether1
8. Enable access to the listen interface:

hostname (config) # snmp-server listen enable


Sending Traps
Sending Requests for SNMP Information

This topic describes two ways to retrieve SNMP information.
l The snmpget command retrieves the value of a specific object.

l The snmpwalk command walks through the object hierarchy, automatically
retrieving the values of objects for the subtree or node that you specified.
Examples of basic commands that retrieve SNMP data follow. The commands are entered
from the SNMP manager application. The IP address in the commands is the appliance
IP address.
SNMP v3 commands:
snmpmgr # snmpget -m +FE-FIREEYE-MIB -v 3 -u myname -a MD5 -A mypassword -l
authNoPriv 172.0.0.0 feTemperatureValue.0
snmpmgr # snmpwalk -m +FE-FIREEYE-MIB -v 3 -u myname -a MD5 -A mypassword -l
authNoPriv 172.0.0.0 enterprises.25597
SNMP v2c commands:
snmpmgr # snmpget -m +FE-FIREEYE-MIB -v 2c -c public 172.0.0.0
feSupportLicenseActive.0
snmpmgr # snmpwalk -m +FE-FIREEYE-MIB -v 2c -c public 172.0.0.0 fireeye
snmpmgr # snmpwalk -v 2c -c public 172.0.0.0 enterprises.25597
To retrieve license expiration dates formatted in a table, use a command similar to the
following (different commands are required by different SNMP manager applications):
snmpmgr # snmptable -c public -Of -v 2c localhost feLicenseFeatureTable
Check the number of days in the rightmost column. If the value is less than 30, contact
your system administrator.
Sending Traps
This section describes how to configure basic SNMP support on the Endpoint Security
appliance, enable and configure traps, and set up trap logging. For detailed information
about SNMP commands and options for more advanced configurations, see the Trellix CLI
Command Reference.
Enabling and Configuring Traps

Various events can trigger the appliance to send traps to the SNMP manager. Most of the
events are enabled by default. This topic describes how to enable the appliance to send
traps, configure the IP address of the SNMP manager that receives the traps, and disable
and enable individual events.

Prerequisites
To enable traps and events:
hostname > enable
2. SNMP is enabled by default. Verify that it is enabled:

3. Enable the appliance to send notifications to the SNMP manager:

hostname (config) # snmp-server enable notify
4. Specify the IP address of the SNMP manager:

hostname (config) # snmp-server host <IPAddress> traps public
5. Save your changes

To view the events that can be enabled or are currently enabled:

hostname > enable
2. View a list of all events that can be enabled:

hostname (config) # snmp-server notify event ?
3. View the events that are currently enabled:

hostname (config) # show snmp events
To disable or enable specific events:

hostname > enable
2. Disable an event:
hostname (config) # no snmp-server notify event <event>
For example, the following command stops a trap from being sent when the
temperature of the appliance is normal:
hostname (config) # no snmp-server notify event normal-temperature

Sending Traps
3. Enable an event:
hostname (config) # snmp-server notify event <event>
For example, the following command enables the appliance to send a trap when
there is a change in an interface link:
hostname (config) # snmp-server notify event if-link-change

4.
Logging Trap Messages

The snmptrapd service receives and logs trap messages.
To set up trap logging:
1. Log into the SNMP manager application.

2. Enable the snmptrapd service:
snmptrapd
3. Specify the log location:

/var/log/snmptrapd.log


CHAPTER 19: Forwarding

CEF Logs to Helix and SIEM
Solutions
You can forward CEF logs from on-premises or virtual Endpoint Security servers to Helix
using a Cloud Collector or Communications Broker (Comm Broker). This allows you to
view, but not manage, on-premises and virtual Endpoint Security log data in Helix.
In addition, the Endpoint Security server can be integrated with a variety of Security
Information and Event Management (SIEM) solutions to exchange requests and
information automatically, reducing time spent navigating between product interfaces. For
example, integrating these products helps you perform the following actions.
l You can send common event format (CEF) logs from the Endpoint Security server to
one or more remote SIEMs. This includes hits (referred to as alerts), containment
state events, and triage status. For more information, see Configuring CEF Logging
for Endpoint Events on the next page. For information on the data that is logged, see
"CEF Logs and Output" in the Endpoint Security Server User Guide.
l You can perform two-way communications with SIEM solutions, such as acquiring
triage collections.
l With SIEM solutions, you can execute analyst actions initiated in a URL context.
Specifically, you can:
o Listen for traffic from SIEMs that initiate analyst actions via URL requests.
o Parse the arguments in these requests.
o Format and execute commands.
The integration between the Endpoint Security server and most SIEM solutions can be
accomplished using an external integration connector and an API Analyst user account.
See "Roles for Local User Accounts" in the System Security Guide. For an example of setting
up an integration connector with a SIEM solution, see SIEM Example: Setting Up an
Endpoint Security Integration Connector with ArcSight on page 113.

Endpoint Security Virtual Server Deployment Guide CHAPTER 19: Forwarding CEF Logs to Helix and SIEM Solutions
An integration connector can only be used for communications from the SIEM
solution to the Endpoint Security server, not from the Endpoint Security server to the
SIEM solution.
Similar integration can be accomplished using the Endpoint Security API. See the
Endpoint Security REST API Guide.
Configuring CEF Logging for Endpoint

Events
Use the CLI commands in this topic to configure logging for CEF-formatted log messages
for endpoint events. These CEF log messages can be sent from the Endpoint Security
appliance to your Helix environment or Security Information and Event Management
(SIEM) solution.
To forward logs to Helix, create a destination for the Cloud Collector or Communications
Broker (Comm Broker). The Cloud Collector or Comm Broker will aggregate and forward
Endpoint Security CEF logs to Helix.
To integrate with a SIEM solution, create a destination for the remote syslog server.
l Viewing the Current Logging Configuration on the facing page

l Adding a Destination on the facing page
l Removing a Destination on page 112
l Using TCP for Remote Logging on page 112
l Configuring the Port for a Remote Logging Target on page 112
l Enabling Local CEF Logging on page 113
l Disabling Local CEF Logging on page 113
Descriptions of the collected CEF log data can be found in "CEF Logs and Output" in the
Endpoint Security Server User Guide.
Prerequisites
l To forward CEF logs to Helix, a FireEye Cloud Collector or Comm Broker must be
installed. See the Cloud Collector Installation Guide or the Unmanaged Communications
Broker Installation Guide for details.

Configuring CEF Logging for Endpoint Events
Viewing the Current Logging Configuration

To view the current logging configuration:
1. Enable the CLI configuration mode:

hostname > enable
2. View the configuration:

hostname # show logging
Here is sample output from this command:

Local logging level: notice (OVERRIDES DISABLED)
Override for class cef: none
Remote syslog default level: notice
No remote syslog servers configured.
Receive remote messages via UDP: no
Receive remote messages via TCP: no
Receive remote messages via TLS: no
Log file rotation:
Log rotation size threshold: 256 megabytes
Archived log files to keep: 40
Log format:
Subsecond timestamp field: disabled
Secure channel logs: yes
In this example, CEF logging is actually disabled because the Override for class
cef setting is not set to info. All CEF logging occurs for messages logged at the
info system log level. If this level is set to anything other than info, CEF logging
will not occur. See Enabling Local CEF Logging on page 113.
Adding a Destination
Define a Cloud Collector or Comm Broker destination to forward CEF log messages to
Helix. Define a remote syslog server destination to integrate Endpoint Security with your
SIEM solution.
To add a destination:

hostname > enable
2. Add the destination:

hostname # logging <IP-address> trap none
hostname # logging <IP-address> trap override class cef priority info
where <IP-address> is the IP address of the Cloud Collector or the remote syslog
server destination.
3. Save your settings:
hostname # write mem

Removing a Destination
To remove a destination:

hostname > enable
2. Remove a remote syslog server destination:

hostname # no logging <IP-address>
where <IP-address> is the IP address of the Cloud Collector or the remote syslog
server destination.
Using TCP for Remote Logging

To use TCP for remote logging instead of UDP:

hostname > enable
2. Request TCP instead of UDP for a remote logging target:

hostname # logging <remote-IP-address> protocol tcp

Configuring the Port for a Remote Logging Target

To change the port for a remote logging target from port 514:

hostname > enable
2. Change the port number:

hostname # logging <remote-IP-address> port <new-port-number>


SIEM Example: Setting Up an Endpoint Security Integration Connector with ArcSight
Enabling Local CEF Logging

To enable local CEF logging:

hostname > enable
2. Enable CEF logging:
hostname # logging local override class cef priority info
All CEF logging occurs for messages logged at the info system log level. If you set
this to any other system log level, CEF logging will not occur.
Disabling Local CEF Logging

To disable local CEF logging:

hostname > enable
2. Disable CEF logging:
hostname # logging local override class cef priority none

SIEM Example: Setting Up an Endpoint

Security Integration Connector with
ArcSight
The SIEM example in this section describes how to integrate the Trellix Endpoint Security-
specific integration connector with ArcSight's Flex CounterACT SDK (SmartConnector).
After this integration has been established, it can be used for communication from the
ArcSight Security Information and Event Management (SIEM) solution to the Endpoint
Security appliance.
Follow the steps below, along with your vendor documentation, to install and configure
the integration connector. If you need help setting up an integration connector with your
SIEM, contact Fire Customer Support.

This guide refers to ArcSight and its ESM manager or console as examples of SIEM
integration methods and objectives. For example, analysts can use the ArcSight ESM
console's Integration Command menu or rules to automate the process of requesting
acquisitions for a SIEM event. Your ArcSight vendor can provide information about
creating and using ArcSight integration commands. FireEye Support can provide you with
information about using the integration connector with other SIEM solutions.
FireEye supports the use of the ArcSight Smart Connector type 10.0.5. The ArcSight
to Endpoint Security connector port must be 3000 (TCP). The Endpoint Security to
ArcSight syslog port is configurable.
FireEye recommends that you use Java 7 or later with ArcSight and that your Java
class path is updated to point to this Java version. If you use an earlier version of
Java, SSL errors may occur.
Prerequisites
l Administrative permissions to the machine on which you are installing the
integration connector.
l An Endpoint Security Admin or Operator account.
l An Endpoint Security API Analyst account you have created specifically for the
connector.
l A copy of the integration connector installation package
(FireEye\ArcSight\Connector\Install\10.0.5.zip available on SFDC).
l Either of the following types of certificates:
o A self-signed development certificate created using OpenSSL (according to the
procedure described in Creating a Self-Signed Development Certificate).
o A valid certificate that you have purchased from your chosen provider.
Creating a Self-Signed Development Certificate

Follow these steps to create a self-signed development certificate for installing the
integration connector.
The certificate must be in .pem format, and it must match the hostname of the
Endpoint Security server.

To create a self-signed development certificate:
1. On a machine on which you have installed OpenSSL, enter the following command:
C:\OpenSSL\bin> openssl req -x509 -nodes -newkey rsa:2048 -keyout
key.pem -out cert.pem -days 3000
2. At the end of each line, enter the appropriate information for your enterprise in the
format indicated. For example:
Country Name (2 letter code) [XX]: US
State or Province Name (full name) []: Virginia
Locality Name (e.g., city) [Default City]: Bristol
Organization Name (e.g., company) [Default Company Ltd]: FireEye
Organizational Unit Name (e.g., section) []: IT
Common Name (e.g., your name or your server's hostname) []: dti-hx-dev
Email Address []: [email protected]
OpenSSL generates two files: a self-signed certificate (named cert.pem) and a key
(named key.pem).
3. Download and save the certificate and key files.
Installing the Integration Connector

Follow these steps to install and configure the integration connector.
To install and configure the integration connector:
1. On the machine where you are installing the connector, extract the files from the HX
Connector Installer .zip package to a local folder.
2. Copy the certificate and key files that you generated, or the ones supplied by your
chosen provider into the same folder as the installer files.
3. Rename the certificate: certname.pem.
4. Log in to the server Web UI as an administrator.
5. On the Admin menu, select Appliance Settings.
6. Select Certificates on the sidebar. The Certificate Management page appears.
7. On the Certificate Management page, install the certificate:
l To install the self-signed certificate that you created in Creating a Self-Signed
Development Certificate, upload the Certificate and Private Key.
l To install a certificate provided by your chosen provider, upload the
Certificate, Private Key, and CA Certificate.
8. Click Update.

You are logged out of the Endpoint Security server, and the login screen reloads
with the following message:
1 notice
l The Web Server is currently restarting
l Please wait for about 20 seconds and try again
l If this condition persists, please Contact FireEye Support
9. On the machine where you installed the connector, edit the fireeye-
connector.properties file, and enter the appropriate parameters for the Endpoint
Security target:
appliance HX
hostname The hostname of the Endpoint Security server
username The username of the API Analyst account
password The password of the API Analyst account
cert certname.pem
The hostname you enter must match the hostname in the certificate.
If the hostname you enter is not registered in the DNS, then you must connect
the hostname and IP address in your operating system's host file on the
machine where you are installing the connector.
10. Run the ArcSight SmartConnector installation package installer.
Record the full path of the directory and folder that you use for this
installation. You will need it later. If your enterprise will be using more than
one ArcSight SmartConnector, make sure to choose a unique folder name.
When the installation is complete, the SmartConnector Configuration Wizard

opens.
11. Before you configure the SmartConnector, run the install.bat file located in the
HX Connector Installer package. Enter the full path for the ArcSight SmartConnector
installation folder that you recorded in Step 9.
12. Enter 2, when you are asked which Connector type you are installing.
13. If you are using ArcSight ESM 6, export an ArcSight certificate from your ESM
server and transfer the certificate to the server where the ArcSight SmartConnector is
installed.

14. If you are using ArcSight ESM 6, import the certificate.

a. In Windows environments, run cmd.exe using an account with read/write
access to the directory where you are installing the certificate.
In Linux environments, open a command terminal using an account with
read/write access to the directory where you are installing the certificate.
b. In the SmartConnector's bin directory, execute the appropriate command:
arcsight.bat agent keytoolgui (Windows)
./arcsight agent keytoolgui (Linux)
c. Open the keystore under jre/lib/security/cacerts.
The default password is changeit.
d. Import the certificate, navigate to the certificate file, and then save the
keystore.
15. Return to the ArcSight SmartConnector Configuration Wizard.
16. In the Configuration File box, enter HXFlexConnector, and then click Next.
17. Finish performing the steps in the ArcSight SmartConnector Configuration Wizard,
choosing default settings or customizing for your enterprise's SIEM solution, as
appropriate.
If you want the SmartConnector to run as a service, choose the following options:
l Select Yes to start the service automatically when you restart the server on
which it is running.
l Enter unique names for Service Internal Name and Service Display Name, if
your enterprise will have more than one SmartConnector on the server where
you are installing this Connector.
If you want to run the SmartConnector service before the server restarts, you
must start the service manually.
You can validate the success of the installation by using your SIEM console to view events
or perform other actions, such as requesting a triage collection.


PART V: Appendices
l Enabling and Disabling Endpoint Security Server Quiesce Mode on page 121

l Managing Endpoint Security PKI Certificates on page 125

Endpoint Security Virtual Server Deployment Guide PART V: Appendices

APPENDIX A: Enabling and

Disabling Endpoint Security Server
Quiesce Mode
If you need to update an operational Endpoint Security environment by adding, removing,
upgrading or restoring a backup to an appliance, enable quiesce mode to make sure you do
not lose any server-generated tasks.
Enabling quiesce mode causes the Endpoint Security server to stop generating tasks and
aborts any queued tasks that have not yet completed on the agent, including file, data, and
triage acquisitions. It also stops the server from accepting new alerts. Enabling quiesce
mode improves the speed of a server upgrade and is most useful for rollbacks and
restoring an appliance from a backup.
After quiesce mode is enabled, the Endpoint Security server enters a quiescing state first,
during which it aborts tasks and processes the output of tasks that have already
completed. When that processing is finished, the server enters a quiesced state.
After updating the Endpoint Security environment, remember to disable quiesce

mode to ensure that the appliance resumes generating tasks and accepting new
alerts.
Enabling and disabling quiesce mode is performed using CLI commands. By default,

quiesce mode is disabled.
l Enabling Quiesce Mode on the next page

l Disabling Quiesce Mode on the next page
l Reviewing Quiesce Mode Status on page 123
Prerequisites

Endpoint Security Virtual Server Deployment APPENDIX A: Enabling and Disabling Endpoint Security Server
Guide Quiesce Mode
Enabling Quiesce Mode

To enable quiesce mode:

hostname > enable
2. Enable quiesce mode:

hostname (config) # hx server quiesce

4. Check the result:

hostname (config) # show hx server general
The following snippet represents the quiesce information from the output of this
show command:
Quiesce Mode:
App Proc: enabled
Message Bus: enabled
Remember to disable quiesce mode after you finish maintaining Endpoint

Security appliances to ensure they resume generating tasks and accepting
alerts.
Disabling Quiesce Mode

To disable quiesce mode:

hostname > enable
2. Disable quiesce mode:

hostname (config) # no hx server quiesce

4. Check the result:

This is a sample result:

Quiesce Mode:
App Proc: disabled
Message Bus: disabled

Reviewing Quiesce Mode Status
Reviewing Quiesce Mode Status

If an Endpoint Security server is quiesced, the following message appears at the top of the
Web UI.
You can review the complete quiesce mode status of an Endpoint Security server or the
separate quiesce mode status for the server application processor and message bus using
the CLI.
To review the quiesce mode status of an Endpoint Security server:

hostname > enable
2. Review the complete quiesce mode status of the server:

The following snippet from the output of this command shows that quiesce mode is
enabled for both the application processor and the message bus.
Quiesce Mode:
App Proc: enabled
Message Bus: enabled

Endpoint Security Virtual Server Deployment APPENDIX A: Enabling and Disabling Endpoint Security Server
Guide Quiesce Mode
3. Review the quiesce mode status of the server application processor:

hostname (config) # show hx app-proc
The following output from this command displays when quiesce mode enabling is
in process for the application processor:
HX App Proc Configuration:
Quiesce Mode: enabled

State: quiescing
The following output from this command displays when the application processor
is fully quiesced:
Quiesce Mode: enabled

State: quiesced
The following output from this command displays when quiesce mode disabling is
in process for the application processor:
Quiesce Mode: disabled

State: quiesced
The following output from this command displays when the application processor
is not in quiesce mode:

State: running
4. Review the quiesce mode status of the server message bus:

hostname (config) # show hx messagebus
The following sample output from this command shows that quiesce mode is
disabled for the appliance message bus:
HX Message Bus Configuration:

APPENDIX B: Managing Endpoint

Security PKI Certificates
Endpoint Security public key infrastructure (PKI) certificates are the PKI keys needed to
communicate with the FireEye Endpoint Security Agents.
You can manage Endpoint Security PKI certificates using the CLI.
l Reviewing Certificates and Settings on the next page

l Exporting Certificates on page 127
l Importing Certificates on page 127
l Regenerating Certificates on page 128
l Setting the PKI Certificate Prefix on page 128
l Setting Agent Certificate Authority Duration on page 129
l Setting Agent Certificate Duration on page 130
l Setting Agent Certificate Length on page 129
l Setting Endpoint Security Certificate Authority Duration on page 130
l Setting Endpoint Security Certificate Duration on page 131
l Setting Endpoint Security Certificate Length on page 131
l Setting Endpoint Security CRL Duration on page 132
l Importing an Endpoint Security CRL on page 132
l Regenerating the Endpoint Security CRL on page 132
l Regenerating the Endpoint Security Subordinate PKI on page 133
l Enabling the Provisioning Certificate on page 134
l Disabling the Provisioning Certificate on page 134
Prerequisites

Endpoint Security Virtual Server Deployment Guide APPENDIX B: Managing Endpoint Security PKI Certificates
Reviewing Certificates and Settings

To review Endpoint Security certificates and settings:

hostname > enable
2. Review the certificates and certificate settings:

The following is sample output from this command:

HX PKI Configuration:
Prefix: <prefix>
Agent CA days: 7300
Agent CA key bits: 2048
Agent cert days: 1825
Server CA days: 7300
Server cert key bits: 2048
Server cert days: 1825
Server CRL days: 30
Provisioning cert use enabled: yes
CA: comms
valid from: <timestamp> to <timestamp>
subject: <subject>
fingerprint: <fingerprint>
CA: distro
subject: <subject>
CA: agent
subject: <subject>
CRL: comms
issued: <timestamp> and expires on <timestamp>
number: <comms_CRL_number>
CRL: distro
issued: <timestamp> and expires on <timestamp>
number: <distro_CRL_number>
host: <HX_appliance_hostname>
role: ca
last ping: <timestamp>

Exporting Certificates
Exporting Certificates
You can export Endpoint Security public key infrastructure (PKI) certificates to a file. This
is recommended before you upgrade the Endpoint Security server.
To export Endpoint Security PKI certificates:

hostname > enable
2. Export the certificates to the file identified by <fileURL>:

hostname (config) # hx pki export file <fileURL> passphrase
<passphrase>
For example:
hostname (config) # hx pki export file scp://user@host/path/to/file
passphrase abc123
Importing Certificates
You can import Endpoint Security public key infrastructure (PKI) certificates from a backup
file. If there were any problems upgrading your appliance that required you to reimage it or
to fully reinstall the software, import the Endpoint Security certificates you exported earlier
so you do not have to reinstall all of your agents.
To import Endpoint Security PKI certificates:

hostname > enable
2. Import the certificates from the file containing your exported certificates, identified
by <fileURL>:
hostname (config) # hx pki import file <fileURL> passphrase
<passphrase>
For example:
hostname (config) # hx pki import file scp://user@host/path/to/file
passphrase abc123
Importing certificates automatically detaches any DMZ server from the

Endpoint Security server. You need to reattach them after the certificates are
imported. See the Endpoint Security Server Deployment Guide.

Regenerating Certificates
You can reset the FireEye Endpoint Security Agent and Endpoint Security communications
server public key infrastructure (PKI), including a certificate authorities (CA).
Using this command orphans any existing agents connected to the

Endpoint Security PKI.
Regenerating certificates automatically detaches any DMZ server from the Endpoint
Security server. You need to reattach them after the certificates are regenerated. See
the Endpoint Security Server Deployment Guide.
To regenerate the PKI and certificate authorities:

hostname > enable
2. Regenerate the PKI and certificate authorities:

hostname (config) # hx pki regenerate

Setting the PKI Certificate Prefix

You can specify the Endpoint Security PKI certificate prefix.
To specify the PKI certificate prefix:

hostname > enable
2. Import the CRL:

hostname (config) # hx pki subject-prefix <prefix>
where <prefix> is the prefix

For example:
hostname (config) # hx pki subject-prefix companyname


Setting Agent Certificate Authority Duration
Setting Agent Certificate Authority

Duration
To set the duration of the FireEye Endpoint Security Agent certificate authority (CA):

hostname > enable
2. Specify the CA duration, in days:

hostname (config) # hx pki agent ca-days <days>
where <days> is the number of days that the agent CA remains active. Valid values
range from 0 and 65535 days. The default is 7300 days.
To set the duration back to the default, use the no form of this command:
hostname (config) # no hx pki agent ca-days

Setting Agent Certificate Length

To set the length of FireEye Endpoint Security Agent certificates:

hostname > enable
2. Specify the certificate length, in bits:

hostname (config) # hx pki agent cert-bits <bits>
where <bits> is the number of bits for the agent certificates. Valid values range
from 1024 and 4096 bits. The default is 2048 bits.
To set the length back to the default, use the no form of this command:
hostname (config) # no hx pki agent cert-bits


Setting Agent Certificate Duration

To set the duration of FireEye Endpoint Security Agent certificates:

hostname > enable
2. Specify the certificate duration, in days:

hostname (config) # hx pki agent cert-days <days>
where <days> is the number of days that the agent certificate remains active. Valid
values range from 0and 65535 days. The default is 1825 days (5 years).
hostname (config) # no hx pki agent cert-days

Setting Endpoint Security Certificate

Authority Duration
To set the duration of the Endpoint Security certificate authority (CA):

hostname > enable
2. Specify the CA duration, in days:

hostname (config) # hx pki server ca-days <days>
where <days> is the number of days that the Endpoint Security CA remains active.
Valid values range from 0 and 65535 days. The default is 7300 days.
hostname (config) # no hx pki server ca-days

hostname (config) # write memor

Setting Endpoint Security Certificate Length

Length
To set the length of Endpoint Security certificates:

hostname > enable
2. Specify the certificate length, in bits:

hostname (config) # hx pki server cert-bits <bits>
where <bits> is the number of bits for the Endpoint Security certificates. Valid
values range from 1024 and 4096 bits. The default is 2048 bits.
To set the length back to the default, use the no form of this command:
hostname (config) # no hx pki server cert-bits


Duration
To set the duration of Endpoint Security certificates:

hostname > enable
2. Specify the certificate duration, in days:

hostname (config) # hx pki server cert-days <days>
where <days> is the number of days that the Endpoint Security certificate remains
active. Valid values range from 0 and 65535days. The default is 1825 days (5 years).
hostname (config) # no hx pki server cert-days


Setting Endpoint Security CRL Duration

When the certificate revocation list (CRL) exceeds this duration setting, the CRL expires.
To set the duration of Endpoint Security certficate revocation list (CRL):

hostname > enable
2. Specify the CRL duration, in days:

hostname (config) # hx pki server crl-days <days>
where <days> is the number of days that the Endpoint Security CRL remains active.
Valid values range from 0 and 65535days. The default is 30 days.
hostname (config) # no hx pki server crl-days

Importing an Endpoint Security CRL

You can import an Endpoint Security certificate revocation list (CRL) from a URL.
To import an Endpoint Security certficate revocation list (CRL):

hostname > enable
2. Import the CRL:

hostname (config) # hx pki server crl-upload distro <url>
where <url> is the URL from which the CRL should be uploaded.
For example:
hostname (config) # hx pki server crl-upload distro
https://10.42.138.20

Regenerating the Endpoint Security CRL

You can reset the Endpoint Security communications server revocation list (CRL).

Regenerating the Endpoint Security Subordinate PKI
An invalid CRL should correct itself automatically within 30 minutes of the date or
time discrepancy. This command forces the correction to occur immediately.
Using this command detaches any DMZ server from the Endpoint Security server.
You need to reattach them after running this command.
To regenerate the Endpoint Security CRL:

hostname > enable
2. Regenerate the CRL:

hostname (config) # hx pki regenerate crl

Regenerating the Endpoint Security

Subordinate PKI
You can reset the Endpoint Security communications server subordinate public key
infrastructure (PKI). Do this to resolve a date or configuration discrepancy that causes the
subordinated PKI to become invalid.
Using this command invalidates any existing agent tasks.
Using this command detaches any DMZ server from the Endpoint Security server.
You need to reattach them after running this command.
To regenerate the Endpoint Security subordinate PKI:

hostname > enable
2. Regenerate the subordinate PKI:

hostname (config) # hx pki regenerate subordinate


Enabling the Provisioning Certificate

To enable the use of a provisioning certificate:

hostname > enable
2. Enable the use of a provisioning certificate:

hostname (config) # hx pki provisioning enabled

Disabling the Provisioning Certificate

To disable the use of a provisioning certificate:

hostname > enable
2. Disable the use of a provisioning certificate:

hostname (config) # no hx pki provisioning enabled


Technical Support
For technical support, contact Trellix through the Support portal:

https://www.trellix.com/en-us/support.html
Documentation
Documentation for all Trellix products is available on the Trellix Documentation Portal
(login required):
https://docs.fireeye.com/

Trellix | 601 McCarthy Blvd. | Milpitas, CA | 1.408.321.6300 | 1.877.347.3393 | www.fireeye.com
© 2022 FireEye Security Holdings US LLC. All rights reserved.Trellix, FireEye, and Skyhigh Security are the trademarks or
registered trademarks of Musarubra US LLC, FireEye Security Holdings US LLC, and their affiliates in the US and/or other
countries.

HX DG V 5.3.0 PDF

Uploaded by

Document Informationclick to expand document information

Document Informationclick to expand document information

Copyright:

Available Formats

HX DG V 5.3.0 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

HX DG V 5.3.0 PDF

Uploaded by

Copyright:

Available Formats

ENDPOINT SECURITY

SERVER DEPLOYMENT GUIDE

Copyright © 2022 FireEye Security Holdings US LLC. All rights reserved.

Trellix Contact Information:

CHAPTER 1: About the Endpoint Security Server 11

CHAPTER 2: System Requirements 15

© 2022 FireEye Security Holdings US LLC 3

PART II: Virtual Server Deployment 23

CHAPTER 3: Virtual Server Overview 25

CHAPTER 4: Virtual Server Deployment Steps 27

CHAPTER 5: Installing a Virtual Server Using VMware ESXi 31

CHAPTER 6: Installing a Virtual Server Using Microsoft Hyper-V 33

CHAPTER 7: Initial Configuration of Virtual Servers 35

PART III: Configuration 45

CHAPTER 8: The Endpoint Security Server Web UI 47

CHAPTER 9: License Keys 49

4 © 2022 FireEye Security Holdings US LLC

Manual License Installation 54

CHAPTER 10: Validating DTI Access 61

CHAPTER 11: Attaching and Detaching DMZ Servers 65

CHAPTER 12: Configuring the Server Address List 69

CHAPTER 13: Setting up Provisioning 73

© 2022 FireEye Security Holdings US LLC 5

Canceling the Primary Endpoint Security Server as a Provisioning Server Using

PART IV: Integration 81

CHAPTER 14: How FireEye Appliance Alerts Become Endpoint Security

CHAPTER 15: Integrating Central Management Appliances and Endpoint

CHAPTER 16: Replacing Integrated Central Management Appliances and

CHAPTER 17: Integrating Network Security Appliances and Endpoint

CHAPTER 18: SNMP Data 101

6 © 2022 FireEye Security Holdings US LLC

Logging Trap Messages 107

CHAPTER 19: Forwarding CEF Logs to Helix and SIEM Solutions 109

PART V: Appendices 119

APPENDIX A: Enabling and Disabling Endpoint Security Server Quiesce

APPENDIX B: Managing Endpoint Security PKI Certificates 125

© 2022 FireEye Security Holdings US LLC 7

Setting Agent Certificate Duration 130

Technical Support 135

8 © 2022 FireEye Security Holdings US LLC

l About the Endpoint Security Server on page 11

© 2022 FireEye Security Holdings US LLC 9

10 © 2022 FireEye Security Holdings US LLC

CHAPTER 1: About the Endpoint

l Search for advanced attackers and advanced persistent threats (APTs)

This chapter covers the following topics:

l Server Roles and Order on the next page

© 2022 FireEye Security Holdings US LLC 11

Server Roles and Order

l on-premises (physical) appliances

In each Endpoint Security ecosystem, provisioning and primary servers must be identified.

12 © 2022 FireEye Security Holdings US LLC

Provisioning Servers Using a Split DNS in the Web UI on page 77.

IMPORTANT: You must decide which appliances will be your

© 2022 FireEye Security Holdings US LLC 13

14 © 2022 FireEye Security Holdings US LLC

Supported Appliance Models