User Guide

Version 6.0

Summary of Contents for Fidelis XPS

  • Page 1: User Guide

    User Guide Version 6.0...
  • Page 2 While we have done our best to ensure that the material found in this document is accurate, Fidelis Security Systems, Inc. makes no guarantee that the information contained herein is error free. Fidelis XPS includes GeoLite data created by MaxMind, available from http://www.maxmind.com/. Fidelis Security Systems 4416 East West Highway, Suite 310 Bethesda, MD 20814...
  • Page 3: Table Of Contents

    Access the Guides ........................8 Lock Icon ............................. 8 CommandPost Navigation ......................8 System Status..........................8 Logout............................10 Using Non-ASCII Characters in Fidelis XPS................10 Chapter 2 The Dashboard ......................11 The Radar Page .........................11 What is an event? ........................11 What is an alert? ........................11 What is alert radar? ........................11...
  • Page 4 Download Text File.........................44 Find Similar Alerts ........................44 Manage Label ........................45 Purge this Alert........................45 Alert Compression........................45 Decoding Path and Channel Attributes ..................45 Forensic Data.........................47 Recorded TCP Session......................47 Tune Rules from an Alert ......................49 Fidelis XPS User Guide Version 6.0 Table of Contents...
  • Page 5 Chapter 8 Network Reports ......................75 TCP Resets ..........................77 Application Protocols ........................78 IP Defragmenter .........................79 Inline Module ..........................80 Network Statistics ........................81 TCP Processor ...........................82 Proxy............................83 Mail .............................84 Connect ............................85 Web Walker ..........................85...
  • Page 6 Delete an Alert Management Group..................93 Define User Roles........................93 Access Roles .........................94 Add or Edit a Custom Role.....................95 Delete a Custom Role ......................96 Chapter 10 Configure Fidelis XPS Components .................97 The Component Page.........................97 Component Information ......................97 Status Lights ..........................97 Details ............................97 License Messages........................98...
  • Page 7 Accessing the Command Line Interface ...................144 Backup and Restore CommandPost..................144 Backup CommandPost......................144 Restore CommandPost ......................145 Backup and Restore a Sensor ....................146 Chapter 15 Archive ........................147 Export Archive Data ......................147 Import Archive Data......................147...
  • Page 8 Table 20. Proxy parameters ......................122 Table 21. Mail parameters ......................124 Table 22. Web Walker parameters ....................125 Table 23. Connect: General parameters..................127 Table 24. Alert Export keywords ....................137 Table 25. Audit Log columns ......................142...
  • Page 9: Preface

    The network IT manager will be the first to touch the CommandPost, but is expected to rarely use Fidelis XPS after initial installation. The IT manager might need to adjust sensor network settings and CommandPost to sensor communications, manage CommandPost users and their credentials, and monitor network statistics to verify connectivity.
  • Page 10: Technical Support

    The Guide to Creating Policies describes how to define policies and the rules and fingerprints that policies contain. The Guide to Prebuilt Policies describes policies that ship with Fidelis XPS and the rules and fingerprints that these policies contain. This guide also indicates which rules and fingerprints might need to be configured for your enterprise.
  • Page 11: Fidelis Xps™ Overview

    Built on a patented deep session inspection™ platform, Fidelis XPS is the industry's only next-generation data leakage prevention solution with the power to deliver comprehensive prevention over all 65,535 ports and all channels, complete visibility and control, and the lowest total cost-of-ownership to stop network data leakage on gigabit-speed networks.
  • Page 12: Commandpost

    The Internal module provides prevention on all ports and all protocols. Fidelis XPS offers products with Internal modules ranging from 25 Mb/s to 2.5 Gb/s. For more details, refer to Direct and Internal.
  • Page 13: Mail

    Policies. Compliance Fidelis XPS can be used to enforce policies to comply with federal and state privacy laws and industrial security standards. Such laws and standards include HIPAA, GLBA, PCI and many others. The following policies use rules that can prevent inappropriate transmission of this information: •...
  • Page 14: Custom Policies

    Managing Insider Use of the Internet Fidelis XPS can be used to enforce corporate policy pertaining to the acceptable use of Internet resources.
  • Page 15: Chapter 1 Getting Started

    Chapter 1 Getting Started Fidelis XPS is a real-time, extrusion prevention system that detects and prevents network abuse and extrusions. It reassembles and analyzes traffic on your computer network. Fidelis XPS accomplishes this through its sensors and the CommandPost management console. CommandPost enables you to manage and configure the sensors that detect network abuse and extrusions.
  • Page 16: Access The Guides

    Access the Guides Click the help icon at the top of the CommandPost GUI. The Fidelis XPS WebHelp system displays. Click the PDF Downloads link in the Table of Contents to display the Guides page with its links to the PDF files for the guides, the release notes, and the redistribution notice.
  • Page 17: Table 1. Critical Conditions

    Condition Description High stress levels Fidelis XPS sensors reassemble packets into sessions in the sensor memory. Stress is an indication of the amount of memory currently consumed by the sensor for reassembly. As stress increases, the sensor's ability to analyze all traffic diminishes. There are several reasons for increased stress: 1.
  • Page 18: Logout

    Note: If inactive for 15 minutes, CommandPost will log you out. Using Non-ASCII Characters in Fidelis XPS Fidelis XPS supports the use of non-ASCII characters in most input fields. The fields that do not allow Unicode are: e-mail addresses, host names, domain names, login names, and server directory names.
  • Page 19: Chapter 2 The Dashboard

    Chapter 2 The Dashboard The Dashboard enables you to access either the Fidelis XPS Radar page or the Information Flow Map page. All users can access the Radar or the Information Flow Map page. Both the Radar and the Information Flow Map pages require the Adobe Flash Player. Refer to Getting Started for details.
  • Page 20: Uses Of Alert Radar

    Go. Moving the mouse out from the radar’s center allows you to examine data within that time horizon. As the mouse moves out, the number of alert clusters displayed by severity changes in real time...
  • Page 21: Current Status Frame

    More link appears in the bar at the table’s foot. Current Status Frame The Current Status frame, located on the left of the Radar page, displays the following information, updated in real-time...
  • Page 22: Information Flow Map™ Page

    Low Severity Information Flow Map™ Page The Information Flow Map™ feature within Fidelis XPS takes data leakage prevention (DLP) beyond alerts to an actual understanding of how information flows across your network. A Direct sensor automatically collects information about the network it monitors and displays all levels of communication, from the transport protocol through to the content involved in network communications.
  • Page 23: The Information Flow Map

    CommandPost by approximately 5 - 10 Mbps. If your system uses an administrative network of 100 Mbps or higher for Fidelis system component communication, Information Flow Map should not present a problem. Refer to the Enterprise Setup Guide.
  • Page 24: Table 3. Controls

    Click to open or close the Watch List in the left panel. Adding a node to the Watch List instructs the sensor to collect information from that node regardless of filter and sort settings...
  • Page 25: Controls In The Left Panel

    Click an accordion bar to view the associated chart. You can mouse over the graph to see specific information such as the number of sessions, packets, and bytes...
  • Page 26 Ignore List. Nodes in the Ignore List are not displayed on the map and the sensor will not collect information on these nodes. The controls for adding or removing nodes from the list operate in the same manner as the Watch List...
  • Page 27: Filtering And Sorting Criteria

    64 nodes. You can filter this information by selecting specific criteria from the filter lists available at the top of the page. This...
  • Page 28: Table 4. Filter Lists

    The Sync icon changes to indicate that information is being retrieved from the sensor. Synchronization takes about 1 minute to complete. Sample uses of Filtering and Sorting:...
  • Page 29 To show all nodes sharing Sensitive Data over Facebook, define a rule that defines this condition. Filter the Information Flow Map based on this rule. • To show the least active nodes, change the sorting criteria to low-to-high...
  • Page 30: Chapter 3 Understand And Manage Alert Workflows

    To find all alerts currently assigned to you, use the My Alerts view on the Alert Report page. Refer to System Reports for Alerts. To find all alerts owned by a specific user:...
  • Page 31: The Alert Workflow Log

    Click Add comment to add comments to the ticket log without changing the ticket status or ownership. After you submit the change, information entered in the Subject and Details text boxes will be appended to the comment...
  • Page 32: Change Alert Group

    These functions do not impact the ticketing system and are described in Understand and Manage Alerts. From the Quarantine Management page you can discard or deliver selected quarantine e-mails. Refer to Deliver or Discard Quarantine E-Mail...
  • Page 33: Chapter 4 Understand And Manage Alerts

    Figure 7. Alert Report The Alert Report contains the following major elements: • Alert Report—a list of all alerts displayed according to the selected report and actions taken at controls on the Alert Report page...
  • Page 34: Alert Report

    You can also choose to filter alerts based on the value of the available information. The Quick Summary of an alert shown below is from the Default Report. Figure 8. Alert Report: Quick Summary...
  • Page 35: Filter Alerts

    Click the < or > arrow buttons to move to the next page in either direction. Click << or >> to advance to the first or last page. These buttons may be disabled when you are currently at the beginning or the end of the alert report...
  • Page 36: Alert Actions

    Export selected alerts to a comma separated file, which can be opened in Microsoft Excel or a similar application. If your alerts are grouped, this function will export the group summary information, not the individual alerts within the group...
  • Page 37: Purge Alerts

    Alert Report. Refer to Create PDF Reports Alerts. • E-mail—Enables you to send the Alert Report via e-mail. • Trending—Enables you to view and control alert trend charts. Refer to Trending...
  • Page 38: System Reports For Alerts

    The violation report is focused on the policy, rule, and action taken by the sensor. It is useful for users most concerned with the actions taken by Fidelis XPS sensors. This report will display all alerts sorted by Alert ID.
  • Page 39 Placing a minus sign (-) before a word or a literal phrase changes the meaning to “match all alerts that do not contain” the specified word or phrase. Any combination of positive (no...
  • Page 40: Table 7. Alert Search Fields

    Searches for an alert label. The label search has one special feature: A search for the term unassigned (with or without quotes) will display all alerts that have not been assigned a label...
  • Page 41 Searches the value of the extracted To field. User Searches the value of the extracted User field. UUID Enables you to search for a specific alert UUID number. This is an exact search...
  • Page 42 In the case of a range, the search will revert to a single address search using the one legal address or will return nothing if both ends of the range are malformed...
  • Page 43: Duration

    You can change this behavior by clicking the Include Incoming Alerts in the Search dialog box. By default, this option is checked, meaning new alerts will be considered in all alert actions. To change the behavior: Click Search or Duration. Uncheck the Include Incoming Alerts box and click Search...
  • Page 44: Customize Alert Report

    Note: Group by can take several minutes depending on the size of the alert database. Select how the results will display at the View Results as list. You can select from Tabular, Pie Chart, Bar Chart, and Stacked Bar Chart options. Click Apply Group By...
  • Page 45 GOOGLEMAIL. Of these 25 alerts, you can learn that all are from the same sensor, two rules were violated with a low severity and the alerts were from multiple sources to multiple destinations...
  • Page 46: Group Details

    The alerts on the selected page. If you are on page 2 of the Alert Report, those alerts are in the PDF report, not alerts from other pages. To create a PDF report: Click Select to open the PDF report or to save it. The PDF is available for your use...
  • Page 47: Trending

    7-day period is selected, then each trend line displays the trend for each violated rule. Trending charts match colors with the group by charts and vary depending on the groups selected. If one group is selected, then one color displays in the trending chart...
  • Page 48 Figure 18. Display of alert trends...
  • Page 49: Alert Details

    The same information is presented in both views. Click the appropriate icon to change the view. The icon related to the alternate page view will be highlighted...
  • Page 50: Table 8. Sections In Alert Details

    Refer to chapter 1 in the Guide to Creating Policies for more information about how Fidelis XPS decodes and analyzes network traffic. When related alerts exist, a list appears showing the severity, alert ID, summary, and time of the alert.
  • Page 51: Alert Highlighting

    Each line in the Decoding Path represents the output of a Fidelis XPS decoder. These decoders also extract attributes from the protocol or file that is being decoded. The Channel Attributes present a table, per decoder, listing all extracted attributes.
  • Page 52: Scroll Through Alert Details

    This action will apply the selected values as filters and return you to the Alert Report page showing the result of these filters. For example, clicking the Find Similar link next to the Rule displays a list of alerts that violated the same rule...
  • Page 53: Manage Label

    Decoding Path and Channel Attributes The Decoding Path displays each level of decoding performed by Fidelis XPS during analysis of a data transmission. Many levels of the decoding path can be clicked to provide a file of the decoded transfer from that stage of the decoding process.
  • Page 54: Table 9. Decoding Paths

    It is important to note that whether an entire file can be downloaded depends on how much of the intercepted session is recorded in the Fidelis XPS alert database. The maximum amount of the session that is recorded is specified in the TCP session forensics limit setting. Refer to...
  • Page 55: Forensic Data

    In cases where the session is not complete or there is some other kind of session corruption, this link will not appear. The recorded TCP Session contains session information and verbatim transcripts of both the client and server halves of the session...
  • Page 56 Client and Session Server Transcripts The client and server session transcripts are shown exactly as reassembled by Fidelis XPS. If the total size of the session exceeds the Alert Recorded Object Limit setting, the transcript sizes may be less than the total session.
  • Page 57: Tune Rules From An Alert

    Refer to Create an Expression in the section: Define a Rule. Select at least one attribute and click Next. The Modify Rule screen displays with the current rule and its expression...
  • Page 58 The fingerprint will be added to the rule expression as an exception. Click Next. The tuning summary displays with the revised rule expression and a list of attributes that will be added to the selected fingerprint...
  • Page 59 Update on the last page of the wizard or by going through the Policies link on the main navigation bar. Refer to chapter 9 in the Guide to Creating Policies...
  • Page 60: Chapter 5 Understand And Manage Quarantined E-Mails

    Most other Fidelis sensors operate on data in flight. They cannot analyze an entire transfer, but are operating on data as it passes through the analyzer. This is an important difference in understanding how a Mail sensor works and how managing quarantined e-mail differs from managing alerts from other types of sensors.
  • Page 61: The Quarantine Report

    Alerts and quarantined e-mail are managed independently. E-mail actions will remove an e- mail from quarantine and if All is selected, can remove all associated alerts. Removing all alerts associated with a quarantined e-mail purges these alerts from Fidelis XPS. Selecting None keeps associated alerts available at Alert Report. Refer to...
  • Page 62: Take Actions On Quarantined E-Mails

    Enter search terms in the Search For: text box. Refer to Enter Search Terms for Alerts for specific search guidelines. Select a search field at the In: pull down menu...
  • Page 63: Table 10. Quarantined E-Mail: Search Fields

    By default, this option is checked, meaning new quarantined e-mails will be considered. To change this behavior, uncheck the Include Incoming Alerts box. Click Search. You can search without specifying a time period...
  • Page 64: Search Quarantined E-Mails Using Duration

    This reduces your messages to those that occurred during the specified date range, including the start and stop dates. Dates must be entered in the form of mm/dd/yyyy. Include or exclude Incoming quarantined e-mails. Click Search...
  • Page 65: Advanced Search For Quarantined E-Mails

    Table 11. Quarantined E-mail: advanced search fields Field name Description Sensor(s) From the sensor box, choose a Fidelis XPS sensor or Ctrl-click to choose multiple sensors. Interval Specify a time interval to search: 1 hour to 96 days.
  • Page 66: Quarantine Details

    Users with ticketing privileges can access the Message Workflow Log to make changes to alerts associated with the quarantined e-mail. The alerts may be assigned to individuals or groups, closed, or commented. Any ticket action applies to all alerts associated with the quarantined e-mail...
  • Page 67: Chapter 6 Manage Reports

    • System Reports – These reports ship with Fidelis XPS and include: Default, Summary Violation, Alert Management, Network, Label, and My Alerts. You can run these reports or use them as the basis for a new custom report.
  • Page 68: Create Custom Reports

    Enter a single alert ID, a comma-separated list of alert IDs, or a range. Ranges are entered by a hyphen between the start and end of the range. UUID Enter a specific alert UUID number. This is an exact search...
  • Page 69 Policies for details about protocol or file formats and their attributes. Note: Search terms entered for Summary, Forensic Data, and Session Attributes follow the same syntax as described in Search for Alerts...
  • Page 70: Filters

    Select one or more sensors. This refers to the name of the sensor that detected the violation. Protocols Protocol refers to the network protocol over which the violation was detected. Source Country Select one or more source countries...
  • Page 71: Duration

    Dates must be entered in the form of mm/dd/yyyy. Click Trending to graphically display the trend for all alerts in your report. Trending is based on the time periods entered at Duration...
  • Page 72: Columns

    UUID will not clash with the current set of CommandPost alert IDs; however, the Alert Id may. Compression Indicates the number of additional events represented by an alert. Refer to Alert Compression...
  • Page 73 In many network configurations, the IP address may be an internal address corresponding to a local NAT server or proxy, whereas the target represents the intended destination of the data. Time Displays the time when the alert was detected...
  • Page 74: Group By

    Run–runs the report after it is saved. • Save–enables you to save the report with a unique name. • Save & Schedule–enables you to save and schedule the report. Refer to Save and Schedule Custom Reports...
  • Page 75: Run Custom Reports

    Also, if the report being shared has a sensor or group selected, the user must have access to the same sensor and alert management group. Refer to Manage User Roles and Groups. To copy a custom report: Click Reports>Manage. Select the appropriate report and click Copy...
  • Page 76: Save And Schedule Reports

    However, if you choose Last 24 hours, 7 days, or 30 days, the time frame of the report will change with each execution. Enter an e-mail address for report delivery...
  • Page 77: Delete Reports

    Delete Reports To delete a report: Click Reports>Manage. Click Delete next to the appropriate report. Click OK at the confirmation dialog box. The report is removed from the Manage page...
  • Page 78: Chapter 7 Create And Use Quick Reports

    Include the number of results to be considered. The graphics will display the top nine results individually and sum the remaining results into a tenth result. • Traffic Summary reports provide a view of violating network traffic compared to the total traffic analyzed by Fidelis XPS sensors. • Choose from available data filters. •...
  • Page 79 The Executive Summary provides a snapshot of your data leakage violations by showing the percentage of traffic in violation, and the policies, rules, and network protocols contributing to the violations...
  • Page 80 Protocol The Alerts by Protocol report shows the total number of alerts generated during the selected time range summarized by application protocol...
  • Page 81: Create Quick Reports

    Click Customize. The Custom Report page displays with any criteria entered at the Quick report page. Once you make the required changes you can save the report and manage and schedule it as a Custom Report from Reports>Manage. Refer to Create Custom...
  • Page 82: Create Pdfs For Quick Reports

    Report Frequency only determines the delivery schedule for the report and does not change any times entered when creating the report. Enter an e-mail address for report delivery. Click Submit. The report can be managed at Reports>Manage with all other saved reports...
  • Page 83: Chapter 8 Network Reports

    Select the sensor. Click Go. The following reports are available depending on the type of Fidelis XPS sensors connected to CommandPost. If a module you select is not present for the selected sensor, a message appears stating that the module is disabled.
  • Page 84 You can also move to another part of the performance graph. The time changes in the button and time measurements on the graph also change. Click to switch the graph to linear or to logarithmic scale...
  • Page 85: Tcp Resets

    Resets • Recent Resets • Runtime (shows packets per minute transferred and reset) Figure 43. Active Mode statistics The legend contains controls to remove or restore the associated information from the graph...
  • Page 86: Application Protocols

    Figure 44. Application Protocol statistics The legend contains controls to remove or restore the associated information from the graph...
  • Page 87: Ip Defragmenter

    Runtime (information about the IP defragmentation alerts per minute over the selected time period) Figure 45. IP Defragmenter statistics The legend contains controls to remove or restore the associated information from the graph...
  • Page 88: Inline Module

    Throttle TCP window cut: the number of bytes in packets on which the TCP window size was reduced Figure 46. Inline Module statistics The legend contains controls to remove or restore the associated information from the graph...
  • Page 89: Network Statistics

    Volume of packets by size, graphically • Wire statistics (NIC errors, dropped and invalid packets) Figure 47. Network statistics The legend contains controls to remove or restore the associated information from the graph...
  • Page 90: Tcp Processor

    Configuration (shows current configuration and capacity of TCP Session module) • Runtime (TCP sessions per minute over the past 12 hours) Figure 48. TCP Processor statistics The legend contains controls to remove or restore the associated information from the graph...
  • Page 91: Proxy

    Proxy Traffic: a graphical display and a numerical breakdown, Proxy traffic per minute Figure 49. Proxy server statistics The legend contains controls to remove or restore the associated information from the graph...
  • Page 92: Mail

    Mail sensor. The Postfix Queue size indicates how much space is available for quarantined messages. The Postfix Queue graphic displays a breakdown of the postfix queue size. Refer to the Postfix web site for more information...
  • Page 93: Connect

    The Network report reveals the Web Walker activity in terms of local disk space used to store downloaded files. Figure 52. Web Walker Statistics The legend contains controls to remove or restore the associated information from the graph...
  • Page 94: Chapter 9 Manage Users, Roles, And Groups

    Change this password immediately after you first log in. Fidelis XPS enables you to manage local user access by assigning each user to:...
  • Page 95: Access Control In Commandpost

    It also helps to split the workflow involved with alert management across one or more teams of individuals...
  • Page 96: Small Security Teams

    Small Security Teams Many enterprises may be too small to need access control. This is especially true of enterprises with a single network security office. To simplify access control, Fidelis Security Systems has set up default configurations: • The System Administrator role provides full access to the system.
  • Page 97: Add Or Edit A Local User

    Those with a role that allows user management can add, edit, or delete local CommandPost users. Adding a user involves the following: • Provide identifying information for the user to Fidelis XPS. This information includes user name, password, and e-mail address. This information is stored and managed within CommandPost.
  • Page 98: Table 16. Determine User Access

    The following table provides an overview of how to make role, group, and sensor assignments so that a user has access to the more frequently used Fidelis XPS features. Table 16. Determine user access...
  • Page 99: Delete A User

    Click Delete. Click OK at the confirmation dialog box. The user is deleted from the list on the Users>Profiles page...
  • Page 100: Define Alert Management Groups

    Enter an e-mail address for the group. When an alert changes from one group to another, a notice is sent to this e-mail. Similarly, notifications of quarantined e-mails are sent to this...
  • Page 101: Delete An Alert Management Group

    Figure 57. User Roles page Predefined roles cannot be edited or deleted. These are indicated with a Fidelis logo next to a role name. Multiple users can share a role, but each user can only have one assigned role. You can customize user access by creating a custom role.
  • Page 102: Access Roles

    The No Role role prevents access to all Fidelis XPS features. A role’s (and a user’s) access to each Fidelis XPS feature is determined by the access levels specified for that feature: Full, View, or None. The following table describes each access level.
  • Page 103: Add Or Edit A Custom Role

    Figure 59. New role. Enter a name and a description for the new role. Specify an access level for each Fidelis XPS permission. None is the default value; you can select Full or View access. Note: You can also base your role on an existing role. Select from the list next to Base Role On.
  • Page 104: Delete A Custom Role

    After you delete a custom role, any users assigned to it are reassigned to the No Role role. This means that these users will not have access to any Fidelis XPS features until they are assigned to a new role.
  • Page 105: Chapter 10 Configure Fidelis XPS Components

    Chapter 10 Configure Fidelis XPS Components. The Components page allows you to view, manage, and configure Fidelis XPS components, including CommandPost and all sensors. The Component Page: To access this page, click System>Components. Note: The Components page is only visible to users with the correct privileges. Refer to User Roles for details on user privileges.
  • Page 106: License Messages

    Decoder Version – Provides the decoder version installed on the sensor. In response to application protocol changes, Fidelis is able to release decoder updates without the need for a new version of software. The most recent decoder release will offer the best product performance.
  • Page 107: Add A Sensor

    License shows the Host ID information, the current license key, and an expiration date. Each component requires a separate license. When you initially install and register a Fidelis XPS sensor the License Key field displays <demo mode>. When you initially install Fidelis XPS on CommandPost, CommandPost will run in demo mode. A...
  • Page 108: Expiration

    If there is a problem with the license, you will receive an error and the License Key field will display <Invalid>. Expiration Fidelis XPS begins displaying notices that your license will expire starting 60 days before the expiration date. If you receive this notice, contact Technical Support to obtain a new license.
  • Page 109 SNMP traps may be sent to an external system, which may be specified by a host name or IP address. Choose the alert information to include in these traps. To enable Fidelis SNMP traps, a MIB is available with sample use instructions at www.fidelissecurity.com/support.
  • Page 110: Logs

    Fidelis Technical Support. After retrieving a log file, you can send it via e-mail. Fidelis support is the default email recipient of all log files. To retrieve logs: Click System>Components>Config>Logs. You can select another at the Component list.
  • Page 111: Configure CommandPost

    If the user name is not local, then CommandPost checks AutoLogin to see if it is enabled and if a profile is set up for the user whose name appears in the HTTP header. The AutoLogin authentication requires a network infrastructure to capture the user request, authenticate the...
  • Page 112 This can be obtained by utilizing your favorite LDAP/AD browser software. Note: You also need to configure CommandPost for LDAP communication. Refer to LDAP Configuration. To enable LDAP Authentication: Click Enable LDAP authentication.
  • Page 113 • (&(mail=joe*)(sn=b*)) This entry would return users with an e-mail beginning with joe and a last name starting with b. Note: Please see rfc4515 (http://www.rfc-editor.org/rfc/rfc4515.txt) for more examples of LDAP filter expressions.
  • Page 114 • Your network authentication must intercept the HTTP request, authenticate, and insert an HTTP header in the form: headername:username where the header name string is set up in the AutoLogin profile.
  • Page 115: Email Configuration

    CommandPost. CommandPost will only grant auto login when the sender matches one of the entered IP addresses. Fidelis strongly recommends that you utilize this feature to avoid security problems that may arise due to unauthorized accesses granted by the AutoLogin feature.
  • Page 116: User Notification

    Add domain. Only users in the specified domain receive the notification. If you do not enter a domain, e-mail is sent for every e-mail alert. This may cause notification messages to leave the local network.
  • Page 117: LDAP Configuration

    • Check the LDAP server before configuring LDAP at the CommandPost. Fidelis XPS systems that use LDAP request all records for a given base/filter combination and cache the records locally on the CommandPost with a periodic refresh functionality built in. By default, LDAP directories limit the number of objects that can be returned from a single search filter.
  • Page 118 Human Resources, where Human Resources refers to a group established in your directory. To create policies based on your directory attributes refer to chapter 3 in the Guide to Creating Policies.
  • Page 119: LDAP Reports

    Enter the attribute. For example, if you enter Name for the GUI name, a corresponding attribute would be cn. If you enter Department, a corresponding attribute would be ou. Enter more attributes and corresponding GUI names as needed. Click Update.
  • Page 120: Alert Storage

    Enter a time to specify when the daily purge is performed. Alerts and recorded objects older than the number of retention days are deleted once a day at this time. Fidelis recommends you choose a time when network activity is minimal.
  • Page 121: CommandPost Language Configuration

    ASCII mode. • International mode will recognize Unicode (UTF-8, UTF-16, and UTF-32) characters as well as all supported extended ASCII character sets. When International mode is...
  • Page 122: Diagnostics

    Check operation. Click Repair. A notice displays telling you that this process might take longer than expected. Click OK to proceed. Repair indicates the progress of the repair within a running dialog box.
  • Page 123: Archive

    Enter a directory name on the remote server where the archive file will be stored. The entry must be a fully specified path. For example, on a Unix or Linux server: /home/Fidelis/archive. If the remote directory does not exist, it will be created.
  • Page 124: Configure Sensors

    When you click Go, the component changes. Sensor Config Page: The sensor configuration page provides access to the configuration tabs listed below: License; Sensor configuration (the label indicates the sensor product type); System; Monitor; Email Relayhost; Language Config; Logs.
  • Page 125: Direct And Internal

    You can configure your module to operate in either inline or out-of-band mode. Refer to chapter 5 in the Enterprise Setup and Configuration Guide for more information about these modes and how to set up and connect hardware to the network. Figure 77. Direct/Internal connectivity: out of band mode
  • Page 126 Figure 78. Direct/Internal connectivity: Inline Mode
  • Page 127: Table 18. General Parameters

    /eth3, indicate full duplex mode. Information Flow Map: Click to enable Information Flow Map. This option displays if you have a Direct module on a module capable of supporting Information Flow Map. Refer to Information Flow Map.
  • Page 128: Table 19. Advanced Parameters

    Important: You must set a network border for the Internal sensor. You can install up to three Class A networks on the border list.
  • Page 129 Once valid addresses are available in the Border text box, they may be deleted. Select one or more IP addresses or ranges (using control click) and click . Your changes will take effect when you click Save.
  • Page 130: Proxy

    Restrict interface: By default, the Proxy module listens to all ports for ICAP traffic, including the admin port used for communication to CommandPost. Click Restrict interface to choose a single interface for ICAP traffic.
  • Page 131: Mail

    Milter mode. Refer to chapter 7 in the Enterprise Setup and Configuration Guide. Figure 82. Mail Configuration. The Mail page enables you to configure Mail. The following table describes configurable Mail parameters.
  • Page 132: Table 21. Mail Parameters

    Limit (1-16384): It is important to keep in mind that a larger limit might substantially increase the size of your database, which will require more available disk space on CommandPost. The default is set at 4096
  • Page 133: Web Walker

    When Web Walker is first configured, URLs are scanned in their entirety. After the initial scanning, periodic scans are done only for files that have changed. Leave this option unchecked, unless there is a need to force Web Walker to scan all URLs again.
  • Page 134 It is important to keep in mind that a larger limit might substantially increase the size of your database, which will require more available disk space on CommandPost. The default is set at 4096 KB.
  • Page 135: Connect

    Limit (1-16384): It is important to keep in mind that a larger limit might substantially increase the size of your database, which will require more available disk space on CommandPost. The default is set at 4096 KB.
  • Page 136 If a Connect client experiences a timeout, you might want to increase the inactivity timeout value to allow the Connect module more time to respond. To do this: Access the /FSS/etc/scipd.cf file. Change the <session-timeout> value.
  • Page 137: Email Relayhost

    Note: Fingerprints generated on CommandPost are based on the CommandPost language configuration. For proper performance of these fingerprints when installed on a sensor, the sensor should be configured as the CommandPost was for fingerprint generation.
  • Page 138 The order is used when the sensor attempts to decode a file or protocol whose character encoding cannot be determined. Click Save. Repeat as needed for each sensor.
  • Page 139: Chapter 11 Version Control

    CommandPost before updating sensors can result in some features not behaving correctly. • If the CommandPost is at an older version of Fidelis XPS and the sensors are at a newer version, everything will function at the older version. Only after the entire Fidelis XPS system is upgraded will the new version be usable.
  • Page 140: Update Fidelis XPS

    Update Fidelis XPS Update enables you to update CommandPost and its registered sensors to a more recent version of Fidelis XPS. The Update version must be later than the version currently installed on your systems. Depending on your system and network traffic, running Update for a sensor may take a few minutes to complete.
  • Page 141: Update Progress

    Figure 88. Update Fidelis XPS Select CommandPost and the sensors registered to CommandPost. Fidelis recommends that you update all sensors before updating CommandPost. Click Update Now to proceed with Update or enter a date and time and click Schedule Update to schedule the Update.
  • Page 142: Schedule Update

    Note: You might want to schedule an update during off peak hours, especially for CommandPost. Click Schedule Update. Click OK at the confirmation dialog box. Clicking Cancel stops the procedure. The check boxes go away and the status box indicates that your Update is scheduled.
  • Page 143: Cancel Scheduled Jobs

    Figure 90. Scheduled Jobs. Click Cancel next to the appropriate job. Click OK at the confirmation dialog box. Clicking Cancel stops the procedure. You can now perform an Update or schedule another job.
  • Page 144: Chapter 12 Configure Exports

    Export enables you to integrate with a third party system by transferring alert and recorded object data from CommandPost to a remote system. You can also export data in a Fidelis Archive format which can later be imported to CommandPost (either the original CommandPost or another). The following export methods are available.
  • Page 145: Table 24. Alert Export Keywords

    Source port number (Numeric). %SUMMARY% Displays summary text associated with the rule (String). %TIME% Time when the alert was detected (String in the format: YYYY-MM-DD hh:mm:ss). %TO% E-mail address destination (String). %USER% Protocol user (String).
  • Page 146: SNMP Trap and ArcSight

    SNMP traps may be sent to an external system specified by a host name or IP address entered at Destination. To enable Fidelis SNMP traps, a MIB is available with sample use instructions at www.fidelissecurity.com/support.
  • Page 147: Define Exports

    Select criteria as needed to determine the alerts you want to export. You can select multiple entries. For Duration, you can select a specific time such as 24 hours or 7 days or enter a date or...
  • Page 148: Available Export Buttons

    Select the Export Frequency. • Manually–exports alerts only when you run the export by clicking the Run Now button. This method is useful to test communication with the external system and for Fidelis Archive. It is less useful for other export methods. •...
  • Page 149: Chapter 13 Audit

    You can access the Audit Log from the CommandPost GUI to find audit entries. Note: Fidelis recommends that you restrict audit log access to system administrators and network security personnel. A user with Audit access can see all auditable actions.
  • Page 150: Search For Audit Entries

    “stop secrets.” Multiple phrases such as a “literal phrase 1” and a “literal phrase 2” can be included in the Find field. This will match any audit entries containing all of the phrases listed.
  • Page 151: Notes About Search Options

    To specify a new time period, select a value from the During Last list, select hours or days, and click Go. Options range from 1 hour to 96 days and also include the default value of all.
  • Page 152: Chapter 14 Backup And Restore

    SSH client such as PuTTY or OpenSSH. Backup and Restore CommandPost: Fidelis XPS provides backup and restore capabilities from the command line which may be useful in certain environments. Performing a backup is recommended in the following situations: •...
  • Page 153: Restore Commandpost

    # NOTE: above files are placed in /var/lib/mysql because of space requirements # NOTE: above does not restore spool files and log files, but audit data is saved in the database Restart key services:
  • Page 154: Backup And Restore A Sensor

    IP address, net mask, gateway, NTP, DNS, and the license key. To Restore a sensor: Use the recovery disk supplied by Fidelis Security Systems to restore the Fidelis XPS software for the model of sensor indicated on the hardware.
  • Page 155: Chapter 15 Archive

    The ftp account should have the ability to create directories and put/get files. Export the files. To export archive files, use ssh to send the command as the fidelis user. Additionally, the command itself needs a CommandPost user with CommandPost admin, Alert Reports, and alert details permissions.
  • Page 156 When complete, import returns a message similar to the following to tell you what was exported. Status: 200 OK Content-type: text/tab-separated-values Content-disposition: filename="import_archive.tsv" x-rows: 2 111 alerts rejected with no hash 42 sessions rejected with no hash
  • Page 157: Index

    78, 82 Configuration page, 87 user roles, 83 configure XPS Mail, 112 access control in CommandPost, 77 connect an XPS ICAP sensor, 117 active mode statistics, 67 create alert management groups, 82 add a user, 79 create custom roles, 85...
  • Page 158 Sniffing Mode and Active Mode, 109 XPS ICAP statistics, 73 SSL, 8 XPS Mail, 112 Stats XPS Mail sensor active mode, 67 and quarantine, 42 application protocols, 68 XPS Mail statistics, 74 inline module, 70