Cisco AMP Threat Grid Appliance
Setup and Configuration Guide
Version 2.2
Last Updated: March 8, 2017
Cisco Systems, Inc. www.cisco.com
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.


Summary of Contents for Cisco AMP Threat Grid Appliance Setup and Configuration Guide

  • Page 1 Cisco AMP Threat Grid Appliance Setup and Configuration Guide Version 2.2 Last Updated: March 8, 2017 Cisco Systems, Inc. www.cisco.com Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.
  • Page 2 IP addresses or phone numbers in illustrative content is unintentional and coincidental. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
  • Page 3: Table Of Contents

    LDAP Authentication .......................... 2   Cisco UCS C220 M4 Server ........................ 2   FireAMP Private Cloud Integration ...................... 2  ...
  • Page 4 OpAdmin and Shell user ........................ 10   CIMC (Cisco Integrated Management Controller) ................ 10     .................... 10   SETUP ...
  • Page 5: List Of Figures

    Figure 25 - Appliance Build Number ........................37   Figure 26 - Threat Grid Portal Login Page ......................41   Figure 27 - The Cisco screen – F8 to enter the CIMC Configuration Utility ............43   Figure 28 - CIMC Configuration Utility ........................44  ...
  • Page 6: Introduction

    By maintaining a Cisco AMP Threat Grid Appliance on-premises, organizations are able to send suspicious documents and files to it to be analyzed without leaving the network.
  • Page 7: New

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide INTRODUCTION What’s New For a full description of new features always check the Release Notes and other release documentation such as Migration Notes and Data Retention Notes. Major highlights are included here.
  • Page 8: Version 2.0

    Email. Send email to support@threatgrid.com with your query. Open a Support Case. You will need your Cisco.com ID (or to generate one) to open a support case. You will also need your service contract number, which was included on the order invoice. Enter your support case here: https://tools.cisco.com/ServiceRequestTool/scm/mgmt/case...
  • Page 9: Support Servers

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide INTRODUCTION once (after November 14th, 2015), in order for your license to be accepted. The connection does not need to be ongoing or active at the time of the license validation.
  • Page 10: Planning

    Threat Grid snapshot server. PLANNING A Cisco AMP Threat Grid Appliance is a Linux server with Threat Grid software installed by Cisco Manufacturing prior to shipping. Once a new appliance is received, it must be set up and configured for your on-premises network environment.
  • Page 11: Hardware Documentation

    Installation and Service Guide for Cisco UCS C220 M3 Server: http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c/hw/C220/install/C220.html Spec Sheet for Cisco UCS C220 M3 High-Density Rack Server (Small Form Factor Disk Drive Model): http://www.cisco.com/c/dam/en/us/products/collateral/servers-unified-computing/ucs-c-series-rack-servers/C220M3_SFF_SpecSheet.pdf Cisco has a power/cooling calculator, which you may also find useful: https://mainstayadvisor.com/Go/Cisco/Cisco-UCS-Power-Calculator.aspx...
  • Page 12: Ntp Server Access

    The NTP server needs to be accessible via the Dirty network. Integrations – ESA/WSA/FireAMP etc. Additional planning may be required if the Threat Grid Appliance is going to be used with other Cisco products, such as ESA/WSA appliances, FireAMP Private Cloud, etc.
  • Page 13: Interfaces

    Grid Appliances. There is no communication between Threat Grid Cloud service, and the Threat Grid Portal that is included with a Threat Grid Appliance. CIMC Another user interface is the Cisco Integrated Management Controller ("CIMC"), which is used to manage the server. Network Interfaces Admin Interface Connect to the Admin network.
  • Page 14: Clean Interface

    • Malware Sample-initiated Traffic • CIMC Interface Recommended. If the Cisco Integrated Management Controller (“CIMC”) interface is configured, it can be used for server management and maintenance. For more information see APPENDIX A – CIMC CONFIGURATION (RECOMMENDED). Reserved Interface The non-Admin SFP+ port is reserved for future use.
  • Page 15: Defaults

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide PLANNING Login Names and Passwords - Defaults Web UI Administrator Login: admin Password: "changeme" OpAdmin and Shell user Use the initial Threat Grid/TGSH Dialog randomly generated password, and then the new password entered during the first step of the OpAdmin configuration workflow.
  • Page 16 Cisco AMP Threat Grid Appliance Setup and Configuration Guide PLANNING...
  • Page 17: Server Setup

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide SERVER SETUP SERVER SETUP To begin, connect both power supplies on the back of your appliance and connect the included KVM adapter to an external monitor and keyboard and plug into the KVM port located at the front of the server, as illustrated in the figure below.
  • Page 18: Figure 4 - Cisco Ucs C220 M3 Rear View Details

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide SERVER SETUP Figure 4 - Cisco UCS C220 M3 Rear View Details Note: For releases 1.0-1.2 a reboot may be needed if an interface was not plugged in at boot time. This is a pre-1.3 issue, except for any interface requiring an SFP, which still needs to be plugged in at boot...
  • Page 19: C220 M4 Rack Server Setup

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide SERVER SETUP C220 M4 Rack Server Setup Figure 5 - Cisco UCS C220 M4 SFF Rack Server Note: The details of your appliance may differ from the image above. Please contact...
  • Page 20: Figure 6 - Cisco Ucs C220 M4 Rear View Details

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide SERVER SETUP Figure 6 - Cisco UCS C220 M4 Rear View Details Connections: Admin (left) Clean (right) Dirty CIMC...
  • Page 21: Diagram

    SERVER SETUP Network Interface Setup Diagram This section describes the most logical/recommended setup for an AMP Threat Grid Appliance. However, each customer's interface setup is different. Depending on your network requirements, you may well decide to connect the Dirty interface to the inside, or the Clean interface to the outside with appropriate network security measures in place, for example.
  • Page 22: Firewall Rules Suggestions

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide SERVER SETUP Firewall Rules Suggestions (columns: From, Protocol/Port, Action, Reason): Dirty interface to Internet, SMTP: Deny, to prevent malware from spamming. Dirty interface to Internet, TCP/19791: Allow, to allow connectivity to Threat Grid support. Dirty Interface...
  • Page 23: Power On and Boot Up

    Power On and Boot Up Once you have connected the server peripherals and the network interfaces, turn on the appliance and wait for it to boot up. The Cisco screen is displayed briefly: Figure 8 - Cisco Screen During Boot Up...
  • Page 24: Figure 9 - Tgsh Dialog

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide SERVER SETUP Note: If you want to configure this interface, press F8 after the memory check is completed, and follow the instructions provided in the section, CONFIGURING CIMC (Optional). The TGSH Dialog is displayed on the console when the server has successfully booted up and connected:...
  • Page 25: Initial Network Configuration - Tgsh Dialog

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide INITIAL NETWORK CONFIGURATION – TGSH DIALOG INITIAL NETWORK CONFIGURATION – TGSH DIALOG The initial network configuration is completed in the TGSH Dialog. The goal is to complete the basic configuration that will allow access to the OpAdmin interface tool to finish the remaining configuration, including the license, email host, SSL Certificates, etc.
  • Page 26: Figure 11 - Network Configuration In-Progress (Clean And Dirty)

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide INITIAL NETWORK CONFIGURATION – TGSH DIALOG Figure 11 - Network Configuration In-Progress (clean and dirty) Leave the Dirty network DNS Name blank.
  • Page 27: Figure 12 - Network Configuration In-Progress (Admin)

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide INITIAL NETWORK CONFIGURATION – TGSH DIALOG Figure 12 - Network Configuration In-Progress (admin) After you finish entering all the network settings, tab down and select Validate to validate your entries. If invalid values have been entered, you may see errors. If this is the case, then fix the errors and re-Validate.
  • Page 28: Figure 13 - Network Configuration Confirmation

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide INITIAL NETWORK CONFIGURATION – TGSH DIALOG Figure 13 - Network Configuration Confirmation Select Apply to apply your configuration settings. Have patience. This step may take 10 minutes or more to complete.
  • Page 29: Figure 14 - Network Configuration - List Of Changes Made

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide INITIAL NETWORK CONFIGURATION – TGSH DIALOG Figure 14 - Network Configuration - List of Changes Made Select OK. The Network Configuration Console refreshes again and displays the IP addresses you entered:...
  • Page 30: Figure 15 - Ip Addresses

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide INITIAL NETWORK CONFIGURATION – TGSH DIALOG Figure 15 - IP Addresses You have completed the network configuration of your appliance. Note: The URL for the Clean interface will not work until the OpAdmin portal configuration is complete.
  • Page 31: Configuration Wizard - Opadmin Portal

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide CONFIGURATION WIZARD - OPADMIN PORTAL CONFIGURATION WIZARD - OPADMIN PORTAL The OpAdmin Portal is the Threat Grid administrator's portal on the appliance. It is a Web user interface that can be used once an IP address has been configured on the Admin interface.
  • Page 32: Figure 16 - Opadmin Login

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide CONFIGURATION WIZARD - OPADMIN PORTAL Figure 16 - OpAdmin Login Enter the default Admin Password that you copied from the TGSH Dialog and click Login. The Change Password page opens. Continue with the next section:...
  • Page 33: Admin Password Change

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide CONFIGURATION WIZARD - OPADMIN PORTAL Admin Password Change The initial administrator's password was generated randomly during the pre-ship Threat Grid installation, and is visible as plain text in the TGSH Dialog. You must change the initial Admin password before you may continue with the configuration workflow.
  • Page 34: License Agreement

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide CONFIGURATION WIZARD - OPADMIN PORTAL End User License Agreement Review the End User License Agreement. Scroll down to the end, and click I HAVE READ AND AGREE. The License page opens:...
  • Page 35: License Installation

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide CONFIGURATION WIZARD - OPADMIN PORTAL Continue with the next section: License Installation After the networks are configured, you are ready to install the Threat Grid license. (In versions older than v1.4.4, you will need to start Support Mode in order for your license to be accepted. See Start Support Mode - License Workaround Prior to Version 1.4.4 for more information.)
  • Page 36: Server Notifications Configuration

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide CONFIGURATION WIZARD - OPADMIN PORTAL Enter the name of the Upstream Host (email host). Change the port from 587 to 25. Leave the other settings at the defaults. Click Next. The Notifications page opens.
  • Page 37 Cisco AMP Threat Grid Appliance Setup and Configuration Guide CONFIGURATION WIZARD - OPADMIN PORTAL...
  • Page 38: Ntp Server Configuration

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide CONFIGURATION WIZARD - OPADMIN PORTAL NTP Server Configuration This is where you identify the NTP ("Network Time Protocol") servers. Enter the NTP Server(s) IP or NTP name. If there are multiple NTP Servers, separate them with a space or a comma.
  • Page 39: Figure 21 - Appliance Is Installing

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide CONFIGURATION WIZARD - OPADMIN PORTAL Figure 21 - Appliance is Installing After successful installation, the State changes from the orange Running to a green Successful message confirming success. The Reboot button changes to green, and the configuration output is...
  • Page 40: Figure 22 - Successful Appliance Installation

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide CONFIGURATION WIZARD - OPADMIN PORTAL Figure 22 - Successful Appliance Installation Click Reboot after the successful installation. You will see the message that "The appliance is rebooting". Rebooting may take up to 5 minutes.
  • Page 41: Figure 24 - Appliance Is Configured

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide CONFIGURATION WIZARD - OPADMIN PORTAL Once the appliance has successfully rebooted, you will see the following confirmation that the Appliance is configured: Figure 24 - Appliance Is Configured Your appliance is now set up and the initial configuration is complete.
  • Page 42: Installing Threat Grid Appliance Updates

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide INSTALLING THREAT GRID APPLIANCE UPDATES INSTALLING THREAT GRID APPLIANCE UPDATES After you complete the initial Threat Grid Appliance setup we recommend that you install any available updates before continuing. Threat Grid Appliance updates are applied through the OpAdmin Portal.
  • Page 43: Appliance Build Number/Version Lookup Table

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide INSTALLING THREAT GRID APPLIANCE UPDATES Appliance Build Number/Version Lookup Table The build number of an Appliance can be viewed on the Updates page (OpAdmin Operations > Update Appliance), as illustrated above. Appliance build numbers correspond to the following version numbers:...
  • Page 44 Cisco AMP Threat Grid Appliance Setup and Configuration Guide INSTALLING THREAT GRID APPLIANCE UPDATES (columns: Build Number | Release Version | Release Date | Notes) 2015.08.20160131061029.8b6bc1d6 | (blank) | 2/11/2016 | Force update to 2.0.1 from here; 2014.10.20160115122111.1f09cb5f | 1.4.6 | 1/27/2016 | Starting point for the 2.0.4 update; 2014.10.20151123133427.898f70c2 | v1.4.5 | 11/25/2015 | (none); 2014.10.20151116154826.9af96403...
  • Page 45 Cisco AMP Threat Grid Appliance Setup and Configuration Guide INSTALLING THREAT GRID APPLIANCE UPDATES Note: Updating from 1.0 to 1.0+hotfix2 takes approximately 15 minutes. Applying a full update from 1.0 to 1.3 (without data migration) takes about 30 minutes.
  • Page 46: Test The Appliance Setup - Submit A Sample

    Once the Threat Grid Appliance is updated to the current version, the final test that your appliance has been configured properly is to submit a malware sample using the Threat Grid software. Sign into the AMP Threat Grid Portal by visiting the address you configured as the Clean interface. The Threat Grid login page opens:...
  • Page 47: Appliance Administration

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide APPLIANCE ADMINISTRATION APPLIANCE ADMINISTRATION Once the Threat Grid Appliance has been set up and initial configuration is completed, it is ready for the appliance administrator. Release notes, Updates, SSL Certificates, adding users, and other administrator tasks and topics are...
  • Page 48: Appendix A - Cimc Configuration (Recommended)

    APPENDIX A – CIMC CONFIGURATION (RECOMMENDED) APPENDIX A – CIMC CONFIGURATION (RECOMMENDED) The first window displayed as the server is booting is the Cisco window, which allows you to enter the Cisco Integrated Management Controller (“CIMC”) Configuration Utility. The CIMC interface can be used for remote server management.
  • Page 49: Figure 28 - Cimc Configuration Utility

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide APPENDIX A – CIMC CONFIGURATION (RECOMMENDED) Figure 28 - CIMC Configuration Utility In the CIMC configuration utility, set up an IP address that will be used for remote server management. When complete, Save, and then Exit.
  • Page 50: Figure 29 - Cisco Integrated Management Controller (Cimc) Interface

    Cisco AMP Threat Grid Appliance Setup and Configuration Guide APPENDIX A – CIMC CONFIGURATION (RECOMMENDED) Figure 29 - Cisco Integrated Management Controller (CIMC) Interface The CIMC interface can now be used to view the server health as well as open a KVM to complete the...