1. Manuals
  2. Brands
  3. Trellix Manuals
  4. Security Sensors
  5. NS Series
  6. Product manual

Trellix NS Series Product Manual

Intrusion prevention system sensor
Hide thumbs
Table of Contents

Advertisement

Quick Links

Download this manual
Trellix Intrusion Prevention System
NS-series Sensor Product Guide

Advertisement

Table of Contents
loading
Need help?

Need help?

Do you have a question about the NS Series and is the answer not in the manual?

Questions and answers

Related Manuals for Trellix NS Series

Summary of Contents for Trellix NS Series

  • Page 1 Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 2: Table Of Contents

    Contents NS9500 Sensors..............16 About Sensors.
  • Page 3 4-port 10/1 GigE MM 62.5 µm with internal fail-open Network Interface Module......31 4-port RJ-45 10 Gbps/1 Gbps/100 Mbps Network Interface Module........32 6-port RJ-45 10/100/1000 Mbps Network Interface module.
  • Page 4 Managing licenses for NS9500 Sensors............50 Add license to the Manager.
  • Page 5 Usage restrictions................94 Safety measures.
  • Page 6 Connect the cables for tap mode............110 Port Clustering for an NS9300 Sensor in tap mode.
  • Page 7 Install the slide rails and rack mount the Sensor..........133 NS-series interface modules.
  • Page 8 License requirement for NS7500 Sensors............153 License requirement for NS7500 Sensor failover.
  • Page 9 NS7x50 Network Interface modules..............182 Installation of the Interface Module.
  • Page 10 Before you install................. . 203 Usage restrictions.
  • Page 11 Connect the cables for SPAN or hub mode........... 219 Connect the cables for Sensor Fail-Open.
  • Page 12 Install a new power supply..............244 Remove the power supply.
  • Page 13 NS3500 Sensor physical description..............265 Components of an NS3500 Sensor.
  • Page 14 Deployment of NS-series Sensors............. . . 286 NS3x00 Sensor physical description.
  • Page 15 Verify successful installation..............304 You're up and running!.

  • Page 16: Ns9500 Sensors

    After you deploy a Sensor successfully, you configure and manage it using the Trellix Intrusion Prevention System Manager. The process of configuring a Sensor and establishing communication with the Manager is described in subsequent chapters of this guide.

  • Page 17: Ns-Series Physical Description

    Deployment of an IPS Sensor requires knowledge of your network to help determine the level of configuration and the number of installed Sensors. You also need to determine the number of Trellix ePolicy Orchestrator - On-prem servers required to protect your network.

  • Page 18: Sensor Leds

    (MM and SM) and SFP Copper. Sensor rear panel 1. Power supply A/B (Pwr A/Pwr B) 2. USB ports (2) 3. RJ-45 1000/10000 Management port (Mgmt) (1) 4. RJ-45 1000/10000 Response port (R1) (1) Sensor LEDs Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 19 Gigabit Ports Link Green The link is up. The link is down. RJ45 FailOpen/Bypass Green The port pair is in Inline Fail- Open/Inline Fail-Close/SPAN/Tap Mode. The Port Pair is in the Bypass Mode. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 20: Before You Install

    This chapter describes the best practices for deployment of Sensors in your network. Topics include the safety considerations for handling the Sensor, usage restrictions that apply to the Sensor model, and the contents that are shipped along with the Sensor. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 21: Usage Restrictions

    Trellix prohibits the use of the Sensor appliance for anything other than operating Trellix IPS. • Trellix prohibits the modification or installation of any hardware or software on the Sensor appliance that is not part of the normal operation of Trellix IPS.

  • Page 22: About Fiber-Optic Ports

    The following accessories are shipped in the NS-series Sensor crate: • Sensor • Power supply (x2) • Power cords (Trellix provides a standard and international power cables) • Set of rack mounting rails • Printed Quick Start Guide • Serial Console Cable (DB9-DB9) •...

  • Page 23: Unpack The Sensor

    2. Install the supported interface modules as per your requirement. 3. Attach power, network, and monitoring cables. 4. Turn on the Sensor. 5. Configure the Sensor after you have set up and turned it on. How to position the Sensor Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 24: Install The Slide Rails And Rack Mount The Sensor

    Follow this procedure to assemble the slide rails and position the Sensor on it. Note Due to the weight of the appliance, Trellix recommends that two people place the chassis into the rail cabinet. 1. Disassemble the inner slide rails from the rail assemblies.
  • Page 25 Place each inner rail on both sides of the chassis unit. Position the three key holes of the inner rails with the mounting holes on the chassis unit. b. Slide the rails forward to lock it. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 26 4. Mount the chassis unit into the rack. a. Pull the middle rail out, extend it until the lock position. Note Ensure ball bearing retainer is located at the front of the middle rail. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 27 | NS9500 Sensors b. Insert the chassis unit into the middle rails. c. Pull or push the blue release tab on both sides and continue to push the chassis unit until fully closed. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 28: Ns-Series Interface Modules

    The NS9500 Sensors support the 2-port, 4-port, 6-port, and 8-port Network Interface Modules. These modules need to be installed in the respective slots on the Sensor. For more information, refer to the NS-series Interface Modules section in Trellix Intrusion Prevention System NS-series Reference Guide.

  • Page 29: 2-Port Qsfp+ 40 Gigabit Network Interface Module

    2-port 100/40 Gigabit SR MTP/MPO passive fail-open interface module The 2-port 100/40 Gigabit SR MTP/MPO passive fail-open interface module provides internal fail-open capability with 100/40 Gigabit Ethernet performance on each port. 2-port 100/40 Gigabit SR MTP/MPO passive fail-open interface module Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 30: 4-Port Qsfp+ 40 Gigabit Network Interface Module

    4-port 10/1 GigE SM 8.5 µm with internal fail-open Network Interface Module The 4-port SM 8.5 µm Network Interface Module provides internal fail-open capability with 10/1 Gigabit Ethernet performance on each port. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 31: 4-Port 10/1 Gige Mm 50 Μm With Internal Fail-Open Network Interface Module

    The 4-port MM 50 µm Network Interface Module provides internal fail-open capability with 10/1 Gigabit Ethernet performance on each port. 4-port 10/1 GigE SM 50 µm with internal fail-open interface module 4-port 10/1 GigE MM 62.5 µm with internal fail-open Network Interface Module Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 32: 4-Port Rj-45 10 Gbps/1 Gbps/100 Mbps Network Interface Module

    4-port RJ-45 10 Gbps/1 Gbps/100 Mbps Network Interface Module The 4-port RJ-45 Network Interface Module provides 10 Gbps/1 Gbps/100 Mbps Ethernet performance on each port. 4-port RJ-45 10 Gbps/1 Gbps/100 Mbps interface module Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 33: 6-Port Rj-45 10/100/1000 Mbps Network Interface Module

    6-port RJ-45 10/100/1000 Mbps interface module 8-port SFP/SFP+ 1/10 Gigabit Network Interface Module The 8‑Port SFP/SFP+ (Small Form‑Factor Pluggable Plus) Network Interface Module provides 1/10 Gigabit Ethernet performance on each port. 8-Port SFP+/SFP 10/1G Gigabit interface module Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 34: Installation Of The Interface Module

    1. Remove the module from its protective packaging. Note It is assumed that the Sensor is yet to be powered on, and trust between the Sensor and the Trellix Intrusion Prevention System Manager has not been established. 2. Grip the sides of the module with your thumb and forefinger and insert the module into the slot.

  • Page 35: Install The Interface Module On An Up And Running Sensor

    Small form-factor pluggable transceiver modules The NS-series Sensors use four types of small form-factor pluggable transceiver modules as shown in the following table. For more information, see the section NS-series Transceiver Modules in Trellix Intrusion Prevention System NS-series Reference Guide. Type...

  • Page 36: Sfp Transceiver Modules

    | NS9500 Sensors To ensure compatibility, Trellix supports only those SFP, SFP+, QSFP+ and QSFP28 modules purchased through Trellix or from a Trellix-approved vendor. For a list of approved vendors, locate the relevant KnowledgeBase article at https:// supportm.trellix.com. Enter the relevant KnowledgeBase article in Search the Support Knowledge Center and click Search to locate the article.

  • Page 37: Qsfp+ Transceiver Modules

    Serial Attached SCSI, 40G Ethernet, 20G/40G Infiniband, and other communications standards. 850nm (short reach - SR) and 1310 nm (long reach - LR) QSFP+ transceiver modules are supported. 850nm QSFP+ transceiver module Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 38: Qsfp28 Transceiver Modules

    QSFP28 transceivers are specifically designed to support 100G Ethernet. This module transmits on long reach (LR), short reach (SR), and Copper (CU). 850nm QSFP28 transceiver module Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 39: Install A Transceiver Module

    100 Gbps DAC to 40 Gbps DAC or vice versa • 100 Gbps Fiber transceiver to 40 Gbps Fiber transceiver or vice versa Remove a transceiver module Perform these tasks if you need to remove a module. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 40: Attaching Cables To The Sensor

    The Console port on the NS-series Sensor is used for setup and configuration of the Sensor. Steps: 1. For console connections, plug the DB9 Console cable supplied by Trellix into the Console port on the Sensor.This port is labeled Console in the Sensor front panel.

  • Page 41: Connect The Cable To The Response Port

    2. Plug the other end of the cable into the network device connected to your Manager server. Note To isolate and protect your management traffic, Trellix strongly recommends you to use a separate, dedicated management subnet to interconnect the Sensors and the Manager.
  • Page 42 G2/3 and G2/4 NS9500 G2/5 and G2/6 NS9500 G2/7 and G2/8 NS9500 G3/1 and G3/2 NS9500 4-port QSFP+ 40 Gigabit Network Interface Module G3/3 and G3/4 NS9500 6-port RJ-45 10/100/1000 Mbps Network Interface module Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 43: Cable Types For Routers, Switches, Hubs, And Computers

    In-line Gigabit Ethernet ports can be configured as fail-open or fail-closed. The RJ-45 monitoring ports are built-in and include an built-in fail-open functionality as well. All other monitoring ports require the use of either Trellix's 4-port 1/10 Gigabit Modular Passive Fail-Open kit or external active fail-open (AFO) kits for In-Line Fail-Open Active configuration.

  • Page 44: Connect The Cables For Span Or Hub Mode

    If you need to configure HA pair between sensors kept at distance greater than 1m, consider the following options: • For distances up to 3m, purchase QSFP28 DAC from Trellix. • For distances greater than 3m, purchase 40G QSFP transceivers from Trellix and fiber cables from external vendor. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 45: Connect The Cables For Sensor Fail-Open

    Except the built-in RJ-45 ports which come with built-in fail-open functionality, you use either the optional Trellix's 4-port 1/10 Gigabit Modular Passive Fail-Open kit or external bypass switch provided in an Active Fail-Open Kit for the Monitoring ports to fail-open.

  • Page 46: Turning The Sensor On And Off

    The NS9500 Sensor requires a license to activate the baseline throughput. You must first purchase a license to enable traffic inspection in the NS9500 Sensor. To obtain a license, contact Trellix Sales. Additional license is required to increase the throughput of the Sensor.
  • Page 47 NS95X2030CAE-DT 20 to 30 Gbps 1 NS9500 Sensor NS95X2040CAE-DT 20 to 40 Gbps 2 NS9500 Sensor NS95X2060CAE-DT 20 to 60 Gbps 2 NS9500 Sensors NS95X20100CAE-DT 20 to 100 Gbps 4 NS9500 Sensors Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 48: License Requirement For Ns9500 Sensor Failover

    Sensors. License requirement for NS9500 Sensor failover Based on the throughput, the NS9500 Sensor requires an additional license for Sensor failover. To obtain a license, contact Trellix Sales. The license is provided as a .zip or .jar file. The Manager supports both formats. The license procured contains the details of the throughput for the Sensor.
  • Page 49 2 * 4 NS9500 Sensors NS95XF3040CAE-DT 30 to 40 Gbps 2 * 2 NS9500 Sensor NS95XF3060CAE-DT 30 to 60 Gbps 2 * 2 NS9500 Sensors NS95XF30100CAE-DT 30 to 100 Gbps 2 * 4 NS9500 Sensors Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 50: Managing Licenses For Ns9500 Sensors

    You can upload the license from the Licenses page in the Manager. In the Manager, select Manager → <Admin Domain Name> → Setup → Licenses. The following details are displayed in the Capacity tab: Upload license capacity for Sensor Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 51 Name of the Sensor assigned to the license. License Details Customer – Customer for whom the license file was generated Grant ID – The Trellix Grant ID of the corresponding customer Key – The license key number. Expiration – Applicable only for demo and subscription licenses •...

  • Page 52: Add License To The Manager

    Assign a license to a Sensor • Unassign a license from a Sensor • Remove a license from the Manager Add license to the Manager To upload the license, perform the following steps: Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 53: Assign A License To A Sensor

    To assign the license, perform the following steps: 1. Navigate to Manager → <Admin Domain Name> → Setup → Licenses. 2. Click the System tab. 3. Choose the license that suits your requirement and click Assign. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 54 In case you are replacing an existing license, a Confirmation dialog-box opens. To confirm license replacement, click OK, else, click Cancel. 6. Upon successful license assignment, an Informational dialog-box opens stating the license has been successfully assigned. Click OK to close it. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 55: Unassign A License From A Sensor

    To unassign the license, perform the following steps: 1. Go to Manager → <Admin Domain Name> → Setup → Licenses. 2. Click the System tab. 3. Select the license you wish to unassign. 4. Click Unassign. 5. Click Ok. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 56: Upgrade An Existing Capacity License

    If the Sensor also has an existing SSL proxy decryption license assigned and its capacity is same as the old system license, then you must purchase an SSL proxy decryption license with the same capacity as the upgraded system license, to enable signature file push to the Sensor. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 57 2. Click the System tab.The system tab with existing licenses: 3. Click The Add License pop-up window opens. 4. Click Browse.Navigate to the location where the upgrade license is saved. Select the license and click Open. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 58 An informational message window appears. Click OK. b. <Sensor name> System license upgrade (from x Gbps to x+y Gbps) window appears which displays all the licenses present in the Manager for that particular Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 59 A warning message that the existing system license will be removed and replaced with a new license appears. Click if you are upgrading from a standalone Sensor to a stack Sensor, the following warning message is displayed. Click OK. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 60: Remove A License From The Manager

    To remove a license, perform the following steps: 1. Go to Manager → <Admin Domain Name> → Setup → Licenses. 2. Click the Capacity tab. 3. Select the license you wish to unassign. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 61: Stacking Ns9500 Sensors

    Capacity Number of Sensors License SKU 40 Gbps 2 NS9500 Sensors NS95X40CAE-AT 60 Gbps 2 NS9500 Sensors NS95X60CAE-AT 100 Gbps 4 NS9500 Sensors NS95X100CAE-AT • Unsupported features list: SSL resumption for stack Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 62: Cable The Sensors In A Standalone Stack

    6. On the rear panel of each NS9500 Sensor, plug a RJ-45 cable in the Management port (labeled MGMT). 7. Plug the other end of the cable into the network device connected to your Manager server. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 63: Add A Stack To The Manager

    3. To add stacked Sensors in the Manager, click Devices → <Admin Domain> → Global → Device Manager, then click Manage Stacks.The Manage Stacks window opens. 4. Click to add a new stack. The Stack Details window opens. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 64 Capacity — The throughput for the Stack. Based on the throughput, the number of Sensors will also differ. See the table below: Capacity Number of Sensors 40 Gbps 60 Gbps 100 Gbps Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 65 The new stack in displayed in the Manage Stacks window. 7. Close the Manage Stacks window. In the Device Manager page, the member Sensor instances are displayed as <Stackname-node id> (for example, <Stackname-1>, <Stackname-2>, etc.) depending on the capacity. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 66: Configure Sensor Information

    1. Log in to the Sensor using the terminal connected to the Console port. 2. At the prompt, log in using the default Sensor username and password (admin) (admin123) Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 67 The Sensor name is a case-sensitive character string up to 25 characters. The string can include hyphens, underscores, and periods, and must begin with a letter. You reset the Sensor to change the mode using the command. resetconfig Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 68: Considerations For Failover In Stacked Sensors

    Both the stacks must be identical to each other with identical connections, network modules, and capacity. • Ensure you have the correct license to configure failover for a stack. The licenses required are as follows: Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 69: Cable The Sensors In A Stack For High Availability

    2. Connect the other end of the cable into the corresponding port labeled G1/1 or G1/2 of the first Sensor in the secondary stack. 3. Repeat steps 1 and 2 for the other Sensors in the primary and secondary stack. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 70: Scenarios For Stacked Ns9500 Sensors

    In the event of a single or multiple node failure in a stack, the remaining Sensors continue to scan traffic and a fault is generated in the System Faults page in the Manager. You can view the status of the nodes in the stack in the Device Manager page. Example 1: Single node failure Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 71 In this scenario, Node 2 in the stack becomes unresponsive. The remaining Sensors will continue to process traffic at a reduced throughput of 75 Gbps. Monitoring ports connected to the failed sensor will also experience failure. Trellix recommends you to use an Active Fail Open kit in such a scenario.
  • Page 72 3. When the active stack processes this information, the monitoring ports in the active stack is deactivated. 4. The standby stack takes over traffic inspection from the active stack. Example 2: Single node failure in active and standby stacks Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 73: Configure The Sensor And Manager For Deployment

    Configure the Sensor and Manager for deployment Install the Manager Software Following steps briefly explain the Manager installation: Note You must have administrator privileges on the target Windows or Linux server to install the Manager software. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 74: Add The Sensor To The Manager

    The Manager installation files available for download are listed. 8. Click on the required Manager installation file and the download starts. 9. Refer to Trellix Intrusion Prevention System Installation Guide for detailed procedure to install the Manager application. Add the Sensor to the Manager Steps: 1.
  • Page 75 Selecting Direct enables online Sensor update. Direct is the default mode. • Contact Information — (Optional) Type the contact information. • Location — (Optional) Type the location. • Comment — (Optional) Type the comment. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 76: Configure Sensor Information

    Note A password must contain between 8 to 25 characters, is case-sensitive, and can consist of any alphanumeric character or symbol. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 77 10. Set the shared secret key value for the Sensor. At the prompt, type the following command: set sensor The Sensor then prompts you to enter and, subsequently, confirm the shared secret key value. sharedsecretkey Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 78: Verify Successful Installation

    Trust Established 2. Return to the Manager. In the Manager Home page, view the Manager status in the System Faults section.The Manager status should be up and Sensor status should be active. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 79 Domain> → Intrusion Prevention → Policy Types → IPS Policies.The Default Prevention policy contains attacks already configured with a "blocking" Sensor response action. If any attack in the policy is triggered, the Sensor automatically Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 80: You're Up And Running

    | NS9500 Sensors blocks the attack. To tune this or any other Trellix IPS-provided policies, you can clone the policy and then customize it as described in Trellix Intrusion Prevention System Product Guide. 6. Click Device List → <Device_Name> → Port Settings.

  • Page 81: Sensor Technical Specifications

    Check the Active Fail-Open Kit appears in the Manager Status disconnected. and make sure it is properly page. connected to the Sensor. Sensor technical specifications The following table lists the specifications of for NS9500 Sensors. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 82 Operating: 0° to 35° C , Non-operating: - 40° to 70° C Relative humidity (non-condensing) Operational: 10% to 90%, Non-operational: 5% to Altitude 0 to 10,000 feet Safety Certification UL 60950-1 (USA); CSA 22.1.No. 60950-1 (Canada); EN 60950-1 (Europe); CNS 14336-1 (Taiwan), GB Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 83 EN 55024, EN61000-3-2, EN61000-3-3 (Europe and International); VCCI Class A (Japan); AS/NZS CISPR 32 (Australia and New Zealand); CNS 13438 (Taiwan); GB 9254-2008 (China); KN32 and KN35 (South Korea); GB 17625.1 (China) Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 84: Ns9X00 Sensors

    After you deploy a Sensor successfully, you configure and manage it using the Manager. The process of configuring a Sensor and establishing communication with the Manager is described in subsequent chapters of this guide. For the details about the Manager, see the Manager Administration section in Trellix Intrusion Prevention System Product Guide. Functions of an NS-series Sensor The NS-series Sensors are a third-generation hardware platform for Sensors designed for high bandwidth links to offer Next Generation IPS (NGIPS) capability and provide high aggregate throughput across various Sensor models.

  • Page 85: Deployment Of An Ns-Series Sensor

    Deployment of a Sensor requires knowledge of your network to help determine the level of configuration and the number of installed Sensors. You also need to determine the number of Trellix ePolicy Orchestrator - On-prem servers required to protect your network. The Sensor is purpose-built for the monitoring of traffic across one or more network segments.
  • Page 86 RJ-45 10/100/1000 Mbps Ethernet Monitoring ports (6) 4. RJ-45 10/100/1000 Mbps Ethernet Monitoring ports (8) The supported transceiver modules are QSFP+, SFP+ (M2M and SM), SFP Fiber (MM and SM) and SFP Copper. Sensor rear panel Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 87 3. Power supply B (Pwr B) 4. RJ-45 100/1000/10000 Management port (Mgmt) (1) 5. RJ-45 100/1000/10000 Response port (R1) (1) 6. RJ-45 Auxiliary port (Aux) (1) The NS9300 Sensor model Sensor front panel Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 88 5. RJ‑45 100/1000/10000 Response port (R1) (2). R1 on NS9300P Sensor is used as an interconnect port. 6. RJ‑45 Auxiliary ports (Aux) (2) The NS9100 and NS9200 Sensors have seven fan units on the front panel and four fan units on the top. Fan units-NS9100/NS9200 Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 89 Sensors on the top. The direction of airflow in all the Sensors is front to back. Cold air enters through the front of the chassis. Fan units-NS9300 Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 90 RJ-45 10/100/1000 Management port, which is used for communication with the Manager server. You can assign an IP address to this port during installation. These ports have built-in fail-open function. • Console port, which you use to set up and configure the Sensor using the CLI. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 91: Sensor Leds

    Power Supply-B (included). Power supply B is a hot-swappable, redundant power supply. This power supply also uses a standard IEC320-C13 port, and you can use the Trellix-provided cable or acquire one that meets your specific needs. The NS-series Sensor does not have internal taps; you must use it with a third-party external tap to run it in tapped mode.
  • Page 92 Gigabit Ports Link Green The link is up. The link is down. RJ45 FailOpen/Bypass Green The port pair is in Inline Fail- Open/Inline Fail-Close/SPAN/Tap Mode. The Port Pair is in the Bypass Mode. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 93: Before You Install

    This chapter describes the best practices for deployment of Sensors in your network. Topics include the safety considerations for handling the Sensor, usage restrictions that apply to the Sensor model, and the contents that are shipped along with the Sensor. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 94: Usage Restrictions

    Trellix prohibits the use of the Sensor appliance for anything other than operating Trellix IPS. • Trellix prohibits the modification or installation of any hardware or software on the Sensor appliance that is not part of the normal operation of Trellix IPS.

  • Page 95: About Fiber-Optic Ports

    The following accessories are shipped in the NS-series Sensor crate: • Sensor • Power supply (x2) • Power cords (Trellix provides a standard and international power cables) • Set of rack mounting rails • Printed quick start guide • 40G Direct Attach cable...

  • Page 96: Setting Up The Sensor

    Sensor as described in the subsequent sections of this guide. Install the slide rails and rack mount the Sensor Trellix recommends rack-mounting your Sensor. For maintenance purposes, you must have access to the front and rear of the Sensor. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 97 Before you mount the Sensor on the rack, make sure that the power is off. Remove the power cable and all network interface cables from the Sensor. Note Due to the weight of the appliance, Trellix recommends that two people place the chassis into the rail cabinet. 1. Pull the release button to remove inner member from slides. Slides components: •...
  • Page 98 | NS9x00 Sensors 3. Align the inner member key holes to the standoffs on the chassis, then move the inner member toward the front of the chassis. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 99 6. Fully extend the slides until it is in the locked position, then pull the release button to release the lock and disconnect the inner member from the slides. 7. Press the safety locking pin to release the inner member from the chassis. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 100: Redundant Power Supply

    The basic configuration of a Sensor includes two hot-swappable power supplies. Each of these modules has one handle for insertion or extraction from the unit as well as a release latch. If you have purchased an additional power supply from Trellix, refer to the following sections to remove and install the new power supply.

  • Page 101: Remove The Power Supply

    4. Slide in the power supply until it makes contact with the backplane, then push firmly to mate the connectors solidly with the backplane. Note For true redundant operation with the power supply, Trellix recommends that you plug each supply into a different power circuit. For optimal protection, use uninterruptable power sources. Remove the power supply Perform this task if you want to remove the power supply to the Sensor.

  • Page 102: Installation Of The Interface Module

    | NS9x00 Sensors For more information, refer to the NS-series Interface Modules section in Trellix Intrusion Prevention System NS-series Reference Guide. Installation of the interface module This section provides instructions on how to install the interface module based on the following scenarios: •...

  • Page 103: Install The Interface Module On An Up And Running Sensor

    Small form-factor pluggable transceiver modules The NS-series Sensors use three types of small form-factor pluggable transceiver modules as shown in the following table. For more information, see the NS-series Transceiver Modules section in Trellix Intrusion Prevention System NS-series Reference Guide. Type...

  • Page 104: Install A Transceiver Module

    | NS9x00 Sensors To ensure compatibility, Trellix supports only those SFP, SFP+ and QSFP+ modules purchased through Trellix or from a Trellix- approved vendor. For a list of approved vendors, locate the relevant KnowledgeBase article at https://supportm.trellix.com. Click Search the Support Knowledge Center.

  • Page 105: Remove A Transceiver Module

    The Console port on the NS-series Sensor is used for setup and configuration of the Sensor. Steps: 1. For console connections, plug the DB9 Console cable supplied by Trellix into the Console port on the Sensor.This port is labeled Console in the Sensor front panel.

  • Page 106: Connect The Cable To The Auxiliary Port

    2. Connect the other end of the cable to the network device such as a hub, switch, or a router, through which you want to respond to attacks. Connect the cable to the Management port The Sensor communicates with the Manager using the Management port. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 107: Connect The Cables To The Interconnect Ports

    2. Plug the other end of the cable into the network device connected to your Manager server. Note To isolate and protect your management traffic, Trellix strongly recommends you to use a separate, dedicated management subnet to interconnect the Sensors and the Manager.
  • Page 108 G2/7 and G2/8 NS9100/NS9200/NS9300P G3/1 and G3/2 NS9100/NS9200/NS9300P G3/3 and G3/4 NS9100/NS9200/NS9300P G3/5 and G3/6 NS9100/NS9200/NS9300P G3/7 and G3/8 NS9100/NS9200/NS9300P G4/1 and G42 NS9300S G5/1 and G5/2 NS9300S G5/3 and G5/4 NS9300S Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 109: Cable Types For Routers, Switches, Hubs And Computers

    Sensor to external active fail-open kits. For instructions, see the subsequent sections of this chapter. This section provides the steps to connect the Sensor's Gigabit Ethernet ports so they fail-close. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 110: Connect The Cables For Tap Mode

    To deploy the Sensor in tap mode, you must use a Sensor's Gigabit Ethernet Monitoring port pair with a third-party external tap. Note For a list of Trellix-approved third party vendors, see the KnowledgeBase at https://supportm.trellix.com. Enter the relevant KnowledgeBase article in Search the Support Knowledge Center and click Search to locate the relevant KnowledgeBase article.
  • Page 111 (G1/3, G1/4) and (G5/1, G5/2) port pairs of the current configuration and add two new port pairs (G1/7, G1/8) and (G5/5, G5/6) to ensure traffic distribution happens at the S-Unit (Secondary Sensor) of NS9300 Sensor. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 112 Even port pairs: G1: (G1/3, G1/4) G2: (G2/3, G2/4) G5: (G5/3, G5/4) G6: (G6/3, G6/4) Fixed Gigabit Ethernet-Copper Ports Odd port pairs: G3: (G3/1, G3/2) and (G3/5, G3/6) G7: (G7/1, G7/2) and (G7/5, G7/6) Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 113: Connect The Cables For Span Or Hub Mode

    Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 114: Connect The Cable For Sensor Failover

    Trellix ships the cable required for failover pair creation, along with the Sensor hardware. The length of this cable is 3 meters. If you need to configure a failover pair between Sensors kept at distance greater than 3...

  • Page 115: Turning The Sensor On And Off

    Failover between 3 meters - 100 meters: Purchase fiber Active Optical Cable (AOC) or QSFP+ SR4 transceiver module from Trellix or QSFP+ SR4 transceiver module from an external source. • Failover between 100 meters - 300 meters: Purchase QSFP+ SR4 transceivers from Trellix or QSFP+ SR4 transceiver from an external source. •...

  • Page 116: Install The Manager Software

    The Manager installation files available for download are listed. 8. Click on the required Manager installation file and the download starts. 9. Refer to Trellix Intrusion Prevention System Installation Guide for detailed procedure to install the Manager application. Add the Sensor to the Manager Steps: 1.
  • Page 117 Device Type — Specifies the type of device to be added. Select IPS Sensor. • Deployment Mode — Select Direct or Indirect. Note Selecting Direct enables online Sensor update. Direct is the default mode. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 118: Configure Sensor Information

    (admin) (admin123) 3. (Optional, but recommended) Change the Sensor password. At the prompt, type . The Sensor prompts you to enter passwd the new password and asks you for the old password. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 119 Sensor on the network. At the prompt, type the following command: If the ping is successful, ping <manager IP address> continue with the following steps. If not, type to verify your configuration settings and check that the information is show correct. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 120: Verify Successful Installation

    Trust Established 2. Return to the Manager. In the Manager Home page, view the Manager status in the System Faults section.The Manager status should be up and Sensor status should be active. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 121 Domain> → Intrusion Prevention → Policy Types → IPS Policies.The Default Prevention policy contains attacks already configured with a "blocking" Sensor response action. If any attack in the policy is triggered, the Sensor automatically Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 122: You're Up And Running

    | NS9x00 Sensors blocks the attack. To tune this or any other Trellix IPS-provided policies, you can clone the policy and then customize it as described in Trellix Intrusion Prevention System Product Guide. 6. Click Device List → <Device_Name> → Port Settings.

  • Page 123: Sensor Technical Specifications

    Check the Active Fail-Open Kit appears in the Manager Status disconnected. and make sure it is properly page. connected to the Sensor. Sensor technical specifications The following table lists the specifications of for NS9x00 Sensors. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 124 UL 1950, CSA-C22.2 No. 950, EN-60950, IEC 950, EN 60825, 21CFR1040 CB license and report covering all national country deviations. EMI Certification FCC Part 15, Class A (CFR 47) (USA) ICES-003 Class A (Canada), EN55022 Class A (Europe), CISPR22 Class A (Int’l) Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 125 | NS9x00 Sensors Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 126: Ns7500 Sensor

    After you deploy a Sensor successfully, you configure and manage it using the Manager. The process of configuring a Sensor and establishing communication with the Manager is described in subsequent chapters of this guide. For the details about the Manager, see the Manager Administration section in Trellix Intrusion Prevention System Product Guide. Functions of an NS-series Sensor The NS-series Sensors are a third-generation hardware platform for Sensors designed for high bandwidth links to offer Next Generation IPS (NGIPS) capability and provide high aggregate throughput across various Sensor models.

  • Page 127: Ns-Series Physical Description

    Deployment of a Sensor requires knowledge of your network to help determine the level of configuration and the number of installed Sensors. You also need to determine the number of Trellix ePolicy Orchestrator - On-prem servers required to protect your network. The Sensor is purpose-built for the monitoring of traffic across one or more network segments.

  • Page 128: Sensor Leds

    4. RJ-45 1000/10000 Response port (R1) (1) Sensor LEDs The front and rear panel LEDs provide status information for the health of the Sensor and the activity on its ports. The following table describes the NS-series LEDs. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 129 Green The link is up . The link is down. RJ-45 Fail Open/Bypass Green The port pair is in Inline Fail- Open/Inline Fail-Close/SPAN/Tap Mode. The Port Pair is in the Bypass Mode. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 130: Before You Install

    This chapter describes the best practices for deployment of Sensors in your network. Topics include the safety considerations for handling the Sensor, usage restrictions that apply to the Sensor model, and the contents that are shipped along with the Sensor. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 131: Usage Restrictions

    Trellix prohibits the use of the Sensor appliance for anything other than operating Trellix IPS. • Trellix prohibits the modification or installation of any hardware or software on the Sensor appliance that is not part of the normal operation of Trellix IPS.

  • Page 132: About Fiber-Optic Ports

    The following accessories are shipped in the NS-series Sensor crate: • Sensor • Power supply (x2) • Power cords (Trellix provides a standard and international power cables) • Set of rack mounting rails • Printed Quick Start Guide • Serial Console Cable (DB9-DB9)

  • Page 133: Setting Up The Sensor

    Follow this procedure to assemble the slide rails and position the Sensor on it. Note Due to the weight of the appliance, Trellix recommends that two people place the chassis into the rail cabinet. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 134 Click and pull the white tab (lock on inner rail) forward to disconnect inner rail from the middle rail. The Inner rail is disconnected. c. Push tab (a) to slide the middle rail back into the outer rail. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 135 Place each inner rail on both sides of the chassis unit. Position the three key holes of the inner rails with the mounting holes on the chassis unit. b. Slide the rails forward to lock it. 3. Mount the outer slide rails/brackets to the rack posts. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 136 Pull the middle rail out, extend it until the lock position. Note Ensure ball bearing retainer is located at the front of the middle rail. b. Insert the chassis unit into the middle rails. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 137: Ns-Series Interface Modules

    The NS7500 Sensors support the 4-port, 6-port, and 8-port Network Interface Modules. These modules need to be installed in the respective slots on the Sensor. For more information, refer to the NS-series Interface Modules section in Trellix Intrusion Prevention System NS-series Reference Guide.

  • Page 138: 4-Port 10/1 Gige Sm 8.5 Μm With Internal Fail-Open Network Interface Module

    4-port 10/1 GigE MM 50 µm with internal fail-open Network Interface Module The 4-port MM 50 µm Network Interface Module provides internal fail-open capability with 10/1 Gigabit Ethernet performance on each port. 4-port 10/1 GigE SM 50 µm with internal fail-open interface module Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 139: 4-Port 10/1 Gige Mm 62.5 Μm With Internal Fail-Open Network Interface Module

    The 4-port MM 62.5 µm Network Interface Module provides internal fail-open capability with 10/1 Gigabit Ethernet performance on each port. 4-port 10/1 GigE SM 62.5 µm with internal fail-open interface module 4-port RJ-45 10 Gbps/1 Gbps/100 Mbps with internal fail-open Network Interface Module Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 140: 6-Port Rj-45 1 Gbps/100 Mbps/10 Mbps With Internal Fail-Open Network Interface Module

    6-port RJ-45 1 Gbps/100 Mbps/10 Mbps with internal fail-open Network Interface Module The 6-port RJ-45 with internal fail-open Network Interface Module provides 1 Gbps/100 Mbps/10 Mbps Ethernet performance on each port. 6-port RJ-45 1 Gbps/100 Mbps/10 Mbps with internal fail-open interface module Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 141: 8-Port Sfp/Sfp+ 1/10 Gigabit Network Interface Module

    It is assumed that the Sensor is yet to be powered on, and trust between the Sensor and the Manager has not been established. 2. Grip the sides of the module with your thumb and forefinger and insert the module into the slot. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 142: Install The Interface Module On An Up And Running Sensor

    1. Disconnect the network fiber optic cable from the module. 2. Remove the transceivers from the module. 3. Unscrew the interface modules to detach them from the Sensor. 4. Place the module into its protective packaging. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 143: Small Form-Factor Pluggable Transceiver Modules

    SFP optical interfaces are less than half the size of GBIC interfaces. To ensure compatibility, Trellix supports only those SFP, SFP+, QSFP+ and QSFP28 modules purchased through Trellix or from a Trellix-approved vendor. For a list of approved vendors, locate the relevant KnowledgeBase article at https:// supportm.trellix.com.

  • Page 144: Sfp+ Transceiver Modules

    The enhanced small form-factor pluggable ( SFP+ ) is an enhanced version of the SFP that supports data rates up to 10 Gbps. 850nm SFP+ 1310nm SFP+Transceiver modules are supported. 850nm SFP+ transceiver module 1310nm SFP+ transceiver module Install a transceiver module 1. Remove the module from its protective packaging. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 145: Remove A Transceiver Module

    4. Insert the module plug into the module optical bore for protection. Attaching cables to the Sensor Follow the steps outlined in this chapter to connect the cables to the various ports of your Sensor. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 146: Connect The Cable To The Console Port

    The Console port on the NS-series Sensor is used for setup and configuration of the Sensor. Steps: 1. For console connections, plug the DB9 Console cable supplied by Trellix into the Console port on the Sensor.This port is labeled Console in the Sensor front panel.

  • Page 147: Connect The Cable To The Management Port

    2. Plug the other end of the cable into the network device connected to your Manager server. Note To isolate and protect your management traffic, Trellix strongly recommends you to use a separate, dedicated management subnet to interconnect the Sensors and the Manager.

  • Page 148: Cable Types For Routers, Switches, Hubs, And Computers

    Use a straight/crossover Ethernet RJ-45 cable to connect a router port to computer to the Sensor Management port. • Use a straight/crossover Ethernet RJ-45 cable to connect a computer to the Sensor monitoring port. Connect the cables for in-line mode Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 149: Connect The Cables For Tap Mode

    In-line Gigabit Ethernet ports can be configured as fail-open or fail-closed. The RJ-45 monitoring ports are built-in and include an built-in fail-open functionality as well. All other monitoring ports require the use of either Trellix's 4-port 1/10 Gigabit Modular Passive Fail-Open kit or external active fail-open (AFO) kits for In-Line Fail-Open Active configuration.

  • Page 150: Connect The Cables For Span Or Hub Mode

    Purchase two 10G SFP+ and use the standard cables. Failover cables are additional hardware required to support failover communication between two NS7500 Sensors. Note Trellix does not ship the transceiver modules and cables with the NS7500 Sensors. Please purchase the same separately for failover setup. Refer to the following table before you configure a HA pair:...

  • Page 151: Connect The Cables For Sensor Fail-Open

    Except the built-in RJ-45 ports which come with built-in fail-open functionality, you use either the optional Trellix's 4-port 1/10 Gigabit Modular Passive Fail-Open kit or external bypass switch provided in an Active Fail-Open Kit for the Monitoring ports to fail-open.

  • Page 152: Turning The Sensor On And Off

    If you are installing a redundant power supply, you should install it as described in Install a new power supply section. For true redundant operation with the optional redundant power supply,Trellix recommends that you plug each supply into a different power circuit.

  • Page 153: License Requirement For Ns7500 Sensors

    The NS7500 Sensor requires a license to activate the baseline throughput. You must first purchase a license to enable traffic inspection in the NS7500 Sensor. To obtain a license, contact Trellix Sales. Additional or upgraded license is required to increase the throughput of the Sensor.

  • Page 154: License Requirement For Ns7500 Sensor Failover

    3 Gbps to 5 Gbps or 7.5 Gbps. The license is provided as a .zip or .jar file. Note You must first purchase a license to enable traffic inspection in the NS7500 Sensor. To obtain a license, contact Trellix Sales. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 155 Name of the Sensor assigned to the license License Details Customer – Customer for whom the license file was generated Grant ID – Trellix Grant ID of the corresponding customer Key – License key number of the customer. Expiration – Applicable only for demo and...
  • Page 156 The following actions can be performed on the System tab: • Add license to the Manager • Assign a license to a Sensor • Unassign a license from a Sensor • Upgrade an existing license for a Sensor Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 157: Add License To The Manager

    It is recommended to add subscription license from Manager version 10.1.7.44 and later. Upload license to the Manager 5. Click Add. The license is uploaded to the Manager. 6. (Optional) Click Save as CSV to export the license usage details as .csv file. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 158: Assign A License To A Sensor

    3. Choose the license that suits your requirement and click Assign. 4. The Assign License pop-up window opens, click the Assign To drop-down menu and select the Sensor. 5. Click Assign to assign the license to the Sensor. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 159: Unassign A License From A Sensor

    To unassign the license, perform the following steps: 1. Go to Manager → <Admin Domain Name> → Setup → Licenses. 2. Click the System tab. 3. Select the license you wish to unassign. 4. Click Unassign. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 160: Upgrade An Existing Capacity License

    To upgrade an existing capacity license, perform the following steps: Steps: 1. Go to Manager → <Admin Domain Name> → Setup → Licenses. 2. Click the System tab.The system tab with existing licenses: Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 161 4. Click Browse.Navigate to the location where the upgrade license is saved. Select the license and click Open. Note The supported license formats are .zip and .jar. Upload license to the Manager 5. Click Add. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 162 Double-click on the license you wish to upgrade the capacity license for. c. A warning message that the existing system license will be removed and replaced with a new license appears. Click Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 163: Remove A License From The Manager

    The existing system capacity license is replaced with the new capacity license. 6. (Optional) Click Save as CSV to export the license usage details as .csv file. Remove a license from the Manager Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 164: Troubleshooting The Sensor

    Manager. traffic on the ports unless the ports are enabled in the Manager. Ports are disabled in case of Sensor failure; you must re-enable them for Sensor monitoring to resume. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 165: Sensor Technical Specifications

    Dimensions 17.31" (W) x 1.75" (H) x 29.13" (D) Weight 25.5 lbs Storage 240 GB M.2 drive System Heat Dissipation Maximum BTU 1023 BTU/hr Typical BTU 852 BTU/hr Maximum Power Consumption 300W Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 166 EN 55024, EN61000-3-2, EN61000-3-3 (Europe and International); VCCI Class A (Japan); AS/NZS CISPR 32 (Australia and New Zealand); CNS 13438 (Taiwan); GB 9254-2008 (China); KN32 and KN35 (South Korea); GB 17625.1 (China) Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 167: Ns7X50 Sensors

    After you deploy a Sensor successfully, you configure and manage it using the Manager. The process of configuring a Sensor and establishing communication with the Manager is described in the subsequent chapters of this guide. For the details about the Manager, see the Manager Administration section in Trellix Intrusion Prevention System Product Guide. Functions of an NS-series Sensor The NS-series Sensors are a third-generation hardware platform for Sensors designed for high bandwidth links to offer Next Generation IPS (NGIPS) capability and provide high aggregate throughput across various Sensor models.

  • Page 168: Deployment Of An Ns-Series Sensor

    Deployment of a Sensor requires knowledge of your network to help determine the level of configuration and the number of installed Sensors. You also need to determine the number of Trellix ePolicy Orchestrator - On-prem servers required to protect your network. The Sensor is purpose-built for the monitoring of traffic across one or more network segments.
  • Page 169 SFP/SFP+ 10/1 GigE MM 62.5 micron with internal fail-open Monitoring ports (4) 5. RJ-45 10/100/1000 Mbps Ethernet Monitoring ports (8) The supported transceiver modules are SFP+ Fiber (MM and SM), SFP Fiber (MM and SM) and SFP Copper. Sensor rear panel Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 170 Network I/O modules 4-port 10/1 GigE SM 8.5 micron with internal fail- open 4-port 10/1 GigE MM 50 micron with internal fail- open 4-port 10/1 GigE MM 62.5 micron with internal fail- open Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 171: Sensor Leds

    Power Supply — Power supply is included with an NS7x50 Sensor. The supply uses a standard IEC port (IEC320-C13). Trellix provides a standard, 2m NEMA 5-15P (US) power cable (3 wire). International customers must procure a country- appropriate power cable.
  • Page 172 Gigabit Ports Link Green The link is up. The link is down. Normal/Bypass Green The port pair is in Inline Fail- Open/Inline Fail-Close/SPAN/Tap Mode. The Port Pair is in the Bypass Mode. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 173: Before You Install

    You should not remove the outer shell of the Sensor. If you do so, this will invalidate your warranty. • The Sensor appliance is not a general purpose workstation. • Trellix prohibits the use of the Sensor appliance for anything other than operating Network Security Platform. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 174: Safety Measures

    | NS7x50 Sensors • Trellix prohibits the modification or installation of any hardware or software on the Sensor appliance that is not part of the normal operation of Network Security Platform. Safety measures Please read the following warnings before you install the Sensor. These safety measures apply to all Sensor models unless otherwise noted.

  • Page 175: Contents Of The Box

    The following accessories are shipped in the NS-series Sensor crate: • Sensor • Power supply (x2) • Power cords (Trellix provides a standard and international power cables) • Set of rack mounting rails • Printed Quick Start Guide Unpack the Sensor Steps: 1.

  • Page 176: Setting Up The Sensor

    Follow this procedure to assemble the slide rails and position the Sensor on it. Note Due to the weight of the appliance, Trellix recommends that two people place the chassis into the rail cabinet. 1. Disassemble the inner slide rails from the rail assemblies.
  • Page 177 Click and pull the white tab (lock on inner rail) forward to disconnect inner rail from the middle rail. The Inner rail is disconnected. c. Push tab (a) to slide the middle rail back into the outer rail. The middle rail is pushed back into the outer rail. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 178 Place each inner rail on both sides of the chassis unit. Position the three key holes of the inner rails with the mounting holes on the chassis unit. b. Slide the rails forward to lock it. 3. Mount the outer slide rails/brackets to the rack posts. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 179 Pull the middle rail out, extend it until the lock position. Note Ensure ball bearing retainer is located at the front of the middle rail. b. Insert the chassis unit into the middle rails. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 180: Redundant Power Supply

    The basic configuration of a Sensor includes two hot-swappable power supplies. Each of these modules has one handle for insertion or extraction from the unit as well as a release latch. If you have purchased an additional power supply from Trellix, refer to the following sections to remove and install the new power supply.

  • Page 181: Install A New Power Supply

    4. Slide in the power supply until it makes contact with the backplane, then push firmly to mate the connectors solidly with the backplane. Note For true redundant operation with the power supply, Trellix recommends that you plug each supply into a different power circuit. For optimal protection, use uninterruptible power sources. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 182: Remove The Power Supply

    6-port RJ-45 10/100/1000 Mbps with internal fail-open interface module • 8-port SFP/SFP+ 1/10 Gigabit interface module For more information, refer to the NS-series Interface Modules section in Trellix Intrusion Prevention System NS-series Reference Guide. Installation of the Interface Module This section provides instructions on how to install the interface module based on the following scenarios:...

  • Page 183: Install The Interface Module During A Fresh Installation Of The Sensor

    5. Establish trust between the Sensor and the Manager. Install the interface module on an up and running Sensor This section provides the steps to install the interface module on a Sensor which is up and running. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 184: Remove An Interface Module

    SFP optical interfaces are less than half the size of GBIC interfaces. To ensure compatibility, Trellix supports only those SFP, SFP+, QSFP+ and QSFP28 modules purchased through Trellix or from a Trellix-approved vendor. For a list of approved vendors, locate the relevant KnowledgeBase article at https:// supportm.trellix.com.

  • Page 185: Install A Transceiver Module

    2. Release the module from the slot by pulling the bail clasp out of its locked position. 3. Slide the module out of the slot. 4. Insert the module plug into the module optical bore for protection. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 186: Attaching Cables To The Sensor

    The Console port on the NS7x50 Sensor is used for setup and configuration of the Sensor. Steps: 1. For console connections, plug the DB9 Console cable supplied by Trellix into the Console port on the Sensor.This port is labeled Console in the Sensor front panel.

  • Page 187: Connect The Cable To The Response Port

    2. Plug the other end of the cable into the network device connected to your Manager server. Note To isolate and protect your management traffic,Trellix strongly recommends you to use a separate, dedicated management subnet to interconnect the Sensors and the Manager.

  • Page 188: How To Use Peer Ports

    Port Pairs Sensor G0/1 and G0/2 NS7350/NS7250/NS7150 G1/1 and G1/2 NS7350/NS7250/NS7150 G1/3 and G1/4 NS7350/NS7250/NS7150 G1/5 and G1/6 NS7350/NS7250/NS7150 G2/1 and G2/2 NS7350/NS7250/NS7150 G2/3 and G2/4 NS7350/NS7250/NS7150 G2/5 and G2/6 NS7350/NS7250/NS7150 Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 189: Cable Types For Routers, Switches, Hubs, And Computers

    This section provides the steps to connect the Sensor's Gigabit Ethernet ports so they fail-close. 1. Plug the cable appropriate for use with your transceiver module into one of the Monitoring ports, for example G1/1. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 190: Connect The Cables For Tap Mode

    To deploy the Sensor in tap mode, you must use a Sensor's Gigabit Ethernet Monitoring port pair with a third-party external tap. Note For a list of Trellix-approved third party vendors, see the KnowledgeBase at https://supportm.trellix.com. Enter the relevant KnowledgeBase article in Search the Support Knowledge Center and click Search to locate the relevant KnowledgeBase article.
  • Page 191 The 8-port module supports active fail-open using a Copper and Fiber 1/10 Gigabit AFO kit. • G3 supports both internal fail-open and active fail-open mode when connected to an Active Fail-Open (AFO) kit Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 192: Connect The Cable For Sensor Failover

    Purchase two 10G SFP+ and use the standard cable. Failover cables are additional hardware required to support failover communication between two NS7x50 Sensors. Note Trellix does not ship the transceiver modules and cables with the NS7x50 Sensors. Please purchase the same separately for failover setup. Refer to the following table before you configure a HA pair:...

  • Page 193: Turning The Sensor On And Off

    If you are installing a redundant power supply, you should install it as described in Install a new power supply section. For true redundant operation with the power supply,Trellix recommends that you plug each supply into a different power circuit.

  • Page 194: Sensor Technical Specifications

    Check the Active Fail-Open Kit appears in the Manager Status disconnected. and make sure it is properly page. connected to the Sensor. Sensor technical specifications The following table lists the specifications of an NS7x50 Sensor: Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 195 IEC 60825 and 21CFR1040 EMI Certification FCC Part 15 Subpart B Class A (USA); CAN ICES-3 Class A (Canada); EN 55022, EN 55032, EN 55024, EN61000-3-2, EN61000-3-3 (Europe and International); Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 196 | NS7x50 Sensors Sensor Specifics NS7350 NS7250 NS7150 VCCI Class A (Japan); AS/NZS CISPR 32 (Australia and New Zealand); CNS 13438 (Taiwan); GB 9254-2008 (China) Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 197: Ns7X00 Sensors

    After you deploy a Sensor successfully, you configure and manage it using the Manager. The process of configuring a Sensor and establishing communication with the Manager is described in the subsequent chapters of this guide. For details about the Manager, see the Manager Administration section in Trellix Intrusion Prevention System Product Guide. Functions of an NS-series Sensor The NS-series Sensors are a third-generation hardware platform for Sensors designed for high bandwidth links to offer Next Generation IPS (NGIPS) capability and provide high aggregate throughput across various Sensor models.

  • Page 198: Deployment Of An Ns-Series Sensor

    Deployment of a Sensor requires knowledge of your network to help determine the level of configuration and the number of installed Sensors. You also need to determine the number of Trellix ePolicy Orchestrator - On-prem servers required to protect your network. The Sensor is purpose-built for the monitoring of traffic across one or more network segments.
  • Page 199 10/1 GigE MM 62.5 micron with internal fail-open Monitoring ports (4) 5. RJ-45 10/100/1000 Mbps Ethernet Monitoring ports (8) The supported transceiver modules are SFP+ (MM and SM), SFP Fiber (MM and SM) and SFP Copper. Sensor rear panel Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 200 The following table gives the details of the supported ports. Ports NS7100/NS7200/NS7300 Fixed Gigabit Ethernet—Copper ports (internal fail- open) Fixed 10 GigE/1 GigE (SFP+) ports Network I/O slots Network I/O modules 4-port 10/1 GigE SM 8.5 micron with internal fail- open Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 201: Sensor Leds

    Power Supply — Power supply is included with an NS7x00 Sensor. The supply uses a standard IEC port (IEC320-C13). Trellix provides a standard, 2m NEMA 5-15P (US) power cable (3 wire). International customers must procure a country- appropriate power cable.
  • Page 202 Gigabit Ports Link Green The link is up. The link is down. Normal/Bypass Green The port pair is in Inline Fail- Open/Inline Fail-Close/SPAN/Tap Mode. The Port Pair is in the Bypass Mode. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 203: Before You Install

    The following restrictions apply to the use and operation of a Sensor: • You should not remove the outer shell of the Sensor. If you do so, this will invalidate your warranty. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 204: Safety Measures

    Trellix prohibits the use of the Sensor appliance for anything other than operating Trellix IPS. • Trellix prohibits the modification or installation of any hardware or software on the Sensor appliance that is not part of the normal operation of Trellix IPS.

  • Page 205: Contents Of The Box

    The following accessories are shipped in the NS-series Sensor crate: • Sensor • Power supply (x2) • Power cords (Trellix provides a standard and international power cables) • Set of rack mounting rails • Printed Quick Start Guide Unpack the Sensor Steps: 1.

  • Page 206: Setting Up The Sensor

    To mount the Sensor on a rack, you will attach two mounting rails to the Sensor as described in the subsequent sections of this guide. Install the slide rails and rack-mount the Sensor Trellix recommends rack-mounting your Sensor. For maintenance purposes, you must have access to the front and rear of the Sensor. Caution Before you mount the Sensor on the rack, make sure that the power is off.
  • Page 207 Install the front end of each slide cabinet section to the rack using the slide tool-less features. The tool-less latch rotates when the bracket is pressed up against the rack rails. b. Align, adjust, and attach the rear brackets to the rack rail. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 208 With the chassis unit in a fully closed position, secure using two truss head screws. b. Drive the screws through the inner member flange and through the rack rails. The screws thread directly to the cabinet slide members. Tighten the screws. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 209: Redundant Power Supply

    A basic configuration of the Sensor includes one hot-swappable power supply. You can install a second hot-swappable power supply for redundancy. You will have to purchase this redundant power supply separately from Trellix. Each of these modules have one handle for insertion or extraction from the unit as well as a release latch.

  • Page 210: Remove The Power Supply

    4. Slide in the power supply until it makes contact with the backplane, then push firmly to mate the connectors solidly with the backplane. Note For true redundant operation with the optional redundant power supply, Trellix recommends that you plug each supply into a different power circuit. For optimal protection, use uninterruptible power sources. Remove the power supply Perform this task if you want to remove the power supply to the Sensor.

  • Page 211: Installation Of The Interface Module

    • 8-port SFP/SFP+ 1/10 Gigabit interface module For more information, see the NS-series Interface Modules section in Trellix Intrusion Prevention System NS-series Reference Guide. Installation of the Interface Module This section provides instructions on how to install the interface module based on the following scenarios: •...

  • Page 212: Install The Interface Module On An Up And Running Sensor

    1. Disconnect the network fiber optic cable from the module. 2. Remove the transceivers from the module. 3. Unscrew the interface modules to detach them from the Sensor. 4. Place the module into its protective packaging. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 213: Small Form-Factor Pluggable Transceiver Modules

    SFP optical interfaces are less than half the size of GBIC interfaces. To ensure compatibility, Trellix supports only those SFP, SFP+, QSFP+ and QSFP28 modules purchased through Trellix or from a Trellix-approved vendor. For a list of approved vendors, locate the relevant KnowledgeBase article at https:// supportm.trellix.com.

  • Page 214: Remove A Transceiver Module

    The Console port on the NS7x00 Sensor is used for setup and configuration of the Sensor. Steps: 1. For console connections, plug the DB9 Console cable supplied by Trellix into the Console port on the Sensor.This port is labeled Console in the Sensor front panel.

  • Page 215: Connect The Cable To The Response Port

    1. Plug a Cat-5e Ethernet cable into the Response port.This port is labeled R1 on the Sensor rear panel. 2. Connect the other end of the cable to the network device, such as a hub, switch, or a router, through which you want to respond to attacks. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 216: Connect The Cable To The Management Port

    2. Plug the other end of the cable into the network device connected to your Manager server. Note To isolate and protect your management traffic,Trellix strongly recommends you to use a separate, dedicated management subnet to interconnect the Sensors and the Manager.
  • Page 217 G2/1 and G2/2 NS7300/NS7200/NS7100 G2/3 and G2/4 NS7300/NS7200/NS7100 G2/5 and G2/6 NS7300/NS7200/NS7100 G2/7 and G2/8 NS7300/NS7200/NS7100 G3/1 and G3/2 NS7300/NS7200/NS7100 G3/3 and G3/4 NS7300/NS7200/NS7100 G3/5 and G3/6 NS7300/NS7200/NS7100 G3/7 and G3/8 NS7300/NS7200/NS7100 Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 218: Cable Types For Routers Switches Hubs And Computers

    1 to the router and the one connected to 2 to the switch. Connect the cables for tap mode To deploy the Sensor in tap mode, you must use a Sensor's Gigabit Ethernet Monitoring port pair with a third-party external tap. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 219: Connect The Cables For Span Or Hub Mode

    | NS7x00 Sensors Note For a list of Trellix-approved third party vendors, see the KnowledgeBase at https://supportm.trellix.com. Enter the relevant KnowledgeBase article in Search the Support Knowledge Center and click Search to locate the relevant KnowledgeBase article. Steps: 1. Plug the cable appropriate for use with your transceiver module into one of the Monitoring ports, for example, G1/1.

  • Page 220: Connect The Cable For Sensor Failover

    Optical kits, see the 1 Gigabit Optical Active Fail-Open Bypass Kit Guide and 10 Gigabit Optical Active Fail-Open Bypass Kit Guide. Connect the cable for Sensor failover Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 221: Turning The Sensor On And Off

    Purchase two 10G SFP+ and use the standard cables. Failover cables are additional hardware required to support failover communication between two NS7x00 Sensors. Note Trellix does not ship the transceiver modules and cables with the NS7x00 Sensors. Please purchase the same separately for failover setup. Refer to the following table before you configure a HA pair:...

  • Page 222: Configure The Sensor And Manager For Deployment

    If you are installing a redundant power supply, you should install it as described in Install a new power supply section. For true redundant operation with the optional redundant power supply,Trellix recommends that you plug each supply into a different power circuit.

  • Page 223: Add The Sensor To The Manager

    | NS7x00 Sensors 9. Refer to Trellix Intrusion Prevention System Installation Guide for detailed procedure to install the Manager application. Add the Sensor to the Manager Steps: 1. Log on to the Manager using the default user name and password...

  • Page 224: Configure Sensor Information

    Steps: 1. Log on to the Sensor using the terminal connected to the Console port. 2. At the prompt, log on using the default Sensor username and password (admin) (admin123) Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 225 <A.B.C.D> set sensor gateway 192.168.3.68 6. Set the IP address of the Manager server. Type at the prompt.Example: set manager ip <A.B.C.D> set manager ip 192.168.2.8 Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 226: Verify Successful Installation

    Check that all information is correct. show 12. Type to exit the session. exit Verify successful installation Steps: 1. Type in the Sensor CLI.The status report appears. status Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 227 3. From the Manager Home page, click Configure to open the Configuration page. 4. Select your added Sensor: Device List → <Device_Name>. The ports for this Sensor appear under the <Device_Name> node. Note <Device_Name> indicates the name of the Sensor you added. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 228: You're Up And Running

    "blocking" Sensor response action. If any attack in the policy is triggered, the Sensor automatically blocks the attack. To tune this or any other Trellix IPS-provided policies, you can clone the policy and then customize it as described in Trellix Intrusion Prevention System Product Guide.

  • Page 229: Troubleshooting The Sensor

    Runts or giants errors on switch Improper cabling or port Make sure that the transmitting and routers configuration and receiving cables are properly connected to the bypass switch. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 230: Sensor Technical Specifications

    1298 BTU/hr 1298 BTU/hr 927 BTU/hr Typical BTU 1113 BTU/hr 1113 BTU/hr 816 BTU/hr Maximum Power 350 W 350 W 250 W Consumption Redundant Power Optional Optional Optional Supply Power 100-240 VAC (50/60Hz) Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 231 UL 1950, CSA-C22.2 No. 950, EN-60950, IEC 950, EN 60825, 21CFR1040 CB license and report covering all national country deviations. EMI Certification FCC Part 15, Class A (CFR 47) (USA) ICES-003 Class A (Canada), EN55022 Class A (Europe), CISPR22 Class A (Int’l) Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 232: Ns5X00 Sensors

    After you deploy a Sensor successfully, you configure and manage it using the Manager. The process of configuring a Sensor and establishing communication with the Manager is described in the subsequent chapters of this guide. For details about the Manager, see the Manager Administration section in Trellix Intrusion Prevention System Product Guide. Functions of NS-series Sensors The NS-series Sensors are a third-generation hardware platform Sensors designed for high bandwidth links to offer Next Generation IPS (NGIPS) capability and provide high aggregate throughput across various Sensor models.

  • Page 233: Deployment Of Ns-Series Sensors

    Deployment of a Sensor requires knowledge of your network to help determine the level of configuration and the number of installed Sensors. You also need to determine the number of Trellix ePolicy Orchestrator - On-prem servers required to protect your network. The Sensor is purpose-built to monitor traffic across one or more network segments.
  • Page 234 1. Power supply inlet (2) 2. USB ports (2) 3. RJ-45 10/100/1000 Management port (MGMT) (1) 4. RJ-45 10/100/1000 Response port (R1) (1) The NS5x00 Sensors have four fan units on the top. Fan units-NS5100/NS5200 Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 235 RJ-11 port — Controls the SFP/SFP+ 1/10 Gigabit Ethernet port pair in passive fail-open mode • SFP/SFP+ 1/10 gigabit ethernet ports — Enables you to monitor two SPAN ports or one in-line segment Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 236: Sensor Leds

    Power Supply — Power supply is included with an NS5x00 Sensor. The supply uses a standard IEC port (IEC320-C13). Trellix provides a standard, 2 m NEMA 5-15P (US) power cable (3 wire). International customers must procure a country- appropriate power cable.
  • Page 237 The port speed is 100 Mbps. The port speed is 10 Mbps. Management Port Link Green The link is up. The link is down. Response Port Speed Green The port speed is 1000 Mbps. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 238: Before You Install

    Trellix prohibits the use of the Sensor appliance for anything other than operating Trellix IPS. • Trellix prohibits the modification or installation of any hardware or software on the Sensor appliance that is not part of the normal operation of Trellix IPS.

  • Page 239: About Fiber-Optic Ports

    Only FDA registered, EN 60825-1 and IEC 60825-1 certified Class 1 SFP/SFP+/ laser transceivers are acceptable for use with the Sensor. Contents of the box The following accessories are shipped in the NS-series Sensor crate: • Sensor Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 240: Unpack The Sensor

    | NS5x00 Sensors • Power supply (x2) • Power cords (Trellix provides a standard and international power cables) • Set of rack mounting rails • Printed Quick Start Guide Unpack the Sensor Steps: 1. Open the crate. 2. Remove the first accessory box.

  • Page 241: Install The Slide Rails And Rack-Mount The Sensor

    Before you mount the Sensor on the rack, make sure that the power is off. Remove the power cable and all network interface cables from the Sensor. Important Due to the weight of the appliance, Trellix recommends that one person holds the chassis and the other person fixes it to the rail cabinet. Steps: 1.
  • Page 242 Pull inner member of the slide rail out until it comes to a lock position. To push the inner member into the rack, lift the latch, and push the inner member. b. Position both inner members. 3. Mount inner members to the chassis unit. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 243: Redundant Power Supply

    The basic configuration of a Sensor includes two hot-swappable power supplies. Each of these modules has one handle for insertion or extraction from the unit as well as a release latch. If you have purchased an additional power supply from Trellix, refer to the following sections to remove and install the new power supply.

  • Page 244: Install A New Power Supply

    4. Slide in the power supply until it makes contact with the backplane, then push firmly to mate the connectors solidly with the backplane. Note For true redundant operation with the power supply, Trellix recommends that you plug each supply into a different power circuit. For optimal protection, use uninterruptible power sources. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 245: Remove The Power Supply

    SFP optical interfaces are less than half the size of GBIC interfaces. To ensure compatibility, Trellix supports only those SFP, SFP+, QSFP+ and QSFP28 modules purchased through Trellix or from a Trellix-approved vendor. For a list of approved vendors, locate the relevant KnowledgeBase article at https://...

  • Page 246: Install A Transceiver Module

    | NS5x00 Sensors supportm.trellix.com. Enter the relevant KnowledgeBase article in Search the Support Knowledge Center and click Search to locate the article. These installation instructions provide information for installing SFP and SFP+ modules that use a bail clasp for securing the module in place in the Sensor.

  • Page 247: Remove A Transceiver Module

    The Console port on the NS5x00 Sensor is used for setup and configuration of the Sensor. Steps: 1. For console connections, plug in the DB9 Console cable supplied by Trellix into the Console port on the Sensor.This port is labeled Console in the Sensor front panel.

  • Page 248: Connect The Cable To The Response Port

    1. Plug a Category 5e Ethernet cable into the Management port.This port is labeled MGMT in the rear panel of the NS5x00 Sensor. 2. Plug the other end of the cable into the network device connected to your Manager server. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 249: About Connecting Cables To The Monitoring Ports

    | NS5x00 Sensors Note To isolate and protect your management traffic, Trellix strongly recommends you to use a separate, dedicated management subnet to interconnect the Sensors and the Manager. About connecting cables to the Monitoring ports Connect to network devices that will send traffic to the Sensor monitoring ports. You can deploy Sensors in the following operating modes: •...

  • Page 250: Cable Types For Routers, Switches, Hubs, And Computers

    All other monitoring ports require the use of external active or passive fail-open kits for Inline Fail Open - Active and Inline Fail Open - Passive configurations. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 251: Connect The Cables For Tap Mode

    To deploy the Sensor in tap mode, you must use a Sensor's gigabit ethernet monitoring port pair with a third-party external tap. Note For a list of Trellix-approved third party vendors, see the KnowledgeBase at https://supportm.trellix.com. Enter the relevant KnowledgeBase article in Search the Support Knowledge Center and click Search to locate the relevant KnowledgeBase article.

  • Page 252: Connect The Cables For Sensor Fail-Open

    You can find the installation and troubleshooting instructions for the kit in the guide that accompanies the kit. For example, for more information on the Optical kits, see the 1 Gigabit Optical Active Fail-Open Bypass Kit Guide. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 253: Connect The Cable For Sensor Failover

    NS5x00 Sensors. Note Trellix does not ship the transceiver modules and cables with the NS5x00 Sensors. Please purchase the same separately for failover setup. Refer to the following table before you configure a HA pair:...

  • Page 254: Configure The Sensor And Manager For Deployment

    If you are installing a redundant power supply, you should install it as described in Install a new power supply section. For true redundant operation with the power supply,Trellix recommends that you plug each supply into a different power circuit.

  • Page 255: Add The Sensor To The Manager

    | NS5x00 Sensors 9. Refer to Trellix Intrusion Prevention System Installation Guide for detailed procedure to install the Manager application. Add the Sensor to the Manager Steps: 1. Log on to the Manager using the default user name and password...

  • Page 256: Configure Sensor Information

    Steps: 1. Log on to the Sensor using the terminal connected to the Console port. 2. At the prompt, log on using the default Sensor username and password (admin) (admin123) Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 257 <A.B.C.D> set sensor gateway 192.168.3.68 6. Set the IP address of the Manager server. Type at the prompt.Example: set manager ip <A.B.C.D> set manager ip 192.168.2.8 Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 258: Verify Successful Installation

    Check that all information is correct. show 12. Type to exit the session. exit Verify successful installation Steps: 1. Type in the Sensor CLI.The status report appears. status Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 259 3. From the Manager Home page, click Configure to open the Configuration page. 4. Select your added Sensor: Device List → <Device_Name>. The ports for this Sensor appear under the <Device_Name> node. Note <Device_Name> indicates the name of the Sensor you added. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 260: You're Up And Running

    "blocking" Sensor response action. If any attack in the policy is triggered, the Sensor automatically blocks the attack. To tune this or any other Trellix IPS-provided policies, you can clone the policy and then customize it as described in Trellix Intrusion Prevention System Product Guide.

  • Page 261: Troubleshooting The Sensor

    Runts or giants errors on switch Improper cabling or port Make sure that the transmitting and routers configuration and receiving cables are properly connected to the bypass switch. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 262: Sensor Technical Specifications

    Sensor. For more information on troubleshooting steps and faults generated in the Manager, see the Troubleshooting section in Trellix Intrusion Prevention System Product Guide. Sensor technical specifications The following table lists the specifications of an NS5x00 Sensor:...
  • Page 263 UL 1950, CSA-C22.2 No. 950, EN-60950, IEC 950, EN 60825, 21CFR1040 CB license and report covering all national country deviations. EMI Certification FCC Part 15, Class A (CFR 47) (USA) ICES-003 Class A (Canada), EN55022 Class A (Europe), CISPR22 Class A (Int’l) Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 264: Ns3500 Sensors

    After you deploy a Sensor successfully, you configure and manage it using the Manager. The process of configuring a Sensor and establishing communication with the Manager is described in the subsequent chapters of this guide. For details about the Manager, see the Manager Administration section in Trellix Intrusion Prevention System Product Guide. Functions of NS-series Sensors The NS-series Sensors are a third-generation hardware platform Sensors designed for high bandwidth links to offer Next Generation IPS (NGIPS) capability and provide high aggregate throughput across various Sensor models.

  • Page 265: Ns3500 Sensor Physical Description

    Sensors. The Sensor is purpose-built to monitor traffic across one or more network segments. Following is an example of a network topology using Gigabit Ethernet throughput. In the illustration, Trellix Intrusion Prevention System provides IPS protection to outsourced servers. High port-density and virtualization provides a highly scalable solution, while Trellix IPS protects against web and eCommerce mail server exploits.
  • Page 266 5. RJ-45 10/100/1000 Management port (MGMT) (1) 6. RJ-45 10/100/1000 Response port (R1) (1 - currently not supported) 7. RJ-45 10/100/1000 Mbps Ethernet Monitoring ports (4) The following table gives the details of the supported ports. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 267: Sensor Leds

    • Power Supply — Power supply is included with an NS3500 Sensor. The supply uses a 12V DC IN. Trellix provides 12V DC adapter with power cord. International customers must procure a country-appropriate power cable.
  • Page 268 The port speed is 1000 Mbps. Green The port speed is 100 Mbps. The port speed is 10 Mbps. Management Port Link Amber The link is up. Blinking Amber Data is being received or transmitted. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 269: Before You Install

    Trellix prohibits the use of the Sensor appliance for anything other than operating Trellix IPS. • Trellix prohibits the modification or installation of any hardware or software on the Sensor appliance that is not part of the normal operation of Trellix IPS.

  • Page 270: Contents Of The Box

    8. Pull out the packing material surrounding the Sensor. 9. Remove the Sensor from the antistatic bag. 10. Save the box and packing materials for later use in case you need to move or ship the Sensor. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 271: Setting Up The Sensor

    The Console port on the NS3500 Sensor is used for setup and configuration of the Sensor. Steps: 1. For console connections, plug in the RJ-45 cable supplied by Trellix into the Console port on the Sensor.This port is labeled CONSOLE in the Sensor front panel.

  • Page 272: Connect The Cable To The Management Port

    The Sensor communicates with the Manager using the Management port. Steps: 1. Plug a RJ-45 cable into the Management port.This port is labeled MGMT in the front panel of the NS3500 Sensor. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 273: About Connecting Cables To The Monitoring Ports

    2. Plug the other end of the cable into the network device connected to your Manager server. Note To isolate and protect your management traffic, Trellix strongly recommends you to use a separate, dedicated management subnet to interconnect the Sensors and the Manager.

  • Page 274: Connect The Cables For In-Line Mode

    1 to the router and the one connected to 2 to the switch. Connect the cables for tap mode To deploy the Sensor in tap mode, you must use a Sensor's ethernet monitoring port pair with a third-party external tap. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 275: Connect The Cables For Span Or Hub Mode

    2. Connect the power cable to a power source.Trellix recommends that you use the CLI command to halt the Sensor shutdown before turning it off. For more information on CLI commands, see the CLI commands section in Trellix Intrusion Prevention System Product Guide. 3. Press the power button to turn on the Sensor.
  • Page 276 Note You must first purchase a license to enable traffic inspection in NS3500 Sensor. To obtain a license, contact Trellix Sales. You can upload the license from the Licenses page in the Manager. In the Manager, select Manager → <Admin Domain Name> →...

  • Page 277: Add License To The Manager

    1. Go to Manager → <Admin Domain Name> → Setup → Licenses. 2. Click the System tab. 3. Click The Add License pop-up window opens. 4. Click Browse.Navigate to the location where the license is saved. Select the license and click Open. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 278: Assign A License To A Sensor

    To assign the license, perform the following steps: 1. Navigate to Manager → <Admin Domain Name> → Setup → Licenses. 2. Click the System tab. 3. Choose the license that suits your requirement and click Assign. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 279 In case you are replacing an existing license, a Confirmation dialog-box opens. To confirm license replacement, click OK, else, click Cancel. 6. Upon successful license assignment, an Informational dialog-box opens stating the license has been successfully assigned. Click OK to close it. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 280: Unassign A License From A Sensor

    To unassign the license, perform the following steps: 1. Go to Manager → <Admin Domain Name> → Setup → Licenses. 2. Click the System tab. 3. Select the license you wish to unassign. 4. Click Unassign. 5. Click Ok. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 281: Remove A License From The Manager

    Troubleshooting the Sensor This section lists some common installation problems, the possible causes, and the corresponding solutions. Problem Possible Cause Solution LED is off. The Sensor is turned off. Restore Sensor power. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 282: Sensor Technical Specifications

    Sensor. For more information on troubleshooting steps and faults generated in the Manager, see the Troubleshooting section in Trellix Intrusion Prevention System Product Guide. Sensor technical specifications Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 283 IEC 60950-1 (International)-CB Scheme certificate and test report covering all applicable country deviations EMI Certification FCC Part 15 Subpart B Class B (USA); CAN ICES-3 Class B (Canada); EN 55022, EN 55032, Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 284 Sensor Specifics NS3500 EN 55024, EN61000-3-2, EN61000-3-3 (Europe and International) KN32 and KN35 (South Korea); VCCI Class B (Japan); AS/NZS CISPR 32 (Australia and New Zealand); CNS 13438 (Taiwan); GB 9254-2008 (China) Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 285: Ns3X00 Sensors

    After you deploy a Sensor successfully, you configure and manage it using the Manager. The process of configuring a Sensor and establishing communication with the Manager is described in the subsequent chapters of this guide. For the details about the Manager, see the Manager Administration section in Trellix Intrusion Prevention System Product Guide. Functions of NS-series Sensors The NS-series Sensors are a third-generation hardware platform Sensor designed for high bandwidth links to offer Next Generation IPS (NGIPS) capability and provide high aggregate throughput across various Sensor models.

  • Page 286: Deployment Of Ns-Series Sensors

    Deployment of a Sensor requires knowledge of your network to help determine the level of configuration and the number of installed Sensors. You also need to determine the number of Trellix ePolicy Orchestrator - On-prem servers required to protect your network. The Sensor is purpose-built to monitor traffic across one or more network segments.
  • Page 287 The direction of airflow in all the Sensors is from front to back. Cold air enters through the front of the chassis. The following table gives the details of the supported ports. Ports NS3100/NS3200 8 (10/100/1000 Mbps) Fixed RJ-45 ports (internal fail-open) Console port Dedicated Response ports (RJ-45) 1 (10/100/1000 Mbps) Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 288: Sensor Leds

    Power Supply — Power supply is included with an NS3x00 Sensor. The supply uses a standard IEC port (IEC320-C13). Trellix provides a standard, 2 m NEMA 5-15P (US) power cable (3 wire). International customers must procure a country- appropriate power cable.
  • Page 289 Green The link is up. The link is down. Ethernet Ports Speed Green The port speed is 1000 Mbps. Amber The port speed is 100 Mbps. The port speed is 10 Mbps. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 290: Before You Install

    Trellix prohibits the use of the Sensor appliance for anything other than operating Trellix IPS. • Trellix prohibits the modification or installation of any hardware or software on the Sensor appliance that is not part of the normal operation of Trellix IPS.

  • Page 291: Contents Of The Box

    Contents of the box The following accessories are shipped in the NS3x00 Sensor crate: • Sensor • Power cords (Trellix provides a standard and international power cables) • Printed Quick Start Guide Unpack the Sensor Steps: 1. Open the crate.

  • Page 292: How To Position The Sensor

    Before you mount the Sensor on the rack, make sure that the power is off. Remove the power cable and all network interface cables from the Sensor. Important Due to the weight of the appliance, Trellix recommends that one person holds the chassis and the other person fixes it to the rail cabinet. Install the Sensor into a rack.

  • Page 293: Attaching Cables To The Sensor

    The Console port on the NS3x00 Sensor is used for setup and configuration of the Sensor. Steps: 1. For console connections, plug in the DB9 Console cable supplied by Trellix into the Console port on the Sensor.This port is labeled Console in the Sensor front panel.

  • Page 294: Connect The Cable To The Response Port

    The Sensor communicates with the Manager using the Management port. Steps: 1. Plug a Category 5e or 6a Ethernet cable into the Management port.This port is labeled MGMT in the front panel of the NS3x00 Sensor. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 295: About Connecting Cables To The Monitoring Ports

    2. Plug the other end of the cable into the network device connected to your Manager server. Note To isolate and protect your management traffic, Trellix strongly recommends using a separate, dedicated management subnet to interconnect the Sensors and the Manager.

  • Page 296: Cable Types For Routers, Switches, Hubs, And Computers

    This section provides steps to connect the Sensor's ethernet ports so they fail-close. 1. Plug the cable into one of the monitoring ports, for example 1. 2. Plug the cable into the other monitoring port, for example 2. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 297: Connect The Cables For Tap Mode

    To deploy the Sensor in tap mode, you must use a Sensor's ethernet monitoring port pair with a third-party external tap. Note For a list of Trellix-approved third party vendors, see the KnowledgeBase at https://supportm.trellix.com. Enter the relevant KnowledgeBase article in Search the Support Knowledge Center and click Search to locate the relevant KnowledgeBase article.

  • Page 298: Connect The Cable For Sensor Failover

    Cable requirements for Sensor Model Port to connect the HA pair failover NS3100/NS3200 Ethernet copper cable (minimum Category 5e) Steps: 1. Plug the cable into port 1 of the active NS3x00 Sensor. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 299: Turning The Sensor On And Off

    CLI command to halt the shutdown Sensor before turning it off. For more information on CLI commands, see the CLI commands section in Trellix Intrusion Prevention System Product Guide. Configure the Sensor and Manager for deployment...

  • Page 300: Add The Sensor To The Manager

    The Manager installation files available for download are listed. 8. Click on the required Manager installation file and the download starts. 9. Refer to Trellix Intrusion Prevention System Installation Guide for detailed procedure to install the Manager application. Add the Sensor to the Manager Steps: 1.
  • Page 301 Selecting Direct enables online Sensor update. Direct is the default mode. • Contact Information — (Optional) Type the contact information. • Location — (Optional) Type the location. • Comment — (Optional) Type the comment. Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 302: Configure Sensor Information

    Note A password must contain between 8 to 25 characters, is case-sensitive, and can consist of any alphanumeric character or symbol. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 303 10. Set the shared secret key value for the Sensor. At the prompt, type the following command: set sensor The Sensor then prompts you to enter and, subsequently, confirm the shared secret key value. sharedsecretkey Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 304: Verify Successful Installation

    Trust Established 2. Return to the Manager. In the Manager Home page, view the Manager status in the System Faults section.The Manager status should be up and Sensor status should be active. Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 305 Domain> → Intrusion Prevention → Policy Types → IPS Policies.The Default Prevention policy contains attacks already configured with a "blocking" Sensor response action. If any attack in the policy is triggered, the Sensor automatically Trellix Intrusion Prevention System NS-series Sensor Product Guide...

  • Page 306: You're Up And Running

    | NS3x00 Sensors blocks the attack. To tune this or any other Trellix IPS-provided policies, you can clone the policy and then customize it as described in Trellix Intrusion Prevention System Product Guide. 6. Click Device List → <Device_Name> → Port Settings.

  • Page 307: Sensor Technical Specifications

    Sensor. For more information on troubleshooting steps and faults generated in the Manager, see the Troubleshooting section in Trellix Intrusion Prevention System Product Guide. Sensor technical specifications Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 308 UL 1950, CSA-C22.2 No. 950, EN-60950, IEC 950, EN 60825, 21CFR1040 CB license and report covering all national country deviations. EMI Certification FCC Part 15, Class A (CFR 47) (USA) ICES-003 Class A (Canada), EN55022 Class A (Europe), CISPR22 Class A (Int’l) Trellix Intrusion Prevention System NS-series Sensor Product Guide...
  • Page 309 Copyright © 2024 Musarubra US LLC. Trellix and FireEye are the trademarks or registered trademarks of Musarubra US LLC, FireEye Security Holdings US LLC and their affiliates in the US and /or other countries. McAfee is the trademark or registered trademark of McAfee LLC or its subsidiaries in the US and /or other countries.

This manual is also suitable for:

Ns3200Ns3100

Table of Contents

Save PDF