manualshive.com logo in svg

Cisco amp threat grid, Setup And Configuration Manual

The Cisco AMP Threat Grid Setup and Configuration manual is an essential resource for effectively utilizing this powerful security product. This comprehensive manual provides step-by-step instructions with detailed configurations to ensure optimal performance. Download the manual for free from manualshive.com to maximize your knowledge and protect your network.

Share
Download
background image

Cisco AMP Threat Grid Appliance Setup and Configuration Guide

 

PLANNING 
 

 

By default, DNS uses the Dirty interface. The Clean interface is used for FireAMP Private Cloud 
integrations. If the FireAMP Private Cloud hostname cannot be resolved over the Dirty interface, then a 

separate DNS server that uses the Clean interface can be configured in the OpAdmin interface. 

See the 

Threat Grid Appliance Administrator’s Guide

 for additional information. 

NTP Server Access 

The NTP server needs to be accessible via the Dirty network. 

Integrations – ESA/WSA/FireAMP etc.  

Additional planning may be required if the Threat Grid Appliance is going to be used with other Cisco 

products, such as ESA/WSA appliances, FireAMP Private Cloud, etc.  

DHCP 

If you are connected to a network configured to use DHCP, then follow the instructions provided in the 

Using DHCP

 section of the 

Threat Grid Appliance Administrator's Guide

License 

You will receive a license and password from Cisco AMP Threat Grid. 

For questions about licenses, please contact [email protected]

Organization and Users 

Once you have completed the appliance setup and network configuration, you will need to create the initial 
Threat Grid Organizations and user account(s), so people can login and begin submitting malware samples 
for analysis. This task may require planning and coordination among multiple organizations and users, 

depending on your requirements.  

Managing Threat Grid Organizations and users is documented in the 

Threat Grid Appliance Administrator’s 

Guide

Updates 

The initial appliance setup and configuration steps 

must be completed

 before installing any Threat Grid 

appliance updates.  

We recommend that you check for updates immediately after completing the initial configuration described 

in this guide. 

Updates must be done in sequence. Threat Grid Appliance updates cannot be downloaded until the license 
is installed, and the update process requires the initial appliance configuration to be completed. 

Instructions for updating the appliance are located in the 

Threat Grid Appliance Administrator's Guide

Note:

 Verify that SSH is specified for updates. 

Summary of Contents for amp threat grid

Page 1: ...p and Configuration Guide Version 2 2 Last Updated March 8 2017 Cisco Systems Inc www cisco com Cisco has more than 200 offices worldwide Addresses phone numbers and fax numbers are listed on the Cisco website at www cisco com go offices ...

Page 2: ...ALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES Any Internet Protocol IP addresses and phone number...

Page 3: ... Version 2 0 3 SUPPORT CONTACTING THREAT GRID 3 Support Mode 3 Start Support Mode License Workaround Prior to Version 1 4 4 3 Support Servers 4 Support Snapshots 4 PLANNING 5 USER DOCUMENTATION AND ONLINE HELP 5 ENVIRONMENTAL REQUIREMENTS 5 HARDWARE REQUIREMENTS 5 HARDWARE DOCUMENTATION 6 NETWORK REQUIREMENTS 6 DNS Server Access 6 NTP Server Access 7 INTEGRATIONS ESA WSA FIREAMP ETC 7 DHCP 7 LICEN...

Page 4: ...UGGESTIONS 17 POWER ON AND BOOT UP 18 INITIAL NETWORK CONFIGURATION TGSH DIALOG 20 CONFIGURATION WIZARD OPADMIN PORTAL 26 CONFIGURATION WORKFLOW 26 LOGIN TO THE OPADMIN PORTAL 26 ADMIN PASSWORD CHANGE 28 END USER LICENSE AGREEMENT 29 NETWORK CONFIGURATION SETTINGS 29 Network Configuration and DHCP 29 LICENSE INSTALLATION 30 EMAIL HOST CONFIGURATION 30 SERVER NOTIFICATIONS CONFIGURATION 31 NTP SERV...

Page 5: ...irty 21 Figure 12 Network Configuration In Progress admin 22 Figure 13 Network Configuration Confirmation 23 Figure 14 Network Configuration List of Changes Made 24 Figure 15 IP Addresses 25 Figure 16 OpAdmin Login 27 Figure 17 OpAdmin Change Password 28 Figure 18 License Page 29 Figure 19 License Information After Successful Installation 30 Figure 20 Notifications Configuration 31 Figure 21 Appli...

Page 6: ...characteristics can quickly be correlated against millions of other samples to fully understand its behaviors within an historical and global context This ability helps security teams to effectively defend the organization against threats and attacks from advanced malware Who This Guide Is For Before a new appliance can be used for malware analysis it must be set up and configured for the organiza...

Page 7: ...ion Cisco UCS C220 M4 Server Released on November 17 2016 the C220 M4 server includes a hardware refresh as well as the Secure Boot feature Please contact us at support threatgrid com to discuss any questions you may have about upgrading Note Threat Grid will continue to provide support for M3s until after the expiration of their contracted lifespan All the same M4 features are available as over t...

Page 8: ...umbers see http www cisco com c en us support index html When requesting support from Threat Grid please send the following information with your request Appliance version OpAdmin Operations Update Appliance Full service status service status from the shell Network diagram or description if applicable Support Mode Shell or Web interface Support Request Details Support Mode If you require support f...

Page 9: ...pport Session Support Servers Establishing a support session requires that the TG appliance reach the following servers support snapshots threatgrid com rash threatgrid com Both servers should be allowed by the firewall during an active support session Support Snapshots A support snapshot is basically a snapshot of the running system which contains logs ps output etc to help Support staff troubles...

Page 10: ... Install and Upgrade page on Cisco com Threat Grid Portal UI Online Help Threat Grid Portal user documentation including Release Notes Using Threat Grid Online Help API documentation and other information is available from the Help menu located in the navigation bar at the top of the user interface Environmental Requirements The Threat Grid Appliance is deployed on a UCS C220 M3 or C220 M4 server ...

Page 11: ...fic to the appliance requests This includes integrated appliances For example the Cisco Email Security appliances and Web Security appliances ESA WSA connect to the IP address of the Clean interface Note The following specific restricted kinds of network traffic can be outbound from Clean Remote syslog connections Email messages sent by the Threat Grid Appliance itself Disposition Update Service c...

Page 12: ... AMP Threat Grid For questions about licenses please contact support threatgrid com Organization and Users Once you have completed the appliance setup and network configuration you will need to create the initial Threat Grid Organizations and user account s so people can login and begin submitting malware samples for analysis This task may require planning and coordination among multiple organizat...

Page 13: ...e initial randomly generated password which is visible initially in the TGSH Dialog or the new Admin password you create during the first step of the OpAdmin Portal Configuration which is described in the next section OpAdmin Portal This is the primary Threat Grid GUI configuration tool Much of the appliance configuration can ONLY be done via OpAdmin including licenses email host SSL Certificates ...

Page 14: ...outbound Dirty Interface Connect to the Dirty network Requires Internet access Outbound Only DNS Note If you are setting up an integration with a FireAMP Private Cloud and the FireAMP appliance hostname cannot be resolved over the Dirty interface then a separate DNS server that uses the Clean interface can be configured in OpAdmin NTP Updates Support Session in Normal Operations Mode Support Snaps...

Page 15: ...ial configuration steps are described in this document Server Setup Network Interface Connections Setup Admin Clean Dirty Initial Network Configuration TGSH Dialog Main Configuration OpAdmin Portal Install Updates Test the Appliance setup Submit a Sample for Analysis Admin Configuration Complete the remaining administrative configuration tasks license installation email server SSL Certificates etc...

Page 16: ...Cisco AMP Threat Grid Appliance Setup and Configuration Guide PLANNING 11 ...

Page 17: ...vironmental setup information Links to product documentation are provided in the Hardware Documentation section above Network Interface Connections Setup Find the SFP ports there are two and the three Ethernet ports on the back of the appliance and attach the network cables as illustrated below C220 M3 Rack Server Setup Figure 3 Cisco UCS C220 M3 SFF Rack Server The interfaces must be properly con...

Page 18: ...Rear View Details Note For releases 1 0 1 2 a reboot may be needed if an interface was not plugged in at boot time This is a pre 1 3 issue except for any interface requiring an SFP which will still needs to be plugged in at boot time post 1 3 The network cable plugged into the SFP may be hot plugged safely ...

Page 19: ...and Configuration Guide SERVER SETUP 14 C220 M4 Rack Server Setup Figure 5 Cisco UCS C220 M4 SFF Rack Server Note The details of your appliance may differ from the image above Please contact support threatgrid com if you have any questions ...

Page 20: ...Cisco AMP Threat Grid Appliance Setup and Configuration Guide SERVER SETUP 15 Figure 6 CIsco UCS C220 M4 Rear View Details Connections 1 Admin 8 left Clean 8 right Dirty 6 CIMC ...

Page 21: ...recommended setup for an AMP Threat Grid Appliance However each customer s interface setup is different Depending on your network requirements you may well decide to connect the Dirty interface to the inside or the Clean interface to the outside with appropriate network security measures in place for example Figure 7 Network Interfaces Setup Diagram ...

Page 22: ... Internet DNS Allow Allow outbound DNS Dirty interface Internet NTP UDP 123 Allow Allow outbound traffic to access NTP Clean interface SMTP Server SMTP Allow The appliance uses the clean interface to initiate SMTP connections to the configured mail server The Clean interface does not need outbound connectivity to the Internet Clean interface Internet TCP 19791 Allow Allow connectivity to Thread Gr...

Page 23: ...n interface FireAMP Private Cloud TCP 443 Allow Optional only required if FireAMP Private Cloud integration is used Clean Interface LDAP Allow Optional only required if LDAP is configured Dirty Interface OpenDNS TitaniumCloud VirusTotal HTTPS Allow Connect with 3rd party detection and enrichment services Power On and Boot Up Once you have connected the server peripherals and the network interfaces...

Page 24: ... and connected Figure 9 TGSH Dialog The Admin URL shows as unavailable the network interface connections are not yet configured and the OpAdmin Portal cannot be reached yet to perform this task Note Make a note of the administrator Password into a separate text file for convenience copy paste during the OpAdmin Portal configuration steps IMPORTANT The TGSH Dialog displays the initial administrator...

Page 25: ...ing DHCP to obtain your IPs then please see the Threat Grid Appliance Administrator s Guide for more information 1 In the TGSH Dialog interface select CONFIG_NETWORK The Network Configuration console opens Figure 10 TGSH Dialog Network Configuration Console 2 Complete the blank fields according to the settings provided by your network administrator for the clean dirty and admin interfaces 3 Change...

Page 26: ...co AMP Threat Grid Appliance Setup and Configuration Guide INITIAL NETWORK CONFIGURATION TGSH DIALOG 21 Figure 11 Network Configuration In Progress clean and dirty 6 Leave the Dirty network DNS Name blank ...

Page 27: ...ration In Progress admin 7 After you finish entering all the network settings tab down and select Validate to validate your entries If invalid values have been entered you may see errors If this is the case then fix the errors and re Validate After validation the Network Configuration Confirmation displays the values you ve entered ...

Page 28: ...ation 8 Select Apply to apply your configuration settings Have patience This step may take 10 minutes or more to complete The console will become a blank grey box and the screen may display scrolling configuration information as the settings are applied and then it will list detailed information about the configuration changes that have been made ...

Page 29: ... Setup and Configuration Guide INITIAL NETWORK CONFIGURATION TGSH DIALOG 24 Figure 14 Network Configuration List of Changes Made 9 Select OK The Network Configuration Console refreshes again and displays the IP addresses you entered ...

Page 30: ...twork configuration of your appliance Note The URL for the Clean interface will not work until the OpAdmin portal configuration is complete Next Setup Step The next step in the appliance setup is to complete the remaining configuration tasks using the workflow in the OpAdmin portal as described in the following section OPADMIN PORTAL CONFIGURATION WIZARD ...

Page 31: ...dmin Portal administrator s password Email servers DNS servers NTP servers SSL Certificates Other server settings https adminIP OR https adminHostname Note Not all of these settings are completed in the initial OpAdmin portal configuration wizard workflow Some such as SSL Certificates are configured in separate steps as described in the Threat Grid Appliance Administrator s Guide Configuration Wor...

Page 32: ...p and Configuration Guide CONFIGURATION WIZARD OPADMIN PORTAL 27 Figure 16 OpAdmin Login 2 Enter the default Admin Password that you copied from the TGSH Dialog and click Login The Change Password page opens Continue with the next section ...

Page 33: ...igure 17 OpAdmin Change Password 1 Enter the password from the TGSH Dialog into the Old Password field You should have this in a text file for use at this moment 2 Enter and confirm a new password 3 Click Change Password The password is updated The End User License Agreement page opens Note The new password will NOT be displayed in visible text in the TGSH Dialog so be sure to note it down somewhe...

Page 34: ... described in the next section Network Configuration Settings Network Configuration Settings If you configured your static network settings in the TGSH Dialog the IP addresses displayed in the Network Configuration page will reflect the values you entered in the TGSH Dialog during the appliance network configuration Network Configuration and DHCP If you used DHCP for your initial connection and no...

Page 35: ...mation 1 Click on License in the left column The License page opens No license has been installed 2 Under Install New License click Browse and select the license from your file manager 3 Enter the license password you were given into the Passphrase field 4 Click Upload to install The page refreshes and you should see your license information Figure 19 License Information After Successful Installat...

Page 36: ...esses System notifications are displayed in the Threat Grid portal interface but this page allows you to set up notifications that are also sent via email Note Update v1 3 includes a page to configure a Syslog server to receive syslog messages and Thread Grid notifications See the Threat Grid Appliance Admin Guide for more information Figure 20 Notifications Configuration 1 First set the Critical ...

Page 37: ...Cisco AMP Threat Grid Appliance Setup and Configuration Guide CONFIGURATION WIZARD OPADMIN PORTAL 32 ...

Page 38: ...r 3 Click Next The Review and Install page opens with checkboxes next to all of the Configuration steps Continue with the next section Review and Install Configuration Settings Now that you have entered your network configuration settings you must install them as described below 1 In the Review and Install page click Start Installation Configuration scripts are installed and you see the message Th...

Page 39: ...IGURATION WIZARD OPADMIN PORTAL 34 Figure 21 Appliance is Installing 2 After successful installation the State changes from the orange Running to a green Successful message confirming success The Reboot button changes to green and the configuration output is displayed ...

Page 40: ... PORTAL 35 Figure 22 Successful Appliance Installation 3 Click Reboot after the successful installation You will see the message that The appliance is rebooting Rebooting may take up to 5 minutes Please do not make any changes while the Appliance is rebooting Figure 23 Appliance is Rebooting ...

Page 41: ...e CONFIGURATION WIZARD OPADMIN PORTAL 36 Once the appliance has successfully rebooted you will see the following confirmation that the Appliance is configured Figure 24 Appliance Is Configured Your appliance is now setup and the initial configuration is complete ...

Page 42: ...iance The updates page opens displaying the current build of the appliance 2 Click Check Download Updates The software checks to see if there is a more recent update version of the Threat Grid Appliance software and if so it is downloaded This may take some time 3 Once the updates have been downloaded click Run Update to install them For more information about installing updates see the Threat Gri...

Page 43: ...70105200233 32f70432 rel 2 1 6 1 7 2017 LDAP Authentication support for OpAdmin tgsh dialog 2016 05 20161121134140 489f130d rel 2 1 5 11 21 2016 ElasticSearch5 CSA performance fix 2016 05 20160905202824 f7792890 rel 2 1 4 9 5 2016 Primarily of interest to Manufacturing 2016 05 20160811044721 6af0fa61 rel 2 1 3 8 11 2016 Offline update support key M4 wipe support 2016 05 20160715165510 baed88a3 rel...

Page 44: ...01138 8934fa1d v1 4 2014 10 20150805134744 4ce05d84 v1 3 2014 10 20150709144003 b4d4171c v1 2 1 2014 10 20150326161410 44cd33f3 v1 2 2014 10 20150203155143 hotfix1 b06f7b4f v1 1 hotfix1 2014 10 20150203155142 b06f7b4f v1 1 2014 10 20141125162160 hotfix2 8afc5e2f v1 0 hotfix2 NOTE The 1 0 hotfix2 is a mandatory update that fixes the update system itself to be able to handle large files without brea...

Page 45: ...ce Setup and Configuration Guide INSTALLING THREAT GRID APPLIANCE UPDATES 40 Note Updating from 1 0 to 1 0 hotfix2 takes approximately 15 minutes Applying a full update from 1 0 to 1 3 without data migration takes about 30 minutes ...

Page 46: ... Threat Grid login page opens Figure 26 Threat Grid Portal Login Page 2 Enter the default Login and Password admin changeme 3 Click Login The main Threat Grid Sample Analysis page opens 4 In the Submit a Sample box located in the upper right corner to select a sample file or enter a URL to submit for malware analysis 5 Click Upload Sample The Threat Grid sample analysis process is launched You sho...

Page 47: ...ADMINISTRATION Once the Threat Grid Appliance has been setup and initial configuration is completed it is ready for the appliance administrator Release notes Updates SSL Certificates adding users and other administrator tasks and topics are documented in the Threat Grid Appliance Administrator s Guide ...

Page 48: ...ch allows you to enter the Cisco Integrated Management Controller CIMC Configuration Utility The CIMC interface can be used for remote server management You will need a monitor and keyboard attached directly to the appliance 1 Power on the server The Cisco screen opens Figure 27 The Cisco screen F8 to enter the CIMC Configuration Utility 2 After the memory check is completed press F8 to enter the ...

Page 49: ...MC Configuration Utility 3 In the CIMC configuration utility set up an IP address that will be used for remote server management 4 When complete Save and then Exit At this point the server can be managed remotely by using a Web browser to https CIMC IP address 5 The initial user name is admin with a password of password ...

Page 50: ...ration Guide APPENDIX A CIMC CONFIGURATION RECOMMENDED 45 Figure 29 Cisco Integrated Management Controller CIMC Interface The CIMC interface can now be used to view the server health as well as open a KVM to complete the remaining setup steps remotely ...

Reviews:

No comments

Related manuals for amp threat grid

H3C H3C SecPath F1800-A Operation Manual preview
H3C SecPath F1800-A
Brand: H3C Pages: 30
H3C SecPath Series Operation Manual preview
SecPath Series
Brand: H3C Pages: 41
H3C F100-C-A3-W Installation Manual preview
F100-C-A3-W
Brand: H3C Pages: 46
ZyXEL Communications ZyWALL USG 100 Series Manual preview
ZyWALL USG 100 Series
Brand: ZyXEL Communications Pages: 1157
Check Point M2 Brochure & Specs preview
M2
Brand: Check Point Pages: 4
Uplogix 32-port Installation Manual preview
32-port
Brand: Uplogix Pages: 46
Trend Micro CR100 Series Installation And Manual preview
CR100 Series
Brand: Trend Micro Pages: 69

Brands by name

Popular brands

Load more brands