Source fire Sourcefire 3D System Installation Manual Download Page 274

Page: 274 / 280

Version 5.2

Sourcefire 3D System User Guide

274

policy

reputation (IP address)

Glossary

policy

A mechanism for applying settings, most often to an

, correlation policy,

preprocessor

A feature that normalizes traffic inspected by an

intrusion policy

and that helps

identify network layer and transport layer protocol anomalies by identifying

inappropriate header options, defragmenting IP datagrams, providing TCP stateful

inspection and stream reassembly, and validating checksums. Preprocessors can

also render specific types of packet data in a format that the system can analyze;

these preprocessors are called data normalization preprocessors, or application

layer protocol preprocessors. Normalizing application layer protocol encoding

allows the system to effectively apply the same content-related intrusion rules to

packets whose data is represented differently and obtain meaningful results.

Preprocessors generate

preprocessor rules

whenever packets trigger

preprocessor options that you configure.

preprocessor rule

intrusion rule

associated with a

preprocessor

or with the portscan flow

detector. You must enable preprocessor rules if you want them to generate

event

s. Preprocessor rules have a preprocessor-specific GID (generator ID).

protected network

Your organization’s internal network that is protected from users of other

networks by a device such as a firewall. Many of the

intrusion rules

delivered with

the Sourcefire 3D System use variables to define the protected network and the

unprotected (or outside) network.

Protection license

A license for

Series 3

and

virtual devices

that allows you to perform

intrusion

detection and prevention

file control

, an d

Security Intelligence

filtering. Without a

license,

Series 2

devices automatically have Protection capabilities, with the

exception of Security Intelligence.

RADIUS

authentication

Remote Authentication Dial In User Service, a service used to authenticate,

authorize, and account for user access to network resources. You can create an

external authentication object to allow Sourcefire 3D System users to

authenticate through a RADIUS server.

remediation

An action that mitigates potential attacks on your system. You can configure

remediations and, within a correlation policy, associate them with correlation

rules and compliance white lists so that when they trigger, the

Defense Center

launches the remediation. This can not only automatically mitigate attacks when

you are not immediately available to address them, but can also ensure that your

system remains compliant with your organization’s

security policy

. The Defense

Center ships with predefined remediation modules, and you also can use a

flexible API to create custom remediations.

reputation (IP

address)

See

Security Intelligence

Summary of Contents for Sourcefire 3D System

Page 1: ...Version 5 2 Sourcefire 3D System Installation Guide 1 Sourcefire 3D System Installation Guide Version 5 2...

Page 2: ...ademarks or registered trademarks of Sourcefire Inc in the United States and other countries Other company product and service names may be trademarks or service marks of others 2004 2013 Sourcefire I...

Page 3: ...Sourcefire 3D System Components 16 Licensing the Sourcefire 3D System 19 Using Legacy RNA Host and RUA User Licenses 22 Security Internet Access and Communication Ports 23 Internet Access Requirements...

Page 4: ...i Site Environments 53 Integrating Managed Devices within Complex Networks 55 Chapter 3 Installing a Sourcefire 3D System Appliance 57 Included Items 58 Security Considerations 58 Identifying the Mana...

Page 5: ...lti Function Keys 113 Idle Display Mode 114 Network Configuration Mode 115 Allowing Network Reconfiguration Using the LCD Panel 117 System Status Mode 118 Information Mode 119 Error Alert Mode 121 Cha...

Page 6: ...Rules During Restore 211 Downloading the ISO and Update Files and Mounting the Image 212 Invoking the Restore Process 213 Saving and Loading Restore Configurations 215 Restoring a DC1000 or DC3000 Usi...

Page 7: ...249 Appendix B Using SFP Transceivers on a 3D7115 or 3D7125 251 3D7115 and 3D7125 SFP Sockets and Transceivers 251 Inserting an SFP Transceiver 253 Removing an SFP Transceiver 254 Appendix C Inserting...

Page 8: ...lled on network segments monitor traffic for analysis Devices in a passive deployment monitor traffic flowing across a network for example using a switch SPAN virtual switch or mirror port Passive sen...

Page 9: ...c sensing managed device or a managing Defense Center Physical devices are fault tolerant purpose built network appliances available with a range of throughputs and capabilities Defense Centers serve...

Page 10: ...ices with a Defense Center Depending on model and license managed devices gather detailed information about your organization s hosts operating systems applications users files networks and vulnerabil...

Page 11: ...aging resets devices in inline deployments to a non bypass configuration and disrupts traffic on your network For more information see Traffic Flow During the Restore Process on page 199 When running...

Page 12: ...elivered with Version 5 2 The following table lists the appliances that Sourcefire delivers with Version 5 2 of the Sourcefire 3D System Although Sourcefire does not deliver Version 5 2 on Series 2 ap...

Page 13: ...el on page 13 and Licensing the Sourcefire 3D System on page 19 The Defense Center column for device based capabilities such as stacking switching and routing indicates whether that Defense Center can...

Page 14: ...AMP DC1000 DC3000 FireAMP integration n a n a n a fast path rules 3D9900 8000 Series strict TCP enforcement configurable bypass interfaces except where hardware limited tap mode 3D9900 switching and...

Page 15: ...ns and safety 7000 Series Chassis Designations The 7000 Series Chassis Models table lists the chassis designations for the 7000 Series models available world wide device clustering clustered stacks 3D...

Page 16: ...Resource Sharing The redundancy and resource sharing features of the Sourcefire 3D System allow you to ensure continuity of operations and to combine the processing resources of multiple physical dev...

Page 17: ...access control and modify intrusion rule states Access Control Access control is a policy based feature that allows you to specify inspect and log the traffic that traverses your network As part of ac...

Page 18: ...allow the file FireAMP is Sourcefire s enterprise class endpoint based AMP solution If your organization has a FireAMP subscription individual users install FireAMP Connectors on their computers and m...

Page 19: ...is required to perform host application and user discovery The FireSIGHT license on your Defense Center also determines how many individual hosts and users you can monitor with the Defense Center and...

Page 20: ...It also allows you to view trajectories which track files transmitted over your network A Malware license requires a Protection license VPN A VPN license allows you to build secure VPN tunnels among t...

Page 21: ...nted by that license such as switching or routing Although the DC500 can manage devices with Protection and Control licenses you cannot perform Security Intelligence filtering or user control For deta...

Page 22: ...ning Version 5 2 gives you the higher limit For your convenience the web interface displays only the licenses that represent the higher limits IMPORTANT Because FireSIGHT license limits are matched to...

Page 23: ...f the Sourcefire 3D System require this direct connection and others support use of a proxy server Additionally the system requires that certain ports remain open for basic intra appliance communicati...

Page 24: ...primary failure you must switch roles URL filtering data download cloud based URL category and reputation data for access control and perform lookups for uncategorized URLs The primary Defense Center...

Page 25: ...ectional allow the RSS Feed dashboard widget to connect to a remote web server use for auto update Adding inbound access allows the Defense Center to update custom and third party Security Intelligenc...

Page 26: ...re 3D System User Guide 3306 Sourcefire User Agent TCP Inbound allow communication between the Defense Center and Sourcefire User Agents 8302 eStreamer TCP Bidirectional use for an eStreamer client 83...

Page 27: ...or attacks that might affect the availability integrity or confidentiality of hosts on the network A device can be deployed in an inline switched routed or hybrid Layer 2 Layer3 environment To learn m...

Page 28: ...ces on page 28 for more information How will you connect the managed devices to the network Hubs Taps Spanning ports on switches Virtual switches See Connecting Devices to Your Network on page 32 for...

Page 29: ...hysical ports on a managed device as passive interfaces For more information see Connecting Devices to Your Network on page 32 Inline Interfaces LICENSE Any SUPPORTED DEVICES Any You configure an inli...

Page 30: ...ass to stop traffic if the device fails Note that reimaging resets appliances in bypass mode to a non bypass configuration and disrupts traffic on your network until you reconfigure bypass mode For mo...

Page 31: ...tructions for Setting Up Virtual Switches in the Sourcefire 3D System Guide Routed Interfaces LICENSE Control SUPPORTED DEVICES Series 3 You can configure routed interfaces on a managed device in a La...

Page 32: ...responds to the traffic depending on the destination IP address If the system receives any other traffic it handles it as Layer 2 traffic and switches it appropriately To create a hybrid interface yo...

Page 33: ...interface set to the span port you can monitor the combined traffic from all ports generally both incoming and outgoing If you already have a switch that includes this feature on your network in the...

Page 34: ...ifferent network cards Note that some 8000 Series NetMods do not allow bypass configuration The network interface cards NICs in the device support a feature called Auto Medium Dependent Interface Cros...

Page 35: ...tions Note that a Layer 2 port functions as a straight through MDI endpoint in the deployment and a Layer 3 port functions as a crossover MDIX endpoint in the deployment The total crossovers cables an...

Page 36: ...f you allow the network interfaces to auto negotiate If your network environment requires that you turn off the Auto Negotiate option on the Network Interface page then you must specify the correct MD...

Page 37: ...each virtual switch the system switches traffic only to the set of ports configured as switched interfaces For example if you configure a virtual switch with four switched interfaces when the system r...

Page 38: ...virtual switch indicated by the blue line and from computer B to computer A through the same virtual switch indicated by the green line Similarly traffic can pass to and from the file and web servers...

Page 39: ...system receives a VLAN tagged packet and you have not configured a logical routed interface it also drops the packet Virtual routers have the advantage of scalability Where physical routers limit the...

Page 40: ...figured as a virtual switch to pass traffic on a local network and virtual routers to route traffic to networks either private or public To create a hybrid interface you first configure a virtual swit...

Page 41: ...PORTED DEVICES Series 3 You can create a gateway virtual private network gateway VPN connection to establish a secure tunnel between a local gateway and a remote gateway The secure tunnel between the...

Page 42: ...tion s network Mesh deployments connect all endpoints together by means of VPN tunnels This offers redundancy in that when one endpoint fails the remaining endpoints can still communicate with each ot...

Page 43: ...nt See the Sourcefire 3D System User Guide for more information on this feature An access control policy determines how the system handles traffic on your network You can add access control rules to y...

Page 44: ...te locations or on mobile devices Inside the Firewall Managed devices inside the firewall monitor inbound traffic allowed by the firewall or traffic that passes the firewall due to misconfiguration Co...

Page 45: ...s such as mail relay and web proxy to users on the internal network Content stored in the DMZ is static and changes are planned and executed with clear communication and advance notice Attacks in this...

Page 46: ...es a strict access control policy for all internal traffic in addition to outbound traffic Add access control rules to tightly control traffic between users and applications On the Core Network Core a...

Page 47: ...ccess to the primary network Mobile devices and the use of personal devices for business purposes for example using a smart phone to access corporate email are becoming increasingly common These netwo...

Page 48: ...PORTANT Although each port is capable of receiving the full throughput for which the device is rated the total traffic on the managed device cannot exceed its bandwidth rating without some packet loss...

Page 49: ...t with a gigabit optical tap as shown in the illustration below both sets of ports on the managed device are used by the connectors from the tap You can use the virtual switch to replace both the tap...

Page 50: ...s you can use the virtual switch capability of the device to replace both switches in your deployment Complex Network Deployments Your enterprise s network may require remote access such as using a VP...

Page 51: ...the terminating endpoints of the VPN connections ensures that all packet information can be accessed The following diagram illustrates how managed devices can be deployed in a VPN environment You can...

Page 52: ...2 Sourcefire 3D System Installation Guide 52 Understanding Deployment Complex Network Deployments Chapter 2 how managed devices can be installed at key locations on a complex network with multiple ent...

Page 53: ...he Sourcefire 3D System supports this by offering the Defense Center which aggregates and correlates events from managed devices deployed throughout the organization s many locations Unlike deploying...

Page 54: ...urcefire 3D System Installation Guide 54 Understanding Deployment Complex Network Deployments Chapter 2 the managed devices over a VPN or with some other secure tunneling protocol as shown in the foll...

Page 55: ...tworks You can deploy managed devices in more complex network topologies than a simple multi sector network This section describes the issues surrounding network discovery and vulnerability analysis w...

Page 56: ...ing system changes and cannot deliver a static operating system identification with a high confidence value Depending on the number of different operating systems on the affected hosts the system may...

Page 57: ...ense Center which manages one or more devices to correlate data across your full deployment and coordinate and respond to threats to your security See the following sections for more information about...

Page 58: ...Place a desktop device 3D500 1000 2000 within a secure location that prevents access by unauthorized personnel Allow only trained and qualified personnel to install replace administer or service the S...

Page 59: ...pliance The following illustration of the rear of the chassis indicates the location of the management interface on a DC750 Rev 1 DC750 Rev 1 The following illustration of the rear of the chassis indi...

Page 60: ...es the location of the management interface Sourcefire 3D500 1000 2000 The 3D500 1000 2000 is available as a desktop appliance The following illustration indicates the location of the management inter...

Page 61: ...the management interface The 3D8250 is available as a 2U appliance The 3D8260 8270 8290 is available as a 2U appliance with one two or three secondary 2U appliances The following illustration of the...

Page 62: ...interfaces to passively sense up to four separate network segments You also can use paired interfaces in inline or inline with bypass mode which allows you to deploy the device as an intrusion preven...

Page 63: ...urable bypass capability The following illustration of the front of the chassis indicates the location of the sensing interfaces Eight Port 1000BASE T Copper Configurable Bypass Interfaces You can use...

Page 64: ...y monitor up to eight separate network segments You can also use paired interfaces in inline or inline with bypass mode to deploy the device as an intrusion prevention system on up to four networks If...

Page 65: ...d performance If you want to take advantage of the device s automatic bypass capability you must connect either the two interfaces on the left or the two interfaces on the right to a network segment A...

Page 66: ...rfaces as an inline set and enable bypass mode on the inline set SFP Interfaces When you install Sourcefire SFP transceivers into the SFP sockets you can passively monitor up to eight separate network...

Page 67: ...ing modules contain configurable bypass sensing interfaces a quad port 1000BASE T copper interface with configurable bypass capability a quad port 1000BASE SX fiber interface with configurable bypass...

Page 68: ...ce with configurable bypass capability See Quad Port 1000BASE T Copper Configurable Bypass NetMod on page 69 for more information a quad port 1000BASE SX fiber interface with configurable bypass capab...

Page 69: ...3D8250 and is provided in the 3D8260 8270 8290 stacked configurations See 8000 Series Stacking Module on page 73 for more information Quad Port 1000BASE T Copper Configurable Bypass NetMod You can use...

Page 70: ...ou must also use the web interface to configure a pair of interfaces as an inline set and enable bypass mode on the inline set Dual Port 10GBASE MMSR or SMLR Fiber Configurable Bypass NetMod The dual...

Page 71: ...pable device displays 3D 8250 40G on the LCD Panel You can use this configuration to passively monitor up to two separate network segments You also can use the paired interface in inline or inline wit...

Page 72: ...1000BASE SX Fiber Non Bypass NetMod The quad port 1000BASE SX fiber non bypass configuration uses LC type Local Connector optical transceivers You can use these connections to passively monitor up to...

Page 73: ...Stacking Module A stacking module combines the resources of two or more identically configured appliances The stacking module is optional on the 3D8140 and 3D8250 and is provided in the 3D8260 8270 82...

Page 74: ...hey are not used You can stack devices in the following configurations two 3D8140s up to four 3D8250s a 3D8260 a 10G capable primary device and a secondary device a 3D8270 a 40G capable primary device...

Page 75: ...ary device installed below the primary device To connect a 3D8140 secondary device Use an 8000 Series stacking cable to connect the left stacking interface on the primary device to the left stacking i...

Page 76: ...each secondary device directly to the primary device as required for the number of secondary devices in the configuration 3D8250 Primary Device with One Secondary Device The following example shows a...

Page 77: ...8270 which includes a 40G capable 3D8250 primary device and two dedicated secondary devices One secondary device is installed above the primary device and the other is installed below the primary devi...

Page 78: ...ing module on the primary device to the left interface on the stacking module on the secondary device 2 Use a second 8000 Series stacking cable to connect the right interface on the stacking module on...

Page 79: ...an 8000 Series stacking cable To insert the cable hold the cable end with release tab facing up then insert the keyed end into the port on the stacking module until you hear the latch click into plac...

Page 80: ...following s IP address 192 168 45 2 netmask 255 255 255 0 default gateway 192 168 45 1 Using an Ethernet cable connect the network interface on the local computer to the management interface on the ap...

Page 81: ...want to analyze using the appropriate cables for your interfaces Copper Sensing Interfaces If your device includes copper sensing interfaces make sure you use the appropriate cables to connect them to...

Page 82: ...e Deployments on Copper Interfaces on page 34 7 Continue with the next chapter Setting Up a Sourcefire 3D System Appliance on page 86 Redirecting Console Output By default Sourcefire appliances direct...

Page 83: ...ter or Series 2 managed device type sudo su and provide the password again On a Series 3 managed device type expert to display the shell prompt Then type sudo su and provide the password again The roo...

Page 84: ...ing Inline Sets in the Sourcefire 3D System User Guide for instructions on configuring an interface set for inline bypass mode 2 Set all interfaces on the switch the firewall and the device sensing in...

Page 85: ...ardware bypass 9 Wait 30 seconds Verify that your ping traffic resumes 10 Power the device back on and verify that your ping traffic continues to pass 11 For appliances that support tap mode you can t...

Page 86: ...tem creates and applies The purpose of these initial configurations and policies is to provide an out of the box experience and to help you quickly set up your deployment not to restrict your options...

Page 87: ...o set up an appliance without powering it down However if you need to power down for any reason use the procedure in the Managing Devices chapter in the Sourcefire 3D System User Guide the system shut...

Page 88: ...management and analysis tasks for your deployment Physical managed devices have a restricted web interface that you can use only to perform basic administration For more information see Next Steps on...

Page 89: ...omplete the setup of a managed device using its web interface see Initial Setup Page Devices on page 93 To complete the setup of a Defense Center using its web interface see Initial Setup Page Defense...

Page 90: ...faults are listed in square brackets such as y Press Enter to confirm a choice Note that the script prompts you for much of the same setup information that the appliance s setup web page does For more...

Page 91: ...llowing the setup prompts options are listed in parentheses such as y n Defaults are listed in square brackets such as y Press Enter to confirm a choice Note that the CLI prompts you for much of the s...

Page 92: ...d on how you deployed the device For more information see Detection Mode on page 98 The console may display messages as your settings are implemented When finished the device reminds you to register t...

Page 93: ...me IPv4_address IPv6_address DONTRESOLVE reg_key nat_id where hostname IPv4_address IPv6_address DONTRESOLVE specifies either the fully qualified host name or IP address of the Defense Center If the D...

Page 94: ...or a device where network settings are already configured use a computer on your management network to browse to the IP address of the device s management interface The login page appears 2 Log in usi...

Page 95: ...t interface to the management network If you need to access the device s web interface at any time direct a browser on a computer on the management network to the IP address or host name that you conf...

Page 96: ...otocol IPv4 IPv6 or Both Depending on your choice the setup page displays various fields where you must set the IPv4 or IPv6 management IP address netmask or prefix length and default gateway For IPv4...

Page 97: ...u must manage a Sourcefire device with a Defense Center For your convenience the setup page allows you to preregister the device to the Defense Center that will manage it Leave the Register This Devic...

Page 98: ...evice determines how the system initially configures the device s interfaces and whether those interfaces belong to an inline set or security zone The detection mode is not a setting you can change la...

Page 99: ...cation user and URL control A device configured to perform access control usually fails closed and blocks non matching traffic Rules explicitly specify the traffic to pass You should also choose this...

Page 100: ...lure As part of the initial setup you can Enable Automatic Backups Enabling this setting creates a scheduled task that creates a weekly backup of the configurations on the device End User License Agre...

Page 101: ...nce Model on page 13 and Licensing the Sourcefire 3D System on page 19 To complete the initial setup on a Defense Center using its web interface ACCESS Admin 1 Direct your browser to https mgmt_ip whe...

Page 102: ...address or host name that you just configured and complete the rest of the procedures in this guide 4 Use the Task Status page System Monitoring Task Status to verify that the initial setup was succes...

Page 103: ...k protocol IPv4 IPv6 or Both Depending on your choice the setup page displays various fields where you must set the IPv4 or IPv6 management IP address netmask or prefix length and default gateway For...

Page 104: ...trusion rules and preprocessor rules modified states for existing rules and modified default intrusion policy settings Rule updates may also delete rules and provide new rule categories and system var...

Page 105: ...eployment Sourcefire recommends that you Enable Recurring Weekly Updates You can specify the weekly update frequency for the GeoDB Click the time zone to change it using a pop up window To download th...

Page 106: ...e licenses your organization has purchased If you do not add licenses now any devices you register during initial setup are added to the Defense Center as unlicensed you must license each of them indi...

Page 107: ...urrently supported by the Sourcefire 3D System You can add most pre registered devices see Remote Management on page 97 to the Defense Center during the initial setup process However if a device and t...

Page 108: ...chitecture and resource limitations not all licenses can be applied to all managed devices However the setup page does not prevent you from enabling unsupported licenses on managed devices or enabling...

Page 109: ...ify its success Sourcefire recommends that you complete various administrative tasks that make your deployment easier to manage You should also complete any tasks you skipped during the initial setup...

Page 110: ...ail relay host preferences and time synchronization settings Sourcefire recommends that you use the Defense Center to apply the same system policy to itself and all the devices it manages By default t...

Page 111: ...12 explains how to identify the components of the LCD panel and display the panel s main menu Using the LCD Multi Function Keys on page 113 explains how to use the multi function keys on the LCD panel...

Page 112: ...in the Sourcefire 3D System User Guide Understanding LCD Panel Components The LCD panel on the front of a Series 3 device has a display and four multi function keys The display contains two lines of t...

Page 113: ...ying system information see Information Mode on page 119 IMPORTANT Pressing a multi function key as the LCD panel enters Idle Display mode can cause the panel to display an unexpected menu Using the L...

Page 114: ...als between displaying the CPU utilization and free memory available and the chassis serial number A sample of each display might look like this CPU 50 FREE MEM 1024 MB or Serial Number 3D99 101089108...

Page 115: ...t the ability to change s using the LCD panel is disabled You can enable it during the initial setup process or using the device s web interface For more information see Allowing Network Reconfigurati...

Page 116: ...o the next digit in the IP address To edit the digit press the minus or plus keys on the top row to decrease or increase the digit by one To move to the next digit in the IP address press the right ar...

Page 117: ...risk the ability to change s using the LCD panel is disabled by default You can enable it during the initial setup process see Setting Up a Series 3 Device on page 89 or using the device s web interf...

Page 118: ...and free memory available Note that Idle Display mode also shows this information Link State Displays a list of any inline sets currently in use and the link state status for that set The first line...

Page 119: ...hrough the options by pressing the down arrow key until the LCD panel displays the LCD Brightness and LCD Contrast options LCD Brightness LCD Contrast 2 Press the right arrow key in the row next to th...

Page 120: ...y on the bottom row to access Information mode 4 Scroll through the options by pressing the down arrow key Press the right arrow key in the row next to the information you want to view Depending on th...

Page 121: ...ll through the list of error alerts For more information see the LCD Panel Multi Function Keys table on page 114 To exit Error Alert mode Press the appropriate multi function key as indicated on the L...

Page 122: ...re Series 2 Devices on page 142 Sourcefire 7000 Series Devices on page 146 Sourcefire 8000 Series Devices on page 172 Rack and Cabinet Mounting Options You can mount Sourcefire appliances in racks and...

Page 123: ...delivered on two different chassis Rev 1 and Rev 2 Specifications vary but the appliances function identically See the following sections for more information about the appliance DC750 Chassis Front...

Page 124: ...2 3 and 4 activity status and the power button are also the LEDs DC750 Rev 2 Front Panel Components Rev 1 A USB port E Fixed disk drive status LED B Power button F NIC 1 activity status LED C System s...

Page 125: ...s the system is operating normally No light indicates the system is off A blinking green light indicates the system is sleeping The sleep indication is maintained on standby by the chipset If the syst...

Page 126: ...processors or processor incompatibility critical event logging errors including System Memory Uncorrectable ECC error and fatal uncorrectable bus errors such as PCI SERR and PERR Non critical A non c...

Page 127: ...stem Components Rear View FEATURE DESCRIPTION Power supply Provides power to the Defense Center through an AC power source Serial port VGA port USB ports Allows you to attach a monitor keyboard and mo...

Page 128: ...120 VAC 9 5 Ampere maximum at 110 volts 50 60 Hz 4 75 Ampere maximum at 220 volts 50 60 Hz Operating temperature 50 F to 95 F 10 C to 35 C with the maximum rate of change not to exceed 18 F 10 C per h...

Page 129: ...n x 1 67 in 55 37 cm x 43 82 cm x 4 24 cm Max weight 33 lbs 15 kg Power supply 250 W power supply for 120 VAC 6 0 Ampere maximum at 110 volts 50 60 Hz 3 0 Ampere maximum at 220 volts 50 60 Hz Operatin...

Page 130: ...operating state The DC1500 Front Panel LEDs table describes the LEDs on the front panel Front Panel Controls Hard Drives RAID 1 Front Panel Components A NIC 2 activity LED G ID LED B NIC 1 activity LE...

Page 131: ...e fault No light indicates there is no drive activity or the system is powered off or sleeping Drive activity is determined from the onboard hard disk controllers The server board also provides a head...

Page 132: ...or processor incompatibility critical event logging errors including System Memory Uncorrectable ECC error and fatal uncorrectable bus errors such as PCI SERR and PERR Non critical A non critical cond...

Page 133: ...nagement interface is used for maintenance and configuration purposes only and is not intended to carry service traffic Alternate eStreamer interface Provides an alternate interface for the eStreamer...

Page 134: ...nments PIN SIGNAL DESCRIPTION 1 DCD Carrier detect 2 RD Received data 3 TD Transmitted data 4 DTR Data terminal ready 5 GND Ground 6 DSR Data set ready 7 RTS Request to send 8 CTS Clear to send 9 RI R...

Page 135: ...f the appliance includes controls and LED displays for the front panel Non operating humidity 90 non condensing at 82 4 F 28 C Acoustic noise 7 0 dBA rack mount in an idle state at typical office ambi...

Page 136: ...ot have power System status Indicates the system status A green light indicates the system is operating normally A blinking green light indicates the system is operating in a degraded condition A blin...

Page 137: ...or processor incompatibility critical event logging errors including System Memory Uncorrectable ECC error and fatal uncorrectable bus errors such as PCI SERR and PERR Non critical A non critical con...

Page 138: ...e appliance to its original factory delivered state using the thumb drive delivered with the appliance RJ45 serial port Allows you to establish a direct workstation to appliance connection using an RJ...

Page 139: ...t activity Indicates activity on the port A blinking light indicates activity No light indicates there is no activity Right link Indicates whether the link is up A light indicates the link is up No li...

Page 140: ...nments PIN SIGNAL DESCRIPTION 1 DCD Carrier detect 2 RD Received data 3 TD Transmitted data 4 DTR Data terminal ready 5 GND Ground 6 DSR Data set ready 7 RTS Request to send 8 CTS Clear to send 9 RI R...

Page 141: ...x 1 7 in 66 5 cm x 43 0 cm x 4 3 cm Weight 38 lbs 17 2 kg Power supply Dual 650 W redundant power supplies for 120 VAC 8 5 Amp max at 110 volts 50 60 Hz 4 2 Amp max at 220 volts 50 60 Hz Operating te...

Page 142: ...devices Optionally you can rack mount the device using a 1U rack mounting kit See the following sections for more information about the appliance 3D500 3D1000 or 3D2000 Chassis Front View on page 142...

Page 143: ...the device as an intrusion prevention system The 3D500 can monitor one network as an IPS while the 3D1000 and 3D2000 can monitor two networks as an IPS If you want to take advantage of the device s au...

Page 144: ...workstation to appliance connection This gives you direct access to all of the appliance s management services VGA port Allows you to attach a monitor to the appliance as an alternative to using the s...

Page 145: ...D2000 Physical and Environmental Parameters PARAMETER DESCRIPTION Form factor 1U rack mounted or desktop device Dimensions D x W x H 6 7 in x 11 8 in x 1 25 in 17 cm x 30 cm x 3 2 cm Power Adapter AC...

Page 146: ...3D7030 The 3D7010 3D7020 and 3D7030 also called the 70xx Family are 1U appliances one half the width of the rack tray and delivered with eight copper interfaces each with configurable bypass capabilit...

Page 147: ...111 Sensing interfaces Contain the sensing interfaces that connect to the network For information see Sensing Interfaces on page 149 10 100 1000 Ethernet management interface Provides for an out of ba...

Page 148: ...is powered up and operating normally or powered down and attached to AC power An amber light indicates a system fault See the 70xx Family System Status table on page 149 for more information Hard dri...

Page 149: ...power up due to incorrectly installed processors or processor incompatibility critical event logging errors including System Memory Uncorrectable ECC error and fatal uncorrectable bus errors such as P...

Page 150: ...r The speed of the traffic on the interface is 10Mb or 100Mb Link green The speed of the traffic on the interface is 1Gb Activity blinking green The interface has link and is passing traffic 70xx Fami...

Page 151: ...USB Ports 70xx Family System Components Rear View FEATURE DESCRIPTION System ID LED Helps identify a system installed in a high density rack with other similar systems The blue LED indicates that the...

Page 152: ...ASE T Gigabit copper ethernet bypass capable interfaces in a paired configuration Cable and distance Cat5E at 50 m Power supply 200 W AC power supply Voltage 100 VAC to 240 VAC nominal 90 VAC to 264 V...

Page 153: ...sical and Environmental Parameters on page 161 3D7110 and 3D7120 Chassis Front View The front of the chassis contains the LCD panel USB port front panel and either copper or fiber sensing interfaces 3...

Page 154: ...he LCD Panel on a Series 3 Device on page 111 Front panel USB 2 0 port Allows you to attach a keyboard to the device Front panel Houses LEDs that display the system s operating state as well as variou...

Page 155: ...m Status on page 156 for more information Reset button Allows you to reboot the appliance without disconnecting it from the power supply Hard drive activity Indicates the hard drive status A blinking...

Page 156: ...a threshold crossing associated with the following events temperature voltage or fan non critical threshold crossing chassis intrusion Set fault indication command from system BIOS the BIOS may use th...

Page 157: ...faces Link LED Activity LED Bypass LED 3D7110 and 3D7120 Copper Link Activity LEDs STATUS DESCRIPTION Both LEDs off The interface does not have link Link amber The speed of the traffic on the interfac...

Page 158: ...ESCRIPTION Top activity For an inline interface the light is on when the interface has activity If dark there is no activity For a passive interface the light is non functional Bottom link For an inli...

Page 159: ...o attach a monitor keyboard and mouse to the device to establish a direct workstation to appliance connection 10 100 1000 Ethernet management interface Provides for an out of band management network c...

Page 160: ...activity on the port A blinking light indicates activity No light indicates there is no activity Right link Indicates whether the link is up A light indicates the link is up No light indicates there...

Page 161: ...Fiber bypass capable interfaces with LC connectors Cable and distance SX is multimode fiber 850 nm at 550 m standard Power supply 450 W dual redundant 1 1 AC power supplies Voltage 100 VAC to 240 VAC...

Page 162: ...d Environmental Parameters on page 170 3D7115 and 3D7125 Chassis Front View The front of the chassis contains the LCD panel USB port front panel copper sensing interfaces and SFP sockets 3D7115 and 3D...

Page 163: ...eries 3 Device on page 111 Front panel USB 2 0 port Allows you to attach a keyboard to the device Front panel Houses LEDs that display the system s operating state as well as various controls such as...

Page 164: ...page 165 for more information Reset button Allows you to reboot the appliance without disconnecting it from the power supply Hard drive activity Indicates the hard drive status A blinking green light...

Page 165: ...ctable ECC error and fatal uncorrectable bus errors such as PCI SERR and PERR Non critical A non critical condition is a threshold crossing associated with the following events temperature voltage or...

Page 166: ...ployments See Using SFP Transceivers on a 3D7115 or 3D7125 on page 251 Link LED Activity LED Bypass LED 3D7115 and 3D7125 Copper Link Activity LEDs STATUS DESCRIPTION Both LEDs off The interface does...

Page 167: ...Fiber Sample Copper Front with Bale Rear with Contacts Link LED Activity LED 3D7115 and 3D7125 SFP Socket Activity Link LEDs STATUS DESCRIPTION Top activity For an inline interface the light is on whe...

Page 168: ...cal connectors LC duplex LC duplex Bit rate 1000Mbps 1000Mbps Baud rate encoding tolerance 1250Mbps 8b 10b encoding 1250Mbps 8b 10b encoding Optical interface Multimode Single mode only Operating dist...

Page 169: ...sed for maintenance and configuration purposed only and is not intended to carry service traffic System ID LED Helps identify a system installed in a high density rack with other similar systems The b...

Page 170: ...le failure a blown fuse or a fan failure the power supply shuts down Blinking red A power supply warning event such as high temperature or a slow fan the power supply continues to operate Blinking gre...

Page 171: ...er supply 1 5A maximum for 187 VAC to 264 VAC per supply Frequency range 47 Hz to 63 Hz Operating temperature 5o C to 40o C 41o F to 104o F Non operating temperature 20oC to 70oC 29oF to 158oF Operati...

Page 172: ...es You can add up to three stacking kits for a total 8U configuration 3D8260 part of the 82xx Family is a 4U configuration with two 2U chassis The primary chassis contains one stacking module and up t...

Page 173: ...eries chassis can be in the 81xx Family or 82xx Family See Sourcefire Series 3 Information on page 232 for safety considerations for 81xx Family and 82xx Family appliances 81xx Family Chassis Front Vi...

Page 174: ...amily Front Panel 8000 Series System Components Front View FEATURE DESCRIPTION Module slots Contain the modules For information on available modules see 8000 Series Modules on page 185 LCD panel Opera...

Page 175: ...re 8000 Series Devices Chapter 6 82xx Family Front Panel 8000 Series Front Panel Components A NIC activity LED F Reset button B Reserved G ID button C Hard drive activity LED H Power button and LED D...

Page 176: ...een indicates the system is operating normally Blinking green indicates the system is operating in a degraded condition Blinking amber indicates the system is in a non critical condition Amber indicat...

Page 177: ...is a threshold crossing associated with the following events temperature voltage or fan non critical threshold crossing chassis intrusion Set Fault Indication command from system BIOS the BIOS may us...

Page 178: ...ment interface and the power supplies 81xx Family Chassis CHAS 1U AC DC Rear View 82xx Family Chassis Rear View The rear view of the chassis contains power supplies connection ports and the management...

Page 179: ...ess to all of the management services on the device The RJ45 serial port is used for maintenance and configuration purposes only and is not intended to carry service traffic See the 8000 Series RJ45 t...

Page 180: ...eries Power Supply LEDs LED DESCRIPTION Off The power supply is not plugged in Amber No power supplied to this module OR A power supply critical event such as module failure a blown fuse or a fan fail...

Page 181: ...Cat5E at 50 m Fiber 10GBASE configurable bypass MMSR or SMLR NetMod Dual port fiber configurable bypass interfaces with LC connectors Cable and distance LR is single mode at 5000 m available SR is mul...

Page 182: ...0 m Cooling requirements 1725 BTU hour You must provide sufficient cooling to maintain the appliance within its required operating temperature range Failure to do this may cause a malfunction or damag...

Page 183: ...lable SR is multimode fiber 850 nm at 550 m standard Fiber 1000BASE SX configurable bypass NetMod Quad port fiber configurable bypass interfaces1000BASE SX with LC connectors Cable and distance SX is...

Page 184: ...Cooling requirements up to 2225 BTU hour You must provide sufficient cooling to maintain the appliance within its required operating temperature range Failure to do this may cause a malfunction or dam...

Page 185: ...pability See Dual Port 10GBASE MMSR or SMLR Fiber Configurable Bypass NetMod on page 188 for more information a dual port 40GBASE SR4 fiber interface with configurable bypass capability 2U devices onl...

Page 186: ...opper interfaces Link LED Activity LED Bypass LED Copper Link Activity LEDs STATUS DESCRIPTION Both LEDs off The interface does not have link and is not in bypass mode Link amber The speed of the traf...

Page 187: ...Link LED Ports Bypass LED Activity LED Fiber Link Activity LEDs STATUS DESCRIPTION Top For an inline or passive interface A blinking light indicates the interface has activity No light indicates ther...

Page 188: ...d contains two fiber ports and link activity and bypass LEDs 1000BASE SX NetMod Optical Parameters PARAMETER 1000BASE SX Optical connectors LC duplex Bit rate 1000Mbps Baud rate encoding tolerance 125...

Page 189: ...passive interface A blinking light indicates the interface has activity No light indicates there is no activity Bottom For an inline interface A light indicates the interface has activity No light in...

Page 190: ...100 ppm Optical interface Multimode Single mode only Operating distance 840 860 nm 850 nm typical 26m 85 ft to 33 m 108 ft for 62 5 m 125 m fiber modal BW 160 to 200 respectively 66 m 216 ft to 82 m 2...

Page 191: ...interface on a device that is not 40G capable the 40G interface screen on its managing Defense Center web interface displays red A 40G capable device displays 3D 8250 40G on the LCD panel See 8000 Se...

Page 192: ...affic Steady amber The interface has been intentionally brought down Blinking amber The interface is in bypass mode that is it has failed open 40GBASE SR4 NetMod Optical Parameters PARAMETER 40GBASE S...

Page 193: ...ity LEDs table to understand copper LEDs Maximum average power at receiver 2 4 dBm Receiver sensitivity 9 5 dBm 40GBASE SR4 NetMod Optical Parameters Continued PARAMETER 40GBASE SR4 Link LED Activity...

Page 194: ...ers of the fiber interfaces Link LED Activity LED Ports Non Bypass Fiber Link Activity LEDs STATUS DESCRIPTION Top Activity For an inline or passive interface the light flashes when the interface has...

Page 195: ...o understand the link and activity LEDs on fiber interfaces Transmitter wavelength 770 860 nm 850 nm typical Maximum average launch power 0 dBm Minimum average launch power 9 5 dBm Maximum average pow...

Page 196: ...00 ppm Optical interface Multimode Single mode only Operating distance 840 860 nm 850 nm typical 26 m 85 ft to 33 m 108 ft for 62 5 m 125 m fiber modal BW 160 to 200 respectively 66 m 216 ft to 82 m 2...

Page 197: ...le to understand the stacking LEDs Note that the stacking module is available for the 3D8140 and 3D8250 and is included in the 3D8260 3D8270 and 3D8290 Link LED Activity LED Stacking LEDs STATUS DESCR...

Page 198: ...anding the Restore Process on page 199 Obtaining the Restore ISO and Update Files on page 201 Beginning the Restore Process on page 203 Using the Interactive Menu to Restore an Appliance on page 207 R...

Page 199: ...ed configuration disrupting traffic on your network Traffic is blocked until you configure bypass enabled inline sets on the device For more information about editing your device configuration to conf...

Page 200: ...ble you can restore Series 3 appliances and the 3D9900 without having physical access Serial Connection Laptop You can use a serial cable to connect a computer to any Sourcefire appliance except the 3...

Page 201: ...ds that you always use the most recent ISO image available for your appliance Most Sourcefire appliances use an external USB or internal flash drive to boot the appliance so you can run the restore ut...

Page 202: ...ins downloading 5 Optionally download system software and intrusion rule updates System software updates are on the same page of the Support Site as the ISO images You can click one of the links on th...

Page 203: ...agement on page 205 explains how use LOM to start the restore process for a Series 3 appliance via an SOL connection Restoring a DC1000 or DC3000 Using a CD on page 217 explains how to restore a DC100...

Page 204: ...fire splash screen appears 4 Monitor the reboot status On a DC500 Defense Center or 3D500 1000 2000 device press Ctrl U slowly and repeatedly when the splash screen appears For all other appliances th...

Page 205: ...ting the Restore Utility Using Lights Out Management SUPPORTED DEVICES Series 3 SUPPORTED DEFENSE CENTERS Series 3 If you need to restore a Series 3 appliance to factory defaults and do not have physi...

Page 206: ...System_Restore 4 At the boot prompt start the restore utility by typing System_Restore The boot prompt appears after the following choices 0 Load with standard console 1 Load with serial console 5 Typ...

Page 207: ...in the following table Restore Menu Options OPTION DESCRIPTION FOR MORE INFORMATION SEE 1 IP Configuration Specify network information about the management interface on the appliance you want to rest...

Page 208: ...sion currently installed on the appliance a two pass restore process is required The first pass updates the operating system and the second pass installs the new version of the system software If this...

Page 209: ...dentify the management interface on the appliance you want to restore so that the appliance can communicate with the server where you copied the ISO and any update files If you are using LOM remember...

Page 210: ...and Update Files on page 201 and stored on a web server FTP server or SCP enabled host The interactive menu prompts you to enter any necessary information to complete the download as listed in the fol...

Page 211: ...sion Rules During Restore If no continue with Downloading the ISO and Update Files and Mounting the Image on page 212 Note that you can use the system s web interface to manually install updates after...

Page 212: ...are using SCP enter your password when prompted to display the list 3 Select the rule update if any you want to use You do not have to select an update press Enter without selecting an update to cont...

Page 213: ...ferent major version a first pass by the restore utility updates the appliance s operating system and if necessary the restore utility itself IMPORTANT If you are restoring an appliance to the same ma...

Page 214: ...s 0 Load with standard console 1 Load with serial console 5 Select a display mode for the restore utility s interactive menu For a keyboard and monitor connection type 0 and press Enter For a serial o...

Page 215: ...e restore process begins When it completes if prompted confirm that you want to reboot the appliance WARNING Make sure you allow sufficient time for the restore process to complete On appliances with...

Page 216: ...he best time to save a restore configuration is after you provide the information listed above but before you download and mount the ISO image Note that if you update a restore USB drive to be compati...

Page 217: ...e Centers you cannot install updates as part of the restore process on those appliances Instead update the appliances afterward To restore a DC1000 or DC3000 using a CD ACCESS Admin 1 Place the restor...

Page 218: ...cluding bypass configurations for devices deployed inline For more information see Traffic Flow During the Restore Process on page 199 After you restore an appliance you must complete an initial setup...

Page 219: ...nstraints WARNING Scrubbing your hard drive results in the loss of all data on the appliance which is rendered inoperable To scrub the hard drive ACCESS Admin 1 Follow the instructions in one of the f...

Page 220: ...refore for IPMItool ipmitool I lanplus H IP_address U username command Or for ipmiutil ipmiutil command V4 J3 N IP_address U username P password LOM Command Syntax IPMITOOL LINUX MAC IPMIUTIL WINDOWS...

Page 221: ...rial port For more information see the following sections Enabling LOM and LOM Users on page 221 Installing an IPMI Utility on page 222 Redirecting Console Output on page 82 Enabling LOM and LOM Users...

Page 222: ...y the LOM IP address netmask and default gateway or use DHCP to have these values automatically assigned On 7000 Series devices select Lights Out Management to configure LOM settings 7000 Series devic...

Page 223: ...evelopment and System Tools in newer versions or Command Line Support in older versions Finally install MacPorts and IPMItool For more information use your favorite search engine or see these sites ht...

Page 224: ...lines when working with the appliance Sourcefire strongly recommends that you follow industry guidelines for general safety and electromagnetic emissions The following sections include more informatio...

Page 225: ...the machine 7 Keep your tool case away from walk areas so that other people do not trip over it 8 Do not wear loose clothing that can be trapped in the moving parts of a machine Ensure that your slee...

Page 226: ...outlet Connect to properly wired outlets any equipment that will be attached to this product When possible use one hand only to connect or disconnect signal cables Never turn on any equipment when th...

Page 227: ...covers of the laser product could result in exposure to hazardous laser radiation There are no serviceable parts inside the device Use of controls or adjustments or performance of procedures other tha...

Page 228: ...quirements do not exceed the branch circuit protection requirements Statement 9 CAUTION Hazardous voltage current and energy levels might be present Only a qualified service technician is authorized t...

Page 229: ...urcefire 3D500 Information on page 230 Sourcefire Series 3 Information on page 232 Sourcefire Defense Center 750 1500 3500 Information This product complies with the following safety standards and cer...

Page 230: ...B 9254 CNCA Certification China GB 17625 Harmonics CNCA Certification China Certifications Registrations Declarations The following information applies to the DC750 1500 3500 UL Certification US Canad...

Page 231: ...or by unauthorized changes or modifications to this equipment Unauthorized changes or modifications could void the user s authority to operate the equipment This device complies with Part 15 of the F...

Page 232: ...s is a Class A product In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures Sourcefire Series 3 Information The followin...

Page 233: ...regulatory compliance of the Series 3 appliances 70xx Family Appliances The following information applies to all 70xx Family appliances Emissions FCC 47 CFR Part 15 Class A digital device EN 55022 201...

Page 234: ...PR22 2022 Information Technology Equipment Radio Disturbance Characteristics FCC 47 CFR Part 15 Class A digital device Radio Frequency Devices Subpart B Unintentional Radiators ICES 003 Issue 4 Feb 20...

Page 235: ...able lists the chassis designations for the 7000 Series models available world wide and in the Republic of Korea EC Council Directive 2006 95 EC LVD EC Council Directive 2004 108 EC Electromagnetic co...

Page 236: ...HARDWARE CHASSIS CODE 3D8120 3D8130 3D8140 AC power CHAS 1U AC 3D8120 3D8130 3D8140 DC power CHAS 1U DC 3D8250 3D8260 3D8270 3D8290 AC power CHAS 2U AC 3D8250 3D8260 3D8270 3D8290 DC power CHAS 2U DC...

Page 237: ...t 2 NM R2 0 or blank 1 Slot 3 NM C4 0 or blank Slot 4 NM FX4 0 or blank Slot 5 NM FX4 0 or blank Slot 6 NM R2 0 or blank 1 Slot 7 NM C4 0 or blank 3D8250 3D8260 3D8270 3D8290 DC power CHAS 2U DC 0005...

Page 238: ...fety Notice for Korea Required statement indicating that Sourcefire s equipment is Class A Safety Notice for Japan Safety Notice for Taiwan Waste Electrical and Electronic Equipment Directive WEEE Sou...

Page 239: ...fety and Regulatory Information Waste Electrical and Electronic Equipment Directive WEEE Chapter 8 For more information contact Sourcefire EMEA C O Seko Benelux BV Operations Valkweg 1 1118 EC Schipho...

Page 240: ...age Cautions are requirements for proper function Failure to follow cautions may result in improper operation Interface Connections WARNING The intra building ports of the equipment or subassembly are...

Page 241: ...wing sections See Installation on page 241 for circuit installation voltage current frequency range and power cord information See Grounding Earthing Requirements on page 242 for bonding locations rec...

Page 242: ...ation A ground bonding location is provided on the rear of the chassis An M4 stud is provided An outside toothed lock washer is provided for attaching a ring terminal A standard ground symbol is avail...

Page 243: ...nstalled in accordance with the requirements of Article 250 of NFPA 70 National Electric Code NEC Handbook and local electrical codes Separate circuits are required to create redundant power sources U...

Page 244: ...of the AC power supply is 47 Hz to 63 Hz Frequencies outside this range may cause the appliance to not operate or to operate incorrectly Power Cords The power connections on the power supplies are IEC...

Page 245: ...ction are 3D8120 8130 8140 CHAS 1U AC CHAS 1U DC or CHAS 1U AC DC 3D8250 8260 8270 8290 CHAS 2U AC CHAS 2U DC or CHAS 2U AC DC These Sourcefire devices are suitable for installation by qualified perso...

Page 246: ...Same Circuit Installation If the same circuit is used to feed both supplies then the power rating of one supply applies to the whole box This configuration only provides protection from a power suppl...

Page 247: ...installed Separate Circuit Installation If separate circuits are used each circuit must be rated to the full rating of the appliance This configuration provides for circuit failure and power supply f...

Page 248: ...rovided The circuit breaker must meet the following requirements UL Recognized CSA Approved Recommended VDE Approved Recommended Support the maximum load 20A Support the installation voltage 40V to 72...

Page 249: ...s the bonding locations on the 2U chassis Recommended Terminals You must use UL Approved terminals for the ground connection Ring terminals with a clearance hole for 4mm or 8 studs may be used For 10...

Page 250: ...lies The DC power supplies have additional ground connections on each supply This allows the hot swappable supply to be connected to power return and ground so that it may be safely inserted This grou...

Page 251: ...sockets and transceivers in a 3D7115 and 3D7125 3D7115 and 3D7125 SFP Sockets and Transceivers on page 251 Inserting an SFP Transceiver on page 253 Removing an SFP Transceiver on page 254 3D7115 and...

Page 252: ...gh 12 in a vertical pattern and oriented in a tab to center configuration the upper row faces up and the lower row faces down The accompanying LEDs to the left of the sockets display information on ac...

Page 253: ...loyment you can use any combination of transceivers in up to eight sockets to monitor up to eight network segments For an inline deployment you can use any combination copper fiber or mixed of transce...

Page 254: ...discharge ESD procedures when removing the transceiver Avoid touching the contacts at the rear and keep the contacts and ports free of dust and dirt To remove an SFP transceiver 1 Disconnect all cabl...

Page 255: ...ppliance The following sections describe how to insert remove or replace an 8000 Series module Module Slots on the 8000 Series Appliances on page 255 Included Items on page 257 Identifying the Module...

Page 256: ...ing module see Using Devices in a Stacked Configuration on page 74 81xx Family The 81xx Family appliances can use the modules in the following slots Stacking Configuration Considerations Configure the...

Page 257: ...Copper Configurable Bypass NetMod on page 186 quad port 1000BASE SX fiber configurable bypass NetMod For more information see Quad Port 1000BASE SX Fiber Configurable Bypass NetMod on page 187 dual po...

Page 258: ...more information see Stacking Module on page 197 If you install a NetMod in an incompatible slot on your appliance or a NetMod is otherwise incompatible with your system an error or warning message a...

Page 259: ...ng Devices in a Stacked Configuration on page 74 3D8140 slot 3 3D8250 8260 primary slot slot 5 3D8270 primary slots slots 5 and 1 3D8290 primary slots slots 5 1 and 4 3D82xx secondary slot S Confirm t...

Page 260: ...and reserve the T8 Torx screw from the lever of the module using the included screwdriver 2 Pull the lever away from the module to release the latch 3 Slide the module out of the slot Inserting a Mod...

Page 261: ...C To insert a module or slot cover 1 Remove and reserve the T8 Torx screw from the lever of the module using the included screwdriver 2 Pull the lever away from the module to open the latch The near e...

Page 262: ...ever toward the module so that the latch engages and pulls the module into the slot WARNING Do not use excessive force If the latch does not engage remove and realign the module and then try again Nea...

Page 263: ...nserting a Module or Slot Cover Appendix C 5 Press firmly on the screw hole to push the lever fully against the module to secure the latch The lever is fully against the module and the module is flush...

Page 264: ...evention file control and advanced malware protection features and also determines the traffic you can inspect with the discovery feature access control policy A policy that you apply to managed devic...

Page 265: ...fic event You can alert based on intrusion events including their impact flags discovery events malware events correlation policy violations health status changes and connections logged by specific ac...

Page 266: ...on about your monitored network using intrusion connection file geolocation malware and discovery policy Distinct sections present information in the form of vivid line bar pie and donut graphs accomp...

Page 267: ...onent of intrusion detection and prevention that places sniffed packets into a format that can be understood by a preprocessor default action As part of an access control policy determines how to hand...

Page 268: ...about the changing health status of appliances your use of the web interface rule updates and launched remediations Finally the system presents certain other information as events even though these ev...

Page 269: ...tion based FireAMP deployment FireAMP subscription A separately purchased subscription that allows your organization to use FireAMP as an advanced malware protection AMP solution Compare with a Malwar...

Page 270: ...A feature that allows you to import data from third party sources using scripts or command line files to augment the information in the network map The web interface also provides some host input fun...

Page 271: ...iolations and security breaches The system compares packets against rule conditions If the packet data matches the conditions the rule triggers and generates an intrusion event Intrusion rules include...

Page 272: ...s the file or allows its upload or download Compare this functionality with FireAMP Sourcefire s endpoint based AMP tool that requires a FireAMP subscription malware event An event generated by one of...

Page 273: ...data the system collects for specific network segments including networks monitored by NetMod enabled devices The network discovery policy also manages import resolution preferences and active detect...

Page 274: ...specific GID generator ID protected network Your organization s internal network that is protected from users of other networks by a device such as a firewall Many of the intrusion rules delivered wi...

Page 275: ...rules shared object rules and preprocessor rules A rule update may also delete rules modify default intrusion policy settings and add or delete system variables and rule categories scheduled task An...

Page 276: ...tures Series 2 devices include the 3D500 3D1000 3D2000 3D2100 3D2500 3D3500 3D4500 3D6500 and 3D9900 Series 2 Defense Centers include the DC500 DC1000 and DC3000 Series 3 The third series of Sourcefir...

Page 277: ...database table When performing event analysis you can use drill down pages to constrain the events you want to investigate before moving to the table view that shows you the details about the events y...

Page 278: ...r awareness A feature that allows your organization to correlate threat endpoint and network intelligence with user identity information and that allows you to perform user control user control A feat...

Page 279: ...VLAN In Layer 2 and Layer 3 deployments you can configure virtual switches and virtual routers on managed devices to appropriately handle VLAN tagged traffic VPN A feature that allows you to build se...

Page 280: ...efire 3D System User Guide 280 web application to zone Glossary web application A type of application that represents the content of or requested URL for HTTP traffic widget See dashboard widget zone...

Search results

Summary of Contents for Sourcefire 3D System

Reviews:

Brands by name

Popular brands

Source fire Sourcefire 3D System, Installation Manual

Search results

Summary of Contents for Sourcefire 3D System

Reviews:

Brands by name

Popular brands