The Enforcers tab displays all Enforcers that have been activated to your threatER account.
Navigate to Enforce > Enforcers in the left-hand navigation menu to view your organization's Enforce instances.
Enforcers
The following details display for each Enforcer:
Column Name | Description |
Enforcer Name | The name that is generally provided during activation time, but can be changed as needed. If no such name is available, a unique identifier is displayed. |
Subscription | Enforce software subscription assigned to the Enforcer |
Bridge State | Three options including: Normal, Hardware Bypass and Unknown. Hardware Bypass indicates an Enforcer that is in hardware bypass mode. Unknown is displayed for any Enforcer running legacy software, or if the Enforcer's current state is unknown. |
Build | Displays the Enforce software build the Enforcer is currently running. If the Enforcer is not on the latest build, the build number will display in red and a label will display indicating the number of builds the instance is behind. |
Last Connection | Indicates the date and time the Enforcer last connected to the Theater Portal. This should normally be within a few minutes of the present time. |
Location |
The location of the Enforcer if available. A "-" will show if no location is provided. |
Click on the hyperlinked Enforcer Name in the table to view additional details of the individual Enforce Instance. The additional data will display:
Name | Description |
Subscription Throughput | Refers the Subscription Throughput section and see below for more details. |
Admin IP | Available to find administration IP to locally access Enforce or to troubleshoot with the Customer Success team |
Configuration | Refers the Configuration section and coming soon. |
Networks | The list of Networks managed by the specific Enforcer |
Updating Enforce Software
The Portal provides customers the ability to install the latest Enforce software build onto their Enforcer(s). Users can access the latest build by selecting Enforce > Enforcers in the left-hand navigation menu.
Users have the option to perform an immediate update, or to schedule an update at a later time. Installing new software will force a reboot of the Enforce instance. The instance will be offline and in bypass mode during the install. If a new build becomes available between now and the Scheduled Date, the latest available build will be installed.
Note that unless otherwise stated in our threatER Enforce release notes, the Enforcer will always be updated from the existing version to the latest version, even if there are versions in between. The standard update will take approximately 10 minutes and at the end of the update there will be a brief disruption as the Enforcer reboots once to complete the installation. Any exception to this will be called out in the release notes.
The following information is displayed:
Name | Description |
Build Number | The latest build number |
Release Date | the release date of the latest build |
Release Notes | PDF of the build release notes that will open in a separate browser tab |
Critical Update | Displays at the top of the screen if the build is critical in nature, including important security-related updates, critical bug fixes, or new features critical to the operation of the threatER platform. Admins should install critical updates as soon as possible. |
Update Now
In the row of the Enforcer, select Update Now from the ellipsis menu to immediately install the latest build.
Select the Update button on the confirmation modal. The table will display Update Pending for the Enforcer until the build installation is complete and will automatically clear as soon as the associated Enforcer has begun the process of the update. The installation may take several minutes to finalize.
The table will display an “Update Pending” icon for the Enforcer until the build installation is complete. The “Update Pending” will automatically clear as soon as the associated Enforcer has begun the process of the update. Upon completion, which can take several minutes, the new build number will appear in the status.
Schedule Update
Updates can be scheduled for one or more Enforcers. To schedule a build installation, select the Enforcer(s) in the table and provide desired date and time in the calendar.
The time selected is in the user's local timezone, but saved in the backend in UTC. If the user is located in New York City (EST) and selects 6:00PM, but the Enforcer is located in San Francisco (PST), the installation will begin at 6:00PM EST or 3:00pm PST.
Select the Schedule button and then Schedule on the Confirm Schedule Updates modal. The table will reflect the update schedules.
Cancel a Scheduled Update
In the row of the Enforcer, select Cancel from the ellipsis menu to cancel a scheduled update.
Select the Cancel button on the Confirm Cancel modal. The table will reflect the cancelation with the removed scheduled time.
Revert to Previous Build
Users may have the ability to revert to the previous software build that was installed on an Enforcer, if both the previous and current versions, as a pair, are revertible. Reverts must be scheduled and can be done by completing the following steps:
Select Schedule Revert to Build [#] from the ellipsis menu of the Enforcer.
Choose a date and time from the calendar (both hours and minutes). The time selected is in the user's local timezone, but saved in the backend in UTC. If the user is located in New York City (EST) and selects 6:00PM, but the Edge instance is located in San Francisco (PST), the installation will begin at 6:00PM EST / 3:00PM PST. Select the Revert button to finalize the scheduling.
Select Revert in the Confirm Scheduled Revert modal. The table will reflect the scheduled revert.
Manual Downloads
It is strongly recommended to utilize the automatic installation of Enforcer builds described in the above sections. Should a manual download of a build be required, please consult our Customer Success team for assistance. We do not recommend that you attempt Manual Downloads on your own without assistance. Use threatER's automated mechanism as previously described unless instructed otherwise by our Customer Success team.
Subscription Management
To manage subscriptions from the Enforcers tab:
- Select (or remove) a subscription from the drop-down
- Make any additional necessary subscription updates to other Enforcers
- Select the Save Subscriptions button at the top of the table
Review the selected changes on the Save Changes modal and then select the Save button.
Subscription Status Indicators:
- Green - subscription is actively supported
- Yellow - support has lapsed; any Enforcee assigned a subscription in this state may not receive updated threat intelligence and as a result may be in an Allow-All state. You should contact our Customer Success team to review your subscription status.
Editing Enforcer Name and Location
Admins can edit the Name and/or Location of an Enforcer to help simplify and identify instances according to own network naming conventions.
Find the Enforcer in the table and select the vertical ellipsis and click Edit in the far right column. Enter the desired name or location and select Save.
Configurations
The Enforcer must be on at least build 247 to access this feature. Once updated, threatER Enforce configurations can be managed directly in the threatER Portal.
Navigate to Enforce in the left-hand navigation menu, click on the Enforcers tab and select the hyperlinked name of the applicable Enforcer. Customers on a build that is below 247 will not have access to this feature and will see the below message.
For those on build 247 and above, click on the carrot to expand the Configuration card. The Enforcer's current configurations will be copied over to the Portal as part of the build 247 installation. Configurations for Enforcers on Build 247 or greater will now be managed in the Portal and will be read-only on the threatER Enforcer user interface (UI).
Select through the Configuration navigation bar to make updates. You can save once when complete or can choose to save at each individual tab.
Moving away from the Enforcers tab without saving will show the "unsaved changes" pop-up message.
Navigation Tab Name | Portal Configuration Setting | Location in Enforce UI |
Settings | Hostname | Settings > General |
Timezone | Settings > Date & Time > Date & Time | |
Login | Settings > General | |
Session | Settings > General > Session | |
Password | Settings > General > Password | |
Loose State Handling | NA | |
Banner | Settings > Banner | |
Syslog | Servers | Logging > External Syslog |
Access | Access Rules | Network > Access |
Bridges | Bridge | Network > Bridging Interface > Bridging Interface |
Bypass | Network > Bridging Interface > Bypass Mode | |
NTP | NTP Servers | Settings > Date & Time > NTP Servers |
SMTP | SMTP | Settings > SMTP |
SNMP | SNMP | Settings > SNMP |
Settings
The Settings tab allows you to configure the following:
Section Name | Field Name | Description | Default Setting |
Hostname | Hostname | A unique label identifying the Enforcer. | n/a |
Timezone | Timezone | Time zone for the location where the Enforcer will be deployed. | UTC |
Login | Maximum Login Attempts | Restricting the number of login attempts allowed until the lockout time is reset. Choose any value between 1 and 90 attempts. | 5 |
Lockout Time | Prevents a user from logging in again for a specified amount of time after multiple failed attempts. The value is in minutes and must be between 0 and 1440 minutes. 1440 minutes = 24 hours. | 30 min | |
Session | Maximum Duration | Specify a maximum duration of a session before it ends. The value is in minutes and must be between 30 and 1440 minutes. 1440 minutes = 24 hours. | 480 min |
Timeout | Determines the time a user can remain idle before the session id is terminated and the user must log in again. The value is in minutes and must be between 1 and 120 minutes. 120 minutes = 2 hours. | 60 min | |
Password | Minimum Duration | Minimum duration password age is a password policy setting that prevents users from changing their password multiple times a day. The value must be between 0 to 90 though we recommend a minimum duration age to one day for security purposes. Setting the number of days to 0 allows immediate password changes. | 1 day |
Maximum Duration | The maximum length of time a password can be used before it needs to change. The value must be between 1 and 365 days. 1 calendar year = 365 days. | 60 days | |
Minimum Length | Determines the minimum number of characters that can be used in a user account password. The minimum length must be between 5 to 64 characters. | 8 | |
Maximum Length | Determines the maximum number of characters that can be used in a user account password. The max length must be between 16 to 64 characters. | 32 | |
Minimum Character Groups | Determines the least number of characters that can make up a password. The value must be between 1 and 4 characters. | 3 | |
Loose State Handling (LSH) | Description |
Loose State Handling (LSH) is effectively trying to ascertain the direction of a conversation when you jump in the middle of it. This can happen in network security enforcement points when the Enforcer is deployed and operating as a layer 2 bump in the wire. This includes when an Enforcer is first placed in-line, when it is shutdown and powered back up, when it reboots (software upgrade), and when it is taken in and out of bypass mode. When the Enforcer sees the packet that it can't attribute to a known conversation starter, the Enforce software uses some simple logic to attempt to make an educated guess as to the direction of the conversation.
The LSH configuration setting provides the user a level of control over how LSH should be handled and supports the below modes:
|
Always On |
Always On | Always performs the LSH logic and is how the Enforcer software exclusively operated prior to this configuration being available in the Portal | ||
Always Off | Allows you to tell the Enforcer to completely disable the LSH logic and just use packet direction for those scenarios when it isn't sure. | ||
Timed On | Enables LSH for the specified time period after an "LSH event" occurs, where those events are things like power on, bypass toggling, adding bridge pairs, and so on. | ||
Banner | Accepted Text | A quick note or alert across the login page for a successful login attempt. There is no character text limit and the toggle must be enabled to use. | N/A |
Declined Text |
A quick note or alert across the login page for an unsuccessful login attempt. There is no character text limit and the toggle must be enabled to use. |
N/A |
Syslog
Syslog exports are an industry-standard way of exporting data in a concise, timely manner. Our syslog export format is compliant to RFC-5424 and ensures seamless integration alongside any number of external tools like:
- Security information and event management (SIEM) tools, such as Splunk and IBM QRadar
- Data analytics tools like Gravwell
- Full open-source tools like syslog-ng
Our Syslog export is not designed with any particular SIEM tool in mind. We focus on the comprehensive data contained in our syslog exports, enabling you to parse are logs by any tool that can ingest RFC-compliant syslog exports.
More information on the Syslog requirements can be found at this link. Once you complete the provided steps, your syslog will display the following columns.
Subset | Field Name | Description |
Server | Host | Your Target System IP |
Port | Input 514 for the UDP port, which is the typical listening port most systems use for syslog ingest. This can be changed if needed. | |
Description | Optional but useful for quick identification if you are sending logs to more than one system | |
Log Types | IP | This column is checked if you are sending packet logs via Syslog Export |
Syslog | This column is checked if you are sending system operating logs via Syslog Export | |
Audit | This column is checked if you are sending internal administration logs via Syslog Export | |
DNS | This column is checked if you are sending domain logs via Syslog Export | |
DNS RESP | This column is checked if you are sending DNS traffic logs via Syslog Export |
Access
Access rules can be managed in the Portal or in the Enforcer UI, depending on your company's security standards. Within the Enforcer UI under Network > Access, Security Admins (SEC_Admin) with local access will be able to toggle on and off the Portal access.
When Portal Managed is On, these settings are managed on the Portal and can't be modified locally.
When this setting is Off, these settings can be managed locally and are not synced from the Portal.
The Protocols available include:
- HTTP
- Ping
- SSH
- SNMP
Select New to add a new access setting. Add the Protocol, Address and Maskbit and then select Create.
Bridges
The Bridges tab shows you the bandwidth or maximum rate of data transfer between the two bridge Ethernet ports. The Bridging pair is configured within the Enforcer UI.
The link status will be displayed in Red when the Enforcer is disconnected. The Enforcer is indicated inline when the link status is green.
If Bypass is available, end users will be able to view the following sections:
Mode Name | Description |
Bypass Mode | The mode the device is currently in |
Startup Mode | The mode the device will be upon Startup |
Power-Off Mode | The Mode the device will go into upon getting a shutdown command |
NTP
Enforce uses a NTP server so that the clock on the Enforcer is properly synchronized. The software leverages time.google.com NTP server by default.
You also have the option to add your own NTP server by going to New, adding a valid IP or domain host and selecting Create.
Confirmation of the sync will be indicated by a green clock alert icon next to NTP Servers title. It might take a few minutes for the server to sync with the Enforcer.
The NTP Server can be edited or deleted by selecting three vertical ellipses next to the host.
SMTP
SMTP messages are sent when an Alarm is raised (e.g. an update fails, entering bypass mode or an account gets locked out). The alerts can also be accessed within the Enforcer UI.
You can set the following parameters in SMTP:
Title | Description |
Enabled | Toggle on to enable the SMTP Alerts |
Protocol | Options include SMTP or SMTPS |
Host | The hostname or IP address of the mail server |
Port | The port of the mail server, typically 25 or 587 for SMTP, or 465 for SMTPS |
Username | Username if the server requires authentication |
Password | Password if the server requires authentication |
From Address | The email address that sends the alerts on threatER's behalf |
To Address | The email address that will receive the alerts |
SNMP
The Enforcer Security Appliance supports the internet standard Simple Network Management Protocol (SNMP). Admins can remotely monitor Enforce by a network management system, such as IBM Tivoli Network Manager, CiscoWorks LAN Management Solution, and HP Network Node Manager.
Admins will need to set up SNMP access first before using the SNMP tab.
threatER supports two versions of SNMP:
- the Community-based SNMPv2c
- SNMPv3
This includes the security features of device authentication, packet integrity, and data confidentiality. Under the preferred version, click New and input the required information. On this menu you can specify trusted IPv4 and IPv6 internet addresses, from which the Enforcer will accept data requests, as well as designate Internet addresses where Enforcer will send asynchronous SNMP traps.
Version | Field Name | Description |
SNMPv2c | Community | User ID or Password |
SNMPv3 | Username | User ID |
Authentication: Type | Options include MD5 and SHA | |
Authentication: Passphrase | Key for authentication | |
Privacy: Type | Options include DES and AES | |
Privacy: Passphrase | Key for encryption |
Subscription Throughput
The Subscription Throughput chart provides the past 30 days of an Enforcer's inbound and outbound throughput. Click on the hyperlinked Enforcer Name in the table and then select the Subscription Throughput Bar to view throughput data.
The following throughput details will display at the top:
- % Subscription Throughput utilized for the past 30 days
- 95th Percentile for the past 30 days, via industry standard 95/5 measurements
- Current Outbound throughput (in bits)
- Current Inbound throughput (in bits)
The table in the top right corner shows the following inbound and outbound data:
- Current throughput (in bits per second)
- Average throughput (in bits per second)
- Maximum throughput (in bits per second)
The chart displays a graphical representation of the inbound and outbound throughput and the 95th percentile for the past 30 days. Click and drag within the plot area to zoom for a specific date and time.
Comments
0 comments
Please sign in to leave a comment.