Cisco AMP Threat Grid Appliance Setup and Configuration Guide
Version 2.2
Last Updated: March 8, 2017
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
Cover photo: Copyright © 2015 Mary C. Ecsedy. All rights reserved. Used with permission. Prickly Pear cactus about to bloom in Arches National Park. It takes good defenses and making the most of your resources to flourish in a harsh and hostile environment.
Cisco AMP Threat Grid Appliance Setup and Configuration Guide All contents are Copyright © 2015-2017 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
CONTENTS

LIST OF FIGURES ... iii
INTRODUCTION ... 1
  Who This Guide Is For ... 1
  Release Notes ... 1
  What's New ... 2
    Integration with 3rd Party Detection and Enrichment Services ... 2
    Multiple URLs for Disposition Update Service Manager ... 2
    ClamAV Signatures Automatic Daily Update ... 2
    LDAP Authentication ... 2
    Cisco UCS C220 M4 Server ... 2
    FireAMP Private Cloud Integration ... 2
    Version 2.0 ... 3
  Support - Contacting Threat Grid ... 3
    Support Mode ... 3
    Start Support Mode - License Workaround Prior to Version 1.4.4 ... 3
    Support Servers ... 4
    Support Snapshots ... 4
PLANNING ... 5
  User Documentation and Online Help ... 5
  Environmental Requirements ... 5
  Hardware Requirements ... 5
  Hardware Documentation ... 6
  Network Requirements ... 6
    DNS Server Access ... 6
    NTP Server Access ... 7
  Integrations – ESA/WSA/FireAMP etc. ... 7
  DHCP ... 7
  License ... 7
  Organization and Users ... 7
  Updates ... 7
  Threat Grid Appliance User Interfaces ... 8
    TGSH Dialog ... 8
    OpAdmin Portal ... 8
    AMP Threat Grid Portal ... 8
    CIMC ... 8
  Network Interfaces ... 8
    Admin Interface ... 8
    Clean Interface ... 9
    Dirty Interface ... 9
    CIMC Interface ... 9
    Reserved Interface ... 9
  Login Names and Passwords - Defaults ... 10
    Web UI Administrator ... 10
    OpAdmin and Shell user ... 10
    CIMC (Cisco Integrated Management Controller) ... 10
  Setup and Configuration Steps Outline ... 10
  Time Required for Setup and Configuration ... 10
SERVER SETUP ... 12
  Network Interface Connections Setup ... 12
    C220 M3 Rack Server Setup ... 12
    C220 M4 Rack Server Setup ... 14
  Network Interface Setup Diagram ... 16
  Firewall Rules Suggestions ... 17
  Power On and Boot Up ... 18
INITIAL NETWORK CONFIGURATION – TGSH DIALOG ... 20
CONFIGURATION WIZARD - OPADMIN PORTAL ... 26
  Configuration Workflow ... 26
  Login to the OpAdmin Portal ... 26
  Admin Password Change ... 28
  End User License Agreement ... 29
  Network Configuration Settings ... 29
    Network Configuration and DHCP ... 29
  License Installation ... 30
  Email Host Configuration ... 30
  Server Notifications Configuration ... 31
  NTP Server Configuration ... 33
  Review and Install Configuration Settings ... 33
INSTALLING THREAT GRID APPLIANCE UPDATES ... 37
  Appliance Build Number ... 37
    Appliance Build Number/Version Lookup Table ... 38
TEST THE APPLIANCE SETUP - SUBMIT A SAMPLE ... 41
APPLIANCE ADMINISTRATION ... 42
APPENDIX A – CIMC CONFIGURATION (RECOMMENDED) ... 43
LIST OF FIGURES

Figure 1 - OpAdmin Start a Live Support Session ... 4
Figure 2 - Cisco 1000BASE-T Copper SFP (GLC-T) ... 5
Figure 3 - Cisco UCS C220 M3 SFF Rack Server ... 12
Figure 4 - Cisco UCS C220 M3 Rear View Details ... 13
Figure 5 - Cisco UCS C220 M4 SFF Rack Server ... 14
Figure 6 - Cisco UCS C220 M4 Rear View Details ... 15
Figure 7 - Network Interfaces Setup Diagram ... 16
Figure 8 - Cisco Screen During Boot Up ... 18
Figure 9 - TGSH Dialog ... 19
Figure 10 - TGSH Dialog - Network Configuration Console ... 20
Figure 11 - Network Configuration In-Progress (clean and dirty) ... 21
Figure 12 - Network Configuration In-Progress (admin) ... 22
Figure 13 - Network Configuration Confirmation ... 23
Figure 14 - Network Configuration - List of Changes Made ... 24
Figure 15 - IP Addresses ... 25
Figure 16 - OpAdmin Login ... 27
Figure 17 - OpAdmin Change Password ... 28
Figure 18 - License Page ... 29
Figure 19 - License Information After Successful Installation ... 30
Figure 20 - Notifications Configuration ... 31
Figure 21 - Appliance is Installing ... 34
Figure 22 - Successful Appliance Installation ... 35
Figure 23 - Appliance is Rebooting ... 35
Figure 24 - Appliance Is Configured ... 36
Figure 25 - Appliance Build Number ... 37
Figure 26 - Threat Grid Portal Login Page ... 41
Figure 27 - The Cisco screen – F8 to enter the CIMC Configuration Utility ... 43
Figure 28 - CIMC Configuration Utility ... 44
Figure 29 - Cisco Integrated Management Controller (CIMC) Interface ... 45
INTRODUCTION
A Cisco AMP Threat Grid Appliance provides safe and highly secure on-premises advanced malware analysis, with deep threat analytics and content. Threat Grid Appliances provide the complete Threat Grid malware analysis platform, installed on a single UCS server (UCS C220-M3 or C220 M4). They empower organizations operating under various compliance and policy restrictions to submit malware samples to the appliance.
Many organizations that handle sensitive data, such as banks, health services, etc., must follow regulatory rules and guidelines that do not allow certain types of files, such as malware artifacts, to be sent outside of the network for malware analysis. By maintaining a Cisco AMP Threat Grid Appliance on-premises, organizations can send suspicious documents and files to it to be analyzed without those files leaving the network.
With an AMP Threat Grid Appliance, security teams can analyze all samples using proprietary and highly secure static and dynamic analysis techniques. The appliance correlates the analysis results with hundreds of millions of previously analyzed malware artifacts, to provide a global view of malware attacks and campaigns, and their distributions. A single sample of observed activity and characteristics can quickly be correlated against millions of other samples to fully understand its behaviors within an historical and global context. This ability helps security teams to effectively defend the organization against threats and attacks from advanced malware.
Who This Guide Is For
Before a new appliance can be used for malware analysis, it must be set up and configured for the organization's network. This guide is for the security team IT staff tasked with setting up and configuring a new Threat Grid Appliance.
This document describes how to complete the initial setup and configuration for a new Threat Grid Appliance, up to the point where malware samples can be submitted to it for analysis.
For more information, please see the Cisco AMP Threat Grid Appliance Administrator's Guide, which can be found on the Install and Upgrade page on Cisco.com.
Release Notes
For detailed updates information, see the Release Notes, which may be found in the OpAdmin Portal:
Operations menu > Update Appliance
Formatted PDF versions of the Threat Grid Appliance Release Notes are also available online with the other Threat Grid Appliance documentation:
http://www.cisco.com/c/en/us/support/security/amp-threat-grid-appliances/products-installation-guides-list.html
Version Lookup Table
For a list of Threat Grid Appliance releases, see the Installing Updates section of the Threat Grid Appliance Administrator’s Guide.
Note: To view the release notes for the Threat Grid Portal UI, click Help in the UI’s navigation bar.
What’s New
For a full description of new features always check the Release Notes and other release documentation such as Migration Notes and Data Retention Notes. Major highlights are included here.
Integration with 3rd Party Detection and Enrichment Services
With version 2.2, OpenDNS, TitaniumCloud, and VirusTotal integrations can now be configured on the Appliance, in the new configuration page. In OpAdmin, select Configuration > Integrations to open this page. See the Threat Grid Administrator’s Guide for more information.
Multiple URLs for Disposition Update Service Manager
Version 2.2 also includes the ability to configure multiple URLs for the Disposition Update Service Manager.
ClamAV Signatures Automatic Daily Update
With version 2.2 the appliance can now automatically download updates to ClamAV signatures on a daily basis, improving recognition of known malware. This feature is enabled by default, and can be disabled from the newly-added Integrations page in OpAdmin.
LDAP Authentication
LDAP Authentication has been added to the OpAdmin and TGSH Dialog administrator interfaces with version 2.1.6, released on January 5, 2017, to support those customers with multiple appliance administrators who don’t want them sharing the same login and password. See the Threat Grid Administrator’s Guide for more information.
Cisco UCS C220 M4 Server
Released on November 17, 2016, the C220 M4 server includes a hardware refresh, as well as the Secure Boot feature. Please contact us at support@threatgrid.com to discuss any questions you may have about upgrading.
Note: Threat Grid will continue to provide support for M3s until after the expiration of their contracted lifespan. All the same M4 features are available as over-the-wire updates for existing M3s.
The M5 server upgrade is currently under development. We strongly encourage existing M3 and M4 customers to contact us at support@threatgrid.com to discuss any questions you may have about which server upgrade is best for your needs, as well as data migration, backups, rollout strategies, etc. Additional complexity is introduced by the migration to version 2.1.5 of the Threat Grid Appliance software, which is currently in development. We think the best approach for planning the upgrade path to the M5 is to address our customers’ requirements on an individual basis.
FireAMP Private Cloud Integration
The 2.0.3 release contains features to facilitate Threat Grid Appliance integrations with FireAMP Private Cloud, including the ability to split DNS between the Clean and Dirty network interfaces, CA Management, and FireAMP Private Cloud Integration Configuration.
Generated SSL certificates now have the CN duplicated as a subjectAltName. This addresses an incompatibility with SSL clients, which ignore the CN field when at least one subjectAltName is present. It may be necessary to regenerate any previously appliance-generated certificates if using such tools.
Version 2.0
Version 2.0 is a major release, built upon an updated operating system. It includes enhancements that will support future hardware releases, and also brings the Threat Grid Portal UI more in line with the Cloud version. This includes significant numbers of new and updated Behavioral Indicators and other changes.
Please read the Threat Grid Portal Release Notes beginning with release 3.3.45 for details. (From the Portal UI Navigation bar select Help, then click on the link to the release notes. The release notes are cumulative: the most recent version contains all previous notes.)
Support - Contacting Threat Grid
There are several ways to request support from a Threat Grid engineer:
Email. Send email to support@threatgrid.com with your query.
Open a Support Case. You will need your Cisco.com ID (or to generate one) to open a support case. You will also need your service contract number, which was included on the order invoice. Enter your support case here: https://tools.cisco.com/ServiceRequestTool/scm/mgmt/case
Call. For Cisco phone numbers see: http://www.cisco.com/c/en/us/support/index.html
When requesting support from Threat Grid, please send the following information with your request:
Appliance version (OpAdmin > Operations > Update Appliance)
Full service status (service status from the shell)
Network diagram or description (if applicable)
Support Mode (Shell or Web interface)
Support Request Details
Support Mode
If you require support from a Threat Grid engineer, they may ask you to enable "support mode", which is a live support session that gives Threat Grid support engineers remote access to the appliance. Normal operations of the appliance will not be affected. This can be done via the OpAdmin Portal Support menu. (You can also enable SUPPORT MODE from the TGSH Dialog, from the legacy Face Portal UI, and when booting up into Recovery Mode.)
To start a live support session with Threat Grid tech support:
In OpAdmin, select Support > Live Support Session and click Start Support Session.
Note: You can break out of the OpAdmin wizard task-flow to enable Support Mode, prior to licensing.
Start Support Mode - License Workaround Prior to Version 1.4.4
There is an issue with licenses that has been resolved in Threat Grid Appliance v1.4.4. If your software version is prior to 1.4.4, you will need to have successfully connected to the Support Mode servers at least once (after November 14th, 2015) in order for your license to be accepted. The connection does not need to be ongoing or active at the time of the license validation.
Required: The Dirty network needs to be up in order for this step to work.
Figure 1 - OpAdmin Start a Live Support Session
Support Servers
Establishing a support session requires that the TG appliance reach the following servers:
support-snapshots.threatgrid.com
rash.threatgrid.com
Both servers should be allowed by the firewall during an active support session.
Support Snapshots
A support snapshot is a snapshot of the running system, containing logs, ps output, etc., to help Support staff troubleshoot issues.
1. Verify that SSH is specified for Support Snapshot services.
2. From the Support menu, select Support Snapshots.
3. Take the snapshot.
4. Once you take the snapshot, you can either download it yourself as a .tar.gz file, or press Submit, which will automatically upload the snapshot to the Threat Grid snapshot server.
PLANNING
A Cisco AMP Threat Grid Appliance is a Linux server with Threat Grid software installed by Cisco Manufacturing prior to shipping. Once a new appliance is received, it must be set up and configured for your on-premises network environment. Before you begin, there are a number of issues to consider and plan. Environmental requirements, hardware requirements, and network requirements are described below.
User Documentation and Online Help
Threat Grid Appliance - Threat Grid Appliance user documentation, including this document, the Threat Grid Appliance Administrator’s Guide, Release Notes, integration guides, and more, can be found on the Install and Upgrade page on Cisco.com.
Threat Grid Portal UI Online Help - Threat Grid Portal user documentation, including Release Notes, “Using Threat Grid” Online Help, API documentation, and other information is available from the Help menu located in the navigation bar at the top of the user interface.
Environmental Requirements
The Threat Grid Appliance is deployed on a UCS C220-M3 or C220-M4 server. Before you set up and configure your appliance, make sure the necessary environment requirements for power, rack space, cooling, and other issues are met, according to the specification for your server.
Hardware Requirements
The form factor for the Admin interface is SFP+. If there are no SFP+ ports available on the switch, or SFP+ is not desirable, then a transceiver for 1000Base-T can be used (for example, Cisco Compatible Gigabit RJ-45 Copper SFP Transceiver Module Mini-GBIC - 10/100/1000 Base-T Copper SFP Module).
Figure 2 - Cisco 1000BASE-T Copper SFP (GLC-T)
Monitor: You can either attach a monitor to the server, or, if CIMC (Cisco Integrated Management Controller) is configured, you can use a remote KVM.
Hardware Documentation
Installation and Service Guide for Cisco UCS C220 M4 Server:
http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c/hw/C220M4/install/C220M4.pdf
Installation and Service Guide for Cisco UCS C220 M3 Server:
http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c/hw/C220/install/C220.html
Spec Sheet for Cisco UCS C220 M3 High-Density Rack Server (Small Form Factor Disk Drive Model):
http://www.cisco.com/c/dam/en/us/products/collateral/servers-unified-computing/ucs-c-series-rack-servers/C220M3_SFF_SpecSheet.pdf
Cisco has a power/cooling calculator, which you may also find useful:
https://mainstayadvisor.com/Go/Cisco/Cisco-UCS-Power-Calculator.aspx
Network Requirements
The Threat Grid Appliance requires three networks:
ADMIN - The "Administrative" network. Must be configured in order to perform the appliance setup.
CLEAN - The "Clean" network is used for inbound, trusted traffic to the appliance (requests). This includes integrated appliances. For example, the Cisco Email Security appliances and Web Security appliances (ESA/WSA) connect to the IP address of the Clean interface.
Note: The following specific, restricted kinds of network traffic can be outbound from Clean:
Remote syslog connections
Email messages sent by the Threat Grid Appliance itself
Disposition Update Service connections to FireAMP Private Cloud devices
DNS requests related to any of the above
LDAP
DIRTY - The "Dirty" network is used for outbound traffic from the appliance (including malware traffic).
Note: We recommend using a dedicated external IP address (i.e., the "Dirty" interface) that is different from your corporate IP, in order to protect your internal network assets.
For network interface setup information and illustrations, see the Network Interfaces, and Network Interface Connections Setup sections below.
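The Clean-egress rule above (only remote syslog, the appliance's own email, Disposition Update Service connections to FireAMP Private Cloud, related DNS, and LDAP may leave via Clean; everything else goes out via Dirty) can be verified against flow records from the perimeter firewall. The following is an added example, not part of the Cisco guide: it parses constructed key=value flow records and flags any outbound Clean flow that is not one of the permitted kinds. The interface label, the FireAMP Private Cloud address and the port numbers are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Interface label and FireAMP Private Cloud address are assumptions made for
# this example; the guide names the interfaces and services but no addresses.
CLEAN_IF = "clean"
FIREAMP_PC_HOSTS = {"10.10.20.5"}   # constructed address

# Traffic kinds the guide permits outbound from Clean, keyed by (proto, port).
# The port numbers are conventional defaults assumed here, not from the guide.
ALLOWED_CLEAN_EGRESS = {
    ("udp", 514): "remote syslog",
    ("tcp", 514): "remote syslog",
    ("tcp", 6514): "remote syslog over TLS",
    ("tcp", 25): "email sent by the appliance",
    ("tcp", 587): "email sent by the appliance",
    ("udp", 53): "DNS",
    ("tcp", 53): "DNS",
    ("tcp", 389): "LDAP",
    ("tcp", 636): "LDAP over TLS",
}
# Disposition Update Service connections: HTTPS, but only to FireAMP Private Cloud.
DUS_PORTS = {("tcp", 443)}

KV_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"iface", "dir", "dst", "proto", "dport"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    dst: str
    proto: str
    dport: int
    reason: str


def parse_record(line):
    """Parse one key=value flow record; return None if fields are missing or malformed."""
    fields = dict(KV_RE.findall(line))
    if not REQUIRED.issubset(fields):
        return None
    try:
        fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    fields["proto"] = fields["proto"].lower()
    return fields


def clean_egress_reason(rec):
    """Return why an outbound Clean flow is permitted, or None if it is not."""
    key = (rec["proto"], rec["dport"])
    if key in ALLOWED_CLEAN_EGRESS:
        return ALLOWED_CLEAN_EGRESS[key]
    if key in DUS_PORTS and rec["dst"] in FIREAMP_PC_HOSTS:
        return "Disposition Update Service to FireAMP Private Cloud"
    return None


def check_clean_egress(log_text):
    """Report every outbound flow on Clean that is not a permitted kind."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_record(line)
        if rec is None or rec["iface"] != CLEAN_IF or rec["dir"] != "out":
            continue  # inbound Clean traffic and Dirty/Admin flows are not checked here
        if clean_egress_reason(rec) is None:
            findings.append(Finding(n, rec["dst"], rec["proto"], rec["dport"],
                                    "not a permitted Clean egress kind; should leave via Dirty"))
    return findings


# Constructed sample records (not real appliance or firewall output).
SAMPLE_LOG = "\n".join([
    "2017-03-08T10:00:01 iface=clean dir=out src=10.10.10.20 dst=10.10.30.7 proto=udp dport=514",
    "2017-03-08T10:00:02 iface=clean dir=out src=10.10.10.20 dst=10.10.20.5 proto=tcp dport=443",
    "2017-03-08T10:00:03 iface=clean dir=out src=10.10.10.20 dst=203.0.113.10 proto=tcp dport=443",
    "2017-03-08T10:00:04 iface=clean dir=in src=10.10.60.4 dst=10.10.10.20 proto=tcp dport=443",
    "2017-03-08T10:00:05 iface=dirty dir=out src=192.0.2.77 dst=198.51.100.9 proto=tcp dport=80",
    "2017-03-08T10:00:06 iface=clean dir=out src=10.10.10.20 dst=10.10.40.2 proto=tcp dport=389",
    "2017-03-08T10:00:07 iface=clean dir=out src=10.10.10.20 dst=10.10.50.3 proto=tcp dport=22",
])

if __name__ == "__main__":
    for f in check_clean_egress(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.proto}/{f.dport} to {f.dst}: {f.reason}")
```

Only HTTPS to the configured FireAMP Private Cloud host passes as a Disposition Update Service connection; HTTPS from Clean to any other destination is reported, since such traffic belongs on Dirty.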
DNS Server Access
The DNS server used for all purposes other than Disposition Update Service lookups, resolving remote syslog servers, and resolving the mail server used for notifications from the Threat Grid software itself must be accessible via the Dirty network.
By default, DNS uses the Dirty interface. The Clean interface is used for FireAMP Private Cloud integrations. If the FireAMP Private Cloud hostname cannot be resolved over the Dirty interface, then a separate DNS server that uses the Clean interface can be configured in the OpAdmin interface.
See the Threat Grid Appliance Administrator’s Guide for additional information.
NTP Server Access
The NTP server needs to be accessible via the Dirty network.
Integrations – ESA/WSA/FireAMP etc.
Additional planning may be required if the Threat Grid Appliance is going to be used with other Cisco products, such as ESA/WSA appliances, FireAMP Private Cloud, etc.
DHCP
If you are connected to a network configured to use DHCP, then follow the instructions provided in the Using DHCP section of the Threat Grid Appliance Administrator's Guide.
License
You will receive a license and password from Cisco AMP Threat Grid.
For questions about licenses, please contact support@threatgrid.com.
Organization and Users
Once you have completed the appliance setup and network configuration, you will need to create the initial Threat Grid Organizations and user account(s), so people can log in and begin submitting malware samples for analysis. This task may require planning and coordination among multiple organizations and users, depending on your requirements.
Managing Threat Grid Organizations and users is documented in the Threat Grid Appliance Administrator’s Guide.
Updates
The initial appliance setup and configuration steps must be completed before installing any Threat Grid appliance updates.
We recommend that you check for updates immediately after completing the initial configuration described in this guide.
Updates must be done in sequence. Threat Grid Appliance updates cannot be downloaded until the license is installed, and the update process requires the initial appliance configuration to be completed. Instructions for updating the appliance are located in the Threat Grid Appliance Administrator's Guide.
Note: Verify that SSH is specified for updates.
Threat Grid Appliance User Interfaces
After the server has been correctly attached to the network and powered up, there are several user interfaces available for configuring the Threat Grid Appliance. Note that LDAP authentication is available for TGSH Dialog and OpAdmin with version 2.1.6.
TGSH Dialog
The first interface is the TGSH Dialog, which is used to configure the Network Interfaces. TGSH Dialog is displayed when the appliance successfully boots up.
Reconnecting to the TGSH Dialog
TGSH Dialog will remain open on the console and can be accessed either by attaching a monitor to the appliance or, if CIMC is configured, via remote KVM.
To reconnect to the TGSH Dialog, SSH into the Admin IP address as the user 'threatgrid'.
The required password will either be the initial, randomly generated password, which is visible initially in the TGSH Dialog, or the new Admin password you create during the first step of the OpAdmin Portal Configuration, which is described in the next section.
OpAdmin Portal
This is the primary Threat Grid GUI configuration tool. Much of the appliance configuration can ONLY be done via OpAdmin, including licenses, email host, SSL Certificates, etc.
AMP Threat Grid Portal
The Threat Grid user interface application is available as a cloud service, and is also installed on Threat Grid Appliances. There is no communication between the Threat Grid Cloud service and the Threat Grid Portal that is included with a Threat Grid Appliance.
CIMC
Another user interface is the Cisco Integrated Management Controller ("CIMC"), which is used to manage the server.
Network Interfaces
Admin Interface
Connect to the Admin network. Only inbound from Admin network.
OpAdmin UI traffic
SSH (inbound) for tgsh-dialog
Note: The form factor for the Admin interface is SFP+. See Figure 2 - Cisco 1000BASE-T Copper SFP (GLC-T).
Clean Interface
Connect to the Clean network. Clean must be accessible from the corporate network but requires no outbound access to the Internet, except in Recovery Mode.
UI and API traffic (inbound)
Sample Submissions
SMTP (outbound connection to the configured mail server)
Recovery Mode Support Session (outbound)
SSH (in for tgsh-dialog)
Syslog (outbound to configured syslog server)
ESA/WSA – CSA Integrations
FireAMP Private Cloud Integration
DNS – Optional.
LDAP (outbound)
Dirty Interface
Connect to the Dirty network. Requires Internet access. Outbound Only!
DNS
Note: If you are setting up an integration with a FireAMP Private Cloud, and the FireAMP appliance hostname cannot be resolved over the Dirty interface, then a separate DNS server that uses the Clean interface can be configured in OpAdmin.
NTP
Updates
Support Session in Normal Operations Mode
Support Snapshots
Malware Sample-initiated Traffic
CIMC Interface
Recommended. If the Cisco Integrated Management Controller (“CIMC”) interface is configured, it can be used for server management and maintenance. For more information see APPENDIX A – CIMC CONFIGURATION (RECOMMENDED).
Reserved Interface
The non-Admin SFP+ port is reserved for future use.
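As an added example (not Cisco's code or part of this guide), the following Python script encodes the per-interface traffic model described above as a policy table and audits constructed firewall flow records against it, flagging flows the model does not permit (for example, general outbound traffic on Clean, or any inbound connection on Dirty). The service labels and the key=value record format are assumptions made for this example.

```python
"""Audit flow records against the Threat Grid Appliance per-interface traffic model (added example)."""
from dataclasses import dataclass

ANY = "*"

# Allowed services per interface and direction, taken from the interface
# descriptions above. Service names are labels chosen for this example.
POLICY = {
    "admin": {"inbound": {"opadmin-ui", "ssh"}, "outbound": set()},
    "clean": {
        "inbound": {"ui-api", "ssh", "esa-wsa", "fireamp-private-cloud"},
        "outbound": {"smtp", "syslog", "ldap", "dns",
                     "fireamp-private-cloud", "support-session-recovery"},
    },
    # Dirty is outbound only; sample-initiated traffic may go anywhere.
    "dirty": {"inbound": set(), "outbound": {ANY}},
}

@dataclass(frozen=True)
class Flow:
    interface: str
    direction: str
    service: str
    peer: str

def parse_record(line):
    """Parse one constructed 'key=value' firewall record into a Flow."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["iface"], fields["dir"], fields["svc"], fields["peer"])

def is_allowed(flow):
    """True if the documented model permits this flow on this interface."""
    rules = POLICY.get(flow.interface, {})  # unknown interface: nothing allowed
    allowed = rules.get(flow.direction, set())
    return ANY in allowed or flow.service in allowed

def audit(lines):
    """Return the flows in the records that the model does not permit."""
    return [f for f in map(parse_record, lines) if not is_allowed(f)]

# Constructed sample records (not real appliance or firewall output).
SAMPLE_RECORDS = [
    "iface=admin dir=inbound svc=opadmin-ui peer=10.0.0.5",
    "iface=clean dir=outbound svc=syslog peer=10.0.1.20",
    "iface=clean dir=outbound svc=https peer=198.51.100.7",  # Clean has no general egress
    "iface=dirty dir=inbound svc=ssh peer=203.0.113.9",       # Dirty is outbound only
    "iface=dirty dir=outbound svc=https peer=203.0.113.40",   # sample traffic, permitted
    "iface=admin dir=outbound svc=dns peer=10.0.0.53",        # Admin is inbound only
]
```

Running `audit(SAMPLE_RECORDS)` returns the three records that violate the model; the same table can be used to review a proposed firewall rule set before the appliance is connected.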
Login Names and Passwords - Defaults
Web UI Administrator
Login: admin
Password: "changeme"
OpAdmin and Shell user
Use the initial Threat Grid/TGSH Dialog randomly generated password, and then the new password entered during the first step of the OpAdmin configuration workflow.
If you lose the password, follow the Lost Password instructions located in the Support section of the Threat Grid Appliance Administrator's Guide.
CIMC (Cisco Integrated Management Controller)
Login: admin
Password: "password"
Setup and Configuration Steps Outline
The following setup and initial configuration steps are described in this document:
Server Setup.
Network Interface Connections Setup:
Admin
Clean
Dirty
Initial Network Configuration - TGSH Dialog.
Main Configuration – OpAdmin Portal.
Install Updates.
Test the Appliance setup: Submit a Sample for Analysis.
Admin Configuration – Complete the remaining administrative configuration tasks (license installation, email server, SSL Certificates, etc.) in the OpAdmin Portal as documented in the Threat Grid Appliance Administrator's Guide.
Time Required for Setup and Configuration
You should allow yourself approximately 1 hour to complete the server setup and initial configuration steps.
Note: Please be patient during the "Apply" sections of the TGSH Dialog during the initial Appliance configuration installation steps. These steps can sometimes take more than 10 minutes to complete.