FidelisUserGuide 60

User Guide
Version 6.0
Copyright 20022010 by Fidelis Security Systems, Inc.
All rights reserved worldwide.
Fidelis XPS, version 6.0
User Guide, version 6.0
Revised March 2010
Users are granted permission to copy and/or distribute this document in its original electronic form and print
copies for personal use. This document cannot be modified or converted to any other electronic or
machine-readable form in whole or in part without prior written approval of Fidelis Security Systems, Inc.
While we have done our best to ensure that the material found in this document is accurate, Fidelis
Security Systems, Inc. makes no guarantee that the information contained herein is error free.
Fidelis XPS includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
Fidelis Security Systems

4416 East West Highway, Suite 310
Bethesda, MD 20814
Table of Contents
Preface............................................................................................................................................. 1
Intended Audience ....................................................................................................................... 1
Technical Support ........................................................................................................................ 2
Available Guides .......................................................................................................................... 2
Fidelis XPS Overview.................................................................................................................. 3
Fidelis XPS Modules.................................................................................................................... 3
CommandPost ........................................................................................................................ 4
Direct....................................................................................................................................... 4
Internal .................................................................................................................................... 4
Proxy ....................................................................................................................................... 4
Mail.......................................................................................................................................... 5
Web Walker............................................................................................................................. 5
Connect................................................................................................................................... 5
Fidelis XPS Policies ..................................................................................................................... 5
Prebuilt Policies....................................................................................................................... 5
Custom Policies ...................................................................................................................... 6
Chapter 1 Getting Started .............................................................................................................. 7
Access CommandPost................................................................................................................. 7
Change your Account .................................................................................................................. 7
Access the Guides ....................................................................................................................... 8
Lock Icon ..................................................................................................................................... 8
CommandPost Navigation ........................................................................................................... 8
System Status.............................................................................................................................. 8
Logout.........................................................................................................................................10
Using Non-ASCII Characters in Fidelis XPS...............................................................................10
Chapter 2 The Dashboard .............................................................................................................11
The Radar Page .........................................................................................................................11
What is an event? ..................................................................................................................11
What is an alert? ....................................................................................................................11
What is alert radar? ................................................................................................................11
Uses of Alert Radar ................................................................................................................12
Current Status Frame.............................................................................................................13
Information Flow Map Page ....................................................................................................14
The Information Flow Map......................................................................................................15
Controls in the Left Panel .......................................................................................................17
Fidelis XPS User Guide Version 6.0 Table of Contents iii

Filtering and Sorting Criteria...................................................................................................19
Chapter 3 Understand and Manage Alert Workflows .................................................................22
Access to Alerts and Quarantined E-Mails..................................................................................22
Handle Alerts ..............................................................................................................................22
The Alert Workflow Log...............................................................................................................23
Manage a Single Alert.................................................................................................................23
Change Status .......................................................................................................................23
Change Alert Group ...............................................................................................................24
Manage Multiple Alerts ...............................................................................................................24
Chapter 4 Understand and Manage Alerts ..................................................................................25
Alert Report.................................................................................................................................26
Alert Quick Summary .............................................................................................................26
Filter Alerts .............................................................................................................................27
Navigate Alert Pages ..................................................................................................................27
Alert Actions................................................................................................................................28
Alert Labels ............................................................................................................................28
Export Alerts to Excel .............................................................................................................28
Purge Alerts ...........................................................................................................................29
Alert Report Page Controls .........................................................................................................29
System Reports for Alerts ......................................................................................................30
Search for Alerts ....................................................................................................................30
Duration..................................................................................................................................35
Include or Exclude Incoming Alerts ........................................................................................35
Customize Alert Report...............................................................................................................36
Group .....................................................................................................................................36
Group Details .........................................................................................................................38
Create PDF Reports for Alerts ....................................................................................................38
Trending......................................................................................................................................39
Alert Details ................................................................................................................................41
Alert Highlighting ....................................................................................................................43
Scroll through Alert Details.....................................................................................................44
Download Text File.................................................................................................................44
Find Similar Alerts ..................................................................................................................44
Manage Label ........................................................................................................................45
Purge this Alert.......................................................................................................................45
Alert Compression..................................................................................................................45
Decoding Path and Channel Attributes ..................................................................................45
Forensic Data.........................................................................................................................47
Recorded TCP Session..........................................................................................................47
Tune Rules from an Alert ............................................................................................................49
Fidelis XPS User Guide Version 6.0 Table of Contents iv

Chapter 5 Understand and Manage Quarantined E-Mails ..........................................................52
Understand Fidelis XPS Mail Quarantine....................................................................................52
The Quarantine Report ...............................................................................................................53
Take Actions on Quarantined E-Mails.........................................................................................54
Deliver or Discard Quarantined E-Mail........................................................................................54
Search Quarantined E-Mails.......................................................................................................54
Search Quarantined E-Mails using Duration...............................................................................56
Advanced Search for Quarantined E-Mails.................................................................................57
Quarantine Details ......................................................................................................................58
Chapter 6 Manage Reports ...........................................................................................................59
Create Custom Reports ..............................................................................................................60
Search....................................................................................................................................60
Filters .....................................................................................................................................62
Duration..................................................................................................................................63
Columns .................................................................................................................................64
Group By ................................................................................................................................66
Custom Report Controls.........................................................................................................66
Run Custom Reports ..................................................................................................................67
Edit Custom Reports...................................................................................................................67
Copy Custom Reports.................................................................................................................67
Save and Schedule Reports .......................................................................................................68
Save .......................................................................................................................................68
Save and Schedule ................................................................................................................68
Delete Reports............................................................................................................................69
Chapter 7 Create and Use Quick Reports....................................................................................70
Define Quick Reports..................................................................................................................70
Create Quick Reports .................................................................................................................73
Create PDFs for Quick Reports ..................................................................................................74
Schedule Quick Reports .............................................................................................................74
Chapter 8 Network Reports ..........................................................................................................75
TCP Resets ................................................................................................................................77
Application Protocols ..................................................................................................................78
IP Defragmenter .........................................................................................................................79
Inline Module ..............................................................................................................................80
Network Statistics .......................................................................................................................81
TCP Processor ...........................................................................................................................82
Proxy...........................................................................................................................................83
Mail .............................................................................................................................................84
Connect ......................................................................................................................................85
Web Walker ................................................................................................................................85
Fidelis XPS User Guide Version 6.0 Table of Contents v

Chapter 9 Manage Users, Roles, and Groups .............................................................................86
Access Control in CommandPost ...............................................................................................87
Small Security Teams .................................................................................................................88
Define User Profiles ....................................................................................................................88
Add or Edit a Local User .............................................................................................................89
Delete a User..............................................................................................................................91
Define Alert Management Groups ..............................................................................................92
Add or Edit an Alert Management Group ...............................................................................92
Delete an Alert Management Group.......................................................................................93
Define User Roles.......................................................................................................................93
Access Roles .........................................................................................................................94
Add or Edit a Custom Role.....................................................................................................95
Delete a Custom Role ............................................................................................................96
Chapter 10 Configure Fidelis XPS Components .........................................................................97
The Component Page.................................................................................................................97
Component Information ..............................................................................................................97
Status Lights ..........................................................................................................................97
Details ....................................................................................................................................97
License Messages..................................................................................................................98
Component Buttons................................................................................................................98
Add a Sensor ..............................................................................................................................99
Edit a Sensor ..............................................................................................................................99
License...................................................................................................................................99
Expiration .............................................................................................................................100
System Monitor ....................................................................................................................100
Logs .....................................................................................................................................102
Configure CommandPost..........................................................................................................103
User Authentication ..............................................................................................................103
Email Configuration ..............................................................................................................107
User Notification ...................................................................................................................108
LDAP Configuration..............................................................................................................109
LDAP Reports ......................................................................................................................111
Alert Storage ........................................................................................................................112
CommandPost Language Configuration ..............................................................................113
Diagnostics...........................................................................................................................114
Archive .................................................................................................................................115
Configure Sensors ....................................................................................................................116
Sensor Run Time Information ..............................................................................................116
Sensor Config Page .............................................................................................................116
Direct and Internal ................................................................................................................117
Fidelis XPS User Guide Version 6.0 Table of Contents vi

Proxy ....................................................................................................................................122
Mail.......................................................................................................................................123
Web Walker..........................................................................................................................125
Connect................................................................................................................................127
EMail Relayhost ...................................................................................................................129
Sensor Language Configuration...........................................................................................129
Chapter 11 Version Control ........................................................................................................131
Fidelis Release Naming Conventions .......................................................................................131
Update Fidelis XPS...................................................................................................................132
Prepare to Update ................................................................................................................132
Run Update ..........................................................................................................................132
Update Progress ..................................................................................................................133
Schedule Update ......................................................................................................................134
Cancel Scheduled Jobs ............................................................................................................135
Chapter 12 Configure Exports ....................................................................................................136
Export Methods.........................................................................................................................136
Fidelis Archive ......................................................................................................................136
EMail and Syslog .................................................................................................................136
SNMP Trap and ArcSight .....................................................................................................138
Verdasys Digital Guardian....................................................................................................138
IBM SiteProtector .................................................................................................................138
Define Exports ..........................................................................................................................139
Available Export Buttons ......................................................................................................140
Testing Export Communication ............................................................................................140
Delete Exports ..........................................................................................................................140
Chapter 13 Audit ..........................................................................................................................141
Access Audit .............................................................................................................................141
Search for Audit Entries ............................................................................................................142
Search Terms.......................................................................................................................142
Notes about Search Options ................................................................................................143
Time Periods ........................................................................................................................143
Chapter 14 Backup and Restore.................................................................................................144
Accessing the Command Line Interface ...................................................................................144
Backup and Restore CommandPost.........................................................................................144
Backup CommandPost.........................................................................................................144
Restore CommandPost ........................................................................................................145
Backup and Restore a Sensor ..................................................................................................146
Chapter 15 Archive ......................................................................................................................147
Export Archive Data .............................................................................................................147
Import Archive Data..............................................................................................................147
Fidelis XPS User Guide Version 6.0 Table of Contents vii

Index .............................................................................................................................................149
List of Tables
Table 1. Critical conditions................................................................................................................ 9
Table 2. High severity conditions ...................................................................................................... 9
Table 3. Controls .............................................................................................................................16
Table 4. Filter Lists ..........................................................................................................................20
Table 5. Actions list options .............................................................................................................24
Table 6. System Reports .................................................................................................................30
Table 7. Alert search fields ..............................................................................................................32
Table 8. Sections in Alert Details .....................................................................................................42
Table 9. Decoding paths..................................................................................................................46
Table 10. Quarantined E-mail: search fields....................................................................................55
Table 11. Quarantined E-mail: advanced search fields ...................................................................57
Table 12. Search Fields...................................................................................................................60
Table 13. Filters ...............................................................................................................................62
Table 14. System report columns ....................................................................................................64
Table 15. Quick reports ...................................................................................................................71
Table 16. Determine user access ....................................................................................................90
Table 17. User access levels ...........................................................................................................94
Table 18. General parameters .......................................................................................................119
Table 19. Advanced parameters....................................................................................................120
Table 20. Proxy parameters ..........................................................................................................122
Table 21. Mail parameters .............................................................................................................124
Table 22. Web Walker parameters ................................................................................................125
Table 23. Connect: General parameters........................................................................................127
Table 24. Alert Export keywords ....................................................................................................137
Table 25. Audit Log columns .........................................................................................................142
Fidelis XPS User Guide Version 6.0 Table of Contents viii

Preface
This guide describes how to use the Fidelis XPSCommandPost console to monitor and
manage security alerts, to configure sensors, and to create and maintain CommandPost users
This guide contains the following chapters:
The Overview describes Fidelis XPS: the CommandPost Management Console and other
moudules. This section also briefly describes prebuilt and custom policies.
Chapter 1 Getting Started describes how to access and navigate CommandPost, change account
information, and access more information.
Chapter 2 describes the and how to use alert radar and Information Flow Map.
Chapter 3 describes how to manage alert workflows.
Chapter 4 describes the alert report and how to use alert features.
Chapter 5 describes the quarantine management list and how to manage quarantined e-mails.
Chapter 6 describes how to manage Custom Reports.
Chapter 7 describes how to create and use Quick Reports.
Chapter 8 describes how to use network reports.
Chapter 9 describes how to create and modify user information.
Chapter 10 describes how to configure CommandPost and Fidelis XPS sensors.
Chapter 11 descries how to update and manage Fidelis XPS versions.
Chapter 12 describes how to configure exports.
Chapter 13 describes the Audit feature and how to run it from the CommandPost GUI.
Chapter 14 describes how to backup and restore CommandPost and sensors.
Chapter 15 describes how to Archive alert and session data on the CommandPost.
Intended Audience
This information is intended for network system administrators familiar with networking, computer
security, and with the security requirements and practices of their enterprises. This help system
and related guides are intended for users that fit into at least one of the following major categories:
The alert and quarantine managers are frequent users of the system, likely to visit the
CommandPost GUI several times each day. Both roles are usually filled by system
administrators responsible for reviewing alerts (or quarantined e-mails) and managing any
action required within the enterprise. Alert and quarantine management require high level
data analysis and the ability to delve into the details of any single violation.
The network IT manager will be the first to touch the CommandPost, but is expected to rarely
use Fidelis XPS after initial installation. The IT manager might need to adjust sensor network
settings and CommandPost to sensor communications, manage CommandPost users and
their credentials, and monitor network statistics to verify connectivity.
Fidelis XPS User Guide Version 6.0 Preface 1

Technical Support
For all technical support related to this product, check with your site administrator to determine
support contract details. Contact your reseller or if you have a direct support contract, contact the
Fidelis Security support team at:
Phone: +1 301.652.7190*
Toll-free in the US: 1.800.652.4020*
*Use the customer support option.
E-mail: support@fidelissecurity.com
Web: https://portal.fidelissecurity.com
Available Guides
The following guides are available:
The Guide to Creating Policies describes how to define policies and the rules and fingerprints that
policies contain.
The Guide to Prebuilt Policies describes policies that ship with Fidelis XPS and the rules and
fingerprints that these policies contain. This guide also indicates which rules and fingerprints might
need to be configured for your enterprise.
The Enterprise Setup and Configuration Guide describes how to set up and configure Fidelis XPS
hardware.
Release Notes are updated with each release to provide information about new features, major
changes, and bugs corrected.
Fidelis XPS User Guide Version 6.0 Preface 2

Fidelis XPS Overview
Since 2002, organizations have chosen the Fidelis Extrusion Prevention System, Fidelis XPS,
to solve their biggest data leakage challengessafeguarding intellectual property and identity
information, complying with government and industry privacy regulations, and enabling visibility and
control of their networks. Built on a patented deep session inspection platform, Fidelis XPS is the
industry's only next-generation data leakage prevention solution with the power to deliver
comprehensive prevention over all 65,535 ports and all channels, complete visibility and control,
and the lowest total cost-of-ownership to stop network data leakage on gigabit-speed networks.
Simply deployed as a context-aware network appliance, Fidelis XPS gives global enterprises
unequalled accuracy, security, and performance.
Enterprises use Fidelis XPS to protect against leakage of sensitive information and to enforce
corporate network usage policies. Sensitive information examples include trade secrets, budgets,
contracts, merger and acquisition activity, consumer information, research, and many other forms.
Enforcement of network usage policies includes usage of corporate resources for personal
activities, proper handling of sensitive data, and proper usage of network security measures in
place for web proxies, e-mail gateways, and more.
The Fidelis Extrusion Prevention System product family includes multiple Fidelis XPS sensors
each designed to address the most demanding network environmentsand the CommandPost
management console. Refer to Fidelis XPS Modules.
DLP or extrusion prevention is also done through the use of policies that map Fidelis XPS
technology to laws and regulations so that business infrastructure requirements are met. Refer to
Fidelis XPS Policies.
Fidelis XPS Modules

Fidelis XPS modules and the appliances on which they reside include several types of sensors
placed within your network and a management console. The sensors can be deployed to specific
areas of the network to provide control and visibility as needed. This section describes how an
enterprise might deploy Fidelis XPS modules and provides an overview of all available sensors and
the CommandPost console.
Figure 1. Fidelis XPS Modules
Fidelis XPS User Guide Version 6.0 Overview 3

CommandPost
The CommandPost module is the management console and offers web-based enterprise
administration and strong third-party product integration. CommandPost collects, aggregates, and
stores data from multiple sensors.
You can access the web-based, CommandPost GUI from anywhere on your network to:
Visually monitor and analyze network alerts and other data in real time.
Enable, disable, or customize policies and rules as required.
Add, configure, and manage sensors and the console itself.
Create CommandPost users using the granular access control capabilities in several user
authentication mechanisms including integration with a user directory server.
Export information to a third party network alert aggregation system.
Use the built-in reports or customize reports to your requirements. Reports can be scheduled
for automatic delivery or run in real time with click-through drill down capability.
For information about setting up CommandPost, refer to chapters 2 and 4 in the Enterprise Setup
and Configuration Guide. To get started using CommandPost, refer to Getting Started. For more
information about CommandPost's configuration features, refer to Configure CommandPost.
Direct
The Direct module is used to monitor direct-to-Internet traffic and provides prevention on all ports
and all application protocols. Products with the Direct module are typically deployed at the network
perimeter, inline or out-of-band to monitor applications and protocols at multi-gigabit speed.
Fidelis offers products with the Direct module ranging from 25 Mb/s to 2.5Gb/s.
For more details, refer to Direct and Internal. For information about setting up and configuring
Direct, refer to chapter 5 in the Enterprise Setup and Configuration Guide.
Internal
The Internal module addresses internal traffic to ensure protection for your enterprise's databases,
file shares, and user directories. Products with Internal capability are typically deployed in the
network core to provide visibility and control of information leaving data centers or transmitted
between divisions. The Internal provides prevention on all ports and all protocols.
Fidelis XPS offers products with Internal modules ranging from 25 Mb/s to 2.5 Gb/s.
For more details, refer to Direct and Internal. For information about setting up and configuring this
sensor, refer to chapter 5 in the Enterprise Setup and Configuration Guide.
Proxy
The Proxy module offers an interface to a third party HTTP proxy using the Internet Content
Adaptation Protocol (ICAP). ICAP is a lightweight and extensible point-to-point protocol used for
requesting services for content inspection.
The Proxy module offers the following advantages for HTTP traffic:
Prevention can be accomplished by redirecting the user to a customizable web page that
states their violation and other applicable information.
When combined with an ICAP-enabled SSL proxy, the Proxy module can access unencrypted
data destined to secure web sites.
Refer to Proxy. For information about setting up and configuring this sensor, refer to chapter 6 in
the Enterprise Setup and Configuration Guide.

Mail
The Mail module provides graceful control of your enterprise's e-mail traffic. The Mail module
supports monitoring and prevention similar to the Direct module, but also offers the ability to
quarantine and to redirect messages to secure e-mail gateways. You can deploy products with the
Mail module in an SMTP path in MTA mode or with a Milter-enabled e-mail gateway.
For more details, refer to Mail . For information about setting up and configuring this sensor, refer to
chapter 7 in the Enterprise Setup and Configuration Guide.
Web Walker
The Web Walker module is used to scan all content on one or more internal web sites and analyze
the data against your extrusion policies. Deploying products with the Web Walker module in your
environment will notify you if sensitive material is available on your web site.
For more details, refer to Web Walker. For information about setting up and configuring this sensor,
refer to chapter 8 in the Enterprise Setup and Configuration Guide.
Connect
The Connect module provides content inspection services to any application that provides a Simple
Content Inspection Protocol (SCIP) interface. SCIP is a TCP-based, client-server communication
protocol that provides the ability to submit information for content analysis and retrieve results.
For more details, refer to Connect. For information about setting up and configuring this sensor,
refer to chapter 9 in the Enterprise Setup and Configuration Guide.
Fidelis XPS Policies

A policy is a set of rules that guide business practices within an enterprise. Some examples include
determining acceptable use of network resources, preventing transmission of sensitive information,
and ensuring compliance with privacy laws.
Fidelis XPS provides policy-based enforcement that maps rules to your enterprise's content
disclosure or network use policies.
Prebuilt Policies
Fidelis XPS ships with multiple policies that are grouped into one of the following categories:
Compliance.
Protection of digital assets and sensitive information.
Managing insider use of the Internet.
All prebuilt policies will require some level of configuration, as described in the Guide to Prebuilt
Policies.
C o m pl i a nc e
Fidelis XPS can be used to enforce policies to comply with federal and state privacy laws and
industrial security standards. Such laws and standards include HIPAA, GLBA, PCI and many
others. The following policies use rules that can prevent inappropriate transmission of this
information:
Identity Leakage
HIPAA
PCI
Financial Information

Prot ection of Digi tal Assets a n d S e ns i t i v e I n f o r m a t i o n
Fidelis XPS can be used to enforce policies pertaining to corporate sensitive information. These
policies are:
Digital Asset Protection (DAP) provides the capability to detect and prevent sensitive
materials being leaked through the network.
U.S. Federal Government provides enforcement of Department of Defense Directive 5200.1
M a n a gi n g I ns i der U s e o f t he I nt e r n et
Fidelis XPS can be used to enforce corporate policy pertaining to the acceptable use of Internet
resources. The policies in this category are:
Application Management (AM) allows enforcement of unauthorized applications, such as

peer-to-peer file sharing, instant messenger, access to web-based e-mail systems, and many
others.
Unauthorized Traffic (UT) is the detection and prevention of users who circumvent corporate
security measures by using unauthorized proxies, defeating firewall rules, and using
unauthorized encryption methods
Inappropriate Content enforces policies regarding offensive material or language on the
corporate network.
In addition, the File Transfer Management policy can apply to each major category. Using this
policy and customizing it appropriately enables you to manage the types of files transferred over
the network.
For more detailed information about each policy, refer to the Guide to Prebuilt Policies.
Custom Policies
In addition to the prebuilt policies, it is possible to use the rich policy creation engine to define any
network security policy required within your enterprise. Policies are a collection of rules, which are
based on some definition of network traffic. The definition can be one or more of the following
methods of identifying network traffic:
Content refers to the textual content of an e-mail message, an IM chat, a file, or any other
container of information. Fidelis XPS offers eleven methods to describe sensitive information,
which include methods to register and methods to profile the information. Registration refers
to the process of locating the sensitive information in its original format, sending it to
CommandPost, and registering the content. Profiling refers to methods to describe sensitive
information without the need to locate it.
Location refers to the sender or the recipient of the information.
Channel refers to all other aspects of network communication including the application
protocol, attributes (such as URL, FTP user name, and social networking application modes
of operation), the time of day and day of the week, the length of the communication, and
many other parameters.
Using the combination of configured prebuilt and custom policies, an administrator is able use
Fidelis XPS to enforce all corporate policies for network usage and confidentiality.
For information about editing or creating policies and rules for your enterprise, refer to the Guide to
Creating Policies.

Chapter 1 Getting Started
Fidelis XPS is a real-time, extrusion prevention system that detects and prevents network abuse
and extrusions. It reassembles and analyzes traffic on your computer network. Fidelis XPS
accomplishes this though its sensors and the CommandPost management console. CommandPost
enables you to manage and configure the sensors that detect network abuse and extrusions.
This chapter provides information on how to get started using CommandPost including: accessing
and navigating CommandPost, changing your account information, and where to find more
information.
Access CommandPost
You can access CommandPost from anywhere on your network, by using a web browser that
supports SSL. Communications between the sensors and CommandPost and between
CommandPost and the web-based GUI are encrypted SSL communications.
CommandPost has been verified with Microsoft Internet Explorer versions 6, 7 and 8 and with
Mozilla Firefox versions 1, 2, and 3.
For CommandPost to work properly, your client workstation must have the following installed:
Adobe Flash Player obtain a recent version of Adobe Flash Player free of charge from the
Adobe web site at www.adobe.com.
WinSCP available free of charge from the WinSCP web site at www.winscp.net. WinSCP
transfers files to CommandPost for policy creation and verification. All other aspects of
CommandPost function properly without WinSCP.
Allow pop-up windows from the CommandPost server.
Enable Javascript execution in your browser.
Change your Account

From your browser, navigate to the IP address of the console device and log in with the user name
and password that Technical Support provides. The CommandPost Radar page displays.
Change the password for this account immediately after your first log in.
Note: Access to account information is determined based on the CommandPost
configuration for user authentication. Questions should be addressed to your
CommandPost system administrator.
To do this:
1. Click the Account link at the top right corner. The Change Account dialog box displays.
Figure 2. Change Account Information

2. Enter your old password and then enter your new password.
3. Re-enter your new password.
4. You can change the full name and the e-mail address associated with this account.
Fidelis XPS User Guide Version 6.0 Getting Started 7

5. Click Change. CommandPost saves the new password, name, and e-mail address. If you
changed the password, the system will log you out.
6. Log in with your new password.
7. Add a new user for each CommandPost user. Fidelis recommends adding at least one new
user, even if you are the only one accessing the system. Refer to Users for more information.
Access the Guides

Click the help icon at the top of the CommandPost GUI. The Fidelis XPS WebHelp system
displays. Click the PDF Downloads link in the Table of Contents to display the Guides page with its
links to the PDF files for the guides, the release notes, and the redistribution notice.
The information in the User Guide and The Guide to Creating Policies is accessible in WebHelp.
Lock Icon
Fidelis XPS CommandPost and sensors communicate over encrypted SSL connections, using self-
signed certificates and an internal authentication method. This mode can be overridden by
installing externally generated certificates that use the Public Key Infrastructure (PKI). Refer to the
Enterprise Setup and Installation Guide for information about installing PKI certificates to run in this
mode.
When operating with PKI certificates, a lock icon appears at the top right of the CommandPost
menu bar. You can mouse over the lock icon to see the expiration date for the certificate.
CommandPost Navigation
With the exception of Radar, clicking a main menu option in the CommandPost GUI displays
subnavigation menus. A highlighted option from the subnavigation menu indicates which page is
currently accessed. CommandPost navigation is "sticky" meaning that if you later return to the
same major heading, the page last accessed displays.
Note: Users need permissions to see many of the menu options. If a user does not
have the appropriate permissions for a menu option, that option does not display.
Refer to User Roles.
System Status
System Status provides information about Fidelis XPS components and their status that you can
access from any GUI page. The diamond next to System Status reflects the status of the
component with the highest severity. Mouse over the System Status diamond to see the list of
components. The component list that displays is CommandPost and all sensors that have been
registered which are within the users access privileges. Refer to Define User Profiles. Mouse over
a component in the list to see a message about that component's status. Each component has a
green, yellow, or red diamond next to it to indicate the severity of the component's status.
Note: Users need permissions to see system status. Refer to User Roles.
Green indicates that the component is operational.
A red diamond indicates a condition with critical severity. The following table describes some of the
more common conditions that can cause system status messages with this severity.

Table 1. Critical conditions
Condition Description
Invalid License Contact Technical Support for a new license.
Sensor has lost connection Sensors can lose connectivity with the CommandPost for a number of
Sensor has not communicated reasons.
in the last 10 minutes
Insufficient disk space, alerts & This can occur if CommandPost cannot insert alerts or sessions into
sessions not being inserted the data store.
Unable to make space for This can occur if CommandPost cannot delete alerts or sessions from
alerts/sessions, alerts & the data store when operating at space limitations.
sessions not being inserted
Process is having difficulties The process manager sends this notification if it cannot start one of the
starting server processes on the sensor or on CommandPost.
Disk space on partition is gone The process manager runs on sensors and checks the disk periodically.
A yellow diamond indicates a condition with high severity. The following table describes some of
the more common conditions that can cause system status messages with this severity.
Table 2. High severity conditions
High stress levels Fidelis XPS sensors reassemble packets into sessions in the sensor
memory.Stress is an indication of the amount of memory currently
consumed by the sensor for reassembly. As stress increases, the
sensor's ability to analyze all traffic diminishes. There are several
reasons for increased stress:
1. When the incoming data is missing packets, stress will be high. In
this situation, the sensor cannot efficiently reassemble sessions. In high
stress situations with high packet loss, the sensor may be inoperable.
Packet loss is the most common culprit in high sensor stress and must
be remedied within the enterprise network.
2. When sustained network bandwidth exceeds the rating of the sensor,
stress may be high. The remedy is to analyze the sensor model and
whether it is rated to handle the observed network bandwidth.
3. When network bandwidth exceeds the rating of the sensor for small
bursts, stress may rise temporarily. The sensor can withstand busts as
indicated by momentary rises in the stress level.
Policy update required This occurs when policy assignments on CommandPost are not sent to
the sensors by a policy update . The sensor will be executing the last
policy download, not the assignments shown on CommandPost. Refer
to chapter 9 in the Guide to Creating Policies.

License refresh required Ensure that you entered the license key for the component. Refer to
License expired License. Contact Technical Support if you require a new license.
License expires within one day
License expires in [number of]
days
Demo mode
License error
No sensor registered Register each sensor with the CommandPost. Refer to Add a Sensor.
[number of] alerts & [number of] CommandPost deletes alerts from the data store when operating at
sessions deleted to create space space limitations.
Database maintenance running, This occurs when database maintenance takes place on
alerts are being spooled CommandPost. Refer to Alert Storage to schedule this maintenance.
Rate of logging too high, spooler A sensor sends this message if it cannot write alerts to the spool file
cannot keep up fast enough.
Logout
To securely log out of CommandPost, click the logout link at the top of the page. Logging out will
end your browser session to CommandPost.
Note: If inactive for 15 minutes, CommandPost will log you out.
Using Non-ASCII Characters in Fidelis XPS

Fidelis XPS supports the use of non-ASCII characters in most input fields.The fields that do not
allow Unicode are: e-mail addresses, host names, domain names, login names, and server
directory names. CommandPost user names and passwords also do not support Unicode
characters.

Chapter 2 The Dashboard
The Dashboard enables you to access either the Fidelis XPS Radar page or the Information Flow
Map page.
All users can access the Radar or the Information Flow Map page.
Both the Radar and the Information Flow Map pages require the Adobe Flash Player. Refer to
Getting Started for details.
The Radar Page

CommandPosts unique Radar page is a real-time graphical representation of alerts occurring on
your network.
To access this page, Click Dashboard>Radar.
The Radar page refreshes with new alert data periodically. Alerts are caused by events on your
network.
What is an event?
When a Fidelis XPS sensor detects an extrusion of sensitive information or security breach, it
generates an event. An event can be generated as the result of a match to a specific rule and can
result in generating an alert, preventing the session, throttling the session, quarantining e-mail,
rerouting e-mail, or combinations of these actions.
What is an alert?
An alert is the recorded and displayed incidence of an event. Alerts are generated only if the alert
action for an event is enabled in the violated rule. Alerts are transferred to and stored by
CommandPost.
Figure 3. The Radar page
What is alert radar?

Alert Radar graphically represents alerts occurring on your network, grouped by common
characteristics identified by CommandPosts Adaptive Alert Classifier which uses artificial neural
networks technology.
Fidelis XPS User Guide Version 6.0 Dashboard 11

What are alert cl us ters?
CommandPosts Adaptive Alert Classifier groups related network alerts into an alert cluster.
Clusters are a visual presentation of similar alerts. When creating a cluster, CommandPost
considers the sender and receiver of the information transfer, the time of the transfer, the sensor on
which the alert was detected, the rule violated, and the priority of an alert.
CommandPost creates clusters based on similar information, but not necessarily equivalent or
related information. For example, alerts with similar, but not equal, source IP addresses may be
grouped in a single cluster, which may be indicative of a problem generated by a location rather
than an individual. Also, alerts from a similar time period during normal working hours may be
grouped together while others occurring during non-working hours may be grouped into a different
cluster.
A cluster is represented by a dot or a line on the alert radar. The line represents a cluster that
contains several alerts over time. The line connects the first and most recent alerts within the
cluster. A dot represents a single alert or several alerts that were detected at the same time.
The clusters are intended as a visual representation of alert activity and are not necessarily
presented in the best form for investigation into network behavior. CommandPost offers many
features for investigative purposes, including the Alerts and Alert Details pages, the Quarantine and
Quarantine Details pages, reports, searches, filtering, and sorting.
What does the Radar show ?

Alert clusters requiring immediate attention are in red. The orange-
colored alerts represent alerts with a high severity. Alerts with medium
severity are colored in blue and green and symbolize a low-level alert.
The shape of the alert cluster on the radar corresponds to its
durationan alert grouping that appears as a point has a succinct
duration and an alert grouping over a longer duration may appear as a
line. Severity is determined, per rule, when the rule is created.
W h a t i s a t i m e h or i z on ?
The Alert Radar shows data over a configurable time horizon. As the radar beam sweeps over the
alert cluster, each alert cluster is identified by rule. Mousing over the alert cluster displays a pop-up
containing more information including:
The rule violated by the alerts in the cluster.
Sensor: provides the name of the sensor that detected the alert.
Source address: indicates the senders IP address.
Destination address: indicates the receivers IP address.

Duration: provides the time difference between the oldest and newest alerts in the cluster.
As you mouse over the radar and change the horizon, you will notice a change to the key in the
lower right hand corner of the page. The numbers listed here refer to the number of alert clusters,
per severity level, that fall into the current time horizon. If any portion of a radar line falls within the
horizon, this cluster is included in the key.
Uses of Alert Radar

Alert Radar allows network security personnel to monitor at a glance significant alerts occurring on
the network.
The maximum time horizon can be set from 1 hour to 96 days by selecting from the pull-down
options at the top of the alerts table and clicking Go. Moving the mouse out from the radars center
allows you to examine data within that time horizon. As the mouse moves out, the number of alert
clusters displayed by severity changes in real time.

E x am i n i ng A l er t C l u s t e rs
Clicking on an alert cluster takes you to the Alert Report for that alert cluster.
A l er t Cl us t er T able
Above the Alert Radar, the Radar page displays a table of alert clusters over a configurable time
horizon. Click + to display the Alert Cluster table. Click to hide the Alert Cluster table.
Figure 4. The Alerts table

The Alerts Cluster table of the Radar page displays:
Severity of the alert cluster
Number of alerts in the alert cluster, hyperlinked to Alert Report
Sensor discovering the alerts
The rule that was violated

Time and Duration
The display time period can easily be changed from 1 hour to 96 days by using the pull-down
menu. Changing the pull-down selection also changes the time display on Alert Radar. If the list is
truncated, the More link appears in the bar at the tables foot.
Current Status Frame

The Current Status frame, located on the left of the Radar page, displays the following information,
updated in real-time.

User:
Displays the login name of the user currently logged in and the total
number of alerts per sensor and per CommandPost. The component list
and numbers represent only those alerts the user is permitted to see
based on the users role, alert management group assignments, and
sensor assignments. Refer to Define User Profiles. Clicking the number
of alerts displays a list of these alerts.
Hold your cursor over the green, yellow, or red diamond to see useful
information about a component: for example, if a license is expiring, if
the sensor needs updating, or if the sensor is experiencing traffic
problems. Refer to System Status for explanations of conditions with
critical and high severity.
E v ent s i n t h e L a s t 7 D ay s
Presents a graph of events in the past seven days, by severity. This
graph lists all events in CommandPost, including those the user may
not access. The colors in the graph refer to severity levels.
Critical severity
High Severity
Medium Severity
Low Severity
Information Flow Map Page

The Information Flow Map feature within Fidelis XPS takes data leakage prevention (DLP)
beyond alerts to an actual understanding of how information flows across your network. A Direct
sensor automatically collects information about the network it monitors and displays all levels of
communication, from the transport protocol through to the content involved in network
communications. Information Flow Map displays communication between nodes as network flows
in real time.
Information Flow Map can display up to 64 nodes based on activity monitored by the sensor. You
can manipulate the nodes that display by using the controls available on the page.
The map reflects the activity monitored by a single sensor, as chosen at the sensor selection
control.
Filtering and sorting criteria change the sensor configuration. Manipulation of these controls
will change the way nodes are chosen for display.
The Watch list can be used to mark a node for inclusion in the map at all times, regardless of
the filtering and sorting settings.
The Ignore list can be used to mark a node for exclusion from the map at all times.
A scanning radar line passes over the map to highlight the activity of each node. The radar
can be stopped to examine details of any node on the map and to view a summary of the
nodes activity over the past 24 hours.
Information Flow Map is a CommandPost view of data collected by the sensor. The sensor process
is resource intensive and cannot be executed on low performance sensor hardware. Information
Flow Map can only be enabled on a Direct sensor with enough capability to support Information
Flow Map. In addition, the sensor to CommandPost network bandwidth will increase significantly,
Before Information Flow Map is enabled, verify the following:

The sensor is a Direct 1000 or Direct 2500. Lower performance sensors have insufficient
resources.
The sensor must be registered and actively communicating with CommandPost.
Each sensor enabled for Information Flow Map will increase the network load between
sensors and CommandPost by approximately 5 - 10 Mbps. If your system uses an
administrative network of 100 Mbps or higher for Fidelis system component communication,
Information Flow Map should not present a problem. Refer to the Enterprise Setup Guide.
Information Flow Map is not supported on Internet Explorer 6.0.
Information Flow Map requires version 10.0 and above of the Adobe Flash Player.
Refer to Direct and Internal for details about enabling Information Flow Map on a sensor.
To see a different network flow:
Select a different sensor at the drop-down list. The main Information Flow Map change and so do
the filtering options for Transport, Protocol, Format, Content, Rule, and Alert.
Click Dashboard>Information Flow Map to access the page. The main sections of Information Flow
Map page are described in subsequent sections:
The Information Flow Map

Controls in the left panel
Filtering and Sorting Criteria
Figure 5. Information Flow Map
The Information Flow Map

The map displays network nodes based on the selected sensor and its filter and sort configuration.
The map is presented with a scanning radar line. As the radar passes over a node, the node and its
communication flows are highlighted. The left panel will reflect the name of the node under the
radar and details about each color coded flow. The radar can be stopped by clicking on any node
or by clicking the Pause button located at the lower left. When the radar is stopped, you can access
details about the node and its communication.

U n d e r s t an d i n g t h e M a p
By default, nodes are represented by green circles on the map. Larger circles represent nodes with
more activity. Nodes represent hosts on the network. The lines between the nodes represent
communication between nodes. Clicking a node pauses the radar and provides more information.
The map presents up to 64 nodes based on the sensor configuration. Many flows will be seen
between nodes on the map, in addition to flows with the cloud. In the context of Information Flow
Map, the cloud represents all nodes not currently shown.
If a border is configured for the sensor, a grey box will appear in the center of map. Nodes are
classified as internal or external based on their placement according to the network border. In this
view there are two clouds. Flows between a node on the inside of the border to the external edge of
the map reflect communication with an external node that is not part of the 64 nodes being
displayed, otherwise known as the external cloud. Similarly, flows from an external node to the
edge of the grey box represent communication to an internal node that is not being displayed, or
the internal cloud.
If no border is configured, the grey box will not appear. In this case, there is only one cloud
represent by flows that terminate at the edge of the map.
The lines between nodes represent communication between the nodes, color coded to match the
accordion bars in the left panel:
Blue represents the transport protocol, (for example:TCP or UDP).

Yellow represents application protocol, (for example: HTTP. GoogleMail, AOL Instant
Messenger, Facebook).
Green is the format of the data transfer, which may represent the format of a file (for example:
text, MS-Word, PDF) or the format of email or chat content (for example: text, HTML, XML).
Purple represents content, as defined by fingerprints that are running on the sensor.
Fingerprints are descriptions of content, communication channel, or location. The information
flow map presents all fingerprint matches detected by the sensor. Refer to chapter 5 in the
Guide to Creating Policies for details about the creation of fingerprints.
Orange represents rules that have an action of Information Flow Map. Using Information Flow
Map rules, fingerprints can be combined in a logical manner to monitor information without
creating alerts. Refer to chapter 7 in the Guide to Creating Policies for details about creating
and using rules.
Red represents rules that have an action of Alert. Detailed alert information is available on the
Alerts report. Refer to Alert Details.
Nodes are represented by their IP Address. CommandPost will attempt to resolve the host name of
all nodes and the with display the resolved name instead of the IP Address when possible.
U s i n g I n f o r m a t i o n F l ow M a p C o nt r ol s
Information Flow Map controls enable you to view more information about a node, its flows, or
detailed information for a selected node's history. The controls also allow you to manipulate the
Watch List and the Ignore List. Controls are located in the lower left of the screen or within the map
itself.
Table 3. Controls
Control Description
Click to open or close the Ignore List in the left panel. Adding a node to the Ignore List
instructs the sensor to not collect information from that node.
Click to open or close the Watch List in the left panel. Adding a node to the Watch List
instructs the sensor to collect information from that node regardless of filter and sort
settings.

Control Description
This button becomes active if the radar is stopped and if a node is selected. Click to view
the activity of the selected node over the past 24 hours. Refer to History Charts.
Click to return to the Information Flow Map.
Click to switch to full screen mode.

Press ESC to exit full screen mode.
Redraws the Information Flow Map. The map will automatically redraw approximately
once per minute. Clicking this button will redraw the map immediately.
Pause the radar. The sensor will continue to collect information but the map will remain
static until the radar is restarted.
Starts the radar.
Click a node on Clicking a node causes the same behavior as the pause button. In this case, you select
the map. the node to be reflected on the left panel.
Drag a node on Nodes can be dragged within the map to change their position. When many nodes are
the map. displayed, the communication flows may not be obvious without dragging.
Controls in the Left Panel

The left panel is used to view details about activity for a selected node and to manage the Watch
and Ignore lists. The name of the selected node appears at the top of the panel. A icon next to
the name of the selected node indicates that the node is part of the Watch List. Node activity is
presented by accordion bars which provide a quick view of a node's recent activity.
A c c o r di on B ar s
The accordion bars in the left panel display node activity The
information for each node displays when the radar passes over the
node or when the node is selected while the radar is stopped. Click an
accordion bar to view the associated chart.
You can mouse over the graph to see specific information such as the
number of sessions, packets, and bytes.

Each chart presents a bar chart reflecting the node activity. The X-axis of the chart reflects the
average activity in the last minute. The Y-axis reflects all possible values available within the map.
W at ch Lis t
When the control on the lower left of the screen is clicked, the left panel is replaced by the
Watch List. Nodes in the Watch List are displayed on the map regardless of filtering criteria
selected. However, they will not display if they have no detected activity.
The Watch List can contain up to 50 nodes. The Count at the bottom
tracks how many nodes are in the list.
To add a node to the list, select it on the map and click the Add
button at the bottom of the Watch List. To remove a node from the
list, select it from the Watch List and click the Remove button.
When you select a node in the Watch List the following occurs in the
Information Flow Map:
The radar stops.
The node and its flows are highlighted.
Note: If the node has no activity, it is not on the map and
nothing is highlighted.
Select a new shape or a new color and click Save.
Changes to the Watch List are not effective until you click
Save.
I g n o r e Lis t
When the control on the lower left of the screen is clicked, the left panel is replaced by the
Ignore List. Nodes in the Ignore List are not displayed on the map and the sensor will not collect
information on these nodes.
The controls for adding or removing nodes from the list operate in the same manner as the Watch
List.

H i s t o ry C h a r t s
Select a node and click to view the charts for the selected node. History charts provide a
summary of Protocol, Transport, Format, Content, Rule, and Alert activity for the past 24 hours.
You can examine specific time periods within that time frame by moving the icons to change the
time frame or move the slider bar to view a different time segment.
The page is presented by one large chart in the upper left in addition to smaller charts. Click to
move a chart into the large section. The large chart provides an interactive legend. Clicking on a
name in the legend will toggle whether the associated line in the graph is shown or not.
The history charts may include gaps of time where information is missing. This represents periods
where the node was not being tracked by the sensor. This can be due to inactivity, filter or sort
criteria changes, and changes to watch and ignore lists.
Figure 6 . Information Flow Map: History
Filtering and Sorting Criteria

The selection area at the top of the Information Flow Map page contains a sensor selection, filter
and sort controls, Submit and Cancel buttons, and a status icon. These controls enable you to
change the map by selecting a different sensor or by modifying the sensor configuration via filtering
and sorting changes.
By default, no filters are selected. This means that the network sensor collects all available
information from each node and the map will reflect the most active 64 nodes. You can filter this
information by selecting specific criteria from the filter lists available at the top of the page. This

changes the criteria used by the sensor to collect information, which changes the method used to
determine the nodes to display.
When filters are applied only those nodes that meet the chosen criteria are displayed. However, all
activity of these nodes will be seen. For example, if you choose to filter by the Protocol Facebook,
the Information Flow Map show all nodes using Facebook. The map will also show other flows
involving these nodes.
Filter criteria across the lists are taken as a single criterion for node selection. For example, if you
choose the Protocol Facebook and Content of Sensitive Data, the map will only show nodes that
are communicating with Facebook and have flows that match Sensitive Data. Note that this does
not mean that a single flow contains both parameters used in this example, only that the node is
involved with flows that match both.
To change the filter, click to view a list and select criteria.
Table 4. Filter Lists
List Description
Transport Enables you to filter based on transport protocols: TCP, UDP, and ICMP.
Protocol Select protocols of interest from a list of all application protocols.
Select from a list of all supported data formats.

Format
Content Select from a list of fingerprints assigned to the sensor through policy assignments. Each
sensor can track information for up to 64 fingerprints. The fingerprints are chosen according to
this order: Content fingerprints are first, followed by channel and location fingerprints found in
rules with an action of Information Flow Map followed by all remaining fingerprints. Each sublist
is sorted alphabetically. This list is displayed according to this order, on the Content filter
control.
Rule Select from a list of rules that have an Information Flow Map action running on the sensor. The
list can contain up to 32 rules, sorted alphabetically.
Alert Select from a list of rules that have an alert action running on the sensor. This list can contain
up to 32 rules. Rules that also have Content fingerprints display first, then all other rules. Each
sublist is sorted alphabetically.
To change the sort, click the button of the list you wish to sort. Only one list can be chosen for
sorting. The icon indicates that the sort that will choose the most active 64 nodes (high to low
activity). The icon indicates a sort that will choose the least active 64 nodes (low to high activity).
Clicking the button again switches sort mode.
Note: Sort is only possible if at least one item is selected as filter criteria. For
example, if all Protocols are deselected, sorting by Protocol has no effect.
After selecting and sorting criteria, you can:
Click Cancel to eliminate current selections.

Click Submit to send your changes to the network sensor and to nodes on the same network.
The sensor collects information from the network based on your selected configuration and
sends it to the CommandPost GUI for display in Information Flow Map. Once configuration
changes are sent, new changes cannot be sent until the sensor is synchronized. The Sync
icon changes to indicate that information is being retrieved from the sensor.
Synchronization takes about 1 minute to complete.
Sample uses of Filtering and Sorting:

To show the most active nodes on the network, use the default filter settings.
To show the most active nodes, based on application protocol usage, sort based on the
Protocol control. This will sort the nodes based on protocol usage rather than any other level
of activity.
To show the most active nodes using Facebook and sharing sensitive data, deselect all filters
except the Protocol Facebook and Content of Sensitive Data, assuming such a fingerprint is
defined and running on the sensor. Nodes are selected based on the most active Facebook
users and the most active Sensitive Data transfers, which are not necessarily the same set of
nodes.
To show all nodes sharing Sensitive Data over Facebook, define a rule that defines this
condition. Filter the Information Flow Map based on this rule.
To show the least active nodes, change the sorting criteria to low-to-high.

Chapter 3 Understand and Manage Alert
Workflows
From the Alert Report or the Quarantine pages, you can assign, monitor, and manage alerts and
quarantined e-mail. The Alert Report and Quarantine pages are available from the Reports main
heading.
This chapter covers the following topics:
Access to Alerts and Quarantined e-mail
Assign a New Alert
Manage an Alert
Manage Multiple Alerts
Access to Alerts and Quarantined E-Mails

The Alert Report page provides a list of all alerts accessible to the user. Accessibility to this
information is determined by the CommandPost users role, sensor assignments, and alert
management group assignments.
Refer to Access Control in CommandPost for details on assigned sensors, alert management
groups, and how these affect users. Refer to chapter 9 in the Guide to Creating Policies for details
on assigning policies and rules to sensors and to alert management groups.
Users with full access to the Alert function may:
Read and examine the details of an alert, including the original transmission that caused the
violation.
Export summary alert information to Microsoft Excel or any other application that accepts
comma-separated files.
Purge alerts.
Users with full access to the Quarantine function may:
Read and examine the details of every quarantined e-mail, including the original e-mail that
caused the quarantine.
Deliver e-mail from quarantine, sending it to its original recipient.

Discard e-mail from quarantine, removing it from the quarantine queue without delivery.
Users with full access to the ticket system may also:
Assign alert tickets to another user with access to the alert.
Close an alert ticket, providing a ticket resolution.
Move an alert from its current alert management group to another. This action makes the alert
accessible to another group of users.
Add comments to the alert workflow log.
Handle Alerts
To find all alerts currently assigned to you, use the My Alerts view on the Alert Report page. Refer
to System Reports for Alerts.
To find all alerts owned by a specific user:
Fidelis XPS User Guide Version 6.0 Alert Workflows 22

1. Click Search.
2. Enter the user name in the Search for text box.
3. Select Owner and click Go.
To find all unassigned alerts:
1. Click Search
2. Enter unassigned in the Search for text box.
3. Select Owner and click Go.
The Alert Workflow Log

New alerts are not assigned to an owner. A user with ticketing privileges and access to the alert
may open, close, and assign an alert. Alert Workflow Management includes:
Assign one or more alerts to another user with access to the sensor(s) that generated the
alerts and have access to the alert management group(s) to which these alerts belong. When
an alert is assigned, an e-mail is sent to the new alert owner.
Close an alert. This action may be performed by anyone with access to the alert. When the
alert is closed, a resolution is entered to the alert workflow log.
Add comments to the ticket log.
Change Management Group will make the alert accessible to a different group of users. When
the group is changed, an e-mail is sent to the group mailing list, to make members of the new
group aware of the alert.
Change Label changes the label that displays in the Alert Report and Alert Details pages.
For each action, the alert manager has the option to fill out the Subject and Details fields which will
be added to the alert workflow log. The alert workflow log will display the full history of the alert with
all comments as it changes from group to group, owner to owner, and finally to a closed state.
The subject and details information will be included in the body of an e-mail sent to the newly
assigned user or group.
Alerts may be managed individually at the Alert Details page or may be managed in bulk at the
Alert Report page. The same options are available in the Quarantine and Quarantine Details
pages.
The alert workflow log only applies to alerts not to quarantined e-mail. When managing alerts
from the Quarantine Details page, the action will apply to all alerts associated with the e-mail.
When managing alerts from the Quarantine page, the action will apply to all alerts associated with
all selected quarantined e-mail messages.
Manage a Single Alert

You can manage an alert at the Alert Workflow Log section of the Alert Details page. You can
access this page by clicking next to an alert at the Alert Report pageor from the Quarantine
Management page. This functionality enables users with ticketing privileges to do the following:
Change Status
Enter a Subject or Comment.
Click Assign to and select a user from the list to assign the alert. The list of users includes
those with access to the sensor that generated the alert and have access to the alert
management group to which the alert belongs. After you submit the change, the selected user
receives an e-mail reflecting the assignment.
Click Add comment to add comments to the ticket log without changing the ticket status or
ownership. After you submit the change, information entered in the Subject and Details text
boxes will be appended to the comment.

Click Close as and select a reason from the list. Your options are Allowed, Action taken, No
action taken, and False positive. The alert is closed.
Note: Closing an alert marks you as the owner of the alert.
Change Alert Group

Click Change Group to: and select the alert management group for the alert at the dialog box. If
you do not belong to the selected group, you will not have access to the alert after clicking Submit.
Note: Changing the alert management group, removes the assigned owner and
changes the status to new.
Manage Multiple Alerts

Multiple alerts can be managed from the Alert Report and Quarantine pages by using checkboxes
and the Actions list at the top of the Alerts List.
To manage multiple alerts from both pages:
1. Select one or more alerts or one or more quarantine e-mails.
To select all alerts or e-mails on the page, click the checkbox at the top of the page.
2. Select a management option from the Actions list. The dialog box that displays depends on
the option selected.
3. Enter changes into the dialog box and click Submit.
Table 5. Actions list options
You can access these options from the Alert Report and Quarantine Management pages.
Management Description
option
Change Status Assign, Close, or add comments to the selected alert

tickets.
Change Changes the management group associated with

Management selected alerts. Enter a subject or a comment if desired.
Group
Note: From the Alert Report you can also apply labels, purge, and export selected
alerts. These functions do not impact the ticketing system and are described in
Understand and Manage Alerts.
From the Quarantine Management page you can discard or deliver selected quarantine
e-mails. Refer to Deliver or Discard Quarantine E-Mail.

Chapter 4 Understand and Manage Alerts
The Alert Report displays a list of all alerts accessible to you. You can filter which alerts display,
search for specific alert attributes, and research details about alerts.
With ticketing privileges, you can also assign or close alerts. Refer to The Alert Workflow Log.
This chapter covers the following topics:
Alert Report
Navigate Alert Pages
Select Alert Actions

Alerts Page Controls
Alert Details
To access the Alert Report, click Reports>Alerts or click an alert cluster in the Radar page. The first
time you access it, the Default Report displays. You can change the report to another system report
or to a Custom Report that you create. The last report that you view will restored on your next
access.
When you Access Alerts by clicking an alert cluster on the Radar page, you will see your last saved
report, filtered by the cluster that you selected.
Figure 7. Alert Report

The Alert Report contains the following major elements:
Alert Reporta list of all alerts displayed according to the selected report and actions taken at
controls on the Alert Report page.
Fidelis XPS User Guide Version 6.0 Alerts 25

Page Navigation
ActionsEnables you to take action on selected alerts.
Alert Report controlsEnables you to search, group, change the display settings of the page,
and retrieve a custom report. Click in the in the upper right corner of the Alert Report page
to open the control section or to hide the controls.
Alert Report
An Alert Report is created from all alerts available within your assigned groups and sensors. The
report can be greatly customized by choosing the columns to display, by reducing the alerts to
those that match specified criteria, by summarizing, and by choosing to display the results as
charts or as a table.
In all cases, the report is highly interactive. Rows in a table and sections in a graph can be clicked
to obtain further information; specific details of any alert can be obtained; actions can be taken on
single alerts or groups of alerts; and alerts can be purged.
The selection of a report restores settings for that report, including:
The columns available in your report. Primary columns are shown on your report. Secondary
columns become available when you click on a row within the report to view the quick
summary of the alert.
Data criteria including Searches, Filters, and Duration. These terms serve to reduce the
number of alerts in the report.
Grouping and sorting of the report. Reports can be grouped by any one or multiple primary
columns to produce a summary of the data. Sorting can be applied to any primary column
whether grouped or not.
The report can be displayed as a chart or table. Charts are available only for grouped reports.
A trending chart can be saved with any type of report. The trending chart will show alerts per
time above the report.
After running a report, you can use the controls on the Alert Report to further manipulate the
information. When you make changes, you are changing the report into an Unnamed Report. By
clicking Customize you can save this new report with your new settings. Alternatively, you can use
the Unnamed Report to analyze and drill down into your information as you would any other report.
Alert Quick Summary

Click a row on the Alert Report to display a Quick Summary, which provides the information
associated with the columns in the secondary row of your view.
At the Quick Summary, you can click to view the Alert Details page for the selected alert.
You can also choose to filter alerts based on the value of the available information.
The Quick Summary of an alert shown below is from the Default Report.
Figure 8. Alert Report: Quick Summary

Filter Alerts
You can filter alerts by selecting items at the Quick Summary page. Filters are used to reduce the
list to only those alerts that match your filter criteria. For example, you can use a filter to see only
those alerts generated by a specific rule. Or if you choose to filter by Sensor = Sensor-One, the
result will be a list of all alerts from the sensor named Sensor-One. This list would not include alerts
from any other sensor.
To set a filter:
1. Click the check box next to one or more values in the Quick Summary page.
2. Click Filter.
3. CommandPost finds all alerts that exactly match the filtered value and display only these
alerts.
Figure 9. Filtered alerts

When a filter is applied, the following occurs:
If you selected multiple fields, all are applied to the filter. The more filters that you select, the
more narrow your results.
The applied filters display above the table.

The [x] next to the value in the filter list allows you to remove the filter.
Filtering performance is typically fast when filtering on one column, but can degrade as more filters
are applied.
Navigate Alert Pages

Because CommandPost may contain thousands or millions of alerts, Alert Report is presented in
pages. Each page initially contains 25 rows of alerts. You can change the number of rows per page
by entering the new amount in the text box at the bottom of the page. This value will be stored as
your new default page size.
Up to 10 page numbers display at the top and at the bottom of each page. Clicking a page number
takes you to that page. Click the < or > arrow buttons to move to the next page in either direction.
Click << or >> to advance to the first or last page. These buttons may be disabled when you are
currently at the beginning or the end of the alert report.

Alert Actions
Click the check box next to one or more alerts to select them. Clicking check boxes again deselects
alerts. Clicking the check box at the top of the Alert Report page selects (or deselects) all alerts on
the current page.
Figure 10. Alert actions

The following actions may be taken on selected alerts:
Change Status. Refer to The Alert Workflow Log.
Change Management Group. Refer to The Alert Workflow Log.
Manage Label. Refer to Alert Labels.
Export alerts to Microsoft Excel or any other application that accepts comma-separated files.
Refer to Export Alerts.
Purge alerts from the CommandPost database. Refer to Purge Alerts.
Alert Labels
Labels are tags that a CommandPost user can apply to an alert. By using labels, you can
categorize alerts into meaningful names for your enterprise. You can later search or filter by label to
retrieve alerts that contain your label.
Labels can be applied from the Alert Report page or from the Alert Details page. From the Alert
Report page you can select multiple alerts and apply the same label to each.
To apply a label from the Alert Report page:
1. Click the checkbox next to the alert or alerts that you wish to label.
2. From the Actions list, select Manage Label. The Change Label dialog box displays where you
can select an existing label or create a new one.
3. The Label Name text box lists all previously used labels. You may choose a label from this list
and click Apply Label.
4. If you wish to create a new label, type it into the New Label text box and click Apply Label.
To remove a label from an alert: You can choose a new label using the steps above and overwrite
the label with the new label. To clear the label for all selected alerts, click Clear Label.
To remove a label that is no longer required: Select the label in the Label Name text box and click
. Labels can only be removed if there are no alerts that use the label,
Export Alerts to Excel

Export selected alerts to a comma separated file, which can be opened in Microsoft Excel or a
similar application. If your alerts are grouped, this function will export the group summary
information, not the individual alerts within the group.

Figure 11. Export alerts
Purge Alerts
Purge Alerts removes selected alerts from CommandPost.
1. Click Purge Alerts.
2. Click Ok at the confirmation dialog box.
Alert Report Page Controls

The Alert Report page contains several options to modify Alert Reports, drill down into alert details,
and manipulate the presentation of alerts to facilitate investigations. The controls are located at the
top of the page. Click in the upper right corner of the Alert Report page to open the control section.
Click to hide the controls.
Within this section the following controls are available:
ReportEnables you to select a report from the list. All other functions available on the Alert
Report are based on this initial setting. You may choose from seven system reports plus any
report that you create and save.
SearchEnables you to reduce an Alert Report to alerts that match your search criteria.
Searches are performed as case-insensitive partial string matches, whereas Filters are
performed as exact matches. Refer to Search for Alerts.
DurationEnables you to reduce an Alert Report to alerts that occurred during a specified
time period.
Group Enables you to summarize alerts by selected columns. The result will display the
selected columns and the number of alerts that match each available value within those
columns. Grouped information can be displayed in a table or graph form.
Filtered ByDisplays what you have selected at the Quick Summary to filter alerts. Refer to
Filter Alerts. Click an x to delete a filter.
RefreshRefreshes the Alert Report page.
PDF Enables you to save the alert report as a PDF document. The generated PDF will
include all elements on the current page of your Alert Report. Refer to Create PDF Reports
for Alerts.
E-mailEnables you to send the Alert Report via e-mail.
TrendingEnables you to view and control alert trend charts. Refer to Trending.

Fixed (Relax) ColumnsWhen the report contains many columns, you can select Fixed
Columns to resize columns to better fit within your page size, truncating some of the data in
the columns and replacing it with ellipses. Mouse over the ellipses to view the hidden
information. Relax Columns displays all information in each column which may require
horizontal scrolling in your browser window to view all information.
System Reports for Alerts

System Reports are a built into CommandPost and available to all users who can access the Alert
Report. Seven system reports are available:
Table 6. System Reports
Report Description
Default The default report provides crucial alert information that will be useful to most
users. This report will display all alerts sorted by Alert ID.
Summary The summary report is the most condensed report, offering simple alert
information in a uncluttered and easy to read manner. Enterprises who create
informative alert summaries in their rule definitions will benefit from this simple
report. This report will display all alerts sorted by Alert ID.
Violation The violation report is focused on the policy, rule, and action taken by the sensor.
It is useful for users most concerned with the actions taken by Fidelis XPS
sensors. This report will display all alerts sorted by Alert ID.
Alert The alert management report provides a summary of alert tickets and their status.
Management This report is most useful to alert managers who fully use the CommandPost
ticketing system. This report will display all alerts sorted by Alert ID.
Network The network report provides source and destination information in the primary
rows. It is most useful to users focused on these aspects of the alerts. This report
will display all alerts sorted by Alert ID.
Label The label report displays label information in the primary rows. This enables users
to see alerts that users tagged with specific labels. This report will display all
alerts sorted by Alert ID.
My Alerts My Alerts is identical to the Alert Management report, but includes data criteria to
reduce alerts to only those alerts assigned to the user.
Search for Alerts

Searching alerts can be done by entering criteria in the Search dialog box within the Alert page
controls.
If the alert control buttons are not visible, click in the upper right corner of the Alert Report page
to display them.
Searches differ from filters in the manner that the data is matched:
Filters use an exact match to find alerts.

Searches use a case-insensitive, partial string match to find alerts. Refer to Alert Search
Fields.

Figure 12. Searchable alert fields
1. Click Search within the Alert control bar.
2. Enter search terms in the Search For: text box. The search term is a simple phrase or set of
phrases to find within alert information.
3. Select a search field at the In: pull down menu.
4. Include or Exclude incoming alerts.
Enter Search Terms
The following guidelines apply to entering search terms:
Searching for term will match any alert containing term in the chosen field. This will match
alerts with words such as term, terminate, and exterminate.
Entering multiple words such as:
term1 term2
matches alerts containing both term1 and term2. The terms can be found in any order and
with any amount of separation between them.
You can search on multiple Alert IDs and for multiple Any, Source, or Destination Ports by
separating entries with a comma. For example,entering AlertID1,AlertID2 would find alerts
with both ID numbers.
You can specify a range for Alert ID and for multiple Any, Source, or Destination Ports by
using a hyphen.
The use of quotes around a phrase will be treated as a single search term. The phrase term1
term2 will match any alert containing the exact phrase within the quotes. Any spaces in the
phrase will match any space characters in the alert, including a space, a tab, a new line, etc.
Matching is done on the character boundaries, not word boundaries. Therefore, a phrase of
top secret will match an alert containing a phrase such as stop secrets.
Multiple phrases such as a literal phrase 1 and a literal phrase 2 can be included in the
Find field. This will match any alerts containing all of the phrases listed.
You can combine word-terms and phrase-terms. Any combination is allowed, such as:
literal phrase 1 word word1 word2 literal phrase 2
Matching does not consider the order of the terms, only that all are found within the search
field.
Placing a minus sign (-) before a word or a literal phrase changes the meaning to match all
alerts that do not contain the specified word or phrase. Any combination of positive (no

minus) and negative (minus) terms is supported.
For example:
Top secret matches alerts that contain the word top but do not contain the word secret.
top secret confidential personal matches alerts that contain the phrase top secret but
contain neither confidential nor personal.
top secret confidential document matches alerts that contain the words top and secret but
do not contain the phrase confidential document.
Important: the following also applies to all searches:
All searches are case insensitive.
There is a limit of 40 terms (words or literal phrases). If more terms are entered, the 41st and
beyond will be ignored.
If Go is pressed without entering a search term, the Alerts List reappears. However, entering
unknown in the Find text box, substitutes for an empty string in the Country, Filename, From,
To, and User fields.
Search performance is typically fast, even with very large alert databases. With a database of
over 2 million alerts, search will typically respond in a few seconds. Exceptions are searches
over Forensic Data, Session Attributes, and Owner fields, which may require considerable
time to execute.
Table 7. Alert search fields
Alert search fields Description
Action Search is applied over the action field.
Alert ID Enables you to search for specific alert ID numbers.
Country: Any Searches for the specified country in either the source or destination country.
Note: Entering two or more countries in search criteria returns all entries
with any of the countries entered. For example if you do a country search
for France Afghanistan the search will return entries that have either
France or Afghanistan.
This applies to all country searches.
Country: Destination Searches for the specified country in the destination country.
Country: Source Searches for the specified country in the source country.
Filename Searches the name of the file that caused the violation. Will be empty if no file was
involved in the violation.
Forensic Data The search is applied over the data field of the alert, as shown in the Alert Details
page. Note that some alerts will not contain forensic data per policy definition.
From Searches the value of the From field.
IP Address: Any Searches for any IP address: source or destination. Refer to Search IP Addresses .
IP Address: Searches for the receivers IP address. Refer to Search IP Addresses.

Destination
IP Address: Source Searches for the senders IP address. Refer to Search IP Addresses.
Label Searches for an alert label. The label search has one special feature: A search for the
term unassigned (with or without quotes) will display all alerts that have not been
assigned a label

Alert search fields Description
Management Group The search is applied over the alert management group field. An alert can belong to
only one alert management group. If you search for multiple groups, the search will
match an alert containing any one of the groups (most other search fields require a
match of all terms). For example, a management group search for: Group1 Group2
yields all alerts belonging to either Group1 or Group2.
Owner An alert can belong to only one owner. However, if you enter a search with multiple
terms, the search will match an alert containing any one of the terms (most other
search fields require a match of all terms). For example, a search for:
Owner1Owner2 yields all alerts belonging to either Owner1 or Owner2.
Also, a search for the term unassigned (with or without quotes) will display all alerts
that have not been assigned.
Policy The search by policy is applied over the name of the violated policy per alert. There
are no special features for policy searches.
Port: Any Searches on any port, either source or destination.
Port: Destination Searches on the sender's port number.
Port: Source Searches on the recipient's port number.
Protocol An alert can only contain one protocol. Therefore, a search containing multiple terms
will match an alert that matches any one of the terms (most other search fields
require a match of all terms). For example, a protocol search for: ssh http yields all
alerts found over either SSH or HTTP.
Resolved IP Address This search returns alerts where the source or destination address of the alert
matches the resolved DNS name. Note that the text provided to the search may
match several resolved names. Search results improve when the text entered in the
Find text box is as specific as possible.
Rule This search is applied on the Rule field.
Session Attributes This search is performed over the Channel Attributes of the alerts. The value in the
Find text box will match the name of a protocol or file format for which attributes are
available, the attribute name, or the attribute value. Refer to chapter 4 in the Guide to
Creating Policies for details about protocol or file formats and their attributes.
Summary The search by summary is applied over the summary field of the alert.
Target Target refers to the intended destination of the information. The value is protocol
specific. Examples include the destination domain name, server name, or host name.
Target is based on extracted protocol information and not based on the IP address of
the data. In many network configurations, the IP address may be an internal address
corresponding to a local NAT server or proxy, whereas the target represents the
intended destination of the data.
To Searches the value of the extracted To field.
User Searches the value of the extracted User field.

UUID Enables you to search for a specific alert UUID number. This is an exact search.

Search IP Addresses
There are four methods available to search for an IP address:
Alert source
Alert destination
Both source and destination
Resolved IP address.
Search Source, Destination, or Any IP Address

Searching can be performed by entering an IP address in the Search For: text box using CIDR
representation. The following formats are supported for single addresses or address ranges.
192.167.10.5 finds this exact IP address within the selected field (source, destination, or
both).
192.167.10.5/24 applies an IP address mask of 24 bits to the address. This includes all IP
addresses within the 192.167.10 subnet, from 192.167.10.0 through 192.167.10.255. Replace
24 with any value 0-31 to obtain the appropriate mask.
192.167.10.5-192.167.10.15 provides a range of IP addresses and returns all matches within

the range and including the end points. In this example, the search matches any address
within the range of 5 through 15.
192.167.10.5,192.167.10.15,192.167.10.25 provides a list of specific IP addresses to match.

A comma must be placed between each IP address in the list. No spaces are allowed. The list
has no limit with regard to the number of IP addresses provided, however, long lists will
require more processing time. A range (using a colon to separate the end points of the range)
is preferred over long lists due to search performance.
In all cases, IPv6 addresses may be substituted for the IPv4 addresses shown in the
examples above.
Search Resolved IP Addresses

This search returns alerts where the source or destination address of the alert matches the
resolved DNS name. Note that the text provided to the search may match several resolved names.
Search results improve when the text entered in the Search text box is as specific as possible.
Notes on IP address searches

Comma and dash separated strings must contain no spaces for the parser to behave correctly. As
an alternative, the entry may be encapsulated in quotes () in which case the spaces do no impact
behavior. For example, 192.167.10.5 - 192.167.10.15 would create an IP address range.
If the search string contains malformed IP addresses, the search will ignore the entry. In the case
of a single address search, no alerts will be found. In the case of a list, malformed addresses will
be ignored. In the case of a range, the search will revert to a single address search using the one
legal address or will return nothing if both ends of the range are malformed.

Duration
To specify a time period for alerts, click Duration at the alert control bar and select a value at the
Duration list. When you click Go, all alerts during the selected time period will be listed.
Figure 13. Specifying time periods

Duration selections include:
All Alerts: the default setting of the Alert Report.
Last Login: reduces alerts to those that have occurred since the last time you logged into
CommandPost.
Last 24 Hours, 7 Days, or 30 Days: provide shortcuts to reduce alerts to the prior day, week,
and month.
Specific Hours: will display a text box to which you can enter a two digit number, N. Only
alerts occurring in the past N hours will be displayed.You can use this feature to reduce alerts
by partial days with granularity of one hour increments.
Specific Days: will display a text box to which you can enter a two digit number, N. Only alerts
occurring in the past N days will be displayed. You can use this feature to reduce alerts to
those that occurred during a specific number of days.
Specific Date: you can enter a date in the text box or click to select a date. This reduces
your alerts to those that occurred on the specified date. Dates must be entered in the form of
mm/dd/yyyy.
Date Range: you can enter a range by entering start and end dates in the text boxes or click
to select a date. This reduces your alerts to those that occurred during the specified date
range, including the start and end dates. Dates must be entered in the form of mm/dd/yyyy.
Include or Exclude Incoming Alerts

Every access to the Alert Report presents live data as it is reported to CommandPost. If new alerts
are occurring on your network, this may distort your view of the data.
For example, you may click Next Page only to see the same set of alerts from the first page. This
occurs because the first set of alerts has been superseded by new alerts, moving them to the next
page. You will notice similar effects any time you apply filters, perform searches, apply column
sorting, change alert reports, or if you access alert details then return to the main report.
You can change this behavior by clicking the Include Incoming Alerts in the Search dialog box. By
default, this option is checked, meaning new alerts will be considered in all alert actions.
To change the behavior:
1. Click Search or Duration.
2. Uncheck the Include Incoming Alerts box and click Search.

New alerts will not be considered in your activities within the Alert Report and Alert Details pages. If
you move to another section of the CommandPost, the behavior will revert to Include Incoming
Alerts on your next Alert page access.
Customize Alert Report

Click Customize to access the Custom Report page. From this page, you can search multiple fields
at the same time. Customize enables you to save current search, filter, duration, or group by
selections.
Using Customize to save criteria entered at the Alert Report page as a Custom Report enables you
to access the report later at the Alert Report page. Refer to Create Custom Reports.
The new Custom Report is also available at the Reports>Manage>Report List. From the Report
List, you can edit the custom report, schedule it to run at specified times, or copy it to other users.
You can create other Custom Reports and make them available at the Alert Report page.
Group
This feature enables you to group alerts by information available in one or more of the primary
columns of your current alert page. For example, if you select protocols, alerts are grouped by
protocols. The total number of alerts for each protocol will be listed in the Count column.
Grouped alerts can be displayed in tabular or graphical form. Graphical forms include pie charts,
bar charts, and stacked bar charts. You may choose the display most relevant to your analysis.
Group By enables you to more easily organize alert information. After grouping, the checkboxes on
the left side of the Alert Report page apply to the whole group. With one click, you can manage,
purge, or label thousands or even millions of alerts at once. The more alerts that you select, the
longer it will take.
To group alerts:
1. Click Group. The Alerts Group By dialog box displays.
I
Figure 14. Alerts Group By
Note: If the desired column is not displayed, select another report at Alerts.
2. Click one or more of the desired columns. Clicking Group By Columns selects or deselects all
available columns.
Note: Group by can take several minutes depending on the size of the alert database.
3. Select how the results will display at the View Results as list. You can select from Tabular, Pie
Chart, Bar Chart, and Stacked Bar Chart options.
4. Click Apply Group By.

Figure 15. Group By results in a pie chart
After applying Group By, you can easily change the output between tabular and graphical output
options.
Displays a pie chart.

Displays a bar chart.
Displays a stacked bar chart.
Displays the alerts in a tabular format.
When alerts not grouped, these icons are disabled.

You can click a section of the pie chart, bar chart, or stacked histogram to see a list of alerts
represented by that section. For example, if you click on the portion of the pie chart representing
the HTTP protocol, a page displays with alerts that have HTTP protocol violations. At the initial
group by list, click a row to see a Distribution Summary for all other elements in the views primary
and secondary rows. The distribution summary can provide insight into areas where further group
analysis may be beneficial. For example, a Distribution Summary indicates 25 alerts found over
GOOGLEMAIL. Of these 25 alerts, you can learn that all are from the same sensor, two rules were
violated with a low severity and the alerts were from multiple sources to multiple destinations.

Figure 16. Group By Distribution Summary
At the Distribution Summary page, you can:
Click Group Details to see a list of all alerts in the selected row. This action is identical to
clicking a section of the associated graph.
Click one of the Group By links in the Distribution Summary to group alerts again using this
new element in the group analysis. A new group-by page is generated.
Group Details
When you click a section of a group by graph or click the Group Details button within the group
distribution summary, you are taken to a page with ungrouped alerts, filtered by the criteria
associated with the graph section or row in the group table.
You may change the filter, search, and sort criteria as designed. The Group row displays a link to
Return to Group List. Clicking this link will restore the Group By settings that started your flow.
If you change the Group settings, the Return to Group List link will no longer be valid.
Create PDF Reports for Alerts

You can create a PDF of an Alert Report page to open and print immediately or save on your
workstation to retrieve later.
For alerts, the PDF report includes current alert data such as:
Alerts in the currently selected report.

Trending information is included if selected. The trending chart displays with alerts in the PDF
report.
Group by information is included if selected. For example, if you group by Summary and
Protocol, then alerts are grouped by Summary and Protocol. If you select a chart to display
with the alerts, the graphics are included in the PDF report.
The number of alerts in the current page size. For example, if you selected 25 for page size,
that is the number of alerts that will be in the PDF report.
The alerts on the selected page. If you are on page 2 of the Alert Report, those alerts are in
the PDF report, not alerts from other pages.
To create a PDF report:
1. Click .
2. Select to open the PDF report or to save it.
The PDF is available for your use.

Trending
Trending enables you to graphically display the trend for all alerts within your current settings.
Filtering alerts, entering search or duration values, and grouping alerts will change the trending
display accordingly.
1. Click at the Alert Report. The Alert Trends dialog box displays.
Figure 17. Alert Trends

2. Select the Time Scale. You can select from the last 24, hours, the last 7, or the last 30 days.
You can also enter a date range.
Note: Any duration settings within your view or set at the Duration dialog box will
override this value. Refer to System Reports for Alerts or to Duration.
3. Click Check to persist trend graphs to keep the trending display. If this is not checked, the
trending display goes away if you navigate away from the Alert Report page then later return.
If checked, a trend graph will be part of your Alert Report page for every access, until this
setting is changed.
Note: Response time can slow if trending is selected. This depends on the number of
alerts within the specified time period and the number of options selected.
4. Click Select. Alert Trends displays. For example, if alerts are grouped by rule and severity and
a 7-day period is selected, then each trend line displays the trend for each violated rule.
Trending charts match colors with the group by charts and vary depending on the groups
selected. If one group is selected, then one color displays in the trending chart.

Figure 18. Display of alert trends

Alert Details
The most granular level for examining data is the Alert Details page. To access alert details,
click at the selected alert.

Note: Alert Details is only available to users with the correct privileges. Refer to User
Roles.
Figure 19. The Alert Details page

The Alert Details page contains multiple sections, which can be hidden (or expanded) by clicking
the title bar of the section. Click expand all to display information in all sections. Collapse all hides
all information.
Page ViewAllows you display the Alert Details in one column or two. Viewing the alert in two
columns will maximize the information available and is most suitable for users with wide page
monitors. The same information is presented in both views. Click the appropriate icon to change
the view. The icon related to the alternate page view will be highlighted.

Table 8. Sections in Alert Details
Alert Details Description
Alert Information Provides information about the alert including the severity, time/date of detection, age
(elapsed time since detection), the sensor that detected the alert, the application
protocol, alert label, and the action taken by the sensor.
This section also specifies the Format Type of the content whether it is sent within a
file, in the body of an e-mail, or in any other form. Alert Information also includes the
Format Data size to indicate a match of the size of the data.
Alert Information also includes information about the TCP session including source
and destination IP address and source and destination ports (presented as the
service). If alert compression has occurred, this table will include the number of events
that were compressed into this alert. Refer to Alert Compression below.
When the source or destination IP address is a registered host, its location will also be
presented. Location data includes the city, state, and country of the registered host. If
the IP address is not registered then location will not appear.
Violation Provides the names of the policy and rule that were violated, in addition to the rule
Information summary.
The Matched on table provides a table of all fingerprints in the violated rule, along with
the fingerprint true/false match result. When the result is true, the table will include a
table of fingerprint matches that were detected. This table will vary by fingerprint type.
For example, if the fingerprint is a keyword content fingerprint, you will see a table of
all keywords that were found. If the fingerprint is an identity profile content fingerprint,
you will see a table of all pattern sets that were detected.
Each fingerprint in the Matched on table will be associated with a color code,
representing the highlight color for this fingerprint. Refer to Alert Highlighting below.
The highlighting can be disabled per fingerprint in this table. Alert highlighting can be
turned on or off. Click the icon next to Highlighting.
Related Alerts A single user action can create multiple alerts. When this occurs, related alerts will list
all alerts generated by the users actions.
There are two scenarios where this may occur:
When multiple rules are violated. For example, you may have a rule to alert on
webmail and another to alert on the detection of Personally Identifiable
Information (PII). A user who sends PII data over webmail would violate both
rules and generate two related alerts (if both rules contained Alert in the action).
A user may violate the same rule multiple times. For example, consider a PII rule.
If a user sends one webmail message with five attached files containing PII, this
will result in five related alerts, since each file violated the rule.
Refer to chapter 1 in the Guide to Creating Policies for more information about how
Fidelis XPS decodes and analyzes network traffic.
When related alerts exist, a list appears showing the severity, alert ID, summary, and
time of the alert. The Alert ID of a related alert can be clicked to access the details of
that alert.
Alert Workflow Provides information about history of the alert ticket. In this section you can assign the
Log alert to a CommandPost user, change the alert management group, close the alert
ticket, and add comments to the alert workflow log. Refer to The Alert Workflow Log.

Alert Details Description
Decoding Path Provides the Decoding Path and the information extracted by Fidelis XPS decoders.
and Channel The Decoding Path provides access to the original data detected by the sensor,
Attributes broken into each level of protocol or file format extraction. Refer to Decoding Path and
Channel Attributes below for a description of how you can use this information.
Each line in the Decoding Path represents the output of a Fidelis XPS decoder. These
decoders also extract attributes from the protocol or file that is being decoded. The
Channel Attributes present a table, per decoder, listing all extracted attributes.
Channel fingerprints are based on matching these attributes to those listed in the
fingerprint. Refer to chapter 4 in the Guide to Creating Policiesfor more information
about channel fingerprints.
When the alert is generated based on directory information, this section will include
Directory Attributes extracted from your LDAP server. Refer to CommandPost
Configuration for information about how to configure which attributes are extracted
from your directory server.
Forensic Data This window presents the session data in two forms:
and TCP
Forensic data is the information extracted from the session that is used by
Recorded
content fingerprint analyzers. You will see text, stripped of all formatting, that
Session
represents a portion of the actual extracted data used by the sensor. You may
view this information in either a text or hexadecimal format.
The recorded session is the entire session, recorded up to the configured limits.
This information is not stripped in any way and is presented as it was recorded
on the network (in client side and server side data). Refer to Configure an XPS
Direct Sensor for session limit settings.
Forensic data may not be present for every alert especially those that are not based
on content fingerprints. Recorded session data will be present for most alerts, but not
immediately. The recorded session will not be available if it is corrupted or truncated in
any way, including when the session is prevented by an action taken by your policy.
Forensic data is recorded up to the point where a rule is violated. Sessions are
recorded in their entirety, which is why there may be a significant delay between the
alert generation and the arrival of recorded session data.
Viewing Forensic Data in text form is the default setting. When you change to view the
data as text, hexadecimal, or recorded session, your choice will become your new
default and will be applied the next time you access alert details.
Alert Highlighting
Every alert is triggered by matching some element defined in a fingerprint to some aspect of the
data transmission. Each fingerprint displayed in the Matched on table will be associated with a
color code. Within the Alert Details page, some element will be highlighted in this color so you can
easily determine the cause of the violation.
You will find highlighted information within Alert Information, Decoding Path and Channel Attributes,
Forensic Data, and TCP Recoded session sections of the Alert Details page.
It is possible that a single element can match more than one fingerprint. In these cases, the
highlight will be dashed lines over the text.
Moving your mouse over any highlighted element will display the name of each fingerprint that
matched this element. You can also click on a highlighted element to focus on it. Hitting TAB will
move the focus to the next highlight.
Highlighting may be disabled per fingerprint, by clicking the color coded box next to the fingerprint
name within the matched on section.

Figure 20. Alert Details: highlighting
Scroll through Alert Details

From the Alert Report page, you can create a list of alerts by searching, filtering, or sorting. When
you enter the Alert Details page of any alert, CommandPost remembers the original list so that you
can scroll through it by clicking Previous and Next at the top of the page. As you move through alert
pages, the title refers to the location of the specific alert within the list.
Click Back to Alert List to return to the Alert Report page at the location of the current alert.
Scrolling is done within the parameters of the initial list, which includes the page size. If you scroll
outside of the page size, CommandPost returns to the database to find the next group of alerts.
Because CommandPost is working with a real-time list of alerts, any new alerts generated since the
original Alert Report list may alter the result. This will not occur if your list was generated by
unselecting Include Incoming Alerts. Refer to Include or Exclude Incoming Alerts.
When you click on the ID of a related alert, CommandPost remembers the current list. Therefore,
clicking through related alerts does not change your place in the list. Previous, Next, and Back links
will work as if you did not click on a related alert.
Download Text File

Click Download text file to open the Alert Details page in a text file. This feature can be useful for
sending details of an alert by e-mail
Find Similar Alerts

Click on the Find Similar links within the Alert or Violation Information sections to find similar alerts.
This action will apply the selected values as filters and return you to the Alert Report page showing
the result of these filters. For example, clicking the Find Similar link next to the Rule displays a list
of alerts that violated the same rule.

Figure 21. Finding similar alerts: clickable fields
Manage Label
Within the Alert Information section, you will see the label applied to the alert. To change the label
or to delete labels, click Manage Label. The process is identical to that described in Alert Labels.
Purge this Alert

Clicking Purge this alert will remove the alert you are viewing and the display will move to the next
alert in the list. If you purge the last alert in the list, you will be returned to the Alert Report page.
Once purged, the alert cannot be restored.
Alert Compression
In cases of high event activity, the sensor may compress multiple, very similar events into a single
alert to reduce the network communication load on the CommandPost-to-sensor connection.
When one alert represents several events, the Alert Details will include the Events/Compression
data in the Alert Information section. The associated value indicates the number of additional
events represented by this alert. For example, if the value is 8, then there were nine similar events,
the one displayed in the Alert Details plus eight similar events.
If the alert contains no compression, you will not see the Events/Compression data. This is the
typical case.
Decoding Path and Channel Attributes

The Decoding Path displays each level of decoding performed by Fidelis XPS during analysis of a
data transmission. Many levels of the decoding path can be clicked to provide a file of the decoded
transfer from that stage of the decoding process.
Which part of the decoding path you click determines the format of the file that is downloaded. The
result will either be a text file or binary file revealing the partially decoded session.
If you click on the line that includes a file name, the file will be opened. Your browser will choose
the appropriate application for the file, based on the file extension. Note that the file name is the

exact name used in the original transmission which may indicate an incorrect file type. Your
browser may not be able to handle this situation.
In some cases, if the file has been encrypted, clicking on the file name will not provide the original
file. Usually, the next item in the Decoding Path list will provide the unencrypted file. Base64
encryption is the most common cause of this problem.
Lets take, for example, the decoding path of an MS Word document that was zipped, attached,
and sent in an e-mail with multiple attachments. You can click on any part of the decoding path to
download the file as decoded up to that point. The table below describes what file is downloaded
for each part of the path.
Table 9. Decoding paths
Decoding path Files downloaded
SMTP[1] The entire SMTP message (including complete SMTP

headers)
MIME The body of the full MIME (Multipurpose Internet Mail

Extensions) message. This includes all MIME attachments.
multipart[3] The particular MIME attachment that contains the file

(including the part header).
MIME(cnd.1.zip) The MIME attachment without the part header (in this case,
a Base64-encoded file).
Base64 The Base64-decoded file (in this case, a zip file)
zip(cnd.1.doc) The unzipped file (in this case, an MS Word file).
ms-word The core content stripped of all Microsoft Word formatting

(analogous to copying the contents of the Word document
and pasting them into Notepad). The data from the last
element in the Decoding Path will match the Forensic Data
for the alert.
It is important to note that whether an entire file can be downloaded depends on how much of the
intercepted session is recorded in the Fidelis XPS alert database. The maximum amount of the
session that is recorded is specified in the TCP session forensics limit setting. Refer to Configure a
Fidelis XPS Direct Sensor for information on setting the TCP session forensic limit. If prevention is
turned on, the file will be truncated at the point where the session was terminated.
If the recording of a session ends in the middle of a file you wish to download, you may get a partial
file that cannot be read by the original application. For example, Fidelis XPS decoders and
analyzers can read a partial zip file even though the WinZip Windows application cannot.
If the recording of a session ends before a file you wish to download, that part of the decoding path
will not be clickable, and that file cannot be downloaded.

Forensic Data
The forensic data represents the unformatted text on which content fingerprint analysis is
performed. When there is a match to a content fingerprint, you will see the matched information
highlighted.
Figure 22. Alert Details: Forensic Data

The forensic data window is limited to 16K bytes of data. The information in the Matched on table
within the Violation Information section of the Alert Details page includes the entire analyzed buffer
which may be bigger than the data shown in the forensic data window. For this reason, in some
cases, the number of highlights in the forensic data may not match the numbers shown in the
Matched on table.
The forensic data buffer begins near the occurrence of the first matching data. In some cases, the
forensic data will only represent a portion of the original data transmission and it may not start from
the beginning of the data. The entire data transmission is available in the recorded TCP session.
Recorded TCP Session

A verbatim session recording is available from the Alert Details page. Click View recorded TCP
session link in the Forensic Data table to view the Recorded TCP Session.
The View recorded TCP session link will appear as soon as the session is terminated or completed.
In cases where the session is not complete or there is some other kind of session corruption, this
link will not appear.
The recorded TCP Session contains session information and verbatim transcripts of both the client
and server halves of the session.

Figure 23. Alert Details: Recorded TCP Session
Session Information
Session information includes client and server IP address (with resolved DNS names if possible),
start and end times of the session, session duration, and the total size and number of packets of
both the client and server halves of the session.
Note that the total size and number of packets includes all packet retransmissions, so this number
may exceed the size of the recorded session.
Client and Session Server Transcripts
The client and server session transcripts are shown exactly as reassembled by Fidelis XPS. If the
total size of the session exceeds the Alert Recorded Object Limit setting, the transcript sizes may
be less than the total session. You can change this at the configuration page for your sensor. Refer
to Configure a Sensor.
The transcript is in raw form. No content decoding of any kind is shown, so if all or part of the
session is encrypted, encoded, compressed, or in some other way transformed it may not be
legible. Most high-level protocols like SMTP and HTTP are composed of largely human-readable
exchanges so this information can be very useful in investigating network and information handling
policy violations.
It is possible to download the complete client and server transcripts by clicking on the Client Data
and Server Data links, respectively. The complete transcript is downloaded regardless of the Show
Amount setting below. The transcripts are downloaded as files with a .bin extension as the data
may be binary data.
Show Amount
It is possible to vary the length of the transcript displayed in the recorded TCP
Session page. Enter the number of kilobytes you wish to see in the Show KB text box and press
enter. This setting only affects the number of bytes displayed in this page.

Tune Rules from an Alert
When reviewing alert details, you can create a rule exception based on the alert's attributes. For
example, to suppress all alerts from a specific location, you can access the rule tuning interface at
the alert details page to modify the rule and make the identified location an exception.The rule
tuning interface is a four-step wizard that enables you to create the rule exceptions.
From the Alert Details page:
1. Click Tune Rule. The first page of the wizard lists attributes of the current alert.
Figure 24. Tune Rule: Alert Attributes

2. Select the fingerprint type: IP Address, Country, Alert Information, and Channel Attributes.
The available options change depending on the type of fingerprint selected.
IP Address enables you to create an exception based on the alert source and destination
IP addresses. Choosing both will create an exception for transfers from the source IP to
the destination IP, but not the reverse. Choosing one will create an exception for all
transfers from/to the source/destination IP address.
Country enables you to create an exception based on the alert source and destination
countries. Choosing both will create an exception for transfers from the source country to
the destination country, but not the reverse. Choosing one will create an exception for all
transfers from/to the source/destination countries.
Alert Information enables you to create an exception based on the source and destination
TCP ports and the application protocol. Selecting more than one option will create an
exception when all selected items are found in network traffic. For example, selecting
Source TCP port 8080 and protocol HTTP will create an exception for HTTP detected
from port 8080 on the source. It will not match traffic from port 8080 on other protocols
nor will it match HTTP on other ports.
Channel Attributes enables you to create an exception based on any channel attribute
extracted from the alert. Choosing more than one attribute will match any one of the
attributes found in network traffic. For example, choosing HTTP command = GET and
HTTP URL = a specific URL will match all HTTP get requests and all accesses (GET or
POST) to the selected URL. To match the combination, you will need to use the Policy
interface, create separate fingerprints for each attribute, and logically combine them in
the rule expression. Refer to Create an Expression in the section: Define a Rule.
3. Select at least one attribute and click Next. The Modify Rule screen displays with the current
rule and its expression.

Figure 25. Tune Rule: Modify Rule
4. Select from the following options. Available options vary depending on the attributes selected.
Add attributes to the fingerprint [fingerprint name].
One or more fingerprints are available for modification. The list of fingerprints are those
that have been previously modified by the Tune Rule wizard and were marked as
exception fingerprints. If there are no such fingerprints in the rule, this option is not
available. Selecting this option will add the selected attributes to the chosen exception
fingerprint. The fingerprint will be modified not the rule expression.
Add attributes to a new fingerprint.
Enter a name for the new fingerprint. This new fingerprint will be added to the rule
expression as an exception.
Add attributes to the [fingerprint name] fingerprint in the rule.
One or more fingerprints are available for modification. The list of fingerprints are all
applicable Channel, IP Address, or Country fingerprints in the rule excluding those that
were previously modified by the Tune Rule Wizard (refer to the first option). Selecting this
option will add the selected attributes to the chosen exception fingerprint. The fingerprint
will be modified not the rule expression.
Add attributes to an existing fingerprint to be included in the rule.
Select an existing fingerprint to be added to the rule. The drop down list includes all
applicable fingerprints not in the rule. The fingerprint will be added to the rule expression
as an exception.
5. Click Next. The tuning summary displays with the revised rule expression and a list of
attributes that will be added to the selected fingerprint.

Figure 26. Tune Rule: tuning summary
6. Review your selections.If these are the changes you want to implement click Submit . Click
Back to change your selections. The last page of the wizard tells you that the rule was
modified.
Click the rule name on the last page of the wizard to review the rule in the editor and make any
needed changes.
You will need to update the sensor for these changes to take effect. You can access the update
page by clicking Update on the last page of the wizard or by going through the Policies link on the
main navigation bar. Refer to chapter 9 in the Guide to Creating Policies.

Chapter 5 Understand and Manage
Quarantined E-Mails
The Quarantine Management page displays all e-mails that are currently held in a quarantine
queue by a Fidelis XPS Mail Sensor. Click Reports>Quarantine to access this page.
E-mail is quarantined when it violates a rule that specifies the action of alert and quarantine.
Quarantined e-mail resides on the Mail queue until a quarantine manager takes action, or until the
e-mail expires.
Figure 27. Quarantine Management

The information about each e-mail includes the message ID, and the From, To, Subject, and Time
information.
Understand Fidelis XPS Mail Quarantine

The Mail sensor operates on e-mail messages. Due to the nature of e-mail, the Mail sensor can
analyze an entire e-mail at once, and take action if policy violations are found.
Most other Fidelis sensors operate on data in flight. They cannot analyze an entire transfer, but are
operating on data as it passes through the analyzer. This is an important difference in
understanding how a Mail sensor works and how managing quarantined e-mail differs from
managing alerts from other types of sensors.
As an example, consider a transfer of information that violates multiple rules. One example is an e-
mail message containing attachments; the body of the e-mail may violate one rule, while an
attachment violates another. A second example is an Instant Messenger session where the chat
content violates one rule, while a file transferred over the same IM session, violates a second rule.
The Direct sensor would detect the IM violations. It would issue an alert immediately after finding
the chat violation. It would issue a second alert at a later time, when the file transfer occurred.
These two rules may have required different actions and each action would be taken. For example,
the chat violation may result in an alert, while the file transfer may result in preventing the session.
Both actions are taken at the time the violation is determined.
The Mail sensor operates differently in this situation. Because e-mail is delivered as a single entity
from mail server to mail server, the Mail sensor can analyze all content at one time. Therefore, only
one action is taken for the e-mail, even if multiple rules are violated and each rule requires different
action.
The Mail sensor applies the following priority to e-mail actions:
Quarantine takes first priority. Any e-mail that violates one or more rules with the Quarantine
action will be quarantined.
Prevent has second priority. Any e-mail that violates one or more rules with the Prevent action
will be prevented (unless it also violates one or more rules with the Quarantine action).
Reroute has third priority. If other actions such as quarantine are detected, they are taken.
If the quarantine action is taken, the following occurs:
Fidelis XPS User Guide Version 6.0 Quarantine E-Mails 52

The e-mail is placed in the quarantine queue on the Mail sensor. It remains here until a
person responsible for quarantine management decides to deliver or discard the email, or
until the message expires. Contact Technical Support to change the default expiration of 14
days, if needed.
Information about the e-mail message, and all associated alerts, is transferred to
CommandPost where it can be viewed by a quarantine manager. The action for each alert
refers to the action taken by the Mail sensor.
Note: This action may be different than the action specified by the rule due to the
prioritization described above.
Each alert is assigned to the alert management group defined by the rule.
A quarantine manager assigned to the Mail sensor that holds the e-mail in quarantine, can
view the message, and take action.
Alerts and quarantined e-mail are managed independently. E-mail actions will remove an e-
mail from quarantine and if All is selected, can remove all associated alerts. Removing all
alerts associated with a quarantined e-mail purges these alerts from Fidelis XPS. Selecting
None keeps associated alerts available at Alert Report. Refer to Deliver or Discard
Quarantine E-mail.
Most quarantined e-mail will have at least one alert. The only exception will be when alert
compression becomes active. Refer to Alert Compression for details. When the sensor
generates many alerts, it will begin to compress similar alerts to relieve congestion between
CommandPost and the sensor. In some rare cases, all alerts from one e-mail will be
compressed together with other similar alerts, and therefore not be available on
CommandPost. The quarantined e-mail will always be available.
Quarantined e-mail is another key difference between the Mail sensor and other sensor types.
Other sensors make a decision to prevent, alert, or throttle immediately based on analysis. The
Mail sensor offers the quarantine option, which defers the final decision to a person who reviews
the offending message. Therefore, persons with quarantine management responsibility may need
to take immediate action to avoid unnecessary delays in business communication. The Mail sensor
offers the ability to notify quarantine managers immediately upon taking the quarantine action.
Refer to Fidelis XPS Mail for configuration options.
The Quarantine Report

The Quarantine report displays a summary of information for each quarantined e-mail. The From,
To, and Subject columns provide information about the e-mail message held in quarantine. You
may click the row of an e-mail to view expanded information.
Note: Navigation is performed the same as it is in the Alert page. Refer to Navigate
Alert Pages.
Figure 28. Expanded quarantine information

The expanded information includes the message ID, time stamp, and the sensor. Information about
any corresponding alerts also displays.
Quarantine Details: Click next to the e-mail to see the Quarantine Details page for that e-
mail.
Alert Details: Quarantined e-mails can have alerts associated with them. Click an alert
number at the Quarantine Details page or at the Quick Summary for the quarantined e-mail.
The Alert Details page displays with information for the alert. Refer to Alert Details for more
information. Any changes made at the Alert Details page will only affect the selected alert and
not the quarantined e-mail or any other alerts generated by the e-mail.
Take Actions on Quarantined E-Mails

Click the check box next to one or more quarantined e-mails to select them. Clicking check boxes
again deselects the e-mails. Clicking the check box at the top of the Quarantine Management list
selects (or deselects) all e-mails on the current page.
The following actions may be taken on the selected alerts:
Change Status. Refer to The Alert Workflow Log.

Change Alert Management Group. Refer to The Alert Workflow Log.
Deliver or Discard the message. Refer to Deliver or Discard Quarantined E-Mail. These
options also enable you to purge alerts associated with the quarantined e-mail.
Deliver or Discard Quarantined E-Mail

You can choose to deliver or discard quarantined e-mail. Either action will remove the quarantined
message from the sensor and CommandPost. You may choose to also remove all alerts
associated with the message or to leave all alerts on CommandPost.
If deliver is chosen, the e-mail is sent from the quarantine queue to the original recipient. An
e-mail is also sent to the original sender of the e-mail notifying them that their e-mail was
delivered.
If discard is chosen, the e-mail is removed from the quarantine queue and not sent to its
original recipient. An e-mail is sent to the original sender of the e-mail notifying them that their
e-mail violated policy and was not delivered.
A dialog box displays asking if you want to remove all of the alerts associated with this
message. If you choose All, the alerts are purged from CommandPost. Make sure that you
really want to discard all alerts before proceeding.
If you select None, any associated alerts remain available on the Alert Report page. The
quarantined e-mail is delivered or discarded.
If the quarantined e-mail does not contain associated alerts, a dialog box asks if you want to
continue. Click OK to continue to deliver or discard the quarantined e-mail.
After you deliver or discard the quarantined e-mail it is removed from the quarantine queue and will
no longer appear on the Quarantine Management page.
Search Quarantined E-Mails

Searching for quarantined e-mails can be done by entering criteria in the control section at the top
of the Quarantine page. If the page controls are not visible, click in the upper right corner to
open them. Searches use a case-insensitive, partial string match to find quarantine e-mails. The
search term is a simple phrase or set of phrases to find within quarantine information.
1. Enter search terms in the Search For: text box. Refer to Enter Search Terms for Alerts for
specific search guidelines.
2. Select a search field at the In: pull down menu.

Figure 29. Searchable Quarantine fields
You can search for quarantined e-mails by searching for specific text strings in the following fields:
Table 10. Quarantined E-mail: search fields
Quarantine search Description

fields
Message ID The ID the system assigns to the quarantined e-mail.
Sensor The Mail sensor on which the e-mail resides.
Sender Any part of the From line of an e-mail message.
Recipient Any part of the To line of an e-mail message.
Subject Any part of the subject line of an e-mail message.
Management Group Any part of the management group associated with alerts.
Forensic data Any part of the data captured from the e-mail.
Refer to Alert Search Fields for more specific information about how these searches are applied.
3. Include or exclude Incoming quarantined e-mails.
Every access to the Quarantine page presents live data as it is reported to CommandPost. If
new quarantine e-mails are occurring on your network, this may distort your view of the data.
For example, you may click Next Page only to see the same set of quarantined e-mails from
the first page. This occurs because the first set of quarantined e-mails has been superseded
by new quarantined e-mails, moving them to the next page. You will notice similar effects any
time you perform searches, or if you access Quarantine Details then return to the Quarantine
Management page.
You can change this behavior by clicking the Include Incoming Quarantine in the Search
dialog box. By default, this option is checked, meaning new quarantined e-mails will be
considered. To change this behavior, uncheck the Include Incoming Alerts box.
4. Click Search. You can search without specifying a time period.

Search Quarantined E-Mails using Duration
You can use Duration to reduce the list of quarantined e-mails to those that occurred within a
specified time range. Duration can be found in the control section at the top of the Quarantine
page. If the page controls are not visible, click in the upper right corner to open them.
1. Click Duration to select a time period, If needed. The default value is all messages.
Figure 30. Quarantine search duration

All Messages: the default setting of the Quarantine page.
Last Login: reduces messages to those that have occurred since the last time you
logged into CommandPost.
Last 24 Hours, 7 Days, or 30 Days: provide shortcuts to reduce the messages to the prior
day, week, and month.
Specific Hours: will display a text box to which you can enter a two digit number. You
can use this feature to reduce alerts by partial days with granularity of one hour
increments.
your messages to those that occurred during the specified date. Dates must be entered
in the form of mm/dd/yyyy.
Date Range: you can enter a range by entering start and stop dates in the text boxes or
click to select a date. This reduces your messages to those that occurred during the
specified date range, including the start and stop dates. Dates must be entered in the
form of mm/dd/yyyy.
2. Include or exclude Incoming quarantined e-mails.
3. Click Search.

Advanced Search for Quarantined E-Mails
An advanced search gives the ability to search on two or more fields simultaneously.
1. Click Advanced Search. The Quarantine Report Editor displays.
Figure 31 . Quarantined e-mail: advanced search

2. Enter search criteria into the search fields.
Table 11. Quarantined E-mail: advanced search fields
Field name Description
Sensor(s) From the sensor box, choose a Fidelis XPS sensor or Ctrl-click to
choose multiple sensors.
Interval Specify a time interval to search: 1 hour to 96 days.
Date Specify a date. If you also specify an interval, the report searches
from this date and includes any interval times. For example, if you
enter September 1 as the date and select an interval time of 10 days,
the report searches from September 1 through the preceding 10
days.
Sender Any part of the From line of the e-mail message.
Recipient Any part of the To line of the e-mail message.
Subject Any part of the subject line of the e-mail message.
Forensic Data Enter search terms to search within Forensic Data.
3. Click Run Report to retrieve reports that match your search.

Quarantine Details
Click next to the quarantined e-mail to access Quarantine Details. You can view the original e-
mail message, a list of any attachments, and alerts associated with this e-mail.
Note: Quarantine Details is only available to users with the correct privileges. Refer to
User Roles.
Figure 32. Quarantine Details

Users with full privileges to quarantine management can choose to deliver or discard the
quarantined e-mails. Refer to Deliver or Discard Quarantined E-Mail .
Users with ticketing privileges can access the Message Workflow Log to make changes to alerts
associated with the quarantined e-mail. The alerts may be assigned to individuals or groups,
closed, or commented. Any ticket action applies to all alerts associated with the quarantined e-mail.

Chapter 6 Manage Reports
Manage enables you to access and manage all your reports from one location. You can use criteria
entered at the Alert or Quick Report pages and save these reports which are then available at the
Report List. You can continue to use these reports or include other criteria such as filters, duration,
columns, and group by to create new custom reports.
To access the list of your saved reports, click Reports>Manage. When you first access the list, it
displays the seven default system reports.If you have upgraded from a version of CommandPost,
the list will also contain entries related to any saved customer reports, quick reports, and views.
System Reports These reports ship with Fidelis XPS and include: Default, Summary
Violation, Alert Management, Network, Label, and My Alerts. You can run these reports or
use them as the basis for a new custom report. If saved as a custom report, the original
system report is not affected. System reports are also available at the Alert Report page.
Refer to System Reports for Alerts.
Custom Reports Customized reports allow you to control the contents and the display of
your report. From the Manage page you can run, modify, and schedule these reports. Refer to
Create Custom Reports.
Saved Quick Reports These are Quick Reports (such as Alerts by rule or Data Discovery)
that were created and scheduled at the Quick Reports page. From the Manage page you can
run, modify, and change the execution schedule. Refer to Create Quick Reports.
Figure 33. Manage page

Click a report to see report details. The following buttons also display depending on the report
selected.
Run to view the report. This is active for all reports. Refer to Run Custom Reports.
Edit takes you to the Custom Report page to edit criteria and save the report under a new
name. Refer to Create Custom Reports.
Modify is available for saved Quick Reports and takes you to the Quick Reports page. Refer
to Create Quick Reports.
Delete is available for Custom and Quick reports. Refer to Delete Reports.
Schedule enables you to enter scheduling information. This button is active for Custom
Reports.Refer to Save and Schedule Custom Reports.
Modify Schedule also enables you to enter scheduling information and is active for Quick
Reports. Refer to Save and Schedule Reports.
Copy enables you to copy a report and send it to other users. This button is active for Custom
Reports. Refer to Copy Custom Reports.
Fidelis XPS User Guide Version 6.0 Manage Reports 59

Create Custom Reports
Custom Reports are only available to the user who creates the report. These reports can be
modified, scheduled for automatic execution, and copied to other users.
There are several ways to begin creating a custom report:
Click Customize at the Alert Report page. All alert search, filter, and view criteria is selected in
the Custom Report page. You can change any parameter and save it.
Click the appropriate report at the Manage page and click Edit. The Custom Report page
displays with any criteria selected for the saved report. This enables you to create a new
Custom Report based on a system report or an existing custom report.
Click Create New Report at the Manage page.
The Custom Report page contains the following sections that you can expand or collapse as
needed:
Search provides an interface to identify alerts by a search rather than an exact match. Search
terms are typed into the available input fields.
Filters provide an interface to identify alerts by an exact match of one or more attribute.
Values are selected by choosing one or more from the available lists.
Duration provides an interface to identify alerts by time.
Columns provides a control for the information available in your alert report.
Group By provides a control to summarize and chart the results of your report. The fields
available for grouping are those chosen as your primary columns for the report.
Search
To search, enter criteria into one or more of the text boxes within Search. Searches use a case-
insensitive, partial string match to find alerts. Refer to Enter Search Terms.
Figure 34. Custom Search: Search
Table 12. Search Fields
Search fields Description
Alert Id Enter a single alert ID, a comma-separated list of alert IDs or a range. Ranges are
entered by a hyphen between the start and end of the range
UUID Enter a specific alert UUID number. This is an exact search.

Search fields Description
Source Ip Enter an IPv4 or IPv6 IP address, a comma-separated list of IP addresses, or a

range. Ranges are entered by a hyphen between the start and end of the range.
Custom Search cannot accept resolved IP addresses, however, other information is
valid in Search IP Addresses.
Destination Ip Enter an IPv4 or IPv6 IP address, a comma-separated list of IP addresses, or a

range. Ranges are entered by a hyphen between the start and end of the range.
Custom Search cannot accept resolved IP addresses, however, other information is
valid in Search IP Addresses.
Source Port Enter a TCP port number, a comma-separated list of port numbers, or a range.
Ranges are entered by a hyphen between the start and end of the range
Destination Port Enter a TCP port number, a comma-separated list of port numbers, or a range.
Ranges are entered by a hyphen between the start and end of the range
Summary The search is applied over the summary field of the alert.
Forensic Data The search is applied over the forensic data field of the alert, as shown in the Alert
Details page. Note that some alerts will not contain forensic data per policy definition.
Session Attributes This search is performed over the Channel Attributes of the alerts. The value will
match the name of a protocol or file format for which attributes are available, the
attribute name, or the attribute value. Refer to chapter 4 in the Guide to Creating
Policies for details about protocol or file formats and their attributes.
Note: Search terms entered for Summary, Forensic Data, and Session Attributes
follow the same syntax as described in Search for Alerts.

Filters
Filters use an exact match to find alerts. You can use filters to limit the report to only those alerts
that match your filter criteria. If you select multiple fields, all are applied to the filter. The more filters
that you select, the more narrow your results.
Figure 35. Custom Search: Filters
Table 13. Filters
Filter Description
Severity Select one or more severity levels. Severity could be low, medium, high, or critical as
indicated by the rule that was violated.
Sensors Select one or more sensors. This refers to the name of the sensor that detected the
violation.
Protocols Protocol refers to the network protocol over which the violation was detected.
Source Country Select one or more source countries.

Filter Description
Destination Country Select one or more destination countries.

Rules Select one or more rules. This list displays all rules even those not assigned to a
policy.
Policies Select one or more policies. This list displays all policies even those not assigned to
a sensor.
Labels Select one or more alert labels.
Alert Actions Select one or more alert actions.

Assigned to Click to select an alert owner. All CommandPost users with alert management
privledges are listed.
Groups Select one or more alert management groups to which the alerts belong. All groups
available in CommandPost are listed.
Ticket Status Select one or more statuses for the alerts.
Ticket Resolution Select one or more resolutions for the alerts.
Duration
Duration enables you to specify a time period for your Custom Report and include trending
information.
Figure 36. Custom Search: Duration

All Alerts: the default setting of the report.

Last Login: reduces alerts to those that have occurred since the last time you logged into
CommandPost.
Last 24 Hours, 7 Days, or 30 Days: provide shortcuts to reduce alerts to the prior day, week,
and month.
Specific Hours: will display a text box to which you can enter a two digit number, N. Only
alerts occurring in the past N hours will be displayed. You can use this feature to reduce
alerts by partial days with granularity of one hour increments.
Specific Days: will display a text box to which you can enter a two digit number, N. Only alerts
occurring in the past N days will be displayed. You can use this feature to reduce alerts to
those that occurred during a specific number of days.
your alerts to those that occurred on the specified date. Dates must be entered in the form of
mm/dd/yyyy.
Date Range: you can enter a range by entering start and end dates in the text boxes or click
to select a date. This reduces your alerts to those that occurred during the specified date
range, including the start and end dates. Dates must be entered in the form of mm/dd/yyyy.
Click Trending to graphically display the trend for all alerts in your report Trending is based on the
time periods entered at Duration.

Columns
Columns determine what information is displayed in the custom report. You must select at least
one primary and one secondary row to run or save a report.
Column Choices lists all columns that you can include in a report. Refer to the table below
that describes system report columns.
The Primary Row contains the columns that will display as the main columns for the custom
report. These columns can be sorted or used to group alerts.
The Secondary Row contains additional columns that can be used to provide extended
information on the Alert Report. When the report is run within CommandPost, each primary
column is show per alert. You can click the alert to open the the Quick Summary to access
your secondary information. Secondary row columns can be used to filter alerts and to
navigate to other pages by following clickable information fields. When the report is scheduled
for automatic delivery, secondary rows are not shown as part of the report.
Sort By displays columns selected for the primary row or those selected for grouping. The
selection will determine the order of your report.
Figure 37. Custom Search: Columns

To set up columns:
To add a new column: Select one or more choices from Column Choices and click or
.
To edit column order: Select one or more column and click or until all columns are in
the desired order.
To delete columns: Select one or more rows and click .

Table 14. System report columns
Available Description
columns
Action The action taken by the sensor in response to the violation.
Alert Id Displays a unique ID belonging to an alert.

UUID The Universal Unique ID (UUID) is an alert ID that will be unique over all
CommandPost systems. If an alert is archived and imported at a later date, the
UUID will not clash with the current set of CommandPost alert IDs, however the
Alert Id may.
Compression Indicates the number of additional events represented by an alert. Refer to Alert
Compression.

columns
Country: The country to which the destination IP address is registered.

Destination
Country: Source The country to which the source IP address is registered.
Filename Displays the name of the file that caused the violation. Will be empty if no file was
involved in the violation.
Format Type Displays the data format type that caused the violation.
From Displays the value of the extracted From field. The value is protocol specific and
most applicable to email or webmail. The value will be empty if the violation
occurred over a protocol that does not provide From.
Group Displays the alert management group to which the alert belongs.
IP:Destination The IP address of the recipient of the data. When available, both IP and resolved
host name are provided.
IP: Source The IP address of the sender of the data. When available, both IP and resolved
host name are provided.
Label Displays the label assigned to the alert.
Owner The name of the CommandPost user to whom the alert has been assigned.
Policy The name of the policy that was violated
Port: Destination The destination TCP port number

Port: Source The source TCP port number
Protocol The application protocol on which the violating transfer occurred.
Resolution Displays the resolution to an alert that was closed. Resolution can take the
following values: Allowed, Action taken, No action taken, and False positive. Refer
to The Alert Workflow Log.
Rule Dispays the name of the rule that was violated.
Sensor Displays the name of the sensor that detected the violation.
Severity Displays a level of severity. Severity could be low, medium, high, or critical.
Status Provides the status of an alert, which can be new, open, or closed. Refer to The
Alert Workflow Log.
Summary Displays summary text associated with the rule.
Target Target refers to the intended destination of the information. The value is protocol
specific. Examples include the destination domain name, server name, or host
name.
Target is based on extracted protocol information and not based on the IP
address of the data. In many network configurations, the IP address may be an
internal address corresponding to a local NAT server or proxy, whereas the target
represents the intended destination of the data.
Time Displays the time when the alert was detected.

columns
To Displays the value of the extracted To field. The value is protocol specific and
most applicable to e-mail or webmail. The value will be empty if the violation
occurred over a protocol that does not provide To.
User Displays the value of the extracted User field. The value is protocol specific and
most applicable to protocols that require a login or user name. The value will be
empty if the violation occurred over a protocol that does not provide User.
Alert Details
Icon Displays the icon at the location of your choice in the Alert List .
Group By
Group by enables you to summarize your report by grouping selected values. The list of available
columns matches your selection of primary columns. If you choose to group, you can also choose a
graphical output format of your report.
Group by enables you to group alerts in your report by selecting primary columns. Use CTRL-Click
to select one or more columns to group report results. You should also select a view for your report,
either tabular, pie chart, bar chart, or stacked bar chart. Refer to Group.
Figure 38. Custom Search: Group By
Custom Report Controls

After entering criteria, you have the following options:
Resetremoves all criteria.

Runruns the report after it is saved.
Saveenables you to save the report with a unique name.
Save & Scheduleenables you to save and schedule the report. Refer to Save and Schedule
Custom Reports.

Run Custom Reports
Select the appropriate report and click Run. CommandPost displays any data that matches your
criteria in the Alert Report page. The criteria chosen will be displayed at the top of the report. All
normal operations of the Alert Report page are available. Refer to Understand and Manage Alerts.
Click Customize to return to the Custom Report page.
Figure 39. Report Results
Edit Custom Reports

To edit a report:
1. Click Reports>Manage.
2. Select the appropriate report.
3. Click Edit. The Custom Report page displays with any previously selected criteria. Refer to
Create a Custom Report to make any needed changes.
4. Save your changes. Click Save to save your changes to this report. Enter a new report name
to save this report with a new name.
Copy Custom Reports

Custom reports are created for the sole use of the CommandPost user who creates the report.You
may a copy a custom report to one or more CommandPost users that hold the correct privileges
(full access to reports and access to any sensors or groups chosen in the report).
You can send a copy of a Custom Report to one or more users. Users must have full access to
reports. Also, If the report being shared has a sensor or group selected, the user must have access
to the same sensor and alert management group. Refer to Manage User Roles and Groups.
To copy a custom report:
2. Select the appropriate report and click Copy.

Figure 40. Copy a Custom Report
3. Enter a new report name if desired. The copy of the report is saved under this name and sent
to selected users. If the selected users already have a report with this name, CommandPost
will attempt to find a new name for the copied report. The name of the copied report will be
displayed upon successful copy.
4. Select one or more users from the list. Selecting your login copies the report to your list .
5. Click Copy.
The report is copied to the selected users and they can manage it as any of their other saved
reports. Any changes made will not affect your original report.
Save and Schedule Reports

You can save or choose to save and schedule a custom report.
To schedule a system report, you must edit it and save it as a custom report. To schedule a Quick
report, refer to Schedule Quick Reports.
Save
To save a custom report:
1. After entering your report criteria, click Save at the Custom Report page.
2. Enter a unique report name.
3. Click the checkbox next to Save as alerts report to have this report available as a shortcut on
the Alert Report page.
4. Click Save.
Your saved report displays in the Manage page.
Save and Schedule

To save and schedule a custom report:
1. Click Save & Schedule at the Custom Report page.
If you select a Custom Report and click Schedule you can select scheduling information
without entering a report name or saving as an alerts report. Proceed to step 4.
3. Click the checkbox next to Save as alerts report to have this report available at the Alert
Report page.
4. Select a report delivery time.
5. Specify report frequency. This ranges from every day to specific days of the week or the
month. Report Frequency only determines the delivery schedule for the report and does not
change any times entered when creating the report.
Note: If you selected Date Range for the report, this date range will not change when
the report is executed. However, if you choose Last 24 hours, 7 days, or 30 days, the
time frame of the report will change with each execution.
6. Enter an e-mail address for report delivery.

7. Choose to send the report as a pdf attachment to the e-mail. You can also send the report as
HTML or text. Click Save.
Note: If your report includes group by, trending, or pie or bar chart criteria, the Send
As option is not available. The report is sent as a pdf attachment.
To send as HTML: Click, HTML and select columns. Any columns that display in the column
list will send that information from your report in the e-mail.
For more information about columns, refer to Columns.
To send as Text: Click Text. Select keywords and click Add Keyword. Keywords display in
the text box. If a user-defined format is chosen, type your format into the text box. Use
keywords to select the specific alert information to include in the report. If you desire a
comma-separated list, for example, enter each keyword from the drop-down list and type a
comma between each valid entry.
For more information about keywords, refer to Email user-defined.
8. Click Save.
Your saved report displays at the Manage page. The Scheduled column at the Report List indicates
that your report is scheduled.
Delete Reports
To delete a report:
2. Click Delete next to the appropriate report.
3. Click OK at the confirmation dialog box. The report is removed from the Manage page.

Chapter 7 Create and Use Quick Reports
The Quick reports page provides access to commonly used reports of alert and session data.
Reports can be generated immediately or scheduled for periodic creation and delivery.
Click Reports>Quick then select a report by clicking on the corresponding link. Refer to Define
Quick reports.
Figure 41. The Quick reports page
Define Quick Reports

Quick reports enable you to answer key questions about policy violations detected on your network
and associated alert management activities.
These reports are organized under some of the more common concerns that administrators often
need to address.
The Executive Summary provides four reports in one view to give you a snapshot of data
leakage violations.
Select a date range.
Select one or more sensors.
Include the number of results to be considered. The graphics will display the top nine
results individually and sum the remaining results into a tenth result.
Traffic Summary reports provide a view of violating network traffic compared to the total
traffic analyzed by Fidelis XPS sensors.
Choose from available data filters.
Tickets provide an analysis of your alert management activities.Tickets reports can provide
a summary of ticket activity as well as a breakdown by current status and the resolution of
closed alert tickets.
Choose from available data filters
Fidelis XPS User Guide Version 6.0 Quick Reports 70

Select the chart type (for status and resolution reports only).
Include data provides a table listing all results.
Include trend adds a time chart to show the distribution of alerts over time. The trend
chart is based on the time the alert was detected on the network.
Alerts Breakdown reports provide an analysis of your alerts.
Choose from available data filters.
Include the number of results to be considered, up to 99. The graphics will display the
top nine results individually and sum the remaining results into a tenth result. The
chosen number will influence the size of the associated data table, if selected.
Select the chart type: pie or bar chart.
Include data provides a table listing all results. The number of rows in this table is
determined by the Number Of Results value.
chart is based on the time the alert was detected on the network.
Data Discovery provides a view into the source and destination of sensitive data crossing
your network. The report enables you to track the location of this information so that you
may take the necessary actions to secure it.
Choose from available data filters. Choose to view results based on the sender
(source IP address), receiver (destination IP address) or the transmission path (IP
Pair).
Choose to view results based on the sender (source IP address), receiver (destination
IP address) or the transmission path (any IP address).
Include the number of results to be considered, up to 99. The graphics will display the
top nine results individually and sum the remaining results into a tenth result. The
chosen number will influence the size of the associated data table, if selected.
Select the chart type: pie or a stacked bar chart.
Include data provides a table listing all results. The number of rows in this table is
determined by the Number Of Results value.
chart is based on the time the alert was detected on the network
Table 15. Quick reports
Report Report Description

Organization
Executive Executive The Executive Summary provides a snapshot of your data
Summary Summary leakage violations by showing the percentage of traffic in
violation, and the policies, rules, and network protocols
contributing to the violations.

Organization
Traffic Summary by Protocol The Traffic Summary by Protocol report compares the total
number of TCP sessions analyzed by the selected sensors to
those that were in violation. The report breaks down the analysis
by application protocol.
For each protocol, you will see a comparison between compliant
and non-compliant sessions as well as a trend analysis of the
non-compliant sessions.
by Session The Traffic Summary by Session report compares the total

number of TCP sessions analyzed by the selected sensors to
those that were in violation.
The report includes a trend analysis of all violations.
Tickets by Status The Tickets by Status report shows the total number of tickets
broken down by the current ticket status: New, Closed, or Open.
Time selections and trend graphs refer to the alert creation time.
by Resolution The Tickets by Resolution report shows the total number of

closed tickets broken down by resolution: Allowed, Action taken,
No action taken, and False positive.
Time selections and trend graphs refer to the alert creation time.
Workflow Summary Workflow Summary displays alert management statistics including
the average time to progress ticket status andthe total number of
alerts processed You can run this report by user, group, rule, or
policy.
by Policy
Alerts Breakdown The Alerts by Policy report shows the total number of alerts
generated during a selected time period broken down by policy.
by Rule Alerts by Rule shows the number of alerts broken down by rule
for the selected time period.
by Severity The Alerts by Severity report shows the total number of alerts
generated during the selected time period broken down by
severity. Severity includes Low, Medium, High, and Critical.
by IP Address The Alerts by IP Address shows the total number of alerts

generated during a selected time range and broken down by
source, destination, or any IP addresses.The choice of IP Pair
results in a report showing communications paths.
by Directory The Alerts by Directory report displays alerts for user attributes
extracted from your LDAP or Active Directory server. This report
depends on the CommandPost configuration settings for LDAP
Reports.
by Destination This report displays the number of alerts broken down by
Country destination country. This enables you to determine which country
the transmission was going to when the alert was generated.
by Protocol The Alerts by Protocol report shows the total number of alerts
generated during the selected time range summarized by
application protocol.

Organization
Data Discovery Data Discovery Data Discovery can be used to report the flow of sensitive
information observed by the selected sensors. The report breaks
alerts down by the combination of the violated rule and the IP
address (source, destination, or pair). If you select only a single
rule, you can use the report to discover the flow of that type of
information in your network,
Note: The Traffic by Session and Traffic by Protocol reports are the only ways to view
the effects of policies that use the prevent option. This option prevents violating
sessions without generating an alert. The alert and alert and prevent options generate
alerts that display in all custom and alert reports.
Create Quick Reports

You can run any Quick Report by selecting it and clicking Run Report. Each report has several
customizable fields which can be left in their default setting or changed before clicking Run Report.
Note: Not all of the controls described in the steps below are available for each
report.
To create a Quick Report with more specific criteria:
1. Select all alerts or only those that match your selection. For example to run a report on
specific rules, uncheck All Rules at the Alerts by Rule page. A list of individual rules displays.
You can then select one or more rules on which to report.
2. Select a time range.
The Time Range allows you to select from several options:Last 24 hours, Last 7 days,
Last 30 days, and Date Range.
If you choose Date Range, text boxes for start and end dates display. These text boxes
only accept dates in the mm/dd/yyyy format. You can also click the Calendar icon to
display a calendar that allows you to choose the start and end dates.
3. Select one or more sensors. The Sensor list allows you to select either a single sensor or all
sensors.
4. Choose the number of results to include in your report. The graphic will include the top nine
results as individual sections of your bar or pie chart. All remaining results will be combined
into the last element of the chart labeled "Other."
5. Select a chart type to display your information either pie chart or bar chart.
6. Click Include Data to include a tabular report of your data associated with each bar or pie
section in the graphical output.
7. Click Include Trend to display alert trends in your report during the selected time period for
each alert item.
The time reported by trending graphs and the time used in time range selection reflect the
time at which the network violation occurred.
8. If needed, click Reset to restore default values. You can also do the following:.
Click Run Report. The result displays in a pop-up window. You can print the report, save
it as a PDF, or send the report as an e-mail attachment. Refer to Create PDFs for Quick
Reports.
Click Schedule to schedule this report for delivery to an e-mail address at a specified
time. Scheduling a Quick report makes it available at the Reports>Manage>Report List.
Refer to Schedule Quick Reports.
Click Customize. The Custom Report page displays with any criteria entered at the Quick
report page.Once you make the required changes you can save the report and manage
and schedule it as a Custom Report from Reports>Manage. Refer to Create Custom

Reports. Saving a Quick report as a Custom Report does not affect the original Quick
report.
Note: Not all quick reports can be customized. Specifically, the Executive
Summary, Traffic Summary, and Workflow summary reports cannot be
customized.
Create PDFs for Quick Reports

All Quick reports can be saved as a PDF.
To create a PDF report:
1. Create and run a Quick Report. Refer to Create a Quick Report.
2. Click Save PDF.
The PDF will open in your browser. You may choose to view or save the file to your local
workstation.
To send a PDF report via e-mail:
1. Enter an e-mail address at the Email text box.
2. Click Send Report.
The PDF report is attached to the e-mail and sent.
Schedule Quick Reports

You can schedule any of the Quick Reports to distribute automatically via e-mail at specified times
and intervals. You can use the default criteria when creating a report or select your own criteria.
To schedule a Quick Report:
1. Select one of the Quick Reports.
2. Keep the default report criteria or edit as needed. Refer to Create Quick Reports.
3. Click Schedule. The Schedule Report dialog box displays.
5. Select a report delivery time.
6. Specify report frequency. This ranges from every day to specific days of the week or the
month. Report Frequency only determines the delivery schedule for the report and does not
change any times entered when creating the report.
7. Enter an e-mail address for report delivery.
8. Click Submit.
The report can be managed at Reports>Manage with all other saved reports.

Chapter 8 Network Reports
The Network Reports page displays statistical information about the data flow observed by Fidelis
XPS sensors.
To display network statistics:
1. Click Reports>Network.
2. Select the time period.
3. Select the type of report.
4. Select the sensor.
5. Click Go.
The following reports are available depending on the type of Fidelis XPS sensors connected to
CommandPost. If a module you select is not present for the selected sensor, a message appears
stating that the module is disabled.
TCP Resets
Application Protocols
IP Defragmenter
Inline Module Network Statistics
TCP Processor
XPS Proxy
XPS Mail
XPS Connect
XPS Web Walker
Each Network report provides an interactive performance graph that you can use to closely
examine what is occurring on your network at specific times. With the performance graph, you can
look at time periods from 10 minutes to 7 days.
To do this:
Highlight an area of activity to expand that portion of the report.
Note how the time changes in the button below the slider bar. Time
measurements also change on the graph.
Mouse over a line to see what occurred at that point and how frequently.
Fidelis XPS User Guide Version 6.0 Network Reports 75

Figure 42. Network reports: interactive performance reports
To return to a larger view, double click in the graph. Each time you double click, the time
displayed in the graph doubles.
Clicking displays the information available for the 7-day period, even if you
initially selected a shorter time period.
Use the slider bar to see another portion of the graph.
Move the to expand or contract the time period being examined. You can also move to another
part of the performance graph. The time changes in the button and time
measurements on the graph also change.
Click to switch the graph to linear or to logarithmic scale.

TCP Resets
CommandPost displays the following information about the sensor. If enabled, TCP Resets control
the insertion of TCP reset packets for prevention.
Sample (size by time, showing when taken)

Total processed packets since last restart
Wire statistics (errors, dropped, invalid, received, and captured packets)
Requests
Resets
Recent Resets
Runtime (shows packets per minute transferred and reset)
Figure 43. Active Mode statistics

The legend contains controls to remove or restore the associated information from the graph

Application Protocols
CommandPost shows the following information about the Application Protocols observed by the
sensor:

Packets by protocol: a graphical display and a numerical breakdown
Bytes by protocol: a graphical display and a numerical breakdown, bits/sec
Packets per second by service, graphically
Bytes per second by service, graphically
Volume of packets by size, graphically

The two charts in the Protocols row show observed protocols during the selected time frame at the
top of the page while the interactive chart in the Per minute row shows all protocols that had a per
minute rate greater than 1 for at least 10 minutes at some point during the past 7 days. Therefore,
the list of displayed protocols in the two rows may be very different.
Figure 44. Application Protocol statistics

The legend contains controls to remove or restore the associated information from the graph

IP Defragmenter
CommandPost shows the following information about the IP Defragmenter module:

Config (shows current configuration and capacity of IP defragmenter module)
Runtime (information about the IP defragmentation alerts per minute over the selected time
period)
Figure 45. IP Defragmenter statistics

The legend contains controls to remove or restore the associated information from the graph.

Inline Module
CommandPost shows the following information about inline and throttle modes.

Total processed TCP packets since last restart
Throttle drop: how many packets were dropped in response to the throttle action.
Throttle TCP window cut: the number of packets on which the TCP window size was reduced
Bytes of TCP packets: a graphical display and a numerical breakdown, bits/sec
Throttle drop: the number of bytes in dropped packets
Throttle TCP window cut: the number of bytes in packets on which the TCP window size was
reduced
Figure 46. Inline Module statistics


Network Statistics
CommandPost displays the following statistical information about your network data flow by sensor,
including:

Packets by protocol: a graphical display and a numerical breakdown
Bytes by protocol: a graphical display and a numerical breakdown, bits/sec
Packets per second by service, graphically
Bytes per second by service, graphically
Volume of packets by size, graphically
Wire statistics (NIC errors, dropped and invalid packets)
Figure 47. Network statistics


TCP Processor
CommandPost displays the following information about the TCP Session module:

Configuration (shows current configuration and capacity of TCP Session module)
Runtime (TCP sessions per minute over the past 12 hours)
Figure 48. TCP Processor statistics


Proxy
CommandPost shows the following information about a Proxy sensor using the ICAP interface to
an external proxy server:
Total transactions since last restart
Total protocol errors
Connection information: current, postponed, total, and rejected connections
Traffic information: input and output traffic and buffers
Proxy Traffic: a graphical display and a numerical breakdown, Proxy traffic per minute
Figure 49. Proxy server statistics


Mail
CommandPost shows the following information about the Mail sensor:
Number of connections
Alerts generated
Messages prevented
Messages rerouted
Messages that were appended to

Messages that were appended to
Messages with custom header added
Number of messages
Messages quarantined
Messages rejected by IP white list
Sender notification messages sent out

Messages that did not violate policy
Figure 50. XPS Mail statistics

The legend contains controls to remove or restore the associated information from the graph.Hard
drive utilization displays a breakdown of usage on the Mail sensor.The Postfix Queue size indicates
how much space is available for quarantined messages.
The Postfix Queue graphic displays a breakdown of the postfix queue size. Refer to the Postfix web
site for more information.

Connect
The network report indicates how much traffic is on a Connect sensor and contains the following
information:

Total Protocol errors
Connection: Displays current and total connections
Traffic: Displays total transactions, input and output traffic, and maximum input and output
buffers
Figure 51. Connect Statistics

Web Walker
The Web Walker sensor downloads and analyzes the files stored on configured web sites, and
generates alerts when policy violations are detected. The Network report reveals the Web Walker
activity in terms of local disk space used to store downloaded files
Figure 52. Web Walker Statistics


Chapter 9 Manage Users, Roles, and Groups
CommandPost includes multiple concepts of administrative users: local, LDAP, and AutoLogin
users.
Local users are defined within CommandPost. Using the System>Users page, you can
create a user profile, which includes the local password and all permission settings.Local
users obtain a CommandPost user name and password and are the easiest to configure and
manage. CommandPost includes one default local user (admin) which must be used to
configure all other settings. Fidelis recommends that you create local user accounts for all
persons responsible for the maintenance and support of the Fidelis products.
LDAP users are created and managed by an external LDAP or Active Directory server.
Directory attributes can be used to map users or user groups to CommandPost permission
settings. LDAP users can access CommandPost using their directory user names and
passwords. They have full access to the system once logged on. Management is performed
by creating a user profile that maps directory attributes, such as group names, to
CommandPost access permissions.
AutoLogin users are authenticated by a remote authentication server. CommandPost detects
the user name in the HTTP header sent by the remote server and uses this name to map
AutoLogin users to a CommandPost user profile. This mode is recommended only for
enterprises that include a central user authentication mechanism which can intercept all
HTTPS communication. AutoLogin users are not provided a CommandPost user name nor a
password. Some capability will be limited due to the lack of these credentials.
Note: LDAP and AutoLogin users display in the Users>Profiles list after the first
login.
To create and manage LDAP and AutoLogin CommandPost users, refer to LDAP Configuration
and Auto Login. To understand CommandPost permissions, refer to Define User Roles.
To manage CommandPost users, click System>Users. The Users page displays with the current
list of CommandPost user profiles (local, LDAP, and AutoLogin) and basic information about each
user.
Note: The Users option is only available if you have access to user features. Refer to
Define User Roles.
Figure 53. CommandPost Users page

When first installed, CommandPost has one default user, admin, with full System Administrator
privileges. Fidelis Technical Support provides the default password for the admin user. Change this
password immediately after you first log in.
Fidelis XPS enables you to manage local user access by assigning each user to:
Fidelis XPS User Guide Version 6.0 Users, Roles, Groups 86

A role; required
Zero or more groups; needed for alerts and quarantine management features.
Zero or more sensors; needed to manage sensors and to view alerts from sensors.
LDAP and AutoLogin users are managed in a similar fashion. In these cases, you create a profile to
map user attributes to role, group, and sensor assignments. Each profile may manage a single user
or many users, depending on your configuration.
The user page provides two icons to note user status:
Denotes a valid user. The user has a role and has at least one group and sensor
assignment.
Denotes a user with limited access to the system. This user may have a role, but lacks
either a group or sensor assignment. They may log into the system, but will not be able to execute
their role.
Access Control in CommandPost

CommandPost provides multiple layers of access control to the secure information stored in
CommandPost and to the information collected from network sensors. The design is scalable from
small to large enterprises, so that access can be easily assigned to security teams that range in
size from a single person to a large, multi-tiered team.
Access control is managed by three entities: a role, alert management groups, and sensor access
control.
Roles provide access to CommandPost functions.
Sensor access restricts the CommandPost function to specified sensors.
Alert Management Groups can be used to divide the work of violation review and to segregate
violations by type.
The role is the first part of the access control system. Each CommandPost user is assigned one
role. This determines which parts of the system the user can access. Refer to User Roles.
Sensor access control is the second part of the access control system. Each users role provides
that user with access to certain CommandPost features. However, these features may only be
applied to the sensors to which the user is assigned. This control applies to all CommandPost
functions. For example:
A network operator may only configure and manage sensors to which that operator is
assigned.
A Policy author may write policies, but may only install these policies on assigned sensors.
An alert or quarantine manager may only view violations from sensors to which the manager
is assigned. The sensor access control serves to segregate data depending on where it was
found in the network.
The alert management group is the final component of the access control system. This is a group
of one or more users with a similar function, who should review similar network violations.
Examples might include a network administration group, Human Resources, or a network security
office.
Rules are associated with an alert management group. When a rule is violated, an alert or a
quarantined e-mail may only be managed by persons in the assigned group. Once viewed, an alert
manager may move the alert or quarantined e-mail to a different group as needed.
Alert management groups allow you to segregate data based on the rule that was violated. For
example, PII (personally identifiable information) violations may be sent to one group of users,
while violations involving inappropriate use of network resources are sent to a different group. It
also helps to split the workflow involved with alert management across one or more teams of
individuals.

Small Security Teams
Many enterprises may be too small to need access control. This is especially true of enterprises
with a single network security office. To simplify access control, Fidelis Security Systems has set
up default configurations:
The System Administrator role provides full access to the system.
All rules and all new users are initially assigned to the default group.
When a sensor is registered to a CommandPost, no user will have access, except the admin
user and the user who created the sensor.
The admin user has access to all groups, all sensors, and all system functions.
Define User Profiles

At Profiles, you can view all CommandPost users. Each user will be denoted as Local , LDAP, or
AutoLogin within the profile list.
Local users can be added, deleted, and managed from this page.
LDAP users can be deleted at the Users>Profiles page. Management of these users is
performed by mapping your external LDAP or Active Directory server information to
CommandPost user access profiles.Refer to LDAP Configuration.
AutoLogin users can be deleted or have full name and e-mail information edited at this page.
Management of these users is performed by mapping your AutoLogin profile to
CommandPost user access profiles. Refer to Enable AutoLogin.
To access user profiles:
Click System>Users>Profiles.
The Profiles page appears with a list of CommandPost users. You can click on any user name to
see expanded information, and the Edit and Delete buttons as appropriate.

Figure 54. CommandPost Users
The roles, groups, and sensor assignments are links that you can click to access the Roles,
Groups, or Sensor pages.
Add or Edit a Local User

Those with a role that allows user management can add, edit, or delete local CommandPost users.
Adding a user involves the following:
Provide identifying information for the user to Fidelis XPS. This information includes user
name, password, and e-mail address. This information is stored and managed within
CommandPost.
Determine access to Fidelis XPS features by assigning the appropriate role.
Assign the user to the appropriate groups and sensor to implement assigned roles. Alert
Management Groups can be used to divide the work of violation review and to segregate
violations by type
User managers have the following restrictions when creating or modifying users:
Create users with permissions equal to or less than their own permissions.
Assign users to groups to which they belong. For example, a User Manager that belongs to
group A and group B can only assign new users to those groups. Use CTRL+click to choose
multiple groups. Select No Groups to unassign a user from every group.

Assign users to sensors to which they belong. For example, a User Manager assigned to
sensor A and sensor B can only assign new users to those sensors. Use CTRL+click to
choose multiple sensors. Select No Sensors to unassign a user from every sensor.
The following table provides an overview of how to make role, group, and sensor
assignments so that a user has access to the more frequently used Fidelis XPS features.
Table 16. Determine user access
To access: The assigned Group assignment: Sensor assignment

role must
provide:
Alerts Full or view access Users must be assigned to Users must be assigned to
to Alerts the same group as the alert the sensor that generated the
and its associated rule to alert.
access the alert.
Quarantine Full or view access No impact Users must be assigned to

to Quarantine sensor that generated the
quarantined e-mail.
Policies Full or view access No impact Users can only assign

to Policies policies to sensors to which
they are assigned.
XPS sensor Full or view access No impact Users can only configure
configuration to Sensor Admin sensors to which they are
assigned.
CommandPost or view access to No impact No impact
configuration CommandPost
Admin
Users Full or view access A new user may be added to A new user may be added to
to Users any group to which the user any sensor to which the user
manager belongs. manager belongs.
Audit Full access to No impact No impact.

Audit
To add or edit a local user:
1. Click Add User and the New CommandPost User page displays. To edit an existing user,
select the user and click Edit.

Figure 55. New CommandPost User page
2. Enter user name, password, and e-mail address.
User name is required for new local users and must conform to valid name restrictions.
Valid names start with a letter and may contain letters, numbers, and underscores (_).
If needed, you can enter a full name to identify this user.
E-mail is optional. If entered, a correctly formatted Internet e-mail address is required. If
omitted, this user will not receive notification messages when alerts are assigned.
Passwords are required for new local users. Passwords must conform to the
CommandPost password settings defined in CommandPost Configuration. For an
existing user, click the Change Password button to change the password.
Note: Local users can change their account information after they log into
CommandPost. LDAP and AutoLogin users have limited ability to change their
account settings.
3. Select a role from the drop-down list.
4. Select the appropriate alert management groups for this user. Multiple groups may be
selected by dragging the mouse or using CTRL+click. Assignments may be reset by choosing
the No Group option.
5. Select the appropriate sensors for this user. Multiple sensors may be selected by dragging the
mouse or using CTRL+click. Assignments may be reset by choosing the No Sensor option.
6. Click Save.
The new or modified user is included in the list on the CommandPost Users page.
Delete a User
Before you can delete a user, you must first reassign all alerts assigned to the user.
To delete a user:
1. Click Profiles.
2. Click the appropriate user. The Delete button becomes available. The Delete button will not
be available if open alert tickets are assigned to the selected user.
3. Click Delete.
4. Click OK at the confirmation dialog box.
The user is deleted from the list on the Users>Profiles page.

To prevent future login from an LDAP user, you will need to change or remove this user from your
directory server or alter or remove the profile to which this user belongs. Refer to LDAP
Configuration .
To prevent future login from an AutoLogin user, you will need to change or remove the profile to
which this user belongs. Refer to Enable AutoLogin.
Define Alert Management Groups

You can create alert management groups to which you can assign users and alerts.
Each rule is assigned to an alert management group. Alerts generated when a rule is violated are
assigned to this group and visible only to the users in the group associated with the rule.
The alert manager may later move the alert to a different alert management group so that it may be
managed by members of other Alert Management Groups.
To access alert management groups:
Click System>Users> Groups. The Alert Management Groups page appears with a list of existing
groups. You can click on any group name to see expanded information, and the Edit and Delete
buttons.
The user and rule names and Assigned to Alerts are links that you can click to access Users,
Rules, and Alert Report pages.
Figure 56. Alert Management Groups page
Add or Edit an Alert Management Group

You can use groups to control user access to alerts. For example, a legal group could include
users with access to alerts generated when a personally identifiable information (PII) rule is
violated, while a different group could manage alerts for inappropriate use of the network.
To add or edit an alert management group:
1. Click Add Group. The New Alert Management Group page appears with empty text boxes. or
Select an existing group and click Edit.
2. Enter a name and a description for a new group.
3. Enter an e-mail address for the group. When an alert changes from one group to another, a
notice is sent to this e-mail. Similarly, notifications of quarantined e-mails are sent to this

address if a Mail sensor has been configured for quarantine notification. The e-mail address
must be a single address, which can be a group distribution list, and must conform to e-mail
syntax requirements.
4. Click Save.
A new group displays in the list with other alert management groups. You can now assign users to
the new group assign alerts to the group, and modify rules to place alerts into the group.
Delete an Alert Management Group

Any group associated with a rule cannot be deleted. Similarly, any group that contains alerts cannot
be deleted. To delete such a group, first remove it from all rules and move all alerts to another
group.
To delete a group:
1. Click the appropriate group. The Edit and Delete buttons become available.
2. Click Delete.
The group is deleted from the list at the Alert Management Groups page.
Define User Roles

Roles determine access rights for users. Fidelis XPS ships with predefined roles which determine
user access to each of the major CommandPost features.
Figure 57. User Roles page

Predefined roles cannot be edited or deleted. These are indicated with a Fidelis logo next to a role
name. Multiple users can share a role, but each user can only have one assigned role. You can
customize user access by creating a custom role.
Custom roles may be edited or deleted and are identified by the pencil icon.
Predefined roles are generally in one of the following categories:
Network Administratoradjusts sensor network settings and communications between

CommandPost and the sensor, monitors network statistics to verify connectivity, and installs
software upgrades to Fidelis XPS.
Policy Authorcreates and manages policies and rules to one or more sensor.
Alert and Quarantine Managerreviews alerts (or quarantined e-mails) and manages any
action required within the enterprise.
Each category includes the basic role described above and a supervisor role. The supervisor role
provides access to all the features of the basic role plus access to the Users feature. This enables
supervisors to add and manage local CommandPost users in their categories.
The System Administrator role provides full access to all Fidelis XPS features. This role can be
applied to any user.

The No Role role prevents access to all Fidelis XPS features.
A roles (and a users) access to each Fidelis XPS feature is determined by the access levels
specified for that feature: Full, View, or None. The following table describes each access level.
Table 17. User access levels
Access Level Description
Full Provides read and modify access to the feature. Depicted by a full
green circle.
View Provides read-only access to the feature. Depicted by a half-green

circle.
None Provides no access to the feature. Depicted by an empty circle.
Access Roles
To access roles:
Click System>Users>Roles.
On the Roles page, the permission levels and user information are hidden by default. Click on a
row, or click expand all to reveal the access levels and any user information associated with a role.
The user names display in links that you can click to access the Users page and see expanded
information for that user.
Figure 58. Viewing role permissions

The available permissions are:
Alerts: Provides access to Reports>Alerts. View permission allows you to read and manipulate the
report. Full permission allows you to purge and export alert data.
Details: Provides access to the detailed forensic data for Alerts and Quarantined email messages.
Without access to details, you cannot view the forensic data nor retrieve the data that caused an
alert. Details access is only available as either Full or None.
Quarantine: Provides access to Reports>Quarantine. View permission allows you to read the list
of messages. Full permission allows you to discard and deliver quarantined e-mail messages.

Tickets: Provides access to the alert workflow. With Full privilege you can assign alerts, change
the alert management group and close alerts. With View privileges you can read the workflow log of
any alert, but may not change it.
Manage/Quick: Provides access to Quick reports and to report customization and management.
You may view, create, save, and schedule reports for automatic delivery. Access is only available
as either Full or None.
Policies: Provides access to Policies. Full access is required to edit create policies, rules, or
fingerprints. View access allows you to view, but not change, the existing policies.
Users: Allows access to System>Users. With Full access you can add, remove, and modify user
profiles (including passwords), alert management groups, and roles. View access allows you to
view, but not modify, user profiles, alert management groups, and roles.
Sensor Admin: Provides access to the sensor configuration pages at System>Components. Full
access is required to modify the configuration of sensors. With View access, you may view the
configuration, but not modify it. Access to Reports>Network is also granted based on the Sensor
Admin setting.
CmdPost Admin: Provides access to the CommandPost configuration page at
System>Components. Full access is required to modify the configuration of CommandPost. With
View access, you may view the configuration, but not modify it.
Note: Access to System>Version Control requires Full access to both Sensor Admin
and CmdPost Admin.
Audit: Provides access to System>Audit. Audit access is only available as either Full or None.
Add or Edit a Custom Role

If the predefined roles do not meet your requirements for user access, you can create custom roles.
To add or edit a custom role:
1. Click Add Role and the New Role page appears. To edit an existing role, select the custom
role and click Edit.
Figure 59 . New role

2. Enter a name and a description for the new role.
3. Specify an access level for each Fidelis XPS permission. None is the default value; you can
select Full or View access.
Note: You can also base your role on an existing role. Select from the list next to Base
Role On. You can customize access levels.
4. Click Save.
The new custom role displays in the Roles page with a pencil icon next to its name.
Not all combinations of features are available in the definition of a custom role. Specifically:
Manage/Quick is available as either no access or full access. View-only is not available.
Details are available as either no access or full access. View-only is not available.

Access to Audit is either no access or full access. View-only is not available.
Access to Quarantine, Manage/Quick reports, and Ticket functions requires View or Full
access to Alerts. If you choose access to one of these three functions, CommandPost will
raise the level of Alerts to an acceptable level.
Note: Not all options are available to all users. You may only create a role with less
than or equal privileges than your own role.
Delete a Custom Role

After you delete a custom role, any users assigned to it are reassigned to the No Role role. This
means that these users will not have access to any Fidelis XPS features until they are assigned to
a new role.
Note: Predefined roles cannot be removed from the system.
To delete a custom role:
1. Select the appropriate role.
2. Click Delete.
The role is deleted from the Roles list.

Chapter 10 Configure Fidelis XPS Components
The Components page allows you to view, manage, and configure Fidelis XPS components
including CommandPost and all sensors.
The Component Page

To access this page: click System>Components.
Note: The Components page is only visible to users with the correct privileges. Refer
to User Roles for details on user privileges.
Figure 60 . The Components page

The Components page contains a list that provides you with a quick view of the CommandPost
management console and each sensor controlled by this CommandPost. From the main
Components page, you can register or unregister a sensor, edit basic sensor information, or
change configuration information.
Management is performed in real time, so configuration changes are effective immediately once the
Save button is clicked at a Config page.
Component Information
The Component list will display the CommandPost console at the top of the list. All sensors, if any,
follow in alphabetical order.
To see more details about a specific component, click the row for that component. Component
details for the CommandPost and sensors provide a summary of the current status and relevant
configuration details. Full configuration details can be accessed at the component configuration
page.
Note: If your product is a CommandPost with an embedded sensor, such as the
Scout, the initial list will show the embedded sensor. For embedded products, you
cannot add or remove sensors, but can configure the embedded sensors.
Status Lights
Shown as a green, red, or yellow diamond, the status light indicates whether a component is
operational. Green indicates that the component is fully operational. Yellow indicates a warning
message, which may indicate operational problems or the detection of a condition that warrants
attention. Red indicates operational failure.
By mousing over the status light, you can see a short description of any detected problem or
warning. The same description is available in the details of the component status.
Details
Click a row to view details about a component. CommandPost information includes the Name
(Local), Version, OS Version, Time, and any yellow or red Notifications. The absence of
notifications indicates that the component is fully operational.
Name the name of the component which was given when the sensor was added to
CommandPost.
Fidelis XPS User Guide Version 6.0 Components 97

Description an optional field supplied when the sensor was added to CommandPost. You
can edit the description at any time.
Version Provides the Fidelis XPS software version installed on the component.
Decoder Version Provides the decoder version installed on the sensor. In response to
application protocol changes, Fidelis is able to release decoder updates without the need for
a new version of software. The most recent decoder release will offer the best product
performance.
OS Version Provides the operating system version installed on the component.
Time Displays the component's local date and time This can be used to verify the correct
time settings between all components in your system.
IP Address provided when the sensor is added to CommandPost. If the sensor is

unregistered, you can change the IP address by editing sensor information.
Alerts is a current count of alerts generated by this sensor.Clicking the count will take you
to an Alerts Report showing alerts from this sensor.
State The state of the sensor; either registered or unregistered.

Last Seen tells you how long ago CommandPost last received communication from this
sensor.Each sensor posts information to CommandPost every five minutes, or with each alert.
The lack of information within a ten minute window indicates a communication problem.
The green arrow indicates that communication is working properly.
A broken yellow arrow indicates that communication has been lost between CommandPost
and sensor.
A broken red arrow indicates that the sensor has never communicated with CommandPost.
Note: If sensor communication is lost, many of the details listed above cannot
be obtained.
Notifications Displays messages from the sensor with a status light to indicate the
importance of each message, either medium (yellow diamond) or high (red diamond).
User Assignments provides a list of users assigned to the sensor. Clicking a user displays
the Profiles page for that user.
License Messages
The following license messages can display in the Notifications section for the CommandPost or a
sensor:
Demo ModeYou need a valid license key. Refer to License.

License Refresh Required: It is recommended that you get a new license for each sensor and
the CommandPost from Fidelis Technical Support.
License will expire in The license will expire in the stated number of days. Contact Technical
Support to request a new license. for each sensor and the CommandPost.
Component Buttons
When you click a Component row, several buttons will appear. Button availability depends on user
access privileges as well as the communication status between CommandPost and sensor.
Register (Unregister) Sensor click to register (or to unregister) a sensor. Upon

registration, CommandPost attempts to initiate an encrypted session to the sensor. The
session must be authenticated by a sensor with the given name and IP address as entered
into CommandPost. If successful, the sensor will come online. After registration, the sensor
will not communicate to any external device other than the CommandPost to which it is
registered.
Click Unregister to take a sensor out of service. You can then register this sensor to a
different CommandPost.

Note: If your product is a CommandPost with an embedded sensor, such as the Scout,
you will not see register or unregister buttons. These products communicate internally
and do not require registration.
Edit Sensor click to change basic information about a component, including name, IP
address, and description. If the sensor is currently registered, name and IP address cannot be
changed. This button is not available for embedded sensors.
Delete Sensor click to remove a sensor from CommandPost. This button is available only if
there are no alerts in the database generated by this sensor and if the sensor is currently
unregistered. If you wish to delete a sensor with alerts in the database, you must first go to
the Alert Report page and purge all alerts generated by this sensor from CommandPost.
Refer to Purge Alerts for more information. When you return to the Sensor Config page, you
will be able to remove the sensor . This button is not available for embedded sensors.
Config click to configure the CommandPost or sensor.
Add a Sensor
To add a sensor to CommandPost:
1. Click System>Components.
2. Click Add Sensor.
3. Provide the sensor name, IP address, and an optional description. The IP address is used to
identify the sensor to the CommandPost.
4. Click Save.
5. Click Register. CommandPost attempts to communicate to a sensor at the specified IP
address.
After the sensor begins to communicate to the CommandPost the status indicator turns green and
the Last Seen value indicates the time of the last communication.
You can now configure the sensor by clicking Config.
Note: For embedded sensor products, the Add button is not available.
Edit a Sensor
You can change the sensor name or IP address (if unregistered). You can also change the
description as needed.
To edit a sensor:
1. Select the appropriate sensor.
2. Click Edit Sensor.
3. At the Edit Sensor page, enter needed changes.
4. Click Save.
Note: After a sensor is renamed, all alerts associated with that sensor are
automatically associated with the new sensor name.
License
License shows the Host ID information, the current license key, and an expiration date. Each
component requires a separate license.
When you initially install and register a Fidelis XPS sensor the License Key field displays <demo
mode>.
When you initially install Fidelis XPS on CommandPost, CommandPost will run in demo mode. A
sensor or CommandPost remains in demo mode until a license key is entered.

Figure 61. The License
Clicking on the component's Host ID creates an e-mail to license@fidelissecurity.com, with the
subject line automatically completed with the components Host ID. Include in the body of the e-
mail your name, the location name and address, phone number, and reseller name (if pertinent),
and Fidelis Technical Support will respond within one business day with a license key.
When you receive the license key, paste or type it exactly into the License Key box, and click Save.
If the information was entered correctly and matches the Host ID provided, the key will be
accepted. If there is a problem with the license, you will receive an error and the License Key field
will display <Invalid>.
Expiration
Fidelis XPS begins displaying notices that your license will expire starting 60 days before the
expiration date. If you receive this notice, contact Technical Support to obtain a new license.
M o di f y a L i c e ns e K e y
To make changes to your license key in case of an entry error for example, just enter a new license
number in the License Key text box and click Save. Please remember that making changes to
license keys should be done with great care.
D e m o M od e
If no license key is detected, the sensor and the CommandPost will operate in demo mode. The
sensor does not function in demo mode. A CommandPost in demo mode will not accept alerts from
any sensor and will only accept statistics.
System Monitor
System Monitor is used to monitor the activity and health of a sensor or of the CommandPost. In
general, it monitors a component's status including disk space, process restarts, and statistics
counts. It attempts to make sure that the system is running smoothly. If not, it can send warnings in
a number of different ways.
System Monitor monitors the sensor or the CommandPost from the input interfaces all the way to
the alert output process, and everything in between. It will also monitor the state of critical files
stored on the server disk drive. If modifications from the original installation are detected, a critical
sysmon alert will be generated and sent to the configured System Monitor output.
Note: On a sensor, executable files are also verified upon system startup using an
embedded signature in each executable file. Startup errors are written to syslog or
other Fidelis log files, depending on the corrupted file.
By default, System Monitor writes all of its messages to the standard system log file. In addition, it
can be configured to write to a remote system log file, to send an e-mail, and to send an SNMP
message.
Notifications
The Notifications page allows the configuration of messages or notifications to be sent to external
entities. This page is the same for the CommandPost or a sensor, except that the CommandPost
version does not contain details about sensor activity such as the number of packets inspected.

Figure 62. System Monitor: Notifications settings
You can send messages to a system log, an e-mail address, or to SNMP. You can configure the
types of messages sent to each.
Message types:
Warningsomething has happened that may impact the performance of the system;
Criticalsomething will stop the system shortly. System may not be running properly;
Emergencythe system cannot operate.
The System Log field allows for the entry of a remote system name. This system should be
configured to allow remote hosts to send syslog messages to be recorded in its standard syslog
file. Make sure to allow a remote sysmon message in through any firewall on the system also.
The message types to be sent are also configurable for this field. You may want to ignore
information messages and warning messages, but make sure that you know about any critical and
emergency messages.
The eMail Address field allows for the configuration of an e-mail address and message types to be
sent to that e-mail address. If one or more e-mail relayhosts are configured, outgoing e-mails are
sent through e-mail relayhosts.
The SNMP field allows for the configuration of a remote SNMP monitor and the message types to
be sent. SNMP traps may be sent to an external system which may be specified by a host name or
IP address. Choose the alert information to include in these traps.To enable Fidelis SNMP traps, a
MIB is available with sample use instructions at. www.fidelissecurity.com/support.

A dv anced
Click Advanced to change the SNMP Community String. The default value is public.
Logs
Logs enables you to view log files from a sensor or from CommandPost that reside in different
directories, including/FSS/log and /var/log among others. Log files can help in troubleshooting
problems and are a valuable resource when interacting with Fidelis Technical Support. After
retrieving a log file, you can send it via e-mail. Fidelis support is the default email recipient of all log
files.
To retrieve logs:
1. Click System>Components>Config>Logs. You can select another at the Component list.
2. Select a file from the Log Files list.
3. Click Invert Log to reverse the order of log entries, if needed.
4. Click Get Log. The selected log entry displays and the Email Log button is available.
Figure 63. Logs

You can view the log and send it via e-mail.
To do this:
1. After retrieving a log file, click Email Log. The following dialog box displays.

Figure 64. Email Logs
2. Enter the desired e-mail addresses. The default values are support@fidelissecurity.com for
the recipient address and your e-mail address the sender address.
3. Click Send.
The log file displays in the body of the e-mail message.
Configure CommandPost
The CommandPost configuration page enables you to specify settings for CommandPost
operations. Your role requires full access to CommandPost administrative functions to access this
page. Some Configuration settings may require additional access permissions, as noted in the
specific CommandPost sections. Refer to User Roles.
To access CommandPost configuration, click the CommandPost row at System>Components and
click Config.
License
User Authentication
Email Config
User Notification
LDAP Config
LDAP Reports
Alert Storage
Language Config
Logs
Diagnostics
System Monitor
Archive
Instructions for License, Logs, and System Monitor apply to all CommandPost and sensors.
Instructions for other CommandPost configuration pages only apply to CommandPost.
User Authentication
CommandPost supports user authentication locally, via AutoLogin, or via LDAP or Active Directory.
Using CommandPost configuration, you may choose the authentication method for your
environment and modify configuration options. When a user accesses CommandPost,
authentication is performed as follows:
If the user name matches a local user, entered in System>Users>Profiles, then local
authentication is performed. Refer to Define User Profiles.
If the user name is not local, then CommandPost checks AutoLogin to see if it is enabled and
if a profile is set up for the user whose name appears in the HTTP header. The AutoLogin
authentication requires a network infrastructure to capture the user request, authenticate the

user, modify the HTTP header, and pass the information to CommandPost. This feature may
create security problems in your network if not handled properly. Refer to Technical Support
for more information.
If the user name does not match a local or an AutoLogin user, the directory is used for
authentication. CommandPost checks to see is LDAP is enabled and if a profile is set up.
Upon success, user information is downloaded from the directory to CommandPost and
matched against a configured profile.
To use LDAP or Active Directory authentication, you must also configure communication
between CommandPost and your directory server. Refer to LDAP Config.
If none of the above steps are successful, the user login is rejected.
Note: You must maintain at least one local CommandPost user which can be used to
create other local users and configure external communications. CommandPost ships
with one default user (admin) for this purpose. You may create other accounts for this
purpose, but the default user cannot be removed,
Set Password Strength for Local CommandPost User s

Before configuring password strength for local CommandPost users, refer to your enterprise's
security practices for password requirements. After you configure CommandPost password
strength, all new passwords must conform to the new settings. Existing passwords will not be
impacted by your changes.
To set password strength:
1. Select Strong or Standard. If you keep the default setting of Standard, you can only change
the minimum length for passwords.
If you select Strong, other settings become available.
Figure 65. CommandPost: Password Strength

2. Enter values for the minimum length, digits, special characters, and upper case characters.
The default settings for a strong password is to have a minimum length of 8 characters,
contain at least one digit, one non-alphanumeric character, one upper case letter, and one
lower case letter.
3. Click Update.
E n a bl e LD A P A u t he n t i c at i on
If you would like to authenticate users via LDAP or Active Directory, you must enable LDAP
authentication and create a profile. To correctly setup authentication, you must have a thorough
understanding of your local directory server data structure. This can be obtained by utilizing your
favorite LDAP/AD browser software.
Note: You also need to configure CommandPost to LDAP communication. Refer to
LDAP Configuration.
To enable LDAP Authentication:
1. Click Enable LDAP authentication.

Figure 66. CommandPost: Enable LDAP authentication
2. Enter the Login Prepend. This login prepend specifies name of an attribute whose value
uniquely identifies the user across all profiles base/filter settings.
For example:
If the login prepend is: sAMAccountName=
Profile1 sales group
Base: CN=Users,DC=fidelissecurity,DC=com
Filter: memberof=CN=sales,DC=fidelissecurity,DC=com
Profile2 Engineering group

Base: CN=Users,DC=fidelissecurity,DC=com
Filter: memberof=CN=engineering,DC=fidelissecurity,DC=com
In this example, users from the sales and engineering groups are allowed to log in. If a
user enters joeUser at login, the authentication process goes through all the LDAP profiles
and for each LDAP profile looks for the attribute sAMAccountName=joeUser on the LDAP
server.
The Login prepend setting can therefore be thought of as another filter which is internally
applied by the authentication process for each LDAP profile. In our example, joeUser must
be a unique value for LDAP attribute sAMAccountName for both sales and engineering
groups.
3. Enter the LDAP Base and Filter.
Enter the LDAP Base.

Members of a group can be represented using LDAP base/filter settings. In Active
Directory, users may have an attribute: memberof in their LDAP record to signify
membership of a group. So the following example can retrieve all members of the sales
group.
Base: cn=Users,dc=fidelissecurity,dc=com
Filter: memberof=cn=sales,dc=fidelissecurity,dc=com
In this example, base points to root of all user records, and filter is applied to these
records returned from the base and therefore returns records of members of only the
sales group.
Enter the LDAP Filter to further define user attributes. The combination of Base and Filter
are used to define the set of users that fit this profile. You may use these settings to
identify a group of users, such as sales or engineering, or to define a specific user for
this profile. The values entered for Base and Filter depend on the structure of your
directory server.
Filter examples could be:
(|(mail=joe*) ( mail=fred*)) This entry would return users with e-mail beginning with
joe or fred.
(&(mail=joe*) (sn=b*)) This entry would return users with an e-mail beginning with
joe and a last name starting with b.
Note: Please see rfc4515 (http://www.rfc-editor.org/rfc/rfc4515.txt) for more
examples of LDAP filter expressions.

4. Select an appropriate role for users identified by the Base and Filter. This determines access
to CommandPost functionality. Refer to User Roles.
5. Select appropriate alert management groups. Users identified by the Base and Filter will be
able to access alerts in the selected groups. Refer to Alert Management Groups.
6. Select appropriate sensors. Users identified by the Base and Filter will be able to configure
and manage the selected sensors and access alerts from the selected sensors. Refer to
Define User Profiles.
7. Click Save.
8. Add other profiles as needed.
9. Click Update.
After a profile is defined, it will appear in the list of profiles. You can click a profile to expand it to
view all settings for this role and to access the Edit and Delete buttons which allow you to change
or remove the profile.
Important: Use caution in deleting a profile. Multiple users might use a single profile
to access CommandPost.
E n a bl e A u t o L o gi n
If your network provides user authentication for HTTPS services, you may enable Auto Login and
create a profile.
Note: AutoLogin users are authenticated within your network and are not provided a
CommandPost user name nor password. Therefore, they will have no access to file
transfer capabilities offered via WinSCP because these functions require a
CommandPost user name and password. File transfer capabilities are offered within
the CommandPost Policy creation pages.
To enable AutoLogin:
1. Click Enable AutoLogin.
Figure 67. CommandPost: Enable AutoLogin

2. Click Add Profile to access the New Profile page. The feature requires you to define at least
one profile.
Your network authentication must intercept the HTTP request, authenticate, and insert
an HTTP header in the form: headername:username where the header name string is
set up in the AutoLogin profile.

Enter the header name of the http header. Valid user names start with a letter and may
contain letters, numbers, and underscores (_). Names are case insensitive.
Select an appropriate role. This determines access to CommandPost functionality for any
user logging in with the header entered above. Refer to User Roles.
Select appropriate alert management groups so that the users will be able to access
alerts in the selected groups. Refer to Alert Management Groups.
Select appropriate sensors so that the users will be able to configure and manage the
selected sensors and access alerts from the selected sensors. Refer to Define User
Profiles.
3. Click Save.
4. Add other profiles for AutoLogin users as needed.
After a profile is defined, it will appear in the list of profiles. You can click a profile to expand it
to view all settings for this role and to access the Edit and Delete buttons which allow you to
change or remove the profile.
Important: Use caution in deleting a profile. Multiple users might use a single profile to
access CommandPost.
5. Enter the IP address for the network component that inserts the HTTP header and forwards
the request to CommandPost. CommandPost will only grant auto login when the sender
matches on of the entered IP addresses.
Fidelis strongly recommends that you utilize this feature to avoid security problems that may
arise due to unauthorized accesses granted by the AutoLogin feature.
6. Click Update.
Email Configuration
Email Config enables you to set e-mail parameters to identify messages sent from CommandPost.
1. Click Email Config.
Figure 68. CommandPost:Email Configuration

2. Enter a name and an e-mail address for CommandPost. The senders name is the full name
that will be associated with the senders address. If left blank, this will be set automatically to
Fidelis CommandPost.
The senders address is the e-mail address from which the reports will be sent.If either field is
left blank, e-mail will not include a From name or address.
Note: If the e-mail address is not a reachable address, some e-mail servers might not
accept the message.
3. Configure Smart Relay by entering an IP address or a host name and click to specify an
e-mail server on your enterprise's network. Smart Relay will direct e-mail to the specified
server.
4. Click Update.
CommandPost will use these settings for messages from the ticketing system and for reports
delivered by e-mail. Reports include user-generated and scheduled Alerts, Custom, and Quick
reports.

User Notification
CommandPost can be configured to generate a notification message to a user whose e-mail
triggered an alert. The terms "user and end user in this section refer to someone transmitting
data over the network on which your sensor is installed. In this section, user does not refer to an
authorized CommandPost user.
The CommandPost user notification feature is limited to alerts generated over e-mail or webmail
protocols. CommandPost can respond to each alert, however, when compression is active or when
the violated rule does not include an alert action, CommandPost may not respond to every event.
Refer to What is an Event?.
The Mail sensor has an e-mail notification feature that is more reliable than CommandPost, in that
it can respond to every event, not only those that generate an alert. However, the Mail sensor only
operates on SMTP e-mail traffic, not webmail. CommandPost user notification can be an important
component in your overall security policy for data extrusions, whether or not your solution includes
a Mail sensor.
When this feature is enabled, the user will receive an e-mail notifying them that their action violated
a policy. By default, e-mail notification is not enabled.
For end users receiving a notification message, the body of the message contains two sections: a
message that can be configured by a CommandPost administrator and details of the violating e-
mail. The configurable message can be customized to include information appropriate for the
environment. The details section cannot be customized; it will include the From, To, Subject, and
time of the violating e-mail.
To set up e-mail notification:
1. Click User Notification.
Figure 69. CommandPost: User Notification

2. Select the notification e-mail for No, Alerts, Prevented or All.
No: Disables this feature. No is the default setting.

Prevented: Alerts with the action of alert and prevent generate e-mail notification.
Alert: Alerts with the action of alert generate e-mail notification.
All: All alerts generate e-mail notification.
3. Enter a domain name to control who receives the e-mail notification. You can provide an
unlimited number of domains by clicking Add domain. Only users in the specified domain
receive the notification.
If you do not enter a domain e-mail is sent for every e-mail alert. This may cause notification
messages to leave the local network.

4. Select one or more e-mail protocols from the list, which includes SMTP plus all webmail
protocols.
5. Enter a subject for the notification e-mail. The default value is You have violated company
protocol....
6. Enter the body of the e-mail by either entering text into the text box or by uploading a file.
7. Click Update.
Note: Some e-mail systems will not deliver e-mail when the sender cannot be
identified. If you have not properly configured CommandPost e-mail, users may not
receive the notifications.
LDAP Configuration
You can configure CommandPost to interface with an LDAP or Active Directory server. After
configuration, CommandPost will be able to authenticate logins via directory authentication, to use
directory information in policy definitions, and to associate user information detected within alerts to
directory information.
To correctly configure the CommandPost interface with LDAP, you must have thorough
understanding of your local directory server data structure and login access to all user records
stored on your server. You may use your favorite LDAP/AD browser software to gain the required
information for configuration.
Obtain the following information before you configure CommandPost to work with an LDAP server:
Server name (For example: ldap_server.yourcompanyname.com)

Server port (usually is 389)
Authentication method used (usually is simple). Simple means that the password entered is
sent in plain text to the LDAP server. Digest-MD5 sends a hash of the password.
Note: User name and password can be left blank for anonymous access if your LDAP
server supports this.
LDAP User name (For example: cn=Administrator,cn=Users,dc=yourcompanyname,dc=com)
Password
LDAP Base (example: dc=example,dc=com or cn=Users,dc=example,dc=com)
Check the LDAP server before configuring LDAP at the CommandPost.
Fidelis XPS systems that use LDAP request all records for a given base/filter combination
and cache the records locally on the CommandPost with a periodic refresh functionality built
in. By default, LDAP directories limit the number of objects that can be returned from a single
search filter. Please make sure this limit is disabled or at least large enough to return all the
records for the base/filter combination configured at the CommandPost.
To configure CommandPost to directory communication:
1. Click LDAP Config.

Figure 70. CommandPost: LDAP/AD
2. Enter the name or IP address of your LDAP or Active Directory server.
3. Enter the port number for the server or choose the default of port 389. Make sure that there
are no firewall settings between CommandPost and your directory server that will block this
port.
4. Select the authentication method that your directory server requires. CommandPost supports
simple or Digest-MD5 authentication.
5. If your directory server supports SSL, click Use SSL to encrypt communications between
CommandPost and your directory server.
6. Enter a user name and password for authentication by your directory server. The name and
password will be used by your directory server to allow CommandPost to retrieve information.
Either field may be left empty if your server allows anonymous access.
7. Enter the server timeout in seconds. CommandPost will stop communication attempts if the
server does not respond within this time. CommandPost will resume communication attempts
at the next refresh interval or login attempt.
8. Specify the refresh interval in hours. The refresh rate refers to the frequency of
CommandPost requests to download directory information. This applies to information used in
policies and alert attributes, but not to user authentication. For user authentication, the
directory is accessed with each user login attempt.
9. Click Test to test communications between CommandPost and the LDAP server. Make sure
that the returned records are what you expected.
10. Click Update to save your settings.
After you establish communication to a directory server, CommandPost can use the link for three
distinct activities.
User Authentication. To configure user authentication by your directory server refer to LDAP
Authentication.
Policy Creation. You can direct CommandPost to retrieve user or group attributes from your
directory which can then be utilized by policy creation. For example, you can set extrusion
policies based on the activities from Human Resources, where Human Resources refers to a
group established in your directory. To create policies based on your directory attributes refer
to chapter 3 in the Guide to Creating Policies.

User Information Retrieval. When an alert is generated, information about the end user who
caused the violation can be extracted from your directory. This information will be included
with any applicable alert. To specify which user attributes you would like to include with your
alerts, complete the Alert Attribute Insertion section on the LDAP Config page:
Note: You can use LDAP browser software on your PC to connect to the LDAP server
to get the correct base, filter, and attribute information.
1. Enter a Base to specify the LDAP starting point within your directory server hierarchy. User
information found under this base will be used to extract user information for alerts. For
example: "ou=abcdepartment, dc=mydomain, dc=com"
2. Enter one or more filters in the text box, as needed. This enables you to filter search results
from those directory entries found at the base.
For example, if you enter "cn=Joe*" in the filter and "ou=abcdepartment, dc=mydomain,
dc=com" for base, the server will return records for users whose names begin with Joe in the
abc department.
3. Specify a list of attributes to extract from your directory. You may enter RFC-defined or user-
defined attributes directory into the text box.
Enter attributes into the text box and click . Use attributes defined in RFC 4519 or
any user-defined attributes.
To remove attributes from the list, select an attribute and click .
Some examples of attributes you might want to specify are name, e-mail address,
organization, organization unit, title, and user id.
Your list of attributes will be displayed as user information within Alerts. Refer to Alert
Details.
4. Click Test to verify the correct attributes are extracted from your directory.
5. Click Update to save your settings.
LDAP Reports
The LDAP Reports page enables you to specify options for the LDAP Attributes available at the
Alerts By Directory Quick report. Using this page, you can create a user readable name for each
LDAP attribute. You must configure at least one attribute to execute the Alerts By Directory Quick
report. Refer to Quick Reports.
To do this:
1. Click LDAP Reports.
Figure 71. CommandPost: LDAP Reports

2. Click Add LDAP attribute.
3. Enter a GUI name that corresponds to the LDAP attribute. This is the name that displays in
the drop-down list for the Alerts By Directory Quick Report.
4. Enter the attribute. For example if you enter Name for the GUI name, a corresponding
attribute would be cn. If you enter Department, a corresponding attribute would be ou.
5. Enter more attributes and corresponding GUI names as needed.
6. Click Update.

Alert Storage
CommandPost alert storage refers to the length of time each alert is retained and to the storage
format.
A l er t R et e n t i o n
CommandPost performs daily maintenance which includes two distinct processes:
Alert purge is the removal of all alerts and recorded objects that are older than the specified
retention period. Alert purge will briefly lock the database so that new alerts cannot be
inserted during this time. This operation should last only a few minutes or less.
Disk optimization is required after alerts are purged. This function is very important to the long
term integrity of CommandPost and must be run at least once per week. Optimization will lock
the database so that new alerts cannot be inserted during this time. This operation may
require several hours to complete, depending on the size of alerts and recorded sessions
stored by CommandPost.
Note: If CommandPost storage becomes full, new alerts will overwrite old alerts, even
if the retention period has not been exceeded.
To configure Alert Retention:
1. Click Alert Storage.
Figure 72. CommandPost: Alert Retention

2. Enter the desired number of days for CommandPost to retain alerts. You can enter from 0 to
999; 45 days is the default and the recommended setting. Note that alerts may be removed
sooner if the CommandPost disk becomes overloaded.
3. Enter a time to specify when the daily purge is performed. Alerts and recorded objects older
than the number of retention days are deleted once a day at this time. Fidelis recommends
you choose a time when network activity is minimal.
4. Maintenance Days provides the days to run full maintenance, including disk optimization.
Optimization will be performed immediately following alert purge at the time specified. Fidelis
recommends that full maintenance be performed every day.
If you do not select any days and click Update, maintenance will occur each day. When you
refresh the page, all checkboxes will be selected.
5. Click Update to save your changes.
Database Encryption
Database Encryption enables you to control whether alert forensic data and the associated
recorded objects are stored in an encrypted or unencrypted form. When you change configuration,
forensic data and recorded objects already stored by CommandPost will no longer be available. An
encryption change will provide a warning regarding the availability of current information.
If encryption is important to your organization, Fidelis recommends that you enable this feature
immediately upon receipt of your CommandPost. Fidelis uses AES 128-bit key encryption. For
existing installations, you should archive your alerts before changing encryption status. Note that
archive data is not encrypted.
To enable encryption:

1. Click Alert Storage.
2. Enter an encryption key in the text box . Retain this key for future use in the event of alert
archival and subsequent import, or in case the key is lost.
Figure 73. CommandPost: DbEncryption
3. Click Encrypt. A dialog box warns that you will lose access to forensic data and recorded
objects.
4. Click OK to proceed.
To disable encryption:
1. Click Unencrypt. A dialog box warns that you will lose access to forensic data.
2. Click OK to proceed.
CommandPost Language Configuration

CommandPost Language Configuration is necessary for content fingerprint testing and generation
which allows these processes to correctly interpret the contents of your files.
Settings made on the CommandPost will not affect settings for the sensors. Sensors must be
configured separately. Refer to Language Configuration.
Note: Fingerprint test results may not match sensor results on network traffic if
language configuration differs.
To specify language settings on the CommandPost page:
1. Click Language Config.
Figure 74. CommandPost: Language Configuration

2. Choose the appropriate mode:
ASCII mode will recognize ASCII characters in any file. When applied to a sensor,
ASCII mode provides the optimal performance. If your sensors are running ASCII
mode, you should perform fingerprint testing and generation in ASCII mode.
International mode will recognize Unicode (UTF-8, UTF-16, and UTF-32) characters
as well as all supported extended ASCII character sets. When International mode is

selected, a list of summarized character sets will appear. The list of supported
character sets is available within each summary.
Many file formats will indicate the character set used within the file, although this
information may not be visible within the file processing or editing application. For
these files, CommandPost will correctly interpret the contents in International Mode.
If the character set is not specified in the file, CommandPost will utilize the character
sets that you specify on this page. For fingerprint generation, including Keyword and
Keyword Sequence generation, Identity Profile training, Exact and Partial Content,
CommandPost will use the first character set in the list. For fingerprint testing,
CommandPost will translate your file using each character set in your list and test it
against your fingerprint.
3. In International Mode, click a character set summary, such as Latin or Cyrillic. Each opens to
display a list of specific character sets. Select one or more and click Add. Your selection
displays in the text box on the right. Use the arrow keys to change the order of the selected
character sets or to remove a selected set. Character set order matters for fingerprint
generation processes.
4. Click Save.
Diagnostics
CommandPost problems may be caused by corrupt tables within the embedded database.
Diagnostics enables you to check database tables and to repair them if needed.
To check for and fix database corruption::
1. Click Diagnostics.
2. Select the extent of checking you want Diagnostics to perform.
QuickChecks the integrity of indices on the table and usually executes quickly.
MediumPerforms a Quick check and verifies the checksum value on each row of each table.
A medium check may require several minutes to complete.
ExtendedPerforms a Medium check and a look up of each row and table index on the table
to verify 100 percent consistency. An extended check may require a long period of time.
Because checks and repairs can be time-consuming, it is recommended that you perform a
Quick Check and Repair first.If the problem is not corrected, attempt the Medium and
Extended Checks.
3. Click Check. A notice displays telling you that this process might take longer than expected.
4. Click OK to proceed. Check indicates the progress of the check and which tables it is
checking within a running dialog box. When complete, Check displays a message indicating
that the Check is complete. A list of files that need repair also displays.
Click + to view the dialog.
Click to collapse the dialog.
You can click Clear to reset the GUI, but Clear does not stop the Check or Repair operation
on CommandPost. Exercise caution when using Clear and then only if there is a genuine
problem - especially with an extended check or repair.
While a Check is in progress, you can leave the page and perform other CommandPost
tasks. Upon your return to the Diagnostics page you can view the current status of the
operation.
5. Select a Repair option.
The Repair method should correspond to the Check method used. For example, if you
selected a Quick Check, then you should proceed with a Quick Repair.
QuickOnly attempt to fix the index tree.
Medium Provides the same repairs as Quick.
Extended Rebuild the index tree by row.
Repair is only available if one or more tables were determined to be corrupt in the preceding
Check operation.
6. Click Repair. A notice displays telling you that this process might take longer than expected.
Click OK to proceed. Repair indicates the progress of the repair within a running dialog box.

Click + to view the dialog.
Click to collapse the dialog
Archive
Archive enables you to configure a name and login for a remote FTP server. CommandPost will
use the information to export archive files to the remote system. Refer to Export. Archive also
enables you to import files. Refer to Import from a Remote FTP Server.
Note: To access Archive, you need full access to CommandPost administration
privileges. Refer to Define User Roles. CommandPost administration privileges allow
you to configure and test the archival process. No alerts are transmitted during the
test process, only test data.
Access to System->Export requires alerts, Alert Details, and CommandPost
administration privileges. This access allows you to export alert archives using the
process set up by the CommandPost administrator, as noted above.
S e t U p a R e m ot e FTP S er v er
To set up information for a remote server:
1. Click Archive.
Figure 75. CommandPost: Archive

2. Enter a name for the remote server.
3. Enter a login name and password for the remote server.
Note: Remote login name and password do not support the use of non-ASCII
characters.
4. Click Update Configuration.
After clicking Update Configuration, you may test communication between CommandPost and the
remote server. To test:
1. Click Test Archive Configuration
2. Enter a directory name on the remote server where the archive file will be stored. The entry
must be a fully specified path. For example, on a Unix or Linux server: /home/Fidelis/archive.
If the remote directory does not exist, it will be created.
Be sure that the user name provided at the Archive page has permission to write to this
directory.
3. Click Execute Test.
The test process creates a small text file including a timestamp representing the exact time of
creation. This file is sent to the remote server, retrieved from the remote server, and compared to
the original. If the transfers complete and the file comparison passes, then the test succeeds. Any
failure represents problems with configuration of either CommandPost, your remote server, or
network problems that may prevent communication between the systems.
Following a test, the simple test file will reside on your remote server. You may remove it at your
convenience.

I m p o rt f ro m a R em o t e FT P S e r v er
The Archive page is also used to import alert and session data that was previously exported to your
remote server.
To import archive data:
1. Click Import Archive Data.
2. Enter the directory on your remote server that holds the archive files. All files in this directory
will be transferred to CommandPost and imported. If you do not want to import all files, you
will need to manage your remote server storage accordingly.
3. Choose how you would like to handle conflicts between imported alert and object information
and the information currently stored by CommandPost. Your options are:
Reject duplicate alerts in your import data. The alert UUID is used to determine duplicate
alert information and the Object ID is used to determine duplicate objects. This choice will
ignore the imported data and CommandPost information will remain unchanged.
Overwrite CommandPost data with information from the import file. Note that
CommandPost maintains an alert ID and a UUID for every alert. The alert ID is
sequential, but not universal across all CommandPosts. The UUID is a uniqueID per
alert. If you choose to overwrite CommandPost data, the local alert ID will most likely be
changed after import. The UUID will be maintained from the import file.
4. Click Execute Import.
This operation can be time consuming, based on the network speed between CommandPost and
the remote server, the number of alerts in the imported file, and the number of duplicates detected.
Upon completion, results will be displayed.
Configure Sensors
To configure a sensor, click System>Components and click Config for the selected sensor.
Note: The Config button only displays if the user permissions are adequate and if
there are no communication problems with a sensor.
Sensor Run Time Information

The table at the top of a sensor configuration page shows run time information for the sensor,the
time since last restart, the sensor name, and how much activity has occurred. The type of activity
depends on the sensor type. The information will automatically refresh every few seconds.
Figure 76. Run time information

You can switch components from the Config page by choosing a different name in the drop down
box. When you click Go the component changes.
Sensor Config Page

The sensor configuration page provides access to the configuration tabs listed below.
License
Sensor configuration. The label indicates the sensor product type.
System Monitor
Email Relayhost
Language Config
Logs

Direct and Internal
This page is available if the sensor includes the Direct or Internal module.
The Direct module detects all supported protocols crossing a defined network border. The Direct,
however, will not analyze sessions specific to the Internal module, which include LDAP and SMB.
The Internal module detects and analyzes all supported protocols within a defined network border.
Refer to chapter 4 in the Guide to Creating Policies.
Instructions for the following pages are available:
General
Advanced
Network Border
You can make changes separately in each page by clicking Save changes.
General
You can configure your module to operate in either inline or out-of-band mode. Refer to chapter 5
in the Enterprise Setup and Configuration Guide for more information about these modes and how
to set up and connect hardware to the network.
Figure 77. Direct/Internal connectivity: out of band mode

Figure 78. Direct/Internal connectivity: Inline Mode

Table 18. General parameters
General parameters Description
Enable Direct/Internal Click to enable the module.
Inline Mode/Out-of- Choose the setting that reflects the network configuration of your module.
Band Mode Out-of-Band mode is used for monitoring via a network tap or SPAN port,
while inline is used when the module is directly in the network flow.
When a module is deployed inline, prevention is performed by dropping
packets received on offending sessions.
Note: To activate inline mode, the module must also be
operating in full duplex mode. Refer to chapter 5 in the
Enterprise Setup and Configuration Guide.
Throttle Mode When Inline Mode is chosen the Throttle Mode checkbox displays if
available. Throttle is typically used to identify applications (such as peer-
to-peer or instant messenger) that are allowed on the network, but to
control their use by throttling activity to an acceptable level. Throttle mode
enables the Direct/Internal module to react to throttle rule actions. If
throttle mode is disabled, the module will ignore the throttle action.
TCP Reset When checked, TCP Reset is enabled to provide prevention, as indicated
by the action setting when a rule is violated.
When used in out-of-band mode TCP resets used for prevention, you must
specify the dedicated Ethernet interface (Prevent /eth1) used for packet
injection. Make this choice at the drop-down menu. When used in Inline
Mode, the Direct/Internal module will inject TCP Reset packets (in addition
to dropping received packets) to implement prevention. In Inline Mode, the
module will choose the correct Active interface for injection of reset
packets based on the information flow.
Active Interfaces Active Interfaces determine which Ethernet adapters the module will
monitor. Click the appropriate checkboxes to select interfaces. One
adapter, such as Monitor A /eth2, indicates that the module is listening in
half duplex mode. Two adapters, such as Monitor A /eth2 and Monitor B
/eth3, indicate full duplex mode.
Information Flow Map Click to enable Information Flow Map. This option displays if you have a
Direct module on a module capable of supporting Information Flow Map.
Refer to Information Flow Map.

A dv anced
Advanced enables you to control settings for protocol checksums and length of recorded objects.
Figure 79. Direct/Internal connectivity: Advanced settings

The following table describes options advanced parameters for Direct/Internal modules.
Table 19. Advanced parameters
Advanced Description
parameters
Alert Recorded Object This setting determines the maximum length (in KB) of data recorded
Limit (1-16384): from the network session associated with each alert. It is important to
keep in mind that a larger limit might substantially increase the size of
your database, which will require more available disk space on
CommandPost. The default is set at 4096 KB because most useful
forensic information occurs in the beginning of a recorded session. It may
be useful, however, to have more data recorded.
Checksum setting A check beside the protocol name under Checksum instructs the software
to verify the checksum of each network packet of that protocol type.
Deselecting a protocol means that packets will always be accepted which
increases performance.
Network Border
Network Border allows you to configure the internal network subnets monitored by a Direct or an
Internal sensor.
The Direct sensor physically resides at the egress point, and looks at sessions where the
sender is internal to the border and the recipient is external. The Direct sensor analyzes
sessions that cross the defined network border.
When the border setting is blank (the default setting), the Direct sensor examines all
incoming and outgoing traffic on the network.
The Internal sensor looks at sessions where both the sender and the recipient are internal
to the defined border. The Internal sensor checks and analyzes the internal transmissions
of data including those to or from file and database servers.
Important: You must set a network border for the Internal sensor. You can install
up to three Class A networks on the border list.

Figure 80 . Network sensor: Network Border settings
Add a Border Setting

To add a border setting:
1. Enter IP addresses into the text box on the left. Each line represents a new address or range.
The following are supported:
CIDR IPv4 addresses such as 192.168.3.1

CIDR IPv4 addresses with subnet masks, such as 192.168.3.1/24
Short form IPv4 addresses as interpreted by UNIX INET formats. For example, 10.8 is
equivalent to 10.0.0.8. Subnet masks may be added such as 10.8/24, which is
equivalent to 10.0.0.8/24.
IPv6 addresses with or without a subnet mask, such as fe80:0:0:0:0:0:0:1 or
fe80:0:0:0:0:0:0:1/16
Short form IPv6 addresses such as fe80::1 or fe::1/16, which are equivalent to the
examples shown above.
An address range by separating two IP addresses by a dash (-). The address on each
side of the dash must be correctly formatted as explained above. In addition, the address
on the right side of the dash must be greater than the address on the left.
Note: This guide assumes familiarity with IP address notation syntax.
2. Click Add to List. Each line in your text box will be validated for proper syntax. Any errors will
be displayed and the associated lines will remain in the entry box. All valid entries will be
copied to the Border text box.
3. Click Save. For an Internal sensor, this operation will verify the size of the defined border. If it
is either empty or too large, an error will result.
Delete a Border Setting

Once valid addresses are available in the Border text box, they may be deleted. Select one or more
IP addresses or ranges (using control click) and click . Your changes will take effect when you
click Save.

Proxy
The Proxy page is available if the sensor includes a Proxy module.
When a Proxy module inspects traffic it can generate alerts, prevent transmission by dropping
traffic, or both. If the Proxy module stops traffic because that traffic violates a rule, by default, the
Proxy module sends an HTTP status 403 (forbidden) to the client's web browser. If the enterprise
has provided a valid, absolute HTTP URL; then the Proxy module sends an HTTP redirect as the
response to the prevented traffic.
Note: The third-party proxy must be configured properly to work with ICAP. Refer to chapter 6 in
the Enterprise Setup and Configuration Guide.
Figure 81. Proxy Configuration

The following table describes Proxy configurable parameters.
Table 20. Proxy parameters
Proxy parameters Description
Enable Proxy Click to enable the Proxy module.
Squid Click to enable Squid compatibility mode. This must be enabled if the client uses
the Squid proxy. By default, this is turned off.
Proxy prevention Enter a valid, absolute HTTP URL for browser redirection.
redirect URL
Note: This URL does not support the use of non-ASCII characters.
You can create several URLs and force redirection if you include attributes of the
alert information in your URL. For example, you may have a URL for each policy
running on the Proxy module. The keyword select box can be used to craft a URL
for redirection based on alert attributes.
To use the Proxy module's ability to redirect based on alert attributes, select one or
more keywords from the list and click Add Keyword. The keyword and the percent
signs around it will be replaced with a real value at runtime. For example, if you
add the %SENSOR% keyword, the actual sensor name will replace the
%SENSOR% keyword in the URL.
Restrict interface By default, the Proxy module listens to all ports for ICAP traffic, including the admin
port used for communication to CommandPost. Click Restrict interface to choose a
single interface for ICAP traffic.

Proxy parameters Description
Alert Recorded This setting determines the maximum length (in KB) of data recorded from the
Object Limit (1- session associated with each alert. It is important to keep in mind that a larger limit
16384): might substantially increase the size of your database, which will require more
available disk space on CommandPost. The default is set at 4096 KB.
Mail
The Mail page is available if the sensor includes a Mail module. The Mail module can be deployed
in one of two modes:
Mail Transfer Agent (MTA), SMTP server.

Sendmail mail filter or Milter as a content inspection agent connected to a third party MTA via
the Milter interface.
In either case, the Mail module performs content inspection and can prevent, quarantine, or reroute
offending e-mail messages. It can also, optionally, notify the original e-mail sender about their
infraction and append information to the message before sending it.
When deployed via the Milter interface, the Mail module instructs the third party MTA to hold all
quarantined e-mail. Quarantine management must be performed using the third party MTA
interface. When deployed as a Mail Transfer Agent, all quarantined e-mail is stored on the Mail
module and can be managed through CommandPost.
Note: The third-party MTA must be configured properly to work with the Mail module
in Milter mode. Refer to chapter 7 in the Enterprise Setup and Configuration Guide.
Figure 82. Mail Configuration

The Mail page enables you to configure Mail. The following table describes configurable Mail
parameters.

Table 21. Mail parameters
Mail parameters Description
Enable Mail Click to enable the Mail module.

Mode Select a mode: MTA or Milter.
MTA mode enables the Mail module to analyze e-mail to determine if a rule is
violated, then based on the rule action, allows you to quarantine the e-mail
within the Mail module. Quarantine management is done at the CommandPost
to which the Mail module is registered. Quarantined e-mail will be available on
the Quarantine page.
If not quarantined, the Mail module can send e-mail to a relayhost for delivery. If
one or more e-mail relayhosts are configured, outgoing e-mails are sent through
the e-mail relayhosts.
In MTA mode, the Mail module accepts incoming e-mails for analysis on the
standard SMTP port.
Milter mode provides an interface to a third-party e-mail server. The third-party
MTA sends e-mail to the Mail module for analysis. The analysis result is sent via
the Milter interface to the third-party e-mail server to take action. Mail does not
verify if the requested actions are performed.
In milter mode, quarantined e-mail will be stored on the third party e-mail server.
Quarantine management must be performed through the third party quarantine
management interface. Quarantined e-mail will not be available through the
CommandPost.
Restrict interface If you select milter mode, this checkbox appears. By default, the Mail module
listens for traffic over all ports including the admin port which is used for
communication to CommandPost. Click Restrict interface to choose a single
interface for milter traffic.
Mailer port If you select milter mode, you need to enter a Mailer port.You may configure the
TCP port number for use in milter mode. Enter any unused port. The default is
10025. You can use this default value or make another entry. When run in milter
mode, the third party e-mail server must be configured to run the milter interface
on this port.
Notify quarantine Click to have e-mail sent to the alert management group assigned to the rule
manager that was violated. Refer to Add or Edit an Alert Management Group for
information about entering and managing group e-mail addresses.
Reroute server Enter a fully qualified host name for an e-mail server. If the rule action on an e-
mail is reroute, the e-mail will be sent to the server named here.
This setting determines the maximum length (in KB) of data recorded from the e-
Alert Recorded Object
mail message associated with each alert. It is important to keep in mind that a
Limit (1-16384):
larger limit might substantially increase the size of your database, which will
require more available disk space on CommandPost. The default is set at 4096
KB.

Web Walker
The Web Walker page is available if the sensor includes a Web Walker module.
Web Walker is used to scan all content on an internal web site and analyze the data against your
extrusion policies. Deploying a Web Walker module in your environment will ensure that your
sensitive material is not posted on your web site.
You can control the name of the sites to scan, the total data size to analyze, and the rate at which
your sites are periodically re-scanned.
Figure 83. Web Walker configuration

The following table describes Web Walker parameters.
Table 22. Web Walker parameters
Web Walker Description

parameters
Enable Web Walker Click to enable the Web Walker module.
Rescan all URLs once When Web Walker is first configured, URLs are scanned in their entirety.
After the initial scanning, periodic scans are done only for files that have
changed.
Leave this option unchecked, unless there is a need to force Web Walker
to scan all URLs again.

Web Walker Description
parameters
Enter the URLs for the Web Walker module to scan. Web Walker will
follow all internal links at the web site and scan all files and web pages on
List of URLs to scan the site until it is complete or has reached the quota. Web Walker will not
follow links to external systems.
Ignore robots If clicked, Web Walker module will ignore a robots.txt file on the site. If
exclusion protocol unclicked, robots.txt will be followed.
Quota per URL Enter an amount in megabytes. Web Walker downloads all files from the
site and stores them locally This will specify a maximum size to control the
size of the downloaded data per Web site.
Tries per URL Enter the maximum number of times the module will attempt to access a
URL.
Recursive Level per Specify the download rate, in kilobytes per second. Specifying this rate
URL may help limit the bandwidth usage of the Web Walker module and Web
sites.
Download Rate per Specify the download rate, in kilobytes per second. Specifying this rate
URL may help limit the bandwidth usage of the Web Walker module and Web
sites.
Sleeptime (hours) Specify the number of hours before a new scan. You should consider the
quota and the download rate limits that you set to determine an
appropriate sleep time.
Alert Recorded Object This setting determines the maximum length (in KB) of data recorded from
Limit (1-16384): the file associated with each alert. It is important to keep in mind that a
larger limit might substantially increase the size of your database, which
will require more available disk space on CommandPost. The default is set
at 4096 KB.

Connect
The Connect page is available if the sensor includes a Connect module.
Enable Connect at the General page and enter a port number.
Figure 84. Connect: General

The following table describes general parameters.
Table 23. Connect: General parameters
General parameters Description
Enable Connect Click to enable.
Enable SSL Click to enable SSL so that the Connect client and server can exchange
information over a Secure Socket Layer. This enhances the security of
client-server communications.
Note: The client must be able to support SSL.
Connect port: Enter a port number. Ensure that this port is open on any firewall between
your client systems and the Connect appliance.
Mode Select Single client or Multiple clients. Single client limits Connect to one
connection, but enables you to examine larger buffers.
Multiple clients provide multiple connections and enable you to use more
clients, but you will need to limit the buffer for each.
Alert Recorded Object This setting determines the maximum length (in KB) of data recorded from
Limit (1-16384) the session associated with each alert. It is important to keep in mind that
a larger limit might substantially increase the size of your database, which
will require more available disk space on CommandPost. The default is set
at 4096 KB.

I P W h i t eli s t
The Connect module looks at the content of data files that originate from the IP addresses you
specify. These are the IP addresses of the Connect clients.
Figure 85. Connect: IP Whitelist

To add IP addresses:
1. Enter IP addresses into the text box on the left. Each line represents a new address or range.
The following are supported:
CIDR IPv4 addresses such as 192.168.3.1

CIDR IPv4 addresses with subnet masks, such as 192.168.3.1/24
Short form IPv4 addresses as interpreted by UNIX INET formats. For example, 10.8 is
equivalent to 10.0.0.8. Subnet masks may be added such as 10.8/24, which is
equivalent to 10.0.0.8/24.
IPv6 addresses with or without a subnet mask, such as fe80:0:0:0:0:0:0:1 or
fe80:0:0:0:0:0:0:1/16
Short form IPv6 addresses such as fe80::1 or fe::1/16, which are equivalent to the
examples shown above.
2. An address range by separating two IP addresses by a dash (-). The address on each side
of the dash must be correctly formatted as explained above. In addition, the address on the
right side of the dash must be greater than the address on the left.
Note: This paper assumes familiarity with IP address notation syntax.
3. Click Add to List. Each line in your text box will be validated for proper syntax. Any errors
will be displayed and the associated lines will remain in the entry box. Valid entries will be
copied to the IP Whitelist text box.
4. Click Save.
To Remove an IP address from the IP Whitelist:
Select the IP address in the right column and click .
S ett i ng Ti m eout Par am eters

If a Connect client experiences timeout, you might want to increase the inactivity timeout value to
allow the Connect module more time to respond. To do this:
1. Access the /FSS/etc/scipd.cf file.
2. Change the <session-timeout> value.

EMail Relayhost
EMail Relayhost will direct e-mail from System Monitor for each sensor to the e-mail server you
specify. E-mail from the XPS Mail sensor is also sent to a server specified at EMail Relayhost.
Figure 86. EMail Relayhost
Enter an IP address or a host name and click to specify an e-mail server on your enterprise's
network. EMail Relayhost will direct e-mail to the specified server. Selecting an IP address and
clicking removes it from the Relayhost list.
Sensor Language Configuration

Sensor language configuration enables the sensor to recognize content using international
character sets. There are two modes of operation:
In ASCII mode, the sensor will recognize ASCII characters in any file. This mode provides the
optimal performance of your sensor and works well with most files written in English. Files
written in another language may be interpreted as binary files and the content will not be
decoded.
ASCII mode is the default setting for the sensor.

In International mode, the sensor will recognize Unicode (UTF-8, UTF-16, and UTF-32)
characters as well as all supported character sets. When International mode is selected, a list
of summarized character sets will appear. The list of supported character sets is available
within each summary.
Many files and Internet protocols will indicate the character set used within the content,
although this information may not be visible within user application. For these files and
protocols, the sensor will correctly interpret the content in International Mode, as long as the
character set is supported.
If the character set is not specified in the file or protocol, the sensor will attempt to translate
the content using the character sets that you specify on this page. If you specify many
character sets, the sensor will use each one, first translating, then decoding, and analyzing.
This process may be time consuming and may impact sensor performance.
To operate in International mode, you must selected at least one character set to be used
when the character set cannot be determined from the file or protocol.
Language Config settings are done separately for each sensor since each may need to have
different language settings based on their physical location and the expected content at each site.
Language configuration must also be done separately for CommandPost. Refer to CommandPost
Language Configuration.
Note: Fingerprints generated on CommandPost are based on the CommandPost
language configuration. For proper performance of these fingerprints when installed
on a sensor, the sensor should be configured as the CommandPost was for
fingerprint generation.

To set up sensor language configuration:
1. Select the sensor.
2. Click Language Config.
Figure 87. Language Configuration for the Sensor

3. Click International Mode to display the summarized list of all supported character sets. Each
summarized list can be clicked to display specific character sets.
4. Select one or more and click Add. Your selection displays in the text box on the right.
Use the arrow keys to change the order of the selected character sets or to remove a
selected set. The order is used when the sensor attempts to decode a file or protocol whose
character encoding cannot be determined.
5. Click Save.
6. Repeat as needed for each sensor.

Chapter 11 Version Control
With Version Control, you can use the CommandPost GUI to manage Fidelis XPS software
versions and the decoder libraries that reside on CommandPost and its registered sensors.
Version Control includes the following features:
Update to a newer version of Fidelis XPS.

Update the decoder libraries independently of Fidelis XPS.
Update immediately or schedule an Update to occur later.
Scheduled Jobs lists all scheduled Updates and when they are scheduled. You can cancel
jobs at this page.
When using Version Control to update Fidelis XPS remember that:
Even though the sensors and CommandPost do not need to be at the same version of Fidelis
XPS, you should update all sensors first, then update CommandPost. Updating
CommandPost before updating sensors can result in some features not behaving correctly.
If the CommandPost is at an older version of Fidelis XPS and the sensors are at a newer
version, everything will function at the older version. Only after the entire Fidelis XPS system
is upgraded will new version be usable.
Performing an Update leaves CommandPost data intact. The data includes information such
as saved Custom Reports, user information, policy assignments, and alerts.
When using Version Control to update the decoder libraries remember that:
Updating Fidelis XPS also updates the decoder libraries.

You can update the decoder libraries without updating Fidelis XPS whenever new versions of
the decoder libraries are available .
The sensors and CommandPost do not need to be at the same version of the decoder
libraries, however, the best experience results when they are synchronized.
Fidelis Release Naming Conventions

Fidelis provides software updates in the following forms:
Major releases provide new capabilities for Fidelis XPS. These releases are identified by the
left most numeral in the version, for example, versions 5.0 and 6.0. Updates must be installed
on systems running the last minor release.
Minor releases extend the features and capabilities of the major version. These releases are
identified by the second numeral in the version, for example, versions 5.2 and 5.3. Updates
should usually be applied in sequence from version 5.0 to 5.1 to 5.2 and so on. Refer to the
latest release notes for information.
Maintenance releases provide minor features and correct known software problems. These
releases are identified by the third numeral in the version, for example 5.3.1 and 5.3.2.
Updates are usually applied to the last minor release, not necessarily the last maintenance
release. For example, it may be acceptable to install version 5.3.4 on a system running 5.3.1
without installing the 5.3.2 and 5.3.3 versions. Refer to the release notes for specific
instructions as this may not always apply.
Patch releases provide fixes for known issues, which may be software problems or may be
the result of a change in proprietary network protocols such as webmail, peer-to-peer, instant
messenger, and social networking protocols. Patch releases are given the version number of
the last maintenance release followed by a patch date. For example, 5.4.1-20090924. Patch
releases must be installed in a system running the maintenance version stated in the version
Fidelis XPS User Guide Version 6.0 Version Control 131

(5.4.1 in the example). Patch releases do not need to be installed in any order. All patches will
become available in a future release in one of the three categories listed above.
Update Fidelis XPS

Update enables you to update CommandPost and its registered sensors to a more recent version
of Fidelis XPS. The Update version must be later than the version currently installed on your
systems.
Depending on your system and network traffic, running Update for a sensor may take a few
minutes to complete. However, updating CommandPost can take a few minutes to several hours,
depending on the number of alerts in the system. Update times can also vary depending on the
release. Refer to the release notes for time estimates. Most updates require that you are running
the preceding version. Refer to the release notes for specific requirements.
After a sensor update, it will begin to process traffic immediately, using the policies previously
installed. Alerts will not be sent to CommandPost while it is being updated. In this case, alerts will
be stored locally. When the CommandPost update is complete, all alerts stored on sensors will be
sent.
Prepare to Update
Before proceeding with update, refer to the most recent version of the release notes. The release
notes contain information specific to your release and any procedures you might need to follow
before updating.
To prepare for the update:
1. Download the Fidelis XPS update installation file from: www.fidelissecurity.com/support to a
folder on your local workstation. Contact Technical Support if you cannot access this address
or are not sure which file to download. Release Notes are available from the same location
and can be reviewed prior to continuing with the installation.
2. Log into the CommandPost as a system administrator. Your role must provide access to
Version Control to proceed. Refer to Define User Roles.
3. Install the software by following the instructions in the section Run Update.
The update process automatically saves configuration data stored in the database such as policies,
users, and sensors to name a few examples. This configuration data is stored in the /var/FSS-save
directory. If the update fails, the automatic rollback procedure restores configuration data and
returns the system to its previous working version.
Run Update
After downloading the installation file to a folder on your local workstation:
1. Click System>Version Control>Update.
2. Click Browse to navigate to the update installation file.
3. Click Upload New Update.
If the selected file is valid, the following occurs:
Check boxes display next to system names for each system that is a valid candidate for
the selected update.
Current and available versions display for each system.
The Status column states if the Update file is available for each system.
The View Release Notes button becomes operational for an update. Click to see release-
specific information about the update including the time involved in updating the sensors
and the CommandPost.

Figure 88. Update Fidelis XPS
4. Select CommandPost and the sensors registered to CommandPost. Fidelis recommends that
you update all sensors before updating CommandPost.
5. Click Update Now to proceed with Update or enter a date and time and click Schedule Update
to schedule the Update.
6. Click OK at the confirmation dialog box to proceed with Update or Cancel to stop.
7. After the Update completes, Click View Log to see if it completed properly.
Note: The View Log button displays if an Update has ever been done on this system.
Update Progress
When an update is in progress for CommandPost a status screen displays that provides messages
about the status of the update. All users attempting to use CommandPost will see this screen.You
cannot access CommandPost until the Update completes.

Figure 89. Update in Progress
When complete, a message indicates if the update was successful.
Click Return to Login to access CommandPost.You will need to either clear the browser cache or
restart your browser for proper operation of the new version of CommandPost.
Schedule Update
Schedule Update enables you to schedule a job up to one month in advance. Keep in mind the
following when scheduling these jobs:
The scheduled Update must be to a newer version than the current version.
You can only schedule one Update per system. To schedule another Update, you must first
cancel a previously scheduled Update.
To schedule an Update, select the appropriate Update file.
If the Update is valid, the following occurs:
Check boxes display next to system names.
Current and available versions display for each system.

To schedule an Update:
1. Click System>Version Control.
2. Select the appropriate systems.
3. Select a date and time at the pull-down menus.
Note: You might want to schedule an update during off peak hours, especially for
CommandPost.
4. Click Schedule Update.
5. Click OK at the confirmation dialog box. Clicking Cancel stops the procedure.
The check boxes go away and the status box indicates that your Update is scheduled.

Cancel Scheduled Jobs
You must cancel a scheduled job before scheduling another one.
To cancel a scheduled job:
1. Click Scheduled Jobs. A list displays of all scheduled updates.
Figure 90. Scheduled Jobs

2. Click Cancel next to the appropriate job.
3. Click OK at the confirmation dialog box. Clicking Cancel stops the procedure.
You can now perform an Update or schedule another job.

Chapter 12 Configure Exports
Export enables you to integrate with a third party system by transferring alert and recorded object
data from CommandPost to a remote system. You can also export data in a Fidelis Archive format
which can later be imported to CommandPost (either the original CommandPost or another).The
following export methods are available. For more specific information about each, refer to Export
Methods.
Email user-defined
Syslog
SNMP traps
ArcSight
Verdasys Digital Guardian
IBM SiteProtector
Fidelis Archive
You need to be a CommandPost administrator with alerts and alert details permissions. All saved
exports are available to users with these privileges. Refer to Define User Roles.
Refer to Define Exports for instructions on setting up a new export.
Export Methods
This topic provides specific information for each of the export methods. For general instructions
about creating an export, refer to Define Exports.
Fidelis Archive
For this export method, the remote server name, login, and directory information need to be set up
at the System>Components>CommandPost Config>Archive page. Refer to Archive.
Specify the remote directory for export at Destination.
Select Include Recorded Objects to include in the export, if desired.
When exported, a file named archive.<extension> will be created and sent to your remote system
and placed into the directory specified in the Destination field. Notes about Fidelis Archive exports:
<extension> is a number created based on the time of the export

If the remote directory does not exist, it will be created.
Fidelis uses FTP to transmit archive files to the remote system.
If you encounter errors, check your Archive configuration, your network settings, and the
configuration of your remote system.
EMail and Syslog

Syslog and e-mail exports can be freely formatted by selecting keywords and clicking Add
Keyword. You can use the text box to create a comma-separated list of values, a link to the alert on
CommandPost, and any other required format for your external system.
To create a link to the alert on CommandPost, enter:
https://<commandpost>/j/alert.html?%ALERTID%
The destination for e-mail is provided by a single or comma-separated list of e-mail addresses. The
destination for Syslog is the name or IP address of your external Syslog server.
Fidelis XPS User Guide Version 6.0 Exports 136

Table 24. Alert Export keywords
Syslog keywords Description Type (values)
%ACTION% The action taken by the sensor in String: Can be alert, quarantine,
response to the violation. prevent, or throttle.
Can also include valid
combinations of actions, such as
quarantine and notify.
%ALERTID% Displays a unique ID belonging to an Numeric

alert. If you selected ArcSight this will
send a link back to the CommandPost
Alert Details page.
%COMPR% Indicates the number of additional Numreric

events represented by an alert.
%DSTADDR% The IP address of the recipient of the data. IP address

When available, both IPaddress and
resolved host name are provided.
%DSTPORT% Destination port number Numeric
%FILENAME% File name that caused the alert String
%FROM% E-mail address source String
%GROUP% The alert management group to which the String

alert belongs.
%POLICY% The name of the policy that was violated. String
%PROTO% The application protocol on which the String

violating transfer occurred.
%RULE% The name of the rule that was violated. String
%SENIP% Sensor IP address String
%SENSOR% Sensor name String
%SEVERITY% Severity level String: Can be low, medium, high,

or critical
%SRCADDR% The IP address of the sender of the data. String

When available, both IPaddress and
resolved host name are provided.
%SRCPORT% Source port number Numeric
%SUMMARY% Displays summary text associated with String

the rule.
%TIME% Time when the alert was detected. String in the format: YYYY-MM-DD
hh:mm:ss
%TO% E-mail address destination String
%USER% Protocol user String

SNMP Trap and ArcSight
You may choose the information to export by SNMP or ArcSight. The items in the column list
determine which alert information is included for each alert and the order in which they are sent.
SNMP traps may be sent to an external system specified by a host name or IP address entered at
Destination. To enable Fidelis SNMP traps, a MIB is available with sample use instructions at.
www.fidelissecurity.com/support.
ArcSight may be selected if you desire to export alert information to an ArcSight event
management system. Identify your ArcSight system by entering an IP address or host name at
Destination.
Figure 91. Export: SNMP trap and ArcSight
You can use the default column list or select columns from the Column Choices box and click
to move them to the column list. At the column list, you can order choices using and .
Remove a column from the Column List by selecting it and clicking .
Verdasys Digital Guardian

Verdasys Digital Guardian may be selected if you desire to export alert information to the Verdasys
Digital Guardian product.
To configure this output, enter the URL for your Digital Guardian at Destination. All alert information
will be exported to the appropriate fields within Digital Guardian.
For more information, contact Fidelis Technical Support or your Verdasys representative.
IBM SiteProtector
IBM SiteProtector may be selected if you need to export alert information to a SiteProtector server.
Enter an IP address or a host name at Destination to identify the SiteProtector server.
Note: Fidelis alert integration requires SiteProtector 2.0 Service Pack 7 with Database
Service Pack (DBSP) 7.19 or higher. Contact your IBM representative or refer to the IBM
SiteProtector documentation.
To use the SiteProtector export, you will also need to do the following:
Access the CommandPost command line and modify /FSS/thirdparty/iss/conf/fidConfig.dat.

Set agentIP to the IP address that you want to link back to. Note that this IP address may be
an external IP address. Setting agentName is optional and the default value is Fidelis.
Access the CommandPost command line and modify /FSS/thirdparty/iss/conf/lmilinks1_0.xml.
In the <lmi> section, there are two <link> entries. The first one must be set to
https://<command-post-host-name>. The second must be set to be https://<host-ip-address>.
This IP must be the same as the IP address set in the fidConfig.dat. These changes must
also be made to <phonehome> sections.

Review your rule summaries because IBM SiteProtector cannot handle some characters.
Refer to chapter 7 in the Guide to Creating Policies.
tilda and exclamation together (~!)
asterisk (*)
pipe (|)
left bracket ([]
right bracket (])
single quote (')
double quote (")
Refer to the IBM SiteProtector documentation for more details.
When you click Run Now, communication is verified and the heartbeat process begins.
Define Exports
This topic provides instructions on setting up an export. Refer to Export Methods for information
specific to each export delivery method.
1. Click System>Export. A list of available exports displays. The first time Exports is accessed,
the list is empty.
Figure 92. Export page

2. Click New to create a new export or click Edit next to the appropriate export. The Export
Editor displays.
Figure 93. Export Editor
3. Select an export delivery method. The Export Editor changes to reflect your choice. Refer to
Export Methods.
4. Enter a Destination. This can be an e-mail address, directory name, or IP address depending
on the export method.
Note: Destination does not support the use of non-ASCII characters.
5. Select to export either All alerts or alerts By Criteria.
Allenables you to select all available alerts. Exporting all alerts in your database can
take time. With this option, you might want to limit this export by selecting a maximum
number of alerts.
By Criteriaenables you to select alerts based on multiple search criteria. These criteria
vary depending on the export method.
6. Select criteria as needed to determine the alerts you want to export. You can select multiple
entries.
For Duration, you can select a specific time such as 24 hours or 7 days or enter a date or

date range. You can also select Oldest Alerts to include alerts older than a specified amount
of time. Refer to Duration.
7. Select the Export Frequency.
Manuallyexports alerts only when you run the export by clicking the Run Now button.
This method is useful to test communication with the external system and for Fidelis
Archive. It is less useful for other export methods.
Every Alertexports all new alerts that meet selected criteria. Exporting for each new
alert is guaranteed to export each alert exactly once. The Export occurs immediately
when the alert is received from the sensor. This method is recommended for integration
with external systems. It is not available for Fidelis Archive.
Periodicallyenables you to specify a time and day to run the export. This method is
recommended only for Fidelis Archive, e-mail, and Syslog exports. All other types of
exports should be performed on Every Alert to provide synchronization between the
Fidelis system and the external system.
8. Select the maximum number of alerts to be sent.This option is very useful when testing
communication to external systems and is not recommended in any other case. When you
choose this option, the selected alerts will be random, based on your alert criteria. You should
not depend on the exact alerts exported when this option is selected.
9. Enter a name for the export in Save As. You must save the Export before you can run it.
Clicking Reset restores settings to what was last saved.
10. Click Run Now to export.
Available Export Buttons

Save will save the export as currently configured. You must save before you can Run.
Run Now is used to test communication. This button is not available until you save any
changes made to the Export.
Reset will restore the export to the last saved state. This will enable the Run Now button if you
have made changes that you do not wish to save.
Cancel will return you to the list of Exports.
Testing Export Communication

The Run Now button is provided as a mechanism to test communication with the external system
provided by the Export Method and Destination. When clicked, alerts are exported immediately
regardless of the chosen Export Frequency.
If the Export Frequency is set to Every Alert, Run Now will export exactly one alert, if one can
be found to match the criteria of the alert. This alert will be transported to the external system
and handled accordingly.
If the Export Frequency is set to Manual or Periodic, all alerts that match your criteria will be
exported to the external system. Note that this can be millions of alerts and can take a very
long time to execute. You can use the maximum number of alerts to limit the size of the
export for testing purposes.
Run Now can only be performed after the Export is saved. If you make any changes on the Export
page, the Run Now button will be disabled until you either Reset or Save.
Delete Exports
To delete an export:
1. Click System>Export.
2. Click Delete next to the appropriate export.
3. Click OK at the confirmation dialog box. The Export is removed from the Exports page.

Chapter 13 Audit
The CommandPost audit trail is used to monitor user activities throughout the Extrusion Prevention
System. User actions that modify system configuration or system data or export information result
in an audit entry.
Auditable actions include:
CommandPost user login (successful or not) and logout
CommandPost user actions that change system configuration, including sensor configuration,
sensor registration, and policy updates to sensors.
CommandPost user actions to remove or export data from the system. This includes alert
purge, alert export, and user-generated reports.
CommandPost user actions to add, modify, or remove system components such as policies
and policy components, users, groups, roles, sensors, etc.
User actions taken at sensor or CommandPost front panel keypad and LCD display. Actions
performed at the sensor will be recorded to the CommandPost to which the sensor is
registered.
You can access the Audit Log from the CommandPost GUI to find audit entries.
Note: Fidelis recommends that you restrict audit log access to system administrators
and network security personnel. A user with Audit access can see all auditable actions.
Access Audit
Click System>Audit at the main menu. The Audit Log displays.
Figure 94. Audit Log
Fidelis XPS User Guide Version 6.0 Audit 141

Clicking on a column heading sorts all rows by that column. By default, the Audit Log displays
content in descending order of time. To change this sort order, click the header of any column. If
the column header is clicked multiple times, the order alternates between descending and
ascending order.
Table 25. Audit Log columns
Audit log Description

column
ID The audit log ID number.
Timestamp The date and time when the action occurred.
User The user who performed the action.
Category The general type of action that occurred. For example, roles, users, audit.
Action The specific action that occurred. Most actions relate to the section of the
CommandPost used to trigger the action. For example. Alerts, Policies,
and Reports. The Action column may also include information about what
occurred, such as login or a policy update.
Click a row to display more detailed information about an audit log entry. Expand all displays more
details about all rows. Detailed information includes the effect and a description of the action.
Figure 95. Audit Log details
Search for Audit Entries

Searching for audit entries can be done by entering criteria at the Search bar. If the searching
options are not visible, click in the upper right corner of the Audit Log to open it.
You can search for specific audit entries by entering terms into the Find: text box. This enables you
to focus the search on specific areas of the audit entry.
Search Terms
Entering an ID number returns one and only row. For example, entering 21 matches only 21 and
not 211. Ranges are not supported for ID searches.
Enter specific terms in the Find: text box. Searching for term will match any audit entry containing
term in the chosen field. This will match audit entries with words such as term, terminate, and
exterminate.
Entering multiple words such as
term1term2
matches any audit entry containing both term1 and term2. The terms can be found in any order and
with any amount of separation between them.
The use of quotes around a phrase will be treated as a single search term. The phrase term1
term2 will match any audit entry containing the exact phrase within the quotes. Any spaces in the
phrase will match any space characters in the audit entry, including a space, a tab, a new line, etc.
Matching is done on the character boundaries, not word boundaries. Therefore, a phrase of top
secret will match an audit entry containing a phrase such as stop secrets.
Multiple phrases such as a literal phrase 1 and a literal phrase 2 can be included in the Find
field. This will match any audit entries containing all of the phrases listed.

You can combine word-terms and phrase-terms. Any combination is allowed, such asliteral phrase
1 word word1 word2 literal phrase 2
Matching does not consider the order of the terms, only that all are found within the search field.
Notes about Search Options

All searches are case insensitive.
There is a limit of 40 terms (words or literal phrases) in the search bar. If more terms are entered,
the 41st and beyond will be ignored.
Clicking Go without entering a search term results in the Audit Log list redisplaying.
You can change the time frame by selecting any value at the During Last list and clicking Go,
without making any other entries.
Time Periods
To specify a new time period, select a value from the During Last list, select hours or days, and
click Go. Options range from 1 hour to 96 days and also include the default value of all.

Chapter 14 Backup and Restore
Fidelis XPS provides a command line interface for direct access to diagnostic and custom
configuration options.
The command line interface provides access to Backup, Restore, and Archive. Generally, most
other command line operations are reserved for defect analysis under the direction of Technical
Support.
Accessing the Command Line Interface

This interface is reserved for the advanced administrator thoroughly experienced with Linux
commands because misuse can lead to unrecoverable loss of system operation and data.
Advanced users may contact Technical Support for details.
The command line interface can be accessed using a local connections keyboard and video
devices or over your network using an SSH client such as PuTTY or Open SSH.
Backup and Restore CommandPost

Fidelis XPS provides backup and restore capabilities from the command line which may be useful
in certain environments.
Performing a backup is recommended in the following situations:
Before and after extensive changes have been made to the system that you want to preserve
Before upgrading
Important:
The Fidelis XPS software must remain at the same version between Backup and Restore.
Restore stipulates that the CommandPost host name and IP address remain the same
between Backup and Restore.
Restore restores the database to the backup that was previously saved. Data added after that
backup will be lost.
Note: CommandPost has a recovery disk supplied by Fidelis Security Systems to
restore the Fidelis XPS software, but using this disk wipes out all file and database
objects.
Backup CommandPost
All objects of a CommandPost system are backed up including file and database objects.
Important: These instructions use SCP or your site's preferred method of file transfer
and external data storage.
1. As root user on the CommandPost appliance, stop all services:
/etc/init.d/httpd stop
/etc/init.d/tomcat stop
/etc/init.d/pman stop
/etc/init.d/rconfigd stop
/etc/init.d/mysql stop
2. Copy the database files to a backup location:
Fidelis XPS User Guide Version 6.0 Backup and Restore 144
cd /var/lib/mysql/
tar cvzf <db-archive-name>.tgz fss* policies4 mysql
scp <db-archive-name>.tgz <user>@<host>:/path/to/backup/storage/
rm <db-archive-name>.tgz
Where <db-archive-name> is the name of your database output file
Where <user>@<host> is the destination location of the database output file
3. Copy the configuration files to a backup location:
cd /
tar cvzf /var/lib/mysql/<conf-archive-name>.tgz /FSS /etc/passwd
/etc/shadow /etc/sudoers /etc/group /etc/cron* /etc/sysconfig/
scp /var/lib/mysql/<conf-archive-name>.tgz
<user>@<host>:/path/to/backup/storage/
rm /var/lib/mysql/<conf-archive-name>.tgz
# NOTE: above files are created in /var/lib/mysql because of space
requirements
# NOTE: above does not preserve spool files and log files, but
audit data is saved in the database
Where <conf-archive-name> is the file name
4. Restart key services:
/etc/init.d/mysql start
/etc/init.d/rconfigd start
/etc/init.d/pman start
/etc/init.d/tomcat start
/etc/init.d/httpd start
Restore CommandPost
All objects of a CommandPost system are restored.
1. As root user on the CommandPost appliance, stop all services:
/etc/init.d/httpd stop
/etc/init.d/tomcat stop
/etc/init.d/pman stop
/etc/init.d/rconfigd stop
/etc/init.d/mysql stop
2. Copy the database files to the CommandPost database location:
cd /var/lib/mysql/
scp <user>@<host>:/path/to/backup/storage/<db-archive-name>.tgz .
tar xvzf <db-archive-name>.tgz
rm <db-archive-name>.tgz
Copy the configuration files to the CommandPost location:
cd /
scp <user>@<host>:/path/to/backup/storage/<conf-archive-name>.tgz
/var/lib/mysql/
tar xvzf /var/lib/mysql/<conf-archive-name>.tgz
rm /var/lib/mysql/<conf-archive-name>.tgz
# NOTE: above files are placed in /var/lib/mysql because of space
requirements
# NOTE: above does not restore spool files and log files, but audit
data is saved in the database
4. Restart key services:
/etc/init.d/mysql start
/etc/init.d/rconfigd start
/etc/init.d/pman start
/etc/init.d/tomcat start
/etc/init.d/httpd start
5. Sync the database:
/FSS/bin/db_installer --update --yes
Backup and Restore a Sensor

Because file and database objects are not stored on the sensor, an automated backup process is
not needed. Ensure that you note the initial values entered during set up. These include the sensor
name, IP address, net mask, gateway, NTP, DNS, and the license key.
To Restore a sensor:
1. Use the recovery disk supplied by Fidelis Security Systems to restore the Fidelis XPS
software for the model of sensor indicated on the hardware.
2. Enter sensor set up information. Refer to chapter 4 in the Enterprise Set Up and
Configuration Guide.
3. Reconcile sensor registration. This may require manual token resets on the CommandPost
before you successfully register the recovered sensor.
For example, these commands manually unregister a sensor:
On CommandPost: /FSS/bin/tokrstcp sensor <sensor_name>
On the sensor: /FSS/bin/tokrstds
Note: If the recovery includes replacing hardware parts, a new license could be
required for the sensor.
4. At the CommandPost GUI, update policies for the sensor.
Chapter 15 Archive
Archive enables you to take alert and session data on the CommandPost and FTP it to another
server.
Note: To access Archive, you need full system administrator permissions to Alerts
and Alert Details.
Archive also requires access to the command line interface. Access to this interface is reserved for
advanced administrators thoroughly familiar with Linux.
To archive CommandPost data, you need to set up the FTP server and configure it, export data to
another server, then verify that the data is on the server. You can then import the exported files, if
needed.
Note: Archive and Export are available from the CommandPost GUI. Refer to Archive
and Export.
Export Archive Data

1. Edit the /FSS/etc/evspool.cf file. The relevant entries are:
## ftp parameters for archiving
ftp_host localhost
ftp_user anonymous
The ftp_host should be set to the DNS name or IP address of the ftpd server. The ftp_user
and ftp_pass should be set to the user name and password of the ftp account user for
archive. The ftp account should have the ability to create directories and put/get files.
2. Export the files. To export archive files, use ssh to send the command as the fidelis user.
Additionally, the command itself needs a CommandPost user with CommandPost admin,
Alert Reports, and alert details permissions.
ssh fidelis@commandpost /FSS/html/query/export_archive.cgi
user=username pass=password name=/ftphome alert session
alert_id=1234
--name creates (if possible) the directory /ftphome
then archive/ is placed in /ftphome with archive files
--alert says to export alerts (meta data in the Alert Report)
--session says to export session (forensic data)
search & filter work like aac_alerts.cgi
When complete, export returns a message similar to the following to tell you what was exported.
Status: 200 OK
Content-type: text/tab-separated-values
Content-disposition: filename="export_archive.tsv"
x-rows: 2
37 alerts exported with good hash
21 sessions exported with good hash
3. Verify that the files and directories exported to the ftp server.
If needed, you can import the archive files back to CommandPost or to another CommandPost.
Import Archive Data

To import archive files, use ssh to send the command as the fidelis user. Additionally, the
command itself needs a CommandPost user with CommandPost admin, alert report, and alert
details permissions.
Fidelis XPS User Guide Version 6.0 Archive 147

ssh fidelis@commandpost /FSS/html/query/import_archive.cgi
user=username pass=password name=/ftphome --params=ignore
--name = the directory used for exporting /ftphome
--params=ignore OR params=replace
Ignore mode only inserts unmatched alerts and session (if you delete some from the db,
the import will insert only the missing ones).
Replace mode inserts missing alerts and overwrites existing alerts
When complete, import returns a message similar to the following to tell you what was exported.
Status: 200 OK
Content-type: text/tab-separated-values
Content-disposition: filename="import_archive.tsv"
x-rows: 2
111 alerts rejected with no hash
42 sessions rejected with no hash
Fidelis XPS User Guide Version 6.0 Archive 148

Index
access control of alert data by sensor, 38
alert management groups, 78, 82 Configuration page, 87
user roles, 83 configure XPS Mail, 112
access control in CommandPost, 77 connect an XPS ICAP sensor, 117
active mode statistics, 67 create alert management groups, 82
add a user, 79 create custom roles, 85
address, 89 Creating a New Report, 63
Advanced, 109 Current Status frame, 12
alert custom roles
defined, 10, 38 creating, 85
alert cluster delete, 86
defined, 10 Decoding Path, 38
Alert Clusters, 11 delete a user, 81
alert details delete alert management groups, 83
previous and next in, 37 delete custom roles, 86
Alert Details page, 34 deliver quarantine e-mail, 44
alert filtering demo mode, 89, 90
speed of, 19 discard quarantine e-mail, 44
alert handling notes, 15 edit a user, 79
alert management groups, 78, 82 Email Configuration, 98
creating, 82 event
deleting, 83 defined, 10, 38
Alert Radar, 11 definition of, 10
Adaptive Alert Classifier and, 10 Events in the Past 7 Days, 12
changing the time period of, 12 Finding Related Alerts, 37
duration of event type, 11 Inline Mode and Active Mode, 109
severity of events, 11 inline module statistics, 70
time horizon of, 11 IP address
Alert Retention, 102 searching alerts by, 26
Alerts by Severity, 62 IP address searches
Alerts Table, 11 notes regarding, 27
application protocols statistics, 68 IP Defragmenter
audit, 130 monitoring using Stats page, 69
Backup, 133 IP defragmenter statistics, 69
checksum setting, 110 issue tracking manager, 15
Checksum setting, 110 LDAP, 99
client and server transcripts, 41 license key, 89
client half of the session, 40 changing, 90
CommandPost information required for, 90
logging in, 8 initial installation and, 89
CommandPost access control, 77 modifying, 90
CommandPost Configuration, 93 obtaining, 90
component management Network Border, 110
real time, 87 Network Statistics or Stats page, 71
compression Notifications subtab, 90
Fidelis XPS User Guide Version 6.0 Index 149
owner network statistics, 71
searching alerts by, 25 TCP processor, 72
password strength, 94 XPS ICAP, 73
Processor XPS Mail, 74
monitoring using Stats page, 72 Stats page, 74
Quarantine Management, 42 IP defragmenter, 69
quarantined e-mails, 42 status lights, 87
deliver, 44 Sysmon, 90
discard, 44 Tabular report results, 57
search, 45 TCP processor statistics, 72
recorded session page, 40 TCP session forensics limit settings, 39
reports upgrade
running, 57 and configuration settings and files, 122
scheduling, 64 User Notification, 98
resolved IP addresses user roles, 83
searching alerts by, 26 users
Restore, 133 adding, 79
Run a Tabular Report, 57 alert management groups, 78, 82
run time information, 106 custom roles, 85
saving delete, 81
real-time configuration changes, 87 editing, 79
Searching alerts roles, 83
using quotes in, 23, 131 Users page, 76
sensor Version Control, 121
edit, 89 cancel scheduled jobs, 123
register, 89 Schedule Jobs, 123
unregister, 89 Update, 121
sensor status XPS Direct
checking, 87 advanced settings, 109
server half of the session, 40 configure, 107
session forensics limit, 110 General, 107
Session Forensics limit, 41 sniffing mode, 107
session information, 41 XPS ICAP, 113
sniff on setting, 109 XPS ICAP sensor, 117
Sniffing Mode and Active Mode, 109 XPS ICAP statistics, 73
SSL, 8 XPS Mail, 112
Stats XPS Mail sensor
active mode, 67 and quarantine, 42
application protocols, 68 XPS Mail statistics, 74
inline module, 70
Fidelis XPS User Guide Version 6.0 Index 150

FidelisUserGuide 60

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

FidelisUserGuide 60

Hochgeladen von

Copyright:

Verfügbare Formate

User Guide

Fidelis Security Systems

Fidelis XPS User Guide Version 6.0 Table of Contents iii

Fidelis XPS User Guide Version 6.0 Table of Contents iv

Fidelis XPS User Guide Version 6.0 Table of Contents v

Fidelis XPS User Guide Version 6.0 Table of Contents vi

Fidelis XPS User Guide Version 6.0 Table of Contents vii

Fidelis XPS User Guide Version 6.0 Table of Contents viii

Fidelis XPS User Guide Version 6.0 Preface 1

Fidelis XPS User Guide Version 6.0 Preface 2

Fidelis XPS Modules

Figure 1. Fidelis XPS Modules

Fidelis XPS User Guide Version 6.0 Overview 3

Fidelis XPS User Guide Version 6.0 Overview 4

Fidelis XPS Policies

Fidelis XPS User Guide Version 6.0 Overview 5

Application Management (AM) allows enforcement of unauthorized applications, such as

Fidelis XPS User Guide Version 6.0 Overview 6

Allow pop-up windows from the CommandPost server.

Enable Javascript execution in your browser.

Change your Account

Figure 2. Change Account Information

Fidelis XPS User Guide Version 6.0 Getting Started 7

Access the Guides

Fidelis XPS User Guide Version 6.0 Getting Started 8

Invalid License Contact Technical Support for a new license.

Fidelis XPS User Guide Version 6.0 Getting Started 9

Using Non-ASCII Characters in Fidelis XPS

Fidelis XPS User Guide Version 6.0 Getting Started 10

The Radar Page

Figure 3. The Radar page

What is alert radar?

Fidelis XPS User Guide Version 6.0 Dashboard 11

What does the Radar show ?

The rule violated by the alerts in the cluster.

Source address: indicates the senders IP address.

Destination address: indicates the receivers IP address.

Uses of Alert Radar

Fidelis XPS User Guide Version 6.0 Dashboard 12

Figure 4. The Alerts table

Severity of the alert cluster

Number of alerts in the alert cluster, hyperlinked to Alert Report

Sensor discovering the alerts

The rule that was violated

Current Status Frame

Fidelis XPS User Guide Version 6.0 Dashboard 13

Information Flow Map Page

Fidelis XPS User Guide Version 6.0 Dashboard 14

The Information Flow Map

Figure 5. Information Flow Map

The Information Flow Map

Fidelis XPS User Guide Version 6.0 Dashboard 15

Blue represents the transport protocol, (for example:TCP or UDP).

Fidelis XPS User Guide Version 6.0 Dashboard 16

Click to return to the Information Flow Map.

Click to switch to full screen mode.

Controls in the Left Panel

Fidelis XPS User Guide Version 6.0 Dashboard 17

Fidelis XPS User Guide Version 6.0 Dashboard 18

Figure 6 . Information Flow Map: History

Filtering and Sorting Criteria

Fidelis XPS User Guide Version 6.0 Dashboard 19

Table 4. Filter Lists