Beruflich Dokumente
Kultur Dokumente
Version 6.0
Copyright 20022010 by Fidelis Security Systems, Inc.
All rights reserved worldwide.
Fidelis XPS, version 6.0
User Guide, version 6.0
Revised March 2010
Users are granted permission to copy and/or distribute this document in its original electronic form and print
copies for personal use. This document cannot be modified or converted to any other electronic or
machine-readable form in whole or in part without prior written approval of Fidelis Security Systems, Inc.
While we have done our best to ensure that the material found in this document is accurate, Fidelis
Security Systems, Inc. makes no guarantee that the information contained herein is error free.
Fidelis XPS includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
Preface............................................................................................................................................. 1
Intended Audience ....................................................................................................................... 1
Technical Support ........................................................................................................................ 2
Available Guides .......................................................................................................................... 2
Fidelis XPS Overview.................................................................................................................. 3
Fidelis XPS Modules.................................................................................................................... 3
CommandPost ........................................................................................................................ 4
Direct....................................................................................................................................... 4
Internal .................................................................................................................................... 4
Proxy ....................................................................................................................................... 4
Mail.......................................................................................................................................... 5
Web Walker............................................................................................................................. 5
Connect................................................................................................................................... 5
Fidelis XPS Policies ..................................................................................................................... 5
Prebuilt Policies....................................................................................................................... 5
Custom Policies ...................................................................................................................... 6
Chapter 1 Getting Started .............................................................................................................. 7
Access CommandPost................................................................................................................. 7
Change your Account .................................................................................................................. 7
Access the Guides ....................................................................................................................... 8
Lock Icon ..................................................................................................................................... 8
CommandPost Navigation ........................................................................................................... 8
System Status.............................................................................................................................. 8
Logout.........................................................................................................................................10
Using Non-ASCII Characters in Fidelis XPS...............................................................................10
Chapter 2 The Dashboard .............................................................................................................11
The Radar Page .........................................................................................................................11
What is an event? ..................................................................................................................11
What is an alert? ....................................................................................................................11
What is alert radar? ................................................................................................................11
Uses of Alert Radar ................................................................................................................12
Current Status Frame.............................................................................................................13
Information Flow Map Page ....................................................................................................14
The Information Flow Map......................................................................................................15
Controls in the Left Panel .......................................................................................................17
List of Tables
Table 1. Critical conditions................................................................................................................ 9
Table 2. High severity conditions ...................................................................................................... 9
Table 3. Controls .............................................................................................................................16
Table 4. Filter Lists ..........................................................................................................................20
Table 5. Actions list options .............................................................................................................24
Table 6. System Reports .................................................................................................................30
Table 7. Alert search fields ..............................................................................................................32
Table 8. Sections in Alert Details .....................................................................................................42
Table 9. Decoding paths..................................................................................................................46
Table 10. Quarantined E-mail: search fields....................................................................................55
Table 11. Quarantined E-mail: advanced search fields ...................................................................57
Table 12. Search Fields...................................................................................................................60
Table 13. Filters ...............................................................................................................................62
Table 14. System report columns ....................................................................................................64
Table 15. Quick reports ...................................................................................................................71
Table 16. Determine user access ....................................................................................................90
Table 17. User access levels ...........................................................................................................94
Table 18. General parameters .......................................................................................................119
Table 19. Advanced parameters....................................................................................................120
Table 20. Proxy parameters ..........................................................................................................122
Table 21. Mail parameters .............................................................................................................124
Table 22. Web Walker parameters ................................................................................................125
Table 23. Connect: General parameters........................................................................................127
Table 24. Alert Export keywords ....................................................................................................137
Table 25. Audit Log columns .........................................................................................................142
Intended Audience
This information is intended for network system administrators familiar with networking, computer
security, and with the security requirements and practices of their enterprises. This help system
and related guides are intended for users that fit into at least one of the following major categories:
The alert and quarantine managers are frequent users of the system, likely to visit the
CommandPost GUI several times each day. Both roles are usually filled by system
administrators responsible for reviewing alerts (or quarantined e-mails) and managing any
action required within the enterprise. Alert and quarantine management require high level
data analysis and the ability to delve into the details of any single violation.
The network IT manager will be the first to touch the CommandPost, but is expected to rarely
use Fidelis XPS after initial installation. The IT manager might need to adjust sensor network
settings and CommandPost to sensor communications, manage CommandPost users and
their credentials, and monitor network statistics to verify connectivity.
Available Guides
The following guides are available:
The Guide to Creating Policies describes how to define policies and the rules and fingerprints that
policies contain.
The Guide to Prebuilt Policies describes policies that ship with Fidelis XPS and the rules and
fingerprints that these policies contain. This guide also indicates which rules and fingerprints might
need to be configured for your enterprise.
The Enterprise Setup and Configuration Guide describes how to set up and configure Fidelis XPS
hardware.
Release Notes are updated with each release to provide information about new features, major
changes, and bugs corrected.
Visually monitor and analyze network alerts and other data in real time.
Enable, disable, or customize policies and rules as required.
Add, configure, and manage sensors and the console itself.
Create CommandPost users using the granular access control capabilities in several user
authentication mechanisms including integration with a user directory server.
Export information to a third party network alert aggregation system.
Use the built-in reports or customize reports to your requirements. Reports can be scheduled
for automatic delivery or run in real time with click-through drill down capability.
For information about setting up CommandPost, refer to chapters 2 and 4 in the Enterprise Setup
and Configuration Guide. To get started using CommandPost, refer to Getting Started. For more
information about CommandPost's configuration features, refer to Configure CommandPost.
Direct
The Direct module is used to monitor direct-to-Internet traffic and provides prevention on all ports
and all application protocols. Products with the Direct module are typically deployed at the network
perimeter, inline or out-of-band to monitor applications and protocols at multi-gigabit speed.
Fidelis offers products with the Direct module ranging from 25 Mb/s to 2.5Gb/s.
For more details, refer to Direct and Internal. For information about setting up and configuring
Direct, refer to chapter 5 in the Enterprise Setup and Configuration Guide.
Internal
The Internal module addresses internal traffic to ensure protection for your enterprise's databases,
file shares, and user directories. Products with Internal capability are typically deployed in the
network core to provide visibility and control of information leaving data centers or transmitted
between divisions. The Internal provides prevention on all ports and all protocols.
Fidelis XPS offers products with Internal modules ranging from 25 Mb/s to 2.5 Gb/s.
For more details, refer to Direct and Internal. For information about setting up and configuring this
sensor, refer to chapter 5 in the Enterprise Setup and Configuration Guide.
Proxy
The Proxy module offers an interface to a third party HTTP proxy using the Internet Content
Adaptation Protocol (ICAP). ICAP is a lightweight and extensible point-to-point protocol used for
requesting services for content inspection.
The Proxy module offers the following advantages for HTTP traffic:
Prevention can be accomplished by redirecting the user to a customizable web page that
states their violation and other applicable information.
When combined with an ICAP-enabled SSL proxy, the Proxy module can access unencrypted
data destined to secure web sites.
Refer to Proxy. For information about setting up and configuring this sensor, refer to chapter 6 in
the Enterprise Setup and Configuration Guide.
Web Walker
The Web Walker module is used to scan all content on one or more internal web sites and analyze
the data against your extrusion policies. Deploying products with the Web Walker module in your
environment will notify you if sensitive material is available on your web site.
For more details, refer to Web Walker. For information about setting up and configuring this sensor,
refer to chapter 8 in the Enterprise Setup and Configuration Guide.
Connect
The Connect module provides content inspection services to any application that provides a Simple
Content Inspection Protocol (SCIP) interface. SCIP is a TCP-based, client-server communication
protocol that provides the ability to submit information for content analysis and retrieve results.
For more details, refer to Connect. For information about setting up and configuring this sensor,
refer to chapter 9 in the Enterprise Setup and Configuration Guide.
Prebuilt Policies
Fidelis XPS ships with multiple policies that are grouped into one of the following categories:
Compliance.
Protection of digital assets and sensitive information.
Managing insider use of the Internet.
All prebuilt policies will require some level of configuration, as described in the Guide to Prebuilt
Policies.
C o m pl i a nc e
Fidelis XPS can be used to enforce policies to comply with federal and state privacy laws and
industrial security standards. Such laws and standards include HIPAA, GLBA, PCI and many
others. The following policies use rules that can prevent inappropriate transmission of this
information:
Identity Leakage
HIPAA
PCI
Financial Information
Digital Asset Protection (DAP) provides the capability to detect and prevent sensitive
materials being leaked through the network.
U.S. Federal Government provides enforcement of Department of Defense Directive 5200.1
M a n a gi n g I ns i der U s e o f t he I nt e r n et
Fidelis XPS can be used to enforce corporate policy pertaining to the acceptable use of Internet
resources. The policies in this category are:
Custom Policies
In addition to the prebuilt policies, it is possible to use the rich policy creation engine to define any
network security policy required within your enterprise. Policies are a collection of rules, which are
based on some definition of network traffic. The definition can be one or more of the following
methods of identifying network traffic:
Content refers to the textual content of an e-mail message, an IM chat, a file, or any other
container of information. Fidelis XPS offers eleven methods to describe sensitive information,
which include methods to register and methods to profile the information. Registration refers
to the process of locating the sensitive information in its original format, sending it to
CommandPost, and registering the content. Profiling refers to methods to describe sensitive
information without the need to locate it.
Location refers to the sender or the recipient of the information.
Channel refers to all other aspects of network communication including the application
protocol, attributes (such as URL, FTP user name, and social networking application modes
of operation), the time of day and day of the week, the length of the communication, and
many other parameters.
Using the combination of configured prebuilt and custom policies, an administrator is able use
Fidelis XPS to enforce all corporate policies for network usage and confidentiality.
For information about editing or creating policies and rules for your enterprise, refer to the Guide to
Creating Policies.
Access CommandPost
You can access CommandPost from anywhere on your network, by using a web browser that
supports SSL. Communications between the sensors and CommandPost and between
CommandPost and the web-based GUI are encrypted SSL communications.
CommandPost has been verified with Microsoft Internet Explorer versions 6, 7 and 8 and with
Mozilla Firefox versions 1, 2, and 3.
For CommandPost to work properly, your client workstation must have the following installed:
Adobe Flash Player obtain a recent version of Adobe Flash Player free of charge from the
Adobe web site at www.adobe.com.
WinSCP available free of charge from the WinSCP web site at www.winscp.net. WinSCP
transfers files to CommandPost for policy creation and verification. All other aspects of
CommandPost function properly without WinSCP.
Lock Icon
Fidelis XPS CommandPost and sensors communicate over encrypted SSL connections, using self-
signed certificates and an internal authentication method. This mode can be overridden by
installing externally generated certificates that use the Public Key Infrastructure (PKI). Refer to the
Enterprise Setup and Installation Guide for information about installing PKI certificates to run in this
mode.
When operating with PKI certificates, a lock icon appears at the top right of the CommandPost
menu bar. You can mouse over the lock icon to see the expiration date for the certificate.
CommandPost Navigation
With the exception of Radar, clicking a main menu option in the CommandPost GUI displays
subnavigation menus. A highlighted option from the subnavigation menu indicates which page is
currently accessed. CommandPost navigation is "sticky" meaning that if you later return to the
same major heading, the page last accessed displays.
Note: Users need permissions to see many of the menu options. If a user does not
have the appropriate permissions for a menu option, that option does not display.
Refer to User Roles.
System Status
System Status provides information about Fidelis XPS components and their status that you can
access from any GUI page. The diamond next to System Status reflects the status of the
component with the highest severity. Mouse over the System Status diamond to see the list of
components. The component list that displays is CommandPost and all sensors that have been
registered which are within the users access privileges. Refer to Define User Profiles. Mouse over
a component in the list to see a message about that component's status. Each component has a
green, yellow, or red diamond next to it to indicate the severity of the component's status.
Note: Users need permissions to see system status. Refer to User Roles.
Green indicates that the component is operational.
A red diamond indicates a condition with critical severity. The following table describes some of the
more common conditions that can cause system status messages with this severity.
Condition Description
Sensor has lost connection Sensors can lose connectivity with the CommandPost for a number of
Sensor has not communicated reasons.
in the last 10 minutes
Insufficient disk space, alerts & This can occur if CommandPost cannot insert alerts or sessions into
sessions not being inserted the data store.
Unable to make space for This can occur if CommandPost cannot delete alerts or sessions from
alerts/sessions, alerts & the data store when operating at space limitations.
sessions not being inserted
Process is having difficulties The process manager sends this notification if it cannot start one of the
starting server processes on the sensor or on CommandPost.
Disk space on partition is gone The process manager runs on sensors and checks the disk periodically.
A yellow diamond indicates a condition with high severity. The following table describes some of
the more common conditions that can cause system status messages with this severity.
Table 2. High severity conditions
Condition Description
High stress levels Fidelis XPS sensors reassemble packets into sessions in the sensor
memory.Stress is an indication of the amount of memory currently
consumed by the sensor for reassembly. As stress increases, the
sensor's ability to analyze all traffic diminishes. There are several
reasons for increased stress:
1. When the incoming data is missing packets, stress will be high. In
this situation, the sensor cannot efficiently reassemble sessions. In high
stress situations with high packet loss, the sensor may be inoperable.
Packet loss is the most common culprit in high sensor stress and must
be remedied within the enterprise network.
2. When sustained network bandwidth exceeds the rating of the sensor,
stress may be high. The remedy is to analyze the sensor model and
whether it is rated to handle the observed network bandwidth.
3. When network bandwidth exceeds the rating of the sensor for small
bursts, stress may rise temporarily. The sensor can withstand busts as
indicated by momentary rises in the stress level.
Policy update required This occurs when policy assignments on CommandPost are not sent to
the sensors by a policy update . The sensor will be executing the last
policy download, not the assignments shown on CommandPost. Refer
to chapter 9 in the Guide to Creating Policies.
License refresh required Ensure that you entered the license key for the component. Refer to
License expired License. Contact Technical Support if you require a new license.
License expires within one day
License expires in [number of]
days
Demo mode
License error
No sensor registered Register each sensor with the CommandPost. Refer to Add a Sensor.
[number of] alerts & [number of] CommandPost deletes alerts from the data store when operating at
sessions deleted to create space space limitations.
Database maintenance running, This occurs when database maintenance takes place on
alerts are being spooled CommandPost. Refer to Alert Storage to schedule this maintenance.
Rate of logging too high, spooler A sensor sends this message if it cannot write alerts to the spool file
cannot keep up fast enough.
Logout
To securely log out of CommandPost, click the logout link at the top of the page. Logging out will
end your browser session to CommandPost.
Note: If inactive for 15 minutes, CommandPost will log you out.
What is an event?
When a Fidelis XPS sensor detects an extrusion of sensitive information or security breach, it
generates an event. An event can be generated as the result of a match to a specific rule and can
result in generating an alert, preventing the session, throttling the session, quarantining e-mail,
rerouting e-mail, or combinations of these actions.
What is an alert?
An alert is the recorded and displayed incidence of an event. Alerts are generated only if the alert
action for an event is enabled in the violated rule. Alerts are transferred to and stored by
CommandPost.
W h a t i s a t i m e h or i z on ?
The Alert Radar shows data over a configurable time horizon. As the radar beam sweeps over the
alert cluster, each alert cluster is identified by rule. Mousing over the alert cluster displays a pop-up
containing more information including:
Sensor: provides the name of the sensor that detected the alert.
A l er t Cl us t er T able
Above the Alert Radar, the Radar page displays a table of alert clusters over a configurable time
horizon. Click + to display the Alert Cluster table. Click to hide the Alert Cluster table.
E v ent s i n t h e L a s t 7 D ay s
Presents a graph of events in the past seven days, by severity. This
graph lists all events in CommandPost, including those the user may
not access. The colors in the graph refer to severity levels.
Critical severity
High Severity
Medium Severity
Low Severity
The map reflects the activity monitored by a single sensor, as chosen at the sensor selection
control.
Filtering and sorting criteria change the sensor configuration. Manipulation of these controls
will change the way nodes are chosen for display.
The Watch list can be used to mark a node for inclusion in the map at all times, regardless of
the filtering and sorting settings.
The Ignore list can be used to mark a node for exclusion from the map at all times.
A scanning radar line passes over the map to highlight the activity of each node. The radar
can be stopped to examine details of any node on the map and to view a summary of the
nodes activity over the past 24 hours.
Information Flow Map is a CommandPost view of data collected by the sensor. The sensor process
is resource intensive and cannot be executed on low performance sensor hardware. Information
Flow Map can only be enabled on a Direct sensor with enough capability to support Information
Flow Map. In addition, the sensor to CommandPost network bandwidth will increase significantly,
Before Information Flow Map is enabled, verify the following:
U s i n g I n f o r m a t i o n F l ow M a p C o nt r ol s
Information Flow Map controls enable you to view more information about a node, its flows, or
detailed information for a selected node's history. The controls also allow you to manipulate the
Watch List and the Ignore List. Controls are located in the lower left of the screen or within the map
itself.
Table 3. Controls
Control Description
Click to open or close the Ignore List in the left panel. Adding a node to the Ignore List
instructs the sensor to not collect information from that node.
Click to open or close the Watch List in the left panel. Adding a node to the Watch List
instructs the sensor to collect information from that node regardless of filter and sort
settings.
This button becomes active if the radar is stopped and if a node is selected. Click to view
the activity of the selected node over the past 24 hours. Refer to History Charts.
Redraws the Information Flow Map. The map will automatically redraw approximately
once per minute. Clicking this button will redraw the map immediately.
Pause the radar. The sensor will continue to collect information but the map will remain
static until the radar is restarted.
Starts the radar.
Click a node on Clicking a node causes the same behavior as the pause button. In this case, you select
the map. the node to be reflected on the left panel.
Drag a node on Nodes can be dragged within the map to change their position. When many nodes are
the map. displayed, the communication flows may not be obvious without dragging.
A c c o r di on B ar s
The accordion bars in the left panel display node activity The
information for each node displays when the radar passes over the
node or when the node is selected while the radar is stopped. Click an
accordion bar to view the associated chart.
You can mouse over the graph to see specific information such as the
number of sessions, packets, and bytes.
W at ch Lis t
When the control on the lower left of the screen is clicked, the left panel is replaced by the
Watch List. Nodes in the Watch List are displayed on the map regardless of filtering criteria
selected. However, they will not display if they have no detected activity.
The Watch List can contain up to 50 nodes. The Count at the bottom
tracks how many nodes are in the list.
To add a node to the list, select it on the map and click the Add
button at the bottom of the Watch List. To remove a node from the
list, select it from the Watch List and click the Remove button.
When you select a node in the Watch List the following occurs in the
Information Flow Map:
The radar stops.
The node and its flows are highlighted.
Note: If the node has no activity, it is not on the map and
nothing is highlighted.
Select a new shape or a new color and click Save.
Changes to the Watch List are not effective until you click
Save.
I g n o r e Lis t
When the control on the lower left of the screen is clicked, the left panel is replaced by the
Ignore List. Nodes in the Ignore List are not displayed on the map and the sensor will not collect
information on these nodes.
The controls for adding or removing nodes from the list operate in the same manner as the Watch
List.
Select a node and click to view the charts for the selected node. History charts provide a
summary of Protocol, Transport, Format, Content, Rule, and Alert activity for the past 24 hours.
You can examine specific time periods within that time frame by moving the icons to change the
time frame or move the slider bar to view a different time segment.
The page is presented by one large chart in the upper left in addition to smaller charts. Click to
move a chart into the large section. The large chart provides an interactive legend. Clicking on a
name in the legend will toggle whether the associated line in the graph is shown or not.
The history charts may include gaps of time where information is missing. This represents periods
where the node was not being tracked by the sensor. This can be due to inactivity, filter or sort
criteria changes, and changes to watch and ignore lists.
List Description
Transport Enables you to filter based on transport protocols: TCP, UDP, and ICMP.
Content Select from a list of fingerprints assigned to the sensor through policy assignments. Each
sensor can track information for up to 64 fingerprints. The fingerprints are chosen according to
this order: Content fingerprints are first, followed by channel and location fingerprints found in
rules with an action of Information Flow Map followed by all remaining fingerprints. Each sublist
is sorted alphabetically. This list is displayed according to this order, on the Content filter
control.
Rule Select from a list of rules that have an Information Flow Map action running on the sensor. The
list can contain up to 32 rules, sorted alphabetically.
Alert Select from a list of rules that have an alert action running on the sensor. This list can contain
up to 32 rules. Rules that also have Content fingerprints display first, then all other rules. Each
sublist is sorted alphabetically.
To change the sort, click the button of the list you wish to sort. Only one list can be chosen for
sorting. The icon indicates that the sort that will choose the most active 64 nodes (high to low
activity). The icon indicates a sort that will choose the least active 64 nodes (low to high activity).
Clicking the button again switches sort mode.
Note: Sort is only possible if at least one item is selected as filter criteria. For
example, if all Protocols are deselected, sorting by Protocol has no effect.
After selecting and sorting criteria, you can:
Manage an Alert
Read and examine the details of an alert, including the original transmission that caused the
violation.
Export summary alert information to Microsoft Excel or any other application that accepts
comma-separated files.
Purge alerts.
Users with full access to the Quarantine function may:
Read and examine the details of every quarantined e-mail, including the original e-mail that
caused the quarantine.
Move an alert from its current alert management group to another. This action makes the alert
accessible to another group of users.
Add comments to the alert workflow log.
Handle Alerts
To find all alerts currently assigned to you, use the My Alerts view on the Alert Report page. Refer
to System Reports for Alerts.
To find all alerts owned by a specific user:
Assign one or more alerts to another user with access to the sensor(s) that generated the
alerts and have access to the alert management group(s) to which these alerts belong. When
an alert is assigned, an e-mail is sent to the new alert owner.
Close an alert. This action may be performed by anyone with access to the alert. When the
alert is closed, a resolution is entered to the alert workflow log.
Change Management Group will make the alert accessible to a different group of users. When
the group is changed, an e-mail is sent to the group mailing list, to make members of the new
group aware of the alert.
Change Label changes the label that displays in the Alert Report and Alert Details pages.
For each action, the alert manager has the option to fill out the Subject and Details fields which will
be added to the alert workflow log. The alert workflow log will display the full history of the alert with
all comments as it changes from group to group, owner to owner, and finally to a closed state.
The subject and details information will be included in the body of an e-mail sent to the newly
assigned user or group.
Alerts may be managed individually at the Alert Details page or may be managed in bulk at the
Alert Report page. The same options are available in the Quarantine and Quarantine Details
pages.
The alert workflow log only applies to alerts not to quarantined e-mail. When managing alerts
from the Quarantine Details page, the action will apply to all alerts associated with the e-mail.
When managing alerts from the Quarantine page, the action will apply to all alerts associated with
all selected quarantined e-mail messages.
Change Status
Enter a Subject or Comment.
Click Assign to and select a user from the list to assign the alert. The list of users includes
those with access to the sensor that generated the alert and have access to the alert
management group to which the alert belongs. After you submit the change, the selected user
receives an e-mail reflecting the assignment.
Click Add comment to add comments to the ticket log without changing the ticket status or
ownership. After you submit the change, information entered in the Subject and Details text
boxes will be appended to the comment.
Management Description
option
Note: From the Alert Report you can also apply labels, purge, and export selected
alerts. These functions do not impact the ticketing system and are described in
Understand and Manage Alerts.
From the Quarantine Management page you can discard or deliver selected quarantine
e-mails. Refer to Deliver or Discard Quarantine E-Mail.
Alert Report
Navigate Alert Pages
Alert Reporta list of all alerts displayed according to the selected report and actions taken at
controls on the Alert Report page.
Alert Report
An Alert Report is created from all alerts available within your assigned groups and sensors. The
report can be greatly customized by choosing the columns to display, by reducing the alerts to
those that match specified criteria, by summarizing, and by choosing to display the results as
charts or as a table.
In all cases, the report is highly interactive. Rows in a table and sections in a graph can be clicked
to obtain further information; specific details of any alert can be obtained; actions can be taken on
single alerts or groups of alerts; and alerts can be purged.
The selection of a report restores settings for that report, including:
The columns available in your report. Primary columns are shown on your report. Secondary
columns become available when you click on a row within the report to view the quick
summary of the alert.
Data criteria including Searches, Filters, and Duration. These terms serve to reduce the
number of alerts in the report.
Grouping and sorting of the report. Reports can be grouped by any one or multiple primary
columns to produce a summary of the data. Sorting can be applied to any primary column
whether grouped or not.
The report can be displayed as a chart or table. Charts are available only for grouped reports.
A trending chart can be saved with any type of report. The trending chart will show alerts per
time above the report.
After running a report, you can use the controls on the Alert Report to further manipulate the
information. When you make changes, you are changing the report into an Unnamed Report. By
clicking Customize you can save this new report with your new settings. Alternatively, you can use
the Unnamed Report to analyze and drill down into your information as you would any other report.
At the Quick Summary, you can click to view the Alert Details page for the selected alert.
You can also choose to filter alerts based on the value of the available information.
The Quick Summary of an alert shown below is from the Default Report.
If you selected multiple fields, all are applied to the filter. The more filters that you select, the
more narrow your results.
Export alerts to Microsoft Excel or any other application that accepts comma-separated files.
Refer to Export Alerts.
Alert Labels
Labels are tags that a CommandPost user can apply to an alert. By using labels, you can
categorize alerts into meaningful names for your enterprise. You can later search or filter by label to
retrieve alerts that contain your label.
Labels can be applied from the Alert Report page or from the Alert Details page. From the Alert
Report page you can select multiple alerts and apply the same label to each.
To apply a label from the Alert Report page:
1. Click the checkbox next to the alert or alerts that you wish to label.
2. From the Actions list, select Manage Label. The Change Label dialog box displays where you
can select an existing label or create a new one.
3. The Label Name text box lists all previously used labels. You may choose a label from this list
and click Apply Label.
4. If you wish to create a new label, type it into the New Label text box and click Apply Label.
To remove a label from an alert: You can choose a new label using the steps above and overwrite
the label with the new label. To clear the label for all selected alerts, click Clear Label.
To remove a label that is no longer required: Select the label in the Label Name text box and click
. Labels can only be removed if there are no alerts that use the label,
Purge Alerts
Purge Alerts removes selected alerts from CommandPost.
1. Click Purge Alerts.
2. Click Ok at the confirmation dialog box.
ReportEnables you to select a report from the list. All other functions available on the Alert
Report are based on this initial setting. You may choose from seven system reports plus any
report that you create and save.
SearchEnables you to reduce an Alert Report to alerts that match your search criteria.
Searches are performed as case-insensitive partial string matches, whereas Filters are
performed as exact matches. Refer to Search for Alerts.
DurationEnables you to reduce an Alert Report to alerts that occurred during a specified
time period.
Group Enables you to summarize alerts by selected columns. The result will display the
selected columns and the number of alerts that match each available value within those
columns. Grouped information can be displayed in a table or graph form.
Filtered ByDisplays what you have selected at the Quick Summary to filter alerts. Refer to
Filter Alerts. Click an x to delete a filter.
PDF Enables you to save the alert report as a PDF document. The generated PDF will
include all elements on the current page of your Alert Report. Refer to Create PDF Reports
for Alerts.
TrendingEnables you to view and control alert trend charts. Refer to Trending.
Report Description
Default The default report provides crucial alert information that will be useful to most
users. This report will display all alerts sorted by Alert ID.
Summary The summary report is the most condensed report, offering simple alert
information in a uncluttered and easy to read manner. Enterprises who create
informative alert summaries in their rule definitions will benefit from this simple
report. This report will display all alerts sorted by Alert ID.
Violation The violation report is focused on the policy, rule, and action taken by the sensor.
It is useful for users most concerned with the actions taken by Fidelis XPS
sensors. This report will display all alerts sorted by Alert ID.
Alert The alert management report provides a summary of alert tickets and their status.
Management This report is most useful to alert managers who fully use the CommandPost
ticketing system. This report will display all alerts sorted by Alert ID.
Network The network report provides source and destination information in the primary
rows. It is most useful to users focused on these aspects of the alerts. This report
will display all alerts sorted by Alert ID.
Label The label report displays label information in the primary rows. This enables users
to see alerts that users tagged with specific labels. This report will display all
alerts sorted by Alert ID.
My Alerts My Alerts is identical to the Alert Management report, but includes data criteria to
reduce alerts to only those alerts assigned to the user.
If the alert control buttons are not visible, click in the upper right corner of the Alert Report page
to display them.
Searches differ from filters in the manner that the data is matched:
Searching for term will match any alert containing term in the chosen field. This will match
alerts with words such as term, terminate, and exterminate.
Entering multiple words such as:
term1 term2
matches alerts containing both term1 and term2. The terms can be found in any order and
with any amount of separation between them.
You can search on multiple Alert IDs and for multiple Any, Source, or Destination Ports by
separating entries with a comma. For example,entering AlertID1,AlertID2 would find alerts
with both ID numbers.
You can specify a range for Alert ID and for multiple Any, Source, or Destination Ports by
using a hyphen.
The use of quotes around a phrase will be treated as a single search term. The phrase term1
term2 will match any alert containing the exact phrase within the quotes. Any spaces in the
phrase will match any space characters in the alert, including a space, a tab, a new line, etc.
Matching is done on the character boundaries, not word boundaries. Therefore, a phrase of
top secret will match an alert containing a phrase such as stop secrets.
Multiple phrases such as a literal phrase 1 and a literal phrase 2 can be included in the
Find field. This will match any alerts containing all of the phrases listed.
You can combine word-terms and phrase-terms. Any combination is allowed, such as:
Matching does not consider the order of the terms, only that all are found within the search
field.
Placing a minus sign (-) before a word or a literal phrase changes the meaning to match all
alerts that do not contain the specified word or phrase. Any combination of positive (no
There is a limit of 40 terms (words or literal phrases). If more terms are entered, the 41st and
beyond will be ignored.
If Go is pressed without entering a search term, the Alerts List reappears. However, entering
unknown in the Find text box, substitutes for an empty string in the Country, Filename, From,
To, and User fields.
Search performance is typically fast, even with very large alert databases. With a database of
over 2 million alerts, search will typically respond in a few seconds. Exceptions are searches
over Forensic Data, Session Attributes, and Owner fields, which may require considerable
time to execute.
Table 7. Alert search fields
Country: Any Searches for the specified country in either the source or destination country.
Note: Entering two or more countries in search criteria returns all entries
with any of the countries entered. For example if you do a country search
for France Afghanistan the search will return entries that have either
France or Afghanistan.
This applies to all country searches.
Country: Destination Searches for the specified country in the destination country.
Country: Source Searches for the specified country in the source country.
Filename Searches the name of the file that caused the violation. Will be empty if no file was
involved in the violation.
Forensic Data The search is applied over the data field of the alert, as shown in the Alert Details
page. Note that some alerts will not contain forensic data per policy definition.
IP Address: Any Searches for any IP address: source or destination. Refer to Search IP Addresses .
IP Address: Source Searches for the senders IP address. Refer to Search IP Addresses.
Label Searches for an alert label. The label search has one special feature: A search for the
term unassigned (with or without quotes) will display all alerts that have not been
assigned a label
Management Group The search is applied over the alert management group field. An alert can belong to
only one alert management group. If you search for multiple groups, the search will
match an alert containing any one of the groups (most other search fields require a
match of all terms). For example, a management group search for: Group1 Group2
yields all alerts belonging to either Group1 or Group2.
Owner An alert can belong to only one owner. However, if you enter a search with multiple
terms, the search will match an alert containing any one of the terms (most other
search fields require a match of all terms). For example, a search for:
Owner1Owner2 yields all alerts belonging to either Owner1 or Owner2.
Also, a search for the term unassigned (with or without quotes) will display all alerts
that have not been assigned.
Policy The search by policy is applied over the name of the violated policy per alert. There
are no special features for policy searches.
Port: Any Searches on any port, either source or destination.
Port: Destination Searches on the sender's port number.
Port: Source Searches on the recipient's port number.
Protocol An alert can only contain one protocol. Therefore, a search containing multiple terms
will match an alert that matches any one of the terms (most other search fields
require a match of all terms). For example, a protocol search for: ssh http yields all
alerts found over either SSH or HTTP.
Resolved IP Address This search returns alerts where the source or destination address of the alert
matches the resolved DNS name. Note that the text provided to the search may
match several resolved names. Search results improve when the text entered in the
Find text box is as specific as possible.
Session Attributes This search is performed over the Channel Attributes of the alerts. The value in the
Find text box will match the name of a protocol or file format for which attributes are
available, the attribute name, or the attribute value. Refer to chapter 4 in the Guide to
Creating Policies for details about protocol or file formats and their attributes.
Summary The search by summary is applied over the summary field of the alert.
Target Target refers to the intended destination of the information. The value is protocol
specific. Examples include the destination domain name, server name, or host name.
Target is based on extracted protocol information and not based on the IP address of
the data. In many network configurations, the IP address may be an internal address
corresponding to a local NAT server or proxy, whereas the target represents the
intended destination of the data.
Alert source
Alert destination
Resolved IP address.
192.167.10.5 finds this exact IP address within the selected field (source, destination, or
both).
192.167.10.5/24 applies an IP address mask of 24 bits to the address. This includes all IP
addresses within the 192.167.10 subnet, from 192.167.10.0 through 192.167.10.255. Replace
24 with any value 0-31 to obtain the appropriate mask.
In all cases, IPv6 addresses may be substituted for the IPv4 addresses shown in the
examples above.
Last Login: reduces alerts to those that have occurred since the last time you logged into
CommandPost.
Last 24 Hours, 7 Days, or 30 Days: provide shortcuts to reduce alerts to the prior day, week,
and month.
Specific Hours: will display a text box to which you can enter a two digit number, N. Only
alerts occurring in the past N hours will be displayed.You can use this feature to reduce alerts
by partial days with granularity of one hour increments.
Specific Days: will display a text box to which you can enter a two digit number, N. Only alerts
occurring in the past N days will be displayed. You can use this feature to reduce alerts to
those that occurred during a specific number of days.
Specific Date: you can enter a date in the text box or click to select a date. This reduces
your alerts to those that occurred on the specified date. Dates must be entered in the form of
mm/dd/yyyy.
Date Range: you can enter a range by entering start and end dates in the text boxes or click
to select a date. This reduces your alerts to those that occurred during the specified date
range, including the start and end dates. Dates must be entered in the form of mm/dd/yyyy.
Group
This feature enables you to group alerts by information available in one or more of the primary
columns of your current alert page. For example, if you select protocols, alerts are grouped by
protocols. The total number of alerts for each protocol will be listed in the Count column.
Grouped alerts can be displayed in tabular or graphical form. Graphical forms include pie charts,
bar charts, and stacked bar charts. You may choose the display most relevant to your analysis.
Group By enables you to more easily organize alert information. After grouping, the checkboxes on
the left side of the Alert Report page apply to the whole group. With one click, you can manage,
purge, or label thousands or even millions of alerts at once. The more alerts that you select, the
longer it will take.
To group alerts:
1. Click Group. The Alerts Group By dialog box displays.
I
Figure 14. Alerts Group By
Note: If the desired column is not displayed, select another report at Alerts.
2. Click one or more of the desired columns. Clicking Group By Columns selects or deselects all
available columns.
Note: Group by can take several minutes depending on the size of the alert database.
3. Select how the results will display at the View Results as list. You can select from Tabular, Pie
Chart, Bar Chart, and Stacked Bar Chart options.
4. Click Apply Group By.
Click Group Details to see a list of all alerts in the selected row. This action is identical to
clicking a section of the associated graph.
Click one of the Group By links in the Distribution Summary to group alerts again using this
new element in the group analysis. A new group-by page is generated.
Group Details
When you click a section of a group by graph or click the Group Details button within the group
distribution summary, you are taken to a page with ungrouped alerts, filtered by the criteria
associated with the graph section or row in the group table.
You may change the filter, search, and sort criteria as designed. The Group row displays a link to
Return to Group List. Clicking this link will restore the Group By settings that started your flow.
If you change the Group settings, the Return to Group List link will no longer be valid.
1. Click .
2. Select to open the PDF report or to save it.
The PDF is available for your use.
1. Click at the Alert Report. The Alert Trends dialog box displays.
Alert Information Provides information about the alert including the severity, time/date of detection, age
(elapsed time since detection), the sensor that detected the alert, the application
protocol, alert label, and the action taken by the sensor.
This section also specifies the Format Type of the content whether it is sent within a
file, in the body of an e-mail, or in any other form. Alert Information also includes the
Format Data size to indicate a match of the size of the data.
Alert Information also includes information about the TCP session including source
and destination IP address and source and destination ports (presented as the
service). If alert compression has occurred, this table will include the number of events
that were compressed into this alert. Refer to Alert Compression below.
When the source or destination IP address is a registered host, its location will also be
presented. Location data includes the city, state, and country of the registered host. If
the IP address is not registered then location will not appear.
Violation Provides the names of the policy and rule that were violated, in addition to the rule
Information summary.
The Matched on table provides a table of all fingerprints in the violated rule, along with
the fingerprint true/false match result. When the result is true, the table will include a
table of fingerprint matches that were detected. This table will vary by fingerprint type.
For example, if the fingerprint is a keyword content fingerprint, you will see a table of
all keywords that were found. If the fingerprint is an identity profile content fingerprint,
you will see a table of all pattern sets that were detected.
Each fingerprint in the Matched on table will be associated with a color code,
representing the highlight color for this fingerprint. Refer to Alert Highlighting below.
The highlighting can be disabled per fingerprint in this table. Alert highlighting can be
turned on or off. Click the icon next to Highlighting.
Related Alerts A single user action can create multiple alerts. When this occurs, related alerts will list
all alerts generated by the users actions.
There are two scenarios where this may occur:
When multiple rules are violated. For example, you may have a rule to alert on
webmail and another to alert on the detection of Personally Identifiable
Information (PII). A user who sends PII data over webmail would violate both
rules and generate two related alerts (if both rules contained Alert in the action).
A user may violate the same rule multiple times. For example, consider a PII rule.
If a user sends one webmail message with five attached files containing PII, this
will result in five related alerts, since each file violated the rule.
Refer to chapter 1 in the Guide to Creating Policies for more information about how
Fidelis XPS decodes and analyzes network traffic.
When related alerts exist, a list appears showing the severity, alert ID, summary, and
time of the alert. The Alert ID of a related alert can be clicked to access the details of
that alert.
Alert Workflow Provides information about history of the alert ticket. In this section you can assign the
Log alert to a CommandPost user, change the alert management group, close the alert
ticket, and add comments to the alert workflow log. Refer to The Alert Workflow Log.
Decoding Path Provides the Decoding Path and the information extracted by Fidelis XPS decoders.
and Channel The Decoding Path provides access to the original data detected by the sensor,
Attributes broken into each level of protocol or file format extraction. Refer to Decoding Path and
Channel Attributes below for a description of how you can use this information.
Each line in the Decoding Path represents the output of a Fidelis XPS decoder. These
decoders also extract attributes from the protocol or file that is being decoded. The
Channel Attributes present a table, per decoder, listing all extracted attributes.
Channel fingerprints are based on matching these attributes to those listed in the
fingerprint. Refer to chapter 4 in the Guide to Creating Policiesfor more information
about channel fingerprints.
When the alert is generated based on directory information, this section will include
Directory Attributes extracted from your LDAP server. Refer to CommandPost
Configuration for information about how to configure which attributes are extracted
from your directory server.
Forensic Data This window presents the session data in two forms:
and TCP
Forensic data is the information extracted from the session that is used by
Recorded
content fingerprint analyzers. You will see text, stripped of all formatting, that
Session
represents a portion of the actual extracted data used by the sensor. You may
view this information in either a text or hexadecimal format.
The recorded session is the entire session, recorded up to the configured limits.
This information is not stripped in any way and is presented as it was recorded
on the network (in client side and server side data). Refer to Configure an XPS
Direct Sensor for session limit settings.
Forensic data may not be present for every alert especially those that are not based
on content fingerprints. Recorded session data will be present for most alerts, but not
immediately. The recorded session will not be available if it is corrupted or truncated in
any way, including when the session is prevented by an action taken by your policy.
Forensic data is recorded up to the point where a rule is violated. Sessions are
recorded in their entirety, which is why there may be a significant delay between the
alert generation and the arrival of recorded session data.
Viewing Forensic Data in text form is the default setting. When you change to view the
data as text, hexadecimal, or recorded session, your choice will become your new
default and will be applied the next time you access alert details.
Alert Highlighting
Every alert is triggered by matching some element defined in a fingerprint to some aspect of the
data transmission. Each fingerprint displayed in the Matched on table will be associated with a
color code. Within the Alert Details page, some element will be highlighted in this color so you can
easily determine the cause of the violation.
You will find highlighted information within Alert Information, Decoding Path and Channel Attributes,
Forensic Data, and TCP Recoded session sections of the Alert Details page.
It is possible that a single element can match more than one fingerprint. In these cases, the
highlight will be dashed lines over the text.
Moving your mouse over any highlighted element will display the name of each fingerprint that
matched this element. You can also click on a highlighted element to focus on it. Hitting TAB will
move the focus to the next highlight.
Highlighting may be disabled per fingerprint, by clicking the color coded box next to the fingerprint
name within the matched on section.
Manage Label
Within the Alert Information section, you will see the label applied to the alert. To change the label
or to delete labels, click Manage Label. The process is identical to that described in Alert Labels.
Alert Compression
In cases of high event activity, the sensor may compress multiple, very similar events into a single
alert to reduce the network communication load on the CommandPost-to-sensor connection.
When one alert represents several events, the Alert Details will include the Events/Compression
data in the Alert Information section. The associated value indicates the number of additional
events represented by this alert. For example, if the value is 8, then there were nine similar events,
the one displayed in the Alert Details plus eight similar events.
If the alert contains no compression, you will not see the Events/Compression data. This is the
typical case.
MIME(cnd.1.zip) The MIME attachment without the part header (in this case,
a Base64-encoded file).
It is important to note that whether an entire file can be downloaded depends on how much of the
intercepted session is recorded in the Fidelis XPS alert database. The maximum amount of the
session that is recorded is specified in the TCP session forensics limit setting. Refer to Configure a
Fidelis XPS Direct Sensor for information on setting the TCP session forensic limit. If prevention is
turned on, the file will be truncated at the point where the session was terminated.
If the recording of a session ends in the middle of a file you wish to download, you may get a partial
file that cannot be read by the original application. For example, Fidelis XPS decoders and
analyzers can read a partial zip file even though the WinZip Windows application cannot.
If the recording of a session ends before a file you wish to download, that part of the decoding path
will not be clickable, and that file cannot be downloaded.
Session Information
Session information includes client and server IP address (with resolved DNS names if possible),
start and end times of the session, session duration, and the total size and number of packets of
both the client and server halves of the session.
Note that the total size and number of packets includes all packet retransmissions, so this number
may exceed the size of the recorded session.
Client and Session Server Transcripts
The client and server session transcripts are shown exactly as reassembled by Fidelis XPS. If the
total size of the session exceeds the Alert Recorded Object Limit setting, the transcript sizes may
be less than the total session. You can change this at the configuration page for your sensor. Refer
to Configure a Sensor.
The transcript is in raw form. No content decoding of any kind is shown, so if all or part of the
session is encrypted, encoded, compressed, or in some other way transformed it may not be
legible. Most high-level protocols like SMTP and HTTP are composed of largely human-readable
exchanges so this information can be very useful in investigating network and information handling
policy violations.
It is possible to download the complete client and server transcripts by clicking on the Client Data
and Server Data links, respectively. The complete transcript is downloaded regardless of the Show
Amount setting below. The transcripts are downloaded as files with a .bin extension as the data
may be binary data.
Show Amount
It is possible to vary the length of the transcript displayed in the recorded TCP
Session page. Enter the number of kilobytes you wish to see in the Show KB text box and press
enter. This setting only affects the number of bytes displayed in this page.
Quarantine takes first priority. Any e-mail that violates one or more rules with the Quarantine
action will be quarantined.
Prevent has second priority. Any e-mail that violates one or more rules with the Prevent action
will be prevented (unless it also violates one or more rules with the Quarantine action).
Reroute has third priority. If other actions such as quarantine are detected, they are taken.
If the quarantine action is taken, the following occurs:
Information about the e-mail message, and all associated alerts, is transferred to
CommandPost where it can be viewed by a quarantine manager. The action for each alert
refers to the action taken by the Mail sensor.
Note: This action may be different than the action specified by the rule due to the
prioritization described above.
Each alert is assigned to the alert management group defined by the rule.
A quarantine manager assigned to the Mail sensor that holds the e-mail in quarantine, can
view the message, and take action.
Alerts and quarantined e-mail are managed independently. E-mail actions will remove an e-
mail from quarantine and if All is selected, can remove all associated alerts. Removing all
alerts associated with a quarantined e-mail purges these alerts from Fidelis XPS. Selecting
None keeps associated alerts available at Alert Report. Refer to Deliver or Discard
Quarantine E-mail.
Most quarantined e-mail will have at least one alert. The only exception will be when alert
compression becomes active. Refer to Alert Compression for details. When the sensor
generates many alerts, it will begin to compress similar alerts to relieve congestion between
CommandPost and the sensor. In some rare cases, all alerts from one e-mail will be
compressed together with other similar alerts, and therefore not be available on
CommandPost. The quarantined e-mail will always be available.
Quarantined e-mail is another key difference between the Mail sensor and other sensor types.
Other sensors make a decision to prevent, alert, or throttle immediately based on analysis. The
Mail sensor offers the quarantine option, which defers the final decision to a person who reviews
the offending message. Therefore, persons with quarantine management responsibility may need
to take immediate action to avoid unnecessary delays in business communication. The Mail sensor
offers the ability to notify quarantine managers immediately upon taking the quarantine action.
Refer to Fidelis XPS Mail for configuration options.
Quarantine Details: Click next to the e-mail to see the Quarantine Details page for that e-
mail.
Alert Details: Quarantined e-mails can have alerts associated with them. Click an alert
number at the Quarantine Details page or at the Quick Summary for the quarantined e-mail.
The Alert Details page displays with information for the alert. Refer to Alert Details for more
information. Any changes made at the Alert Details page will only affect the selected alert and
not the quarantined e-mail or any other alerts generated by the e-mail.
Deliver or Discard the message. Refer to Deliver or Discard Quarantined E-Mail. These
options also enable you to purge alerts associated with the quarantined e-mail.
If deliver is chosen, the e-mail is sent from the quarantine queue to the original recipient. An
e-mail is also sent to the original sender of the e-mail notifying them that their e-mail was
delivered.
If discard is chosen, the e-mail is removed from the quarantine queue and not sent to its
original recipient. An e-mail is sent to the original sender of the e-mail notifying them that their
e-mail violated policy and was not delivered.
A dialog box displays asking if you want to remove all of the alerts associated with this
message. If you choose All, the alerts are purged from CommandPost. Make sure that you
really want to discard all alerts before proceeding.
If you select None, any associated alerts remain available on the Alert Report page. The
quarantined e-mail is delivered or discarded.
If the quarantined e-mail does not contain associated alerts, a dialog box asks if you want to
continue. Click OK to continue to deliver or discard the quarantined e-mail.
After you deliver or discard the quarantined e-mail it is removed from the quarantine queue and will
no longer appear on the Quarantine Management page.
Management Group Any part of the management group associated with alerts.
Forensic data Any part of the data captured from the e-mail.
Refer to Alert Search Fields for more specific information about how these searches are applied.
3. Include or exclude Incoming quarantined e-mails.
Every access to the Quarantine page presents live data as it is reported to CommandPost. If
new quarantine e-mails are occurring on your network, this may distort your view of the data.
For example, you may click Next Page only to see the same set of quarantined e-mails from
the first page. This occurs because the first set of quarantined e-mails has been superseded
by new quarantined e-mails, moving them to the next page. You will notice similar effects any
time you perform searches, or if you access Quarantine Details then return to the Quarantine
Management page.
You can change this behavior by clicking the Include Incoming Quarantine in the Search
dialog box. By default, this option is checked, meaning new quarantined e-mails will be
considered. To change this behavior, uncheck the Include Incoming Alerts box.
4. Click Search. You can search without specifying a time period.
Sensor(s) From the sensor box, choose a Fidelis XPS sensor or Ctrl-click to
choose multiple sensors.
Date Specify a date. If you also specify an interval, the report searches
from this date and includes any interval times. For example, if you
enter September 1 as the date and select an interval time of 10 days,
the report searches from September 1 through the preceding 10
days.
System Reports These reports ship with Fidelis XPS and include: Default, Summary
Violation, Alert Management, Network, Label, and My Alerts. You can run these reports or
use them as the basis for a new custom report. If saved as a custom report, the original
system report is not affected. System reports are also available at the Alert Report page.
Refer to System Reports for Alerts.
Custom Reports Customized reports allow you to control the contents and the display of
your report. From the Manage page you can run, modify, and schedule these reports. Refer to
Create Custom Reports.
Saved Quick Reports These are Quick Reports (such as Alerts by rule or Data Discovery)
that were created and scheduled at the Quick Reports page. From the Manage page you can
run, modify, and change the execution schedule. Refer to Create Quick Reports.
Run to view the report. This is active for all reports. Refer to Run Custom Reports.
Edit takes you to the Custom Report page to edit criteria and save the report under a new
name. Refer to Create Custom Reports.
Modify is available for saved Quick Reports and takes you to the Quick Reports page. Refer
to Create Quick Reports.
Delete is available for Custom and Quick reports. Refer to Delete Reports.
Schedule enables you to enter scheduling information. This button is active for Custom
Reports.Refer to Save and Schedule Custom Reports.
Modify Schedule also enables you to enter scheduling information and is active for Quick
Reports. Refer to Save and Schedule Reports.
Copy enables you to copy a report and send it to other users. This button is active for Custom
Reports. Refer to Copy Custom Reports.
Click Customize at the Alert Report page. All alert search, filter, and view criteria is selected in
the Custom Report page. You can change any parameter and save it.
Click the appropriate report at the Manage page and click Edit. The Custom Report page
displays with any criteria selected for the saved report. This enables you to create a new
Custom Report based on a system report or an existing custom report.
Click Create New Report at the Manage page.
The Custom Report page contains the following sections that you can expand or collapse as
needed:
Search provides an interface to identify alerts by a search rather than an exact match. Search
terms are typed into the available input fields.
Filters provide an interface to identify alerts by an exact match of one or more attribute.
Values are selected by choosing one or more from the available lists.
Duration provides an interface to identify alerts by time.
Columns provides a control for the information available in your alert report.
Group By provides a control to summarize and chart the results of your report. The fields
available for grouping are those chosen as your primary columns for the report.
Search
To search, enter criteria into one or more of the text boxes within Search. Searches use a case-
insensitive, partial string match to find alerts. Refer to Enter Search Terms.
Alert Id Enter a single alert ID, a comma-separated list of alert IDs or a range. Ranges are
entered by a hyphen between the start and end of the range
UUID Enter a specific alert UUID number. This is an exact search.
Forensic Data The search is applied over the forensic data field of the alert, as shown in the Alert
Details page. Note that some alerts will not contain forensic data per policy definition.
Session Attributes This search is performed over the Channel Attributes of the alerts. The value will
match the name of a protocol or file format for which attributes are available, the
attribute name, or the attribute value. Refer to chapter 4 in the Guide to Creating
Policies for details about protocol or file formats and their attributes.
Note: Search terms entered for Summary, Forensic Data, and Session Attributes
follow the same syntax as described in Search for Alerts.
Filter Description
Severity Select one or more severity levels. Severity could be low, medium, high, or critical as
indicated by the rule that was violated.
Sensors Select one or more sensors. This refers to the name of the sensor that detected the
violation.
Protocols Protocol refers to the network protocol over which the violation was detected.
Source Country Select one or more source countries.
Duration
Duration enables you to specify a time period for your Custom Report and include trending
information.
Last 24 Hours, 7 Days, or 30 Days: provide shortcuts to reduce alerts to the prior day, week,
and month.
Specific Hours: will display a text box to which you can enter a two digit number, N. Only
alerts occurring in the past N hours will be displayed. You can use this feature to reduce
alerts by partial days with granularity of one hour increments.
Specific Days: will display a text box to which you can enter a two digit number, N. Only alerts
occurring in the past N days will be displayed. You can use this feature to reduce alerts to
those that occurred during a specific number of days.
Specific Date: you can enter a date in the text box or click to select a date. This reduces
your alerts to those that occurred on the specified date. Dates must be entered in the form of
mm/dd/yyyy.
Date Range: you can enter a range by entering start and end dates in the text boxes or click
to select a date. This reduces your alerts to those that occurred during the specified date
range, including the start and end dates. Dates must be entered in the form of mm/dd/yyyy.
Click Trending to graphically display the trend for all alerts in your report Trending is based on the
time periods entered at Duration.
Column Choices lists all columns that you can include in a report. Refer to the table below
that describes system report columns.
The Primary Row contains the columns that will display as the main columns for the custom
report. These columns can be sorted or used to group alerts.
The Secondary Row contains additional columns that can be used to provide extended
information on the Alert Report. When the report is run within CommandPost, each primary
column is show per alert. You can click the alert to open the the Quick Summary to access
your secondary information. Secondary row columns can be used to filter alerts and to
navigate to other pages by following clickable information fields. When the report is scheduled
for automatic delivery, secondary rows are not shown as part of the report.
Sort By displays columns selected for the primary row or those selected for grouping. The
selection will determine the order of your report.
To add a new column: Select one or more choices from Column Choices and click or
.
To edit column order: Select one or more column and click or until all columns are in
the desired order.
Available Description
columns
Compression Indicates the number of additional events represented by an alert. Refer to Alert
Compression.
Filename Displays the name of the file that caused the violation. Will be empty if no file was
involved in the violation.
Format Type Displays the data format type that caused the violation.
From Displays the value of the extracted From field. The value is protocol specific and
most applicable to email or webmail. The value will be empty if the violation
occurred over a protocol that does not provide From.
Group Displays the alert management group to which the alert belongs.
IP:Destination The IP address of the recipient of the data. When available, both IP and resolved
host name are provided.
IP: Source The IP address of the sender of the data. When available, both IP and resolved
host name are provided.
Label Displays the label assigned to the alert.
Owner The name of the CommandPost user to whom the alert has been assigned.
Resolution Displays the resolution to an alert that was closed. Resolution can take the
following values: Allowed, Action taken, No action taken, and False positive. Refer
to The Alert Workflow Log.
Sensor Displays the name of the sensor that detected the violation.
Severity Displays a level of severity. Severity could be low, medium, high, or critical.
Status Provides the status of an alert, which can be new, open, or closed. Refer to The
Alert Workflow Log.
Target Target refers to the intended destination of the information. The value is protocol
specific. Examples include the destination domain name, server name, or host
name.
Target is based on extracted protocol information and not based on the IP
address of the data. In many network configurations, the IP address may be an
internal address corresponding to a local NAT server or proxy, whereas the target
represents the intended destination of the data.
To Displays the value of the extracted To field. The value is protocol specific and
most applicable to e-mail or webmail. The value will be empty if the violation
occurred over a protocol that does not provide To.
User Displays the value of the extracted User field. The value is protocol specific and
most applicable to protocols that require a login or user name. The value will be
empty if the violation occurred over a protocol that does not provide User.
Alert Details
Icon Displays the icon at the location of your choice in the Alert List .
Group By
Group by enables you to summarize your report by grouping selected values. The list of available
columns matches your selection of primary columns. If you choose to group, you can also choose a
graphical output format of your report.
Group by enables you to group alerts in your report by selecting primary columns. Use CTRL-Click
to select one or more columns to group report results. You should also select a view for your report,
either tabular, pie chart, bar chart, or stacked bar chart. Refer to Group.
Save
To save a custom report:
1. After entering your report criteria, click Save at the Custom Report page.
2. Enter a unique report name.
3. Click the checkbox next to Save as alerts report to have this report available as a shortcut on
the Alert Report page.
4. Click Save.
Your saved report displays in the Manage page.
Delete Reports
To delete a report:
1. Click Reports>Manage.
2. Click Delete next to the appropriate report.
3. Click OK at the confirmation dialog box. The report is removed from the Manage page.
Tickets by Status The Tickets by Status report shows the total number of tickets
broken down by the current ticket status: New, Closed, or Open.
Time selections and trend graphs refer to the alert creation time.
by Rule Alerts by Rule shows the number of alerts broken down by rule
for the selected time period.
by Severity The Alerts by Severity report shows the total number of alerts
generated during the selected time period broken down by
severity. Severity includes Low, Medium, High, and Critical.
by Directory The Alerts by Directory report displays alerts for user attributes
extracted from your LDAP or Active Directory server. This report
depends on the CommandPost configuration settings for LDAP
Reports.
by Destination This report displays the number of alerts broken down by
Country destination country. This enables you to determine which country
the transmission was going to when the alert was generated.
by Protocol The Alerts by Protocol report shows the total number of alerts
generated during the selected time range summarized by
application protocol.
Note: The Traffic by Session and Traffic by Protocol reports are the only ways to view
the effects of policies that use the prevent option. This option prevents violating
sessions without generating an alert. The alert and alert and prevent options generate
alerts that display in all custom and alert reports.
The Time Range allows you to select from several options:Last 24 hours, Last 7 days,
Last 30 days, and Date Range.
If you choose Date Range, text boxes for start and end dates display. These text boxes
only accept dates in the mm/dd/yyyy format. You can also click the Calendar icon to
display a calendar that allows you to choose the start and end dates.
3. Select one or more sensors. The Sensor list allows you to select either a single sensor or all
sensors.
4. Choose the number of results to include in your report. The graphic will include the top nine
results as individual sections of your bar or pie chart. All remaining results will be combined
into the last element of the chart labeled "Other."
5. Select a chart type to display your information either pie chart or bar chart.
6. Click Include Data to include a tabular report of your data associated with each bar or pie
section in the graphical output.
7. Click Include Trend to display alert trends in your report during the selected time period for
each alert item.
The time reported by trending graphs and the time used in time range selection reflect the
time at which the network violation occurred.
8. If needed, click Reset to restore default values. You can also do the following:.
Click Run Report. The result displays in a pop-up window. You can print the report, save
it as a PDF, or send the report as an e-mail attachment. Refer to Create PDFs for Quick
Reports.
Click Schedule to schedule this report for delivery to an e-mail address at a specified
time. Scheduling a Quick report makes it available at the Reports>Manage>Report List.
Refer to Schedule Quick Reports.
Click Customize. The Custom Report page displays with any criteria entered at the Quick
report page.Once you make the required changes you can save the report and manage
and schedule it as a Custom Report from Reports>Manage. Refer to Create Custom
TCP Resets
Application Protocols
IP Defragmenter
TCP Processor
XPS Proxy
XPS Mail
XPS Connect
XPS Web Walker
Each Network report provides an interactive performance graph that you can use to closely
examine what is occurring on your network at specific times. With the performance graph, you can
look at time periods from 10 minutes to 7 days.
To do this:
Note how the time changes in the button below the slider bar. Time
measurements also change on the graph.
Mouse over a line to see what occurred at that point and how frequently.
To return to a larger view, double click in the graph. Each time you double click, the time
displayed in the graph doubles.
Clicking displays the information available for the 7-day period, even if you
initially selected a shorter time period.
Use the slider bar to see another portion of the graph.
Move the to expand or contract the time period being examined. You can also move to another
part of the performance graph. The time changes in the button and time
measurements on the graph also change.
Click to switch the graph to linear or to logarithmic scale.
Requests
Resets
Recent Resets
Runtime (information about the IP defragmentation alerts per minute over the selected time
period)
Throttle drop: how many packets were dropped in response to the throttle action.
Throttle TCP window cut: the number of packets on which the TCP window size was reduced
Throttle TCP window cut: the number of bytes in packets on which the TCP window size was
reduced
Proxy Traffic: a graphical display and a numerical breakdown, Proxy traffic per minute
Number of connections
Alerts generated
Messages prevented
Messages rerouted
Number of messages
Messages quarantined
Web Walker
The Web Walker sensor downloads and analyzes the files stored on configured web sites, and
generates alerts when policy violations are detected. The Network report reveals the Web Walker
activity in terms of local disk space used to store downloaded files
Local users are defined within CommandPost. Using the System>Users page, you can
create a user profile, which includes the local password and all permission settings.Local
users obtain a CommandPost user name and password and are the easiest to configure and
manage. CommandPost includes one default local user (admin) which must be used to
configure all other settings. Fidelis recommends that you create local user accounts for all
persons responsible for the maintenance and support of the Fidelis products.
LDAP users are created and managed by an external LDAP or Active Directory server.
Directory attributes can be used to map users or user groups to CommandPost permission
settings. LDAP users can access CommandPost using their directory user names and
passwords. They have full access to the system once logged on. Management is performed
by creating a user profile that maps directory attributes, such as group names, to
CommandPost access permissions.
AutoLogin users are authenticated by a remote authentication server. CommandPost detects
the user name in the HTTP header sent by the remote server and uses this name to map
AutoLogin users to a CommandPost user profile. This mode is recommended only for
enterprises that include a central user authentication mechanism which can intercept all
HTTPS communication. AutoLogin users are not provided a CommandPost user name nor a
password. Some capability will be limited due to the lack of these credentials.
Note: LDAP and AutoLogin users display in the Users>Profiles list after the first
login.
To create and manage LDAP and AutoLogin CommandPost users, refer to LDAP Configuration
and Auto Login. To understand CommandPost permissions, refer to Define User Roles.
To manage CommandPost users, click System>Users. The Users page displays with the current
list of CommandPost user profiles (local, LDAP, and AutoLogin) and basic information about each
user.
Note: The Users option is only available if you have access to user features. Refer to
Define User Roles.
Zero or more groups; needed for alerts and quarantine management features.
Zero or more sensors; needed to manage sensors and to view alerts from sensors.
LDAP and AutoLogin users are managed in a similar fashion. In these cases, you create a profile to
map user attributes to role, group, and sensor assignments. Each profile may manage a single user
or many users, depending on your configuration.
The user page provides two icons to note user status:
Denotes a valid user. The user has a role and has at least one group and sensor
assignment.
Denotes a user with limited access to the system. This user may have a role, but lacks
either a group or sensor assignment. They may log into the system, but will not be able to execute
their role.
Alert Management Groups can be used to divide the work of violation review and to segregate
violations by type.
The role is the first part of the access control system. Each CommandPost user is assigned one
role. This determines which parts of the system the user can access. Refer to User Roles.
Sensor access control is the second part of the access control system. Each users role provides
that user with access to certain CommandPost features. However, these features may only be
applied to the sensors to which the user is assigned. This control applies to all CommandPost
functions. For example:
A network operator may only configure and manage sensors to which that operator is
assigned.
A Policy author may write policies, but may only install these policies on assigned sensors.
An alert or quarantine manager may only view violations from sensors to which the manager
is assigned. The sensor access control serves to segregate data depending on where it was
found in the network.
The alert management group is the final component of the access control system. This is a group
of one or more users with a similar function, who should review similar network violations.
Examples might include a network administration group, Human Resources, or a network security
office.
Rules are associated with an alert management group. When a rule is violated, an alert or a
quarantined e-mail may only be managed by persons in the assigned group. Once viewed, an alert
manager may move the alert or quarantined e-mail to a different group as needed.
Alert management groups allow you to segregate data based on the rule that was violated. For
example, PII (personally identifiable information) violations may be sent to one group of users,
while violations involving inappropriate use of network resources are sent to a different group. It
also helps to split the workflow involved with alert management across one or more teams of
individuals.
All rules and all new users are initially assigned to the default group.
When a sensor is registered to a CommandPost, no user will have access, except the admin
user and the user who created the sensor.
The admin user has access to all groups, all sensors, and all system functions.
Local users can be added, deleted, and managed from this page.
LDAP users can be deleted at the Users>Profiles page. Management of these users is
performed by mapping your external LDAP or Active Directory server information to
CommandPost user access profiles.Refer to LDAP Configuration.
AutoLogin users can be deleted or have full name and e-mail information edited at this page.
Management of these users is performed by mapping your AutoLogin profile to
CommandPost user access profiles. Refer to Enable AutoLogin.
To access user profiles:
Click System>Users>Profiles.
The Profiles page appears with a list of CommandPost users. You can click on any user name to
see expanded information, and the Edit and Delete buttons as appropriate.
Provide identifying information for the user to Fidelis XPS. This information includes user
name, password, and e-mail address. This information is stored and managed within
CommandPost.
Assign the user to the appropriate groups and sensor to implement assigned roles. Alert
Management Groups can be used to divide the work of violation review and to segregate
violations by type
User managers have the following restrictions when creating or modifying users:
Create users with permissions equal to or less than their own permissions.
Assign users to groups to which they belong. For example, a User Manager that belongs to
group A and group B can only assign new users to those groups. Use CTRL+click to choose
multiple groups. Select No Groups to unassign a user from every group.
Alerts Full or view access Users must be assigned to Users must be assigned to
to Alerts the same group as the alert the sensor that generated the
and its associated rule to alert.
access the alert.
XPS sensor Full or view access No impact Users can only configure
configuration to Sensor Admin sensors to which they are
assigned.
CommandPost or view access to No impact No impact
configuration CommandPost
Admin
Users Full or view access A new user may be added to A new user may be added to
to Users any group to which the user any sensor to which the user
manager belongs. manager belongs.
Delete a User
Before you can delete a user, you must first reassign all alerts assigned to the user.
To delete a user:
1. Click Profiles.
2. Click the appropriate user. The Delete button becomes available. The Delete button will not
be available if open alert tickets are assigned to the selected user.
3. Click Delete.
4. Click OK at the confirmation dialog box.
The user is deleted from the list on the Users>Profiles page.
Policy Authorcreates and manages policies and rules to one or more sensor.
Alert and Quarantine Managerreviews alerts (or quarantined e-mails) and manages any
action required within the enterprise.
Each category includes the basic role described above and a supervisor role. The supervisor role
provides access to all the features of the basic role plus access to the Users feature. This enables
supervisors to add and manage local CommandPost users in their categories.
The System Administrator role provides full access to all Fidelis XPS features. This role can be
applied to any user.
Full Provides read and modify access to the feature. Depicted by a full
green circle.
Access Roles
To access roles:
Click System>Users>Roles.
On the Roles page, the permission levels and user information are hidden by default. Click on a
row, or click expand all to reveal the access levels and any user information associated with a role.
The user names display in links that you can click to access the Users page and see expanded
information for that user.
Details are available as either no access or full access. View-only is not available.
Access to Quarantine, Manage/Quick reports, and Ticket functions requires View or Full
access to Alerts. If you choose access to one of these three functions, CommandPost will
raise the level of Alerts to an acceptable level.
Note: Not all options are available to all users. You may only create a role with less
than or equal privileges than your own role.
Component Information
The Component list will display the CommandPost console at the top of the list. All sensors, if any,
follow in alphabetical order.
To see more details about a specific component, click the row for that component. Component
details for the CommandPost and sensors provide a summary of the current status and relevant
configuration details. Full configuration details can be accessed at the component configuration
page.
Note: If your product is a CommandPost with an embedded sensor, such as the
Scout, the initial list will show the embedded sensor. For embedded products, you
cannot add or remove sensors, but can configure the embedded sensors.
Status Lights
Shown as a green, red, or yellow diamond, the status light indicates whether a component is
operational. Green indicates that the component is fully operational. Yellow indicates a warning
message, which may indicate operational problems or the detection of a condition that warrants
attention. Red indicates operational failure.
By mousing over the status light, you can see a short description of any detected problem or
warning. The same description is available in the details of the component status.
Details
Click a row to view details about a component. CommandPost information includes the Name
(Local), Version, OS Version, Time, and any yellow or red Notifications. The absence of
notifications indicates that the component is fully operational.
Name the name of the component which was given when the sensor was added to
CommandPost.
Alerts is a current count of alerts generated by this sensor.Clicking the count will take you
to an Alerts Report showing alerts from this sensor.
License Messages
The following license messages can display in the Notifications section for the CommandPost or a
sensor:
Component Buttons
When you click a Component row, several buttons will appear. Button availability depends on user
access privileges as well as the communication status between CommandPost and sensor.
Delete Sensor click to remove a sensor from CommandPost. This button is available only if
there are no alerts in the database generated by this sensor and if the sensor is currently
unregistered. If you wish to delete a sensor with alerts in the database, you must first go to
the Alert Report page and purge all alerts generated by this sensor from CommandPost.
Refer to Purge Alerts for more information. When you return to the Sensor Config page, you
will be able to remove the sensor . This button is not available for embedded sensors.
Add a Sensor
To add a sensor to CommandPost:
1. Click System>Components.
2. Click Add Sensor.
3. Provide the sensor name, IP address, and an optional description. The IP address is used to
identify the sensor to the CommandPost.
4. Click Save.
5. Click Register. CommandPost attempts to communicate to a sensor at the specified IP
address.
After the sensor begins to communicate to the CommandPost the status indicator turns green and
the Last Seen value indicates the time of the last communication.
You can now configure the sensor by clicking Config.
Note: For embedded sensor products, the Add button is not available.
Edit a Sensor
You can change the sensor name or IP address (if unregistered). You can also change the
description as needed.
To edit a sensor:
1. Select the appropriate sensor.
2. Click Edit Sensor.
3. At the Edit Sensor page, enter needed changes.
4. Click Save.
Note: After a sensor is renamed, all alerts associated with that sensor are
automatically associated with the new sensor name.
License
License shows the Host ID information, the current license key, and an expiration date. Each
component requires a separate license.
When you initially install and register a Fidelis XPS sensor the License Key field displays <demo
mode>.
When you initially install Fidelis XPS on CommandPost, CommandPost will run in demo mode. A
sensor or CommandPost remains in demo mode until a license key is entered.
Expiration
Fidelis XPS begins displaying notices that your license will expire starting 60 days before the
expiration date. If you receive this notice, contact Technical Support to obtain a new license.
M o di f y a L i c e ns e K e y
To make changes to your license key in case of an entry error for example, just enter a new license
number in the License Key text box and click Save. Please remember that making changes to
license keys should be done with great care.
D e m o M od e
If no license key is detected, the sensor and the CommandPost will operate in demo mode. The
sensor does not function in demo mode. A CommandPost in demo mode will not accept alerts from
any sensor and will only accept statistics.
System Monitor
System Monitor is used to monitor the activity and health of a sensor or of the CommandPost. In
general, it monitors a component's status including disk space, process restarts, and statistics
counts. It attempts to make sure that the system is running smoothly. If not, it can send warnings in
a number of different ways.
System Monitor monitors the sensor or the CommandPost from the input interfaces all the way to
the alert output process, and everything in between. It will also monitor the state of critical files
stored on the server disk drive. If modifications from the original installation are detected, a critical
sysmon alert will be generated and sent to the configured System Monitor output.
Note: On a sensor, executable files are also verified upon system startup using an
embedded signature in each executable file. Startup errors are written to syslog or
other Fidelis log files, depending on the corrupted file.
By default, System Monitor writes all of its messages to the standard system log file. In addition, it
can be configured to write to a remote system log file, to send an e-mail, and to send an SNMP
message.
Notifications
The Notifications page allows the configuration of messages or notifications to be sent to external
entities. This page is the same for the CommandPost or a sensor, except that the CommandPost
version does not contain details about sensor activity such as the number of packets inspected.
Warningsomething has happened that may impact the performance of the system;
Criticalsomething will stop the system shortly. System may not be running properly;
Emergencythe system cannot operate.
The System Log field allows for the entry of a remote system name. This system should be
configured to allow remote hosts to send syslog messages to be recorded in its standard syslog
file. Make sure to allow a remote sysmon message in through any firewall on the system also.
The message types to be sent are also configurable for this field. You may want to ignore
information messages and warning messages, but make sure that you know about any critical and
emergency messages.
The eMail Address field allows for the configuration of an e-mail address and message types to be
sent to that e-mail address. If one or more e-mail relayhosts are configured, outgoing e-mails are
sent through e-mail relayhosts.
The SNMP field allows for the configuration of a remote SNMP monitor and the message types to
be sent. SNMP traps may be sent to an external system which may be specified by a host name or
IP address. Choose the alert information to include in these traps.To enable Fidelis SNMP traps, a
MIB is available with sample use instructions at. www.fidelissecurity.com/support.
Logs
Logs enables you to view log files from a sensor or from CommandPost that reside in different
directories, including/FSS/log and /var/log among others. Log files can help in troubleshooting
problems and are a valuable resource when interacting with Fidelis Technical Support. After
retrieving a log file, you can send it via e-mail. Fidelis support is the default email recipient of all log
files.
To retrieve logs:
1. Click System>Components>Config>Logs. You can select another at the Component list.
2. Select a file from the Log Files list.
3. Click Invert Log to reverse the order of log entries, if needed.
4. Click Get Log. The selected log entry displays and the Email Log button is available.
Configure CommandPost
The CommandPost configuration page enables you to specify settings for CommandPost
operations. Your role requires full access to CommandPost administrative functions to access this
page. Some Configuration settings may require additional access permissions, as noted in the
specific CommandPost sections. Refer to User Roles.
To access CommandPost configuration, click the CommandPost row at System>Components and
click Config.
License
User Authentication
Email Config
User Notification
LDAP Config
LDAP Reports
Alert Storage
Language Config
Logs
Diagnostics
System Monitor
Archive
Instructions for License, Logs, and System Monitor apply to all CommandPost and sensors.
Instructions for other CommandPost configuration pages only apply to CommandPost.
User Authentication
CommandPost supports user authentication locally, via AutoLogin, or via LDAP or Active Directory.
Using CommandPost configuration, you may choose the authentication method for your
environment and modify configuration options. When a user accesses CommandPost,
authentication is performed as follows:
If the user name matches a local user, entered in System>Users>Profiles, then local
authentication is performed. Refer to Define User Profiles.
If the user name is not local, then CommandPost checks AutoLogin to see if it is enabled and
if a profile is set up for the user whose name appears in the HTTP header. The AutoLogin
authentication requires a network infrastructure to capture the user request, authenticate the
E n a bl e LD A P A u t he n t i c at i on
If you would like to authenticate users via LDAP or Active Directory, you must enable LDAP
authentication and create a profile. To correctly setup authentication, you must have a thorough
understanding of your local directory server data structure. This can be obtained by utilizing your
favorite LDAP/AD browser software.
Note: You also need to configure CommandPost to LDAP communication. Refer to
LDAP Configuration.
To enable LDAP Authentication:
1. Click Enable LDAP authentication.
The Login prepend setting can therefore be thought of as another filter which is internally
applied by the authentication process for each LDAP profile. In our example, joeUser must
be a unique value for LDAP attribute sAMAccountName for both sales and engineering
groups.
3. Enter the LDAP Base and Filter.
(|(mail=joe*) ( mail=fred*)) This entry would return users with e-mail beginning with
joe or fred.
(&(mail=joe*) (sn=b*)) This entry would return users with an e-mail beginning with
joe and a last name starting with b.
Note: Please see rfc4515 (http://www.rfc-editor.org/rfc/rfc4515.txt) for more
examples of LDAP filter expressions.
E n a bl e A u t o L o gi n
If your network provides user authentication for HTTPS services, you may enable Auto Login and
create a profile.
Note: AutoLogin users are authenticated within your network and are not provided a
CommandPost user name nor password. Therefore, they will have no access to file
transfer capabilities offered via WinSCP because these functions require a
CommandPost user name and password. File transfer capabilities are offered within
the CommandPost Policy creation pages.
To enable AutoLogin:
1. Click Enable AutoLogin.
Your network authentication must intercept the HTTP request, authenticate, and insert
an HTTP header in the form: headername:username where the header name string is
set up in the AutoLogin profile.
Email Configuration
Email Config enables you to set e-mail parameters to identify messages sent from CommandPost.
1. Click Email Config.
3. Configure Smart Relay by entering an IP address or a host name and click to specify an
e-mail server on your enterprise's network. Smart Relay will direct e-mail to the specified
server.
4. Click Update.
CommandPost will use these settings for messages from the ticketing system and for reports
delivered by e-mail. Reports include user-generated and scheduled Alerts, Custom, and Quick
reports.
LDAP Configuration
You can configure CommandPost to interface with an LDAP or Active Directory server. After
configuration, CommandPost will be able to authenticate logins via directory authentication, to use
directory information in policy definitions, and to associate user information detected within alerts to
directory information.
To correctly configure the CommandPost interface with LDAP, you must have thorough
understanding of your local directory server data structure and login access to all user records
stored on your server. You may use your favorite LDAP/AD browser software to gain the required
information for configuration.
Obtain the following information before you configure CommandPost to work with an LDAP server:
Password
LDAP Base (example: dc=example,dc=com or cn=Users,dc=example,dc=com)
Check the LDAP server before configuring LDAP at the CommandPost.
Fidelis XPS systems that use LDAP request all records for a given base/filter combination
and cache the records locally on the CommandPost with a periodic refresh functionality built
in. By default, LDAP directories limit the number of objects that can be returned from a single
search filter. Please make sure this limit is disabled or at least large enough to return all the
records for the base/filter combination configured at the CommandPost.
To configure CommandPost to directory communication:
1. Click LDAP Config.
User Authentication. To configure user authentication by your directory server refer to LDAP
Authentication.
Policy Creation. You can direct CommandPost to retrieve user or group attributes from your
directory which can then be utilized by policy creation. For example, you can set extrusion
policies based on the activities from Human Resources, where Human Resources refers to a
group established in your directory. To create policies based on your directory attributes refer
to chapter 3 in the Guide to Creating Policies.
Enter attributes into the text box and click . Use attributes defined in RFC 4519 or
any user-defined attributes.
Some examples of attributes you might want to specify are name, e-mail address,
organization, organization unit, title, and user id.
Your list of attributes will be displayed as user information within Alerts. Refer to Alert
Details.
4. Click Test to verify the correct attributes are extracted from your directory.
5. Click Update to save your settings.
LDAP Reports
The LDAP Reports page enables you to specify options for the LDAP Attributes available at the
Alerts By Directory Quick report. Using this page, you can create a user readable name for each
LDAP attribute. You must configure at least one attribute to execute the Alerts By Directory Quick
report. Refer to Quick Reports.
To do this:
1. Click LDAP Reports.
A l er t R et e n t i o n
CommandPost performs daily maintenance which includes two distinct processes:
Alert purge is the removal of all alerts and recorded objects that are older than the specified
retention period. Alert purge will briefly lock the database so that new alerts cannot be
inserted during this time. This operation should last only a few minutes or less.
Disk optimization is required after alerts are purged. This function is very important to the long
term integrity of CommandPost and must be run at least once per week. Optimization will lock
the database so that new alerts cannot be inserted during this time. This operation may
require several hours to complete, depending on the size of alerts and recorded sessions
stored by CommandPost.
Note: If CommandPost storage becomes full, new alerts will overwrite old alerts, even
if the retention period has not been exceeded.
To configure Alert Retention:
1. Click Alert Storage.
Database Encryption
Database Encryption enables you to control whether alert forensic data and the associated
recorded objects are stored in an encrypted or unencrypted form. When you change configuration,
forensic data and recorded objects already stored by CommandPost will no longer be available. An
encryption change will provide a warning regarding the availability of current information.
If encryption is important to your organization, Fidelis recommends that you enable this feature
immediately upon receipt of your CommandPost. Fidelis uses AES 128-bit key encryption. For
existing installations, you should archive your alerts before changing encryption status. Note that
archive data is not encrypted.
To enable encryption:
3. Click Encrypt. A dialog box warns that you will lose access to forensic data and recorded
objects.
4. Click OK to proceed.
To disable encryption:
1. Click Unencrypt. A dialog box warns that you will lose access to forensic data.
2. Click OK to proceed.
Diagnostics
CommandPost problems may be caused by corrupt tables within the embedded database.
Diagnostics enables you to check database tables and to repair them if needed.
To check for and fix database corruption::
1. Click Diagnostics.
2. Select the extent of checking you want Diagnostics to perform.
QuickChecks the integrity of indices on the table and usually executes quickly.
MediumPerforms a Quick check and verifies the checksum value on each row of each table.
A medium check may require several minutes to complete.
ExtendedPerforms a Medium check and a look up of each row and table index on the table
to verify 100 percent consistency. An extended check may require a long period of time.
Because checks and repairs can be time-consuming, it is recommended that you perform a
Quick Check and Repair first.If the problem is not corrected, attempt the Medium and
Extended Checks.
3. Click Check. A notice displays telling you that this process might take longer than expected.
4. Click OK to proceed. Check indicates the progress of the check and which tables it is
checking within a running dialog box. When complete, Check displays a message indicating
that the Check is complete. A list of files that need repair also displays.
Click + to view the dialog.
Click to collapse the dialog.
You can click Clear to reset the GUI, but Clear does not stop the Check or Repair operation
on CommandPost. Exercise caution when using Clear and then only if there is a genuine
problem - especially with an extended check or repair.
While a Check is in progress, you can leave the page and perform other CommandPost
tasks. Upon your return to the Diagnostics page you can view the current status of the
operation.
5. Select a Repair option.
The Repair method should correspond to the Check method used. For example, if you
selected a Quick Check, then you should proceed with a Quick Repair.
QuickOnly attempt to fix the index tree.
Medium Provides the same repairs as Quick.
Extended Rebuild the index tree by row.
Repair is only available if one or more tables were determined to be corrupt in the preceding
Check operation.
6. Click Repair. A notice displays telling you that this process might take longer than expected.
Click OK to proceed. Repair indicates the progress of the repair within a running dialog box.
Archive
Archive enables you to configure a name and login for a remote FTP server. CommandPost will
use the information to export archive files to the remote system. Refer to Export. Archive also
enables you to import files. Refer to Import from a Remote FTP Server.
Note: To access Archive, you need full access to CommandPost administration
privileges. Refer to Define User Roles. CommandPost administration privileges allow
you to configure and test the archival process. No alerts are transmitted during the
test process, only test data.
Access to System->Export requires alerts, Alert Details, and CommandPost
administration privileges. This access allows you to export alert archives using the
process set up by the CommandPost administrator, as noted above.
S e t U p a R e m ot e FTP S er v er
To set up information for a remote server:
1. Click Archive.
Configure Sensors
To configure a sensor, click System>Components and click Config for the selected sensor.
Note: The Config button only displays if the user permissions are adequate and if
there are no communication problems with a sensor.
General
You can configure your module to operate in either inline or out-of-band mode. Refer to chapter 5
in the Enterprise Setup and Configuration Guide for more information about these modes and how
to set up and connect hardware to the network.
Inline Mode/Out-of- Choose the setting that reflects the network configuration of your module.
Band Mode Out-of-Band mode is used for monitoring via a network tap or SPAN port,
while inline is used when the module is directly in the network flow.
When a module is deployed inline, prevention is performed by dropping
packets received on offending sessions.
Note: To activate inline mode, the module must also be
operating in full duplex mode. Refer to chapter 5 in the
Enterprise Setup and Configuration Guide.
Throttle Mode When Inline Mode is chosen the Throttle Mode checkbox displays if
available. Throttle is typically used to identify applications (such as peer-
to-peer or instant messenger) that are allowed on the network, but to
control their use by throttling activity to an acceptable level. Throttle mode
enables the Direct/Internal module to react to throttle rule actions. If
throttle mode is disabled, the module will ignore the throttle action.
TCP Reset When checked, TCP Reset is enabled to provide prevention, as indicated
by the action setting when a rule is violated.
When used in out-of-band mode TCP resets used for prevention, you must
specify the dedicated Ethernet interface (Prevent /eth1) used for packet
injection. Make this choice at the drop-down menu. When used in Inline
Mode, the Direct/Internal module will inject TCP Reset packets (in addition
to dropping received packets) to implement prevention. In Inline Mode, the
module will choose the correct Active interface for injection of reset
packets based on the information flow.
Active Interfaces Active Interfaces determine which Ethernet adapters the module will
monitor. Click the appropriate checkboxes to select interfaces. One
adapter, such as Monitor A /eth2, indicates that the module is listening in
half duplex mode. Two adapters, such as Monitor A /eth2 and Monitor B
/eth3, indicate full duplex mode.
Information Flow Map Click to enable Information Flow Map. This option displays if you have a
Direct module on a module capable of supporting Information Flow Map.
Refer to Information Flow Map.
Advanced Description
parameters
Alert Recorded Object This setting determines the maximum length (in KB) of data recorded
Limit (1-16384): from the network session associated with each alert. It is important to
keep in mind that a larger limit might substantially increase the size of
your database, which will require more available disk space on
CommandPost. The default is set at 4096 KB because most useful
forensic information occurs in the beginning of a recorded session. It may
be useful, however, to have more data recorded.
Checksum setting A check beside the protocol name under Checksum instructs the software
to verify the checksum of each network packet of that protocol type.
Deselecting a protocol means that packets will always be accepted which
increases performance.
Network Border
Network Border allows you to configure the internal network subnets monitored by a Direct or an
Internal sensor.
The Direct sensor physically resides at the egress point, and looks at sessions where the
sender is internal to the border and the recipient is external. The Direct sensor analyzes
sessions that cross the defined network border.
When the border setting is blank (the default setting), the Direct sensor examines all
incoming and outgoing traffic on the network.
The Internal sensor looks at sessions where both the sender and the recipient are internal
to the defined border. The Internal sensor checks and analyzes the internal transmissions
of data including those to or from file and database servers.
Important: You must set a network border for the Internal sensor. You can install
up to three Class A networks on the border list.
Squid Click to enable Squid compatibility mode. This must be enabled if the client uses
the Squid proxy. By default, this is turned off.
Proxy prevention Enter a valid, absolute HTTP URL for browser redirection.
redirect URL
Note: This URL does not support the use of non-ASCII characters.
You can create several URLs and force redirection if you include attributes of the
alert information in your URL. For example, you may have a URL for each policy
running on the Proxy module. The keyword select box can be used to craft a URL
for redirection based on alert attributes.
To use the Proxy module's ability to redirect based on alert attributes, select one or
more keywords from the list and click Add Keyword. The keyword and the percent
signs around it will be replaced with a real value at runtime. For example, if you
add the %SENSOR% keyword, the actual sensor name will replace the
%SENSOR% keyword in the URL.
Restrict interface By default, the Proxy module listens to all ports for ICAP traffic, including the admin
port used for communication to CommandPost. Click Restrict interface to choose a
single interface for ICAP traffic.
Mail
The Mail page is available if the sensor includes a Mail module. The Mail module can be deployed
in one of two modes:
Restrict interface If you select milter mode, this checkbox appears. By default, the Mail module
listens for traffic over all ports including the admin port which is used for
communication to CommandPost. Click Restrict interface to choose a single
interface for milter traffic.
Mailer port If you select milter mode, you need to enter a Mailer port.You may configure the
TCP port number for use in milter mode. Enter any unused port. The default is
10025. You can use this default value or make another entry. When run in milter
mode, the third party e-mail server must be configured to run the milter interface
on this port.
Notify quarantine Click to have e-mail sent to the alert management group assigned to the rule
manager that was violated. Refer to Add or Edit an Alert Management Group for
information about entering and managing group e-mail addresses.
Reroute server Enter a fully qualified host name for an e-mail server. If the rule action on an e-
mail is reroute, the e-mail will be sent to the server named here.
This setting determines the maximum length (in KB) of data recorded from the e-
Alert Recorded Object
mail message associated with each alert. It is important to keep in mind that a
Limit (1-16384):
larger limit might substantially increase the size of your database, which will
require more available disk space on CommandPost. The default is set at 4096
KB.
Rescan all URLs once When Web Walker is first configured, URLs are scanned in their entirety.
After the initial scanning, periodic scans are done only for files that have
changed.
Leave this option unchecked, unless there is a need to force Web Walker
to scan all URLs again.
Ignore robots If clicked, Web Walker module will ignore a robots.txt file on the site. If
exclusion protocol unclicked, robots.txt will be followed.
Quota per URL Enter an amount in megabytes. Web Walker downloads all files from the
site and stores them locally This will specify a maximum size to control the
size of the downloaded data per Web site.
Tries per URL Enter the maximum number of times the module will attempt to access a
URL.
Recursive Level per Specify the download rate, in kilobytes per second. Specifying this rate
URL may help limit the bandwidth usage of the Web Walker module and Web
sites.
Download Rate per Specify the download rate, in kilobytes per second. Specifying this rate
URL may help limit the bandwidth usage of the Web Walker module and Web
sites.
Sleeptime (hours) Specify the number of hours before a new scan. You should consider the
quota and the download rate limits that you set to determine an
appropriate sleep time.
Alert Recorded Object This setting determines the maximum length (in KB) of data recorded from
Limit (1-16384): the file associated with each alert. It is important to keep in mind that a
larger limit might substantially increase the size of your database, which
will require more available disk space on CommandPost. The default is set
at 4096 KB.
Enable SSL Click to enable SSL so that the Connect client and server can exchange
information over a Secure Socket Layer. This enhances the security of
client-server communications.
Note: The client must be able to support SSL.
Connect port: Enter a port number. Ensure that this port is open on any firewall between
your client systems and the Connect appliance.
Mode Select Single client or Multiple clients. Single client limits Connect to one
connection, but enables you to examine larger buffers.
Multiple clients provide multiple connections and enable you to use more
clients, but you will need to limit the buffer for each.
Alert Recorded Object This setting determines the maximum length (in KB) of data recorded from
Limit (1-16384) the session associated with each alert. It is important to keep in mind that
a larger limit might substantially increase the size of your database, which
will require more available disk space on CommandPost. The default is set
at 4096 KB.
Enter an IP address or a host name and click to specify an e-mail server on your enterprise's
network. EMail Relayhost will direct e-mail to the specified server. Selecting an IP address and
clicking removes it from the Relayhost list.
In ASCII mode, the sensor will recognize ASCII characters in any file. This mode provides the
optimal performance of your sensor and works well with most files written in English. Files
written in another language may be interpreted as binary files and the content will not be
decoded.
Many files and Internet protocols will indicate the character set used within the content,
although this information may not be visible within user application. For these files and
protocols, the sensor will correctly interpret the content in International Mode, as long as the
character set is supported.
If the character set is not specified in the file or protocol, the sensor will attempt to translate
the content using the character sets that you specify on this page. If you specify many
character sets, the sensor will use each one, first translating, then decoding, and analyzing.
This process may be time consuming and may impact sensor performance.
To operate in International mode, you must selected at least one character set to be used
when the character set cannot be determined from the file or protocol.
Language Config settings are done separately for each sensor since each may need to have
different language settings based on their physical location and the expected content at each site.
Language configuration must also be done separately for CommandPost. Refer to CommandPost
Language Configuration.
Note: Fingerprints generated on CommandPost are based on the CommandPost
language configuration. For proper performance of these fingerprints when installed
on a sensor, the sensor should be configured as the CommandPost was for
fingerprint generation.
Even though the sensors and CommandPost do not need to be at the same version of Fidelis
XPS, you should update all sensors first, then update CommandPost. Updating
CommandPost before updating sensors can result in some features not behaving correctly.
If the CommandPost is at an older version of Fidelis XPS and the sensors are at a newer
version, everything will function at the older version. Only after the entire Fidelis XPS system
is upgraded will new version be usable.
Performing an Update leaves CommandPost data intact. The data includes information such
as saved Custom Reports, user information, policy assignments, and alerts.
When using Version Control to update the decoder libraries remember that:
Major releases provide new capabilities for Fidelis XPS. These releases are identified by the
left most numeral in the version, for example, versions 5.0 and 6.0. Updates must be installed
on systems running the last minor release.
Minor releases extend the features and capabilities of the major version. These releases are
identified by the second numeral in the version, for example, versions 5.2 and 5.3. Updates
should usually be applied in sequence from version 5.0 to 5.1 to 5.2 and so on. Refer to the
latest release notes for information.
Maintenance releases provide minor features and correct known software problems. These
releases are identified by the third numeral in the version, for example 5.3.1 and 5.3.2.
Updates are usually applied to the last minor release, not necessarily the last maintenance
release. For example, it may be acceptable to install version 5.3.4 on a system running 5.3.1
without installing the 5.3.2 and 5.3.3 versions. Refer to the release notes for specific
instructions as this may not always apply.
Patch releases provide fixes for known issues, which may be software problems or may be
the result of a change in proprietary network protocols such as webmail, peer-to-peer, instant
messenger, and social networking protocols. Patch releases are given the version number of
the last maintenance release followed by a patch date. For example, 5.4.1-20090924. Patch
releases must be installed in a system running the maintenance version stated in the version
Prepare to Update
Before proceeding with update, refer to the most recent version of the release notes. The release
notes contain information specific to your release and any procedures you might need to follow
before updating.
To prepare for the update:
1. Download the Fidelis XPS update installation file from: www.fidelissecurity.com/support to a
folder on your local workstation. Contact Technical Support if you cannot access this address
or are not sure which file to download. Release Notes are available from the same location
and can be reviewed prior to continuing with the installation.
2. Log into the CommandPost as a system administrator. Your role must provide access to
Version Control to proceed. Refer to Define User Roles.
3. Install the software by following the instructions in the section Run Update.
The update process automatically saves configuration data stored in the database such as policies,
users, and sensors to name a few examples. This configuration data is stored in the /var/FSS-save
directory. If the update fails, the automatic rollback procedure restores configuration data and
returns the system to its previous working version.
Run Update
After downloading the installation file to a folder on your local workstation:
1. Click System>Version Control>Update.
2. Click Browse to navigate to the update installation file.
3. Click Upload New Update.
If the selected file is valid, the following occurs:
Check boxes display next to system names for each system that is a valid candidate for
the selected update.
The Status column states if the Update file is available for each system.
The View Release Notes button becomes operational for an update. Click to see release-
specific information about the update including the time involved in updating the sensors
and the CommandPost.
Update Progress
When an update is in progress for CommandPost a status screen displays that provides messages
about the status of the update. All users attempting to use CommandPost will see this screen.You
cannot access CommandPost until the Update completes.
Schedule Update
Schedule Update enables you to schedule a job up to one month in advance. Keep in mind the
following when scheduling these jobs:
The scheduled Update must be to a newer version than the current version.
You can only schedule one Update per system. To schedule another Update, you must first
cancel a previously scheduled Update.
To schedule an Update, select the appropriate Update file.
If the Update is valid, the following occurs:
Email user-defined
Syslog
SNMP traps
ArcSight
Verdasys Digital Guardian
IBM SiteProtector
Fidelis Archive
You need to be a CommandPost administrator with alerts and alert details permissions. All saved
exports are available to users with these privileges. Refer to Define User Roles.
Refer to Define Exports for instructions on setting up a new export.
Export Methods
This topic provides specific information for each of the export methods. For general instructions
about creating an export, refer to Define Exports.
Fidelis Archive
For this export method, the remote server name, login, and directory information need to be set up
at the System>Components>CommandPost Config>Archive page. Refer to Archive.
Specify the remote directory for export at Destination.
Select Include Recorded Objects to include in the export, if desired.
When exported, a file named archive.<extension> will be created and sent to your remote system
and placed into the directory specified in the Destination field. Notes about Fidelis Archive exports:
https://<commandpost>/j/alert.html?%ALERTID%
The destination for e-mail is provided by a single or comma-separated list of e-mail addresses. The
destination for Syslog is the name or IP address of your external Syslog server.
%ACTION% The action taken by the sensor in String: Can be alert, quarantine,
response to the violation. prevent, or throttle.
Can also include valid
combinations of actions, such as
quarantine and notify.
%TIME% Time when the alert was detected. String in the format: YYYY-MM-DD
hh:mm:ss
You can use the default column list or select columns from the Column Choices box and click
to move them to the column list. At the column list, you can order choices using and .
Remove a column from the Column List by selecting it and clicking .
IBM SiteProtector
IBM SiteProtector may be selected if you need to export alert information to a SiteProtector server.
Enter an IP address or a host name at Destination to identify the SiteProtector server.
Note: Fidelis alert integration requires SiteProtector 2.0 Service Pack 7 with Database
Service Pack (DBSP) 7.19 or higher. Contact your IBM representative or refer to the IBM
SiteProtector documentation.
To use the SiteProtector export, you will also need to do the following:
Define Exports
This topic provides instructions on setting up an export. Refer to Export Methods for information
specific to each export delivery method.
1. Click System>Export. A list of available exports displays. The first time Exports is accessed,
the list is empty.
3. Select an export delivery method. The Export Editor changes to reflect your choice. Refer to
Export Methods.
4. Enter a Destination. This can be an e-mail address, directory name, or IP address depending
on the export method.
Note: Destination does not support the use of non-ASCII characters.
5. Select to export either All alerts or alerts By Criteria.
Allenables you to select all available alerts. Exporting all alerts in your database can
take time. With this option, you might want to limit this export by selecting a maximum
number of alerts.
By Criteriaenables you to select alerts based on multiple search criteria. These criteria
vary depending on the export method.
6. Select criteria as needed to determine the alerts you want to export. You can select multiple
entries.
For Duration, you can select a specific time such as 24 hours or 7 days or enter a date or
Manuallyexports alerts only when you run the export by clicking the Run Now button.
This method is useful to test communication with the external system and for Fidelis
Archive. It is less useful for other export methods.
Every Alertexports all new alerts that meet selected criteria. Exporting for each new
alert is guaranteed to export each alert exactly once. The Export occurs immediately
when the alert is received from the sensor. This method is recommended for integration
with external systems. It is not available for Fidelis Archive.
Periodicallyenables you to specify a time and day to run the export. This method is
recommended only for Fidelis Archive, e-mail, and Syslog exports. All other types of
exports should be performed on Every Alert to provide synchronization between the
Fidelis system and the external system.
8. Select the maximum number of alerts to be sent.This option is very useful when testing
communication to external systems and is not recommended in any other case. When you
choose this option, the selected alerts will be random, based on your alert criteria. You should
not depend on the exact alerts exported when this option is selected.
9. Enter a name for the export in Save As. You must save the Export before you can run it.
Clicking Reset restores settings to what was last saved.
10. Click Run Now to export.
If the Export Frequency is set to Every Alert, Run Now will export exactly one alert, if one can
be found to match the criteria of the alert. This alert will be transported to the external system
and handled accordingly.
If the Export Frequency is set to Manual or Periodic, all alerts that match your criteria will be
exported to the external system. Note that this can be millions of alerts and can take a very
long time to execute. You can use the maximum number of alerts to limit the size of the
export for testing purposes.
Run Now can only be performed after the Export is saved. If you make any changes on the Export
page, the Run Now button will be disabled until you either Reset or Save.
Delete Exports
To delete an export:
1. Click System>Export.
2. Click Delete next to the appropriate export.
3. Click OK at the confirmation dialog box. The Export is removed from the Exports page.
CommandPost user actions that change system configuration, including sensor configuration,
sensor registration, and policy updates to sensors.
CommandPost user actions to remove or export data from the system. This includes alert
purge, alert export, and user-generated reports.
CommandPost user actions to add, modify, or remove system components such as policies
and policy components, users, groups, roles, sensors, etc.
User actions taken at sensor or CommandPost front panel keypad and LCD display. Actions
performed at the sensor will be recorded to the CommandPost to which the sensor is
registered.
You can access the Audit Log from the CommandPost GUI to find audit entries.
Note: Fidelis recommends that you restrict audit log access to system administrators
and network security personnel. A user with Audit access can see all auditable actions.
Access Audit
Click System>Audit at the main menu. The Audit Log displays.
Category The general type of action that occurred. For example, roles, users, audit.
Action The specific action that occurred. Most actions relate to the section of the
CommandPost used to trigger the action. For example. Alerts, Policies,
and Reports. The Action column may also include information about what
occurred, such as login or a policy update.
Click a row to display more detailed information about an audit log entry. Expand all displays more
details about all rows. Detailed information includes the effect and a description of the action.
Search Terms
Entering an ID number returns one and only row. For example, entering 21 matches only 21 and
not 211. Ranges are not supported for ID searches.
Enter specific terms in the Find: text box. Searching for term will match any audit entry containing
term in the chosen field. This will match audit entries with words such as term, terminate, and
exterminate.
Entering multiple words such as
term1term2
matches any audit entry containing both term1 and term2. The terms can be found in any order and
with any amount of separation between them.
The use of quotes around a phrase will be treated as a single search term. The phrase term1
term2 will match any audit entry containing the exact phrase within the quotes. Any spaces in the
phrase will match any space characters in the audit entry, including a space, a tab, a new line, etc.
Matching is done on the character boundaries, not word boundaries. Therefore, a phrase of top
secret will match an audit entry containing a phrase such as stop secrets.
Multiple phrases such as a literal phrase 1 and a literal phrase 2 can be included in the Find
field. This will match any audit entries containing all of the phrases listed.
Time Periods
To specify a new time period, select a value from the During Last list, select hours or days, and
click Go. Options range from 1 hour to 96 days and also include the default value of all.
Before and after extensive changes have been made to the system that you want to preserve
Before upgrading
Important:
The Fidelis XPS software must remain at the same version between Backup and Restore.
Restore stipulates that the CommandPost host name and IP address remain the same
between Backup and Restore.
Restore restores the database to the backup that was previously saved. Data added after that
backup will be lost.
Note: CommandPost has a recovery disk supplied by Fidelis Security Systems to
restore the Fidelis XPS software, but using this disk wipes out all file and database
objects.
Backup CommandPost
All objects of a CommandPost system are backed up including file and database objects.
Important: These instructions use SCP or your site's preferred method of file transfer
and external data storage.
1. As root user on the CommandPost appliance, stop all services:
/etc/init.d/httpd stop
/etc/init.d/tomcat stop
/etc/init.d/pman stop
/etc/init.d/rconfigd stop
/etc/init.d/mysql stop
2. Copy the database files to a backup location:
Fidelis XPS User Guide Version 6.0 Backup and Restore 144
cd /var/lib/mysql/
tar cvzf <db-archive-name>.tgz fss* policies4 mysql
scp <db-archive-name>.tgz <user>@<host>:/path/to/backup/storage/
rm <db-archive-name>.tgz
Where <db-archive-name> is the name of your database output file
Where <user>@<host> is the destination location of the database output file
3. Copy the configuration files to a backup location:
cd /
tar cvzf /var/lib/mysql/<conf-archive-name>.tgz /FSS /etc/passwd
/etc/shadow /etc/sudoers /etc/group /etc/cron* /etc/sysconfig/
scp /var/lib/mysql/<conf-archive-name>.tgz
<user>@<host>:/path/to/backup/storage/
rm /var/lib/mysql/<conf-archive-name>.tgz
# NOTE: above files are created in /var/lib/mysql because of space
requirements
# NOTE: above does not preserve spool files and log files, but
audit data is saved in the database
Where <conf-archive-name> is the file name
4. Restart key services:
/etc/init.d/mysql start
/etc/init.d/rconfigd start
/etc/init.d/pman start
/etc/init.d/tomcat start
/etc/init.d/httpd start
Restore CommandPost
All objects of a CommandPost system are restored.
1. As root user on the CommandPost appliance, stop all services:
/etc/init.d/httpd stop
/etc/init.d/tomcat stop
/etc/init.d/pman stop
/etc/init.d/rconfigd stop
/etc/init.d/mysql stop
2. Copy the database files to the CommandPost database location:
cd /var/lib/mysql/
scp <user>@<host>:/path/to/backup/storage/<db-archive-name>.tgz .
tar xvzf <db-archive-name>.tgz
rm <db-archive-name>.tgz
Copy the configuration files to the CommandPost location:
cd /
scp <user>@<host>:/path/to/backup/storage/<conf-archive-name>.tgz
/var/lib/mysql/
tar xvzf /var/lib/mysql/<conf-archive-name>.tgz
rm /var/lib/mysql/<conf-archive-name>.tgz
# NOTE: above files are placed in /var/lib/mysql because of space
requirements
# NOTE: above does not restore spool files and log files, but audit
data is saved in the database
4. Restart key services:
Fidelis XPS User Guide Version 6.0 Backup and Restore 145
/etc/init.d/mysql start
/etc/init.d/rconfigd start
/etc/init.d/pman start
/etc/init.d/tomcat start
/etc/init.d/httpd start
5. Sync the database:
/FSS/bin/db_installer --update --yes
Fidelis XPS User Guide Version 6.0 Backup and Restore 146
Chapter 15 Archive
Archive enables you to take alert and session data on the CommandPost and FTP it to another
server.
Note: To access Archive, you need full system administrator permissions to Alerts
and Alert Details.
Archive also requires access to the command line interface. Access to this interface is reserved for
advanced administrators thoroughly familiar with Linux.
To archive CommandPost data, you need to set up the FTP server and configure it, export data to
another server, then verify that the data is on the server. You can then import the exported files, if
needed.
Note: Archive and Export are available from the CommandPost GUI. Refer to Archive
and Export.