
Trellix Device Deployment Guide

2024.2
Contents

Planning  7
    Deployment overview  7
    Virtual machine requirements  7
    Hardware requirements  8
    Network requirements  8
        Management path requirements  8
AWS  10
    AWS requirements  10
        AWS specifications  10
    Deploying virtual Network Security appliances on Amazon Web Services (AWS)  13
        Using an AWS CloudFormation template to deploy a Network Security instance  13
        Manually deploying a Network Security instance in AWS  14
            Creating the Network Security instance (manual method only)  15
            Configuring Network Security network interfaces on AWS (manual method only)  19
            Configuring the activation code and initial admin password (manual method only)  22
            Configuring a static IP address for the ether1 interface (manual method only)  23
        Performing the initial Network Security configuration using AWS  24
        Configuring monitoring ports on the Network Security instance  29
        Deploying Network Security instances in AWS in inline mode  30
            Use case scenario 1: Deploying a Network Security instance in AWS using VPC ingress routing  31
            Use case scenario 2: Deploying a Network Security instance in AWS between internal Web Servers and a NAT device  35
            Use case scenario 3: Deploying a Network Security instance in AWS between virtual desktop clients and the internet  38
            Use case scenario 4: Deploying a Network Security instance in AWS between on-premises clients and the internet  42
            Use case scenario 5: Deploying a Network Security instance in AWS using Gateway Load Balancer (GWLB)  46
        Configuring traffic mirroring on AWS for TAP or SPAN mode  50
        Enabling HTTP health checks for Network Security monitoring ports on AWS  50
    Deploying virtual Central Management appliances on Amazon Web Services (AWS)  52
        Launching a Central Management instance on AWS  53
        Configuring the activation code and initial Admin password  54
        Configuring a static IP address for the ether1 interface  56
        Performing the initial Central Management configuration using AWS  56
    Deploying virtual Email Security appliances on Amazon Web Services (AWS)  61
        Launching an Email Security instance on AWS  62
        Configuring the activation code and initial Admin password  64
        Configuring a static IP address for the ether1 interface  65
        Performing the initial Email Security configuration using AWS  66
        Configuring multiple network interfaces  70
    Deploying virtual Virtual Execution appliances on Amazon Web Services (AWS)  74
        Launching a virtual Virtual Execution instance on AWS  75
        Configuring the activation code and initial Admin password  77
        Configuring a static IP address for the ether1 interface  78
        Performing the initial Virtual Execution configuration using AWS  79
    Deploying virtual File Protect appliances on Amazon Web Services (AWS)  83
        Launching a File Protect instance on AWS  85
        Configuring the activation code and initial Admin password  86
        Configuring a static IP address for the ether1 interface  88
        Performing the initial File Protect configuration using AWS  89
    Changing an AWS instance type  93
Azure  95
    Azure requirements  95
        Azure specifications  95
    Deploying virtual Network Security appliances in Microsoft Azure  96
        Deploying a virtual machine using an Azure ARM template  98
            Deploying a virtual machine using the Azure ARM template in marketplace  98
            Deploying a virtual machine using the standalone Azure ARM template  99
        Deploying a Network Security virtual machine using the private products listing in marketplace  100
            Creating the Network Security virtual machine using the private products listing in marketplace  101
            Creating Network Security network interfaces  103
            Attaching network interfaces to the virtual machine  104
        Performing the Network Security initial configuration on Microsoft Azure  106
        Configuring monitoring ports on the Network Security appliance  110
        Deploying virtual Network Security appliances in Azure in inline mode  111
        Deploying virtual Network Security appliances in Azure in inline mode with load balancing  114
        Deploying virtual Network Security appliances in Azure in inline mode with gateway load balancing  116
        Deploying virtual Network Security appliances in Azure in TAP or SPAN mode  118
    Deploying virtual Central Management appliances in Microsoft Azure  121
        Creating a Central Management virtual machine using the private products listing in marketplace  122
        Performing the Central Management initial configuration on Microsoft Azure  124
    Deploying a virtual Central Management High Availability cluster in Microsoft Azure  128
        Creating the virtual machines  130
        Logging in to the CLI for the first time  130
        Assigning a "dummy" static IP address  131
        Configuring virtual network peering  131
        Performing the Central Management HA initial configuration on Microsoft Azure  132
    Changing an Azure virtual machine size  135
ESXi  137
    VMware and ESXi requirements  137
        ESXi specifications  138
        VMware limitations  141
    Deploying virtual Network Security, File Protect, and Central Management appliances  142
        Installing virtual Network Security, File Protect, and Central Management appliances  143
        Performing the initial Network Security, File Protect, or Central Management configuration  147
        Configuring a virtual Network Security, File Protect, or Central Management network  160
    Deploying virtual Email Security appliances  167
        Installing a virtual Email Security appliance  168
        Performing the initial Email Security configuration  173
        Configuring a virtual Email Security network  179
    Deploying virtual Intelligent Virtual Execution - Server appliances  188
        Installing a virtual IVX appliance  188
        Performing the initial IVX configuration  192
        Configuring a virtual IVX network  198
KVM  203
    KVM requirements  203
        KVM specifications  204
    Deploying virtual Network Security appliances on KVM Servers  206
        Installing a virtual Network Security appliance using the KVM UI  206
        Performing the initial Network Security configuration for the virtual appliance  210
        . . .  215
        Defining multiple queues for data ports  216
    Deploying virtual Central Management appliances on KVM Servers  217
        Installing a virtual Central Management appliance on KVM  217
        Performing the initial Central Management configuration for the virtual appliance  219
    Deploying virtual FX appliances on KVM Servers  223
        Installing virtual FX appliances on KVM Servers  223
        Performing the initial configuration for the virtual FX appliance  227
Hyper-V  233
    Microsoft Hyper-V requirements  233
        Hyper-V specifications  233
        Hyper-V limitations  235
    Deploying virtual Network Security appliances using Microsoft Hyper-V Manager  235
        Installing a virtual Network Security appliance using Microsoft Hyper-V Manager  235
        Performing the initial Network Security configuration using Microsoft Hyper-V Manager  238
        Configuring a virtual Network Security network using Microsoft Hyper-V Manager  245
            Deploying virtual Network Security appliances using Hyper-V Manager in inline mode  245
            Deploying virtual Network Security appliances using Hyper-V Manager in TAP mode  246
    Deploying virtual Central Management System appliances using Microsoft Hyper-V Manager  247
        Installing a virtual Central Management appliance using Microsoft Hyper-V Manager  247
        Performing the initial Central Management configuration using Microsoft Hyper-V Manager  249
    Deploying virtual File Protect appliances using Microsoft Hyper-V Manager  256
        Installing a virtual File Protect appliance using Microsoft Hyper-V Manager  257
        Performing the initial File Protect configuration using Microsoft Hyper-V Manager  259
        Configuring a virtual File Protect network using Microsoft Hyper-V Manager  266
Physical  267
    Installing hardware  267
    Performing the initial configuration  267
        Configuring initial settings using a keyboard and monitor  267
        Configuring initial settings using the serial console port  268
            Using a Windows or Mac laptop  268
            Using a Linux system  269
            Using a terminal server  269
        Configuration wizard steps  270
    Configuring the IPMI interface  292
        Configuring IPv6 addresses for the IPMI interface  294
Administration  296
    Working with virtual appliances  296
        Understanding virtual appliance licensing  296
            Viewing virtual appliance license status using the CLI  297
        Viewing system entropy status  301
            Viewing system entropy status using the CLI  301
Technical Support  303


1| Planning

Planning
• Deployment overview
• Virtual machine requirements
• Hardware requirements
• Network requirements

Deployment overview
Most Trellix devices are available in both virtual and physical form factors. Virtual appliance cloud deployments include AWS and
Azure. Virtual appliance on-premises deployments include ESXi, KVM, and Hyper-V.

This guide describes how to install and deploy them in your network. It includes the following sections:

• AWS
• Azure
• ESXi
• KVM
• Hyper-V
• Physical
• Administration
For information about configuring the deployment and operational mode for the appliance, see its System Administration Guide,
Administration Guide, or User Guide.

Additional configuration is required for devices that are part of a Trellix platform, such as a Helix or Intelligent Virtual Execution -
Server cluster deployment.

• For information about integrating your devices with Helix, see the Helix Integration Guide.
• For information about integrating your devices in an MVX cluster deployment, see the Cloud MVX Guide or MVX Smart Grid
Guide.

Note

This guide covers Malware Analysis, Central Management System, Email Security — Server, File Protect, Network Security,
and Intelligent Virtual Execution - Server devices. For deployment information about other Trellix devices such as Endpoint
Security (HX), Network Investigator, and Packet Capture, see the documentation for those devices.

Virtual machine requirements

The following sections list virtual machine requirements.

Trellix Device Deployment Guide 2024.2 7


• AWS requirements
• Azure requirements
• VMware and ESXi requirements
• KVM requirements
• Microsoft Hyper-V requirements

Hardware requirements
See the Hardware Administration Guide for the specific appliance model for its specifications.

Network requirements
The following basic network requirements must be met:

• Connectivity with the DTI network (one-way, one-way with override, or two-way sharing).
• Network access to the ports listed in the "Multi-Vector Execution (MVX) Platforms" section of the Trellix Ports and Protocols
Guide.

For network requirements for specific deployments, see the following:

• Cloud MVX Guide
• MVX Smart Grid Guide
• Helix Integration Guide

Management path requirements

Trellix appliances download software updates (security content, system images, and guest images) from the Trellix Dynamic
Threat Intelligence (DTI) network. With a two-way content license, an appliance can also upload threat intelligence information
to the DTI network. The Central Management System appliance and standalone appliances connect directly to the DTI network.
By default, managed appliances receive software updates from the DTI network through the Central Management System
appliance, so only the Central Management System appliance needs outbound access to the DTI network on their behalf.

The Central Management System appliance and standalone appliances use the ether1 port to communicate with the DTI
network. Managed appliances use the ether1 port to communicate with the Central Management System appliance. The ether1
port on both the Central Management System appliance and the managed appliances requires a static IP address or reserved
DHCP address and subnet mask.

Environments that restrict outbound access to certain IP addresses

If your security policy requires that outbound access be restricted to specific IP addresses, you cannot use the DTI network
directly, because its addresses are not fixed. Instead, point the appliance to staticcloud.fireeye.com for DTI updates, and allow
access to the *.incapdns.net domain.


If your appliance gets threat intelligence from the DTI cloud, you need to enable access to the Amazon Web Services (AWS) cloud
for ATI communication. The intel context service is hosted in multiple AWS regions and resolves to multiple IP addresses based
on geographic location.

To configure and access staticcloud.fireeye.com:

1. Enable CLI configuration mode.

hostname > enable
hostname # configure terminal

2. Enter the following command from the appliance CLI:

hostname (config) # fenet dti source default DTI

3. Save your configuration.

hostname (config) # write mem

4. Add IP addresses as listed here to the firewall.

To allow access to *.incapdns.net:

1. Add the block of IP addresses found here to the firewall.
2. Allow access to the *.incapdns.net domain at the proxy device.

To allow access to the AWS cloud for threat intelligence:

1. Go to https://dnschecker.org/#A/context.fireeye.com to determine the IP addresses that context.fireeye.com resolves to for
   your location.
2. See the AWS IP address range documentation for information about whitelisting those IP addresses. Because the service
   resolves to different addresses by region, allow the published AWS ranges that contain them rather than the individual
   addresses you observed.

Domain-Based Proxy ACL Rules

If your configuration includes domain-based proxy ACL rules, allow access to *.fireeye.com.
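The allowlisting steps above come down to two mechanical checks that are easy to get wrong by hand: mapping the addresses that context.fireeye.com resolves to onto the AWS published ranges, and applying wildcard domain rules such as *.fireeye.com and *.incapdns.net at the proxy without letting a bare suffix match accept look-alike hosts. The following Python script is an added example and is not code from the Trellix guide. It maps a set of resolved addresses onto the prefixes in a document shaped like the ip-ranges.json file AWS publishes, emits the firewall allowlist as prefixes rather than individual addresses, reports any address that no allowed prefix covers instead of silently opening it, and applies the proxy wildcard rules with a strict match. The prefixes, the resolved addresses, the allowed AWS service names (AMAZON, EC2), the rule syntax, and TCP port 443 are all constructed assumptions; confirm the real ports against the Trellix Ports and Protocols Guide.

```python
"""Egress allowlist helper for the Trellix DTI / ATI management path.

Added example, not from the Trellix guide. All addresses and prefixes
below are constructed sample data; they are not the real AWS ranges or
the real resolution of context.fireeye.com.
"""
import ipaddress
import json

# Constructed stand-in for the ip-ranges.json document AWS publishes
# (same shape: "prefixes" -> list of {ip_prefix, region, service}).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "us-west-2", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-west-2", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "S3"},
    ],
})

# Constructed stand-in for the A records you would look up for
# context.fireeye.com from your location.
SAMPLE_CONTEXT_A_RECORDS = ["198.51.100.17", "203.0.113.9", "192.0.2.250"]


def load_prefixes(ip_ranges_json: str):
    """Parse ip-ranges.json into (network, region, service) tuples."""
    doc = json.loads(ip_ranges_json)
    return [(ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"])
            for p in doc["prefixes"]]


def covering_prefixes(addresses, prefixes, services=("AMAZON", "EC2")):
    """For each resolved address return the most specific AWS prefix of an
    allowed service that contains it. Addresses outside every allowed
    prefix map to None so they are surfaced rather than opened blindly."""
    result = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        matches = [(net, region, svc) for net, region, svc in prefixes
                   if svc in services and ip in net]
        if matches:
            net, region, svc = max(matches, key=lambda m: m[0].prefixlen)
            result[addr] = (str(net), region, svc)
        else:
            result[addr] = None
    return result


def wildcard_match(pattern: str, hostname: str) -> bool:
    """Strict match for proxy ACL wildcards such as '*.fireeye.com'.
    '*.fireeye.com' matches 'staticcloud.fireeye.com' but neither
    'fireeye.com' itself nor 'notfireeye.com' (a bare endswith() on
    'fireeye.com' would accept the latter)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]            # ".fireeye.com"
        return hostname.endswith(suffix) and len(hostname) > len(suffix)
    return pattern == hostname


def build_egress_rules(addresses, prefixes, domain_rules):
    """Produce allowlist lines for the firewall (prefix based, generic
    rule syntax assumed) and the proxy (domain based); addresses that no
    allowed prefix covers go to a review list instead of a rule."""
    fw, review = [], []
    for addr, hit in covering_prefixes(addresses, prefixes).items():
        if hit is None:
            review.append(addr)
        else:
            net, region, svc = hit
            fw.append(f"allow tcp any -> {net} 443  # {svc} {region} ({addr})")
    proxy = [f"allow domain {d}" for d in domain_rules]
    return {"firewall": sorted(set(fw)), "proxy": proxy, "review": review}


if __name__ == "__main__":
    rules = build_egress_rules(
        SAMPLE_CONTEXT_A_RECORDS,
        load_prefixes(SAMPLE_IP_RANGES),
        ["*.fireeye.com", "*.incapdns.net"],
    )
    print(json.dumps(rules, indent=2))
```

The review list is the point of the script: in the sample data 192.0.2.250 falls inside an AWS range that belongs to a service you did not allow, so it is reported for a human decision rather than added to the firewall. Re-run the mapping whenever the published ranges change, since the prefixes you allowed can be narrowed or moved between services.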

2| AWS

AWS
• AWS requirements
• Deploying virtual Network Security appliances on Amazon Web Services (AWS)
• Deploying virtual Central Management System instances on Amazon Web Services (AWS)
• Deploying virtual Malware Analysis instances on Amazon Web Services (AWS)
• Deploying virtual Intelligent Virtual Execution - Server appliances on Amazon Web Services (AWS)
• Deploying virtual File Protect appliances on Amazon Web Services (AWS)
• Changing an AWS instance type

AWS requirements
The following resources are required for an AWS deployment:

• Trellix AMIs (published in the US West region) copied to My AMIs in your region.
• Access to the AWS Management Console.
• Network Security only: The AWS CloudFormation template file if you use the template deployment method.
• Items from your AWS administrator, such as the network, subnet, and IP addresses for the instance, and key pairs and
security groups to secure the instance.
• Items from Trellix, such as the activation code and licenses for your instance.
• Network Security only: Admin role to configure monitor interface addressing on the Network Security instance.
• Network Security only: Operator or Admin role to enable HTTP health checks for AWS network load balancing (NLB) on the
Network Security instance.

Limitation

• TAP/SPAN mode is not supported on virtual Email Security — Server appliances.

AWS specifications

Each virtual appliance launched in AWS must meet the following specifications.

Network Security requirements

Network Security is provided as a single generic AWS virtual model, FireEyeNXCloudVec2nitro, which must be deployed on the
AWS Nitro System.


Note

All instance types have 10 virtual NICs (one management, one submission, eight monitoring) and 512 GB (EBS) disk space.
Review the other specifications shown in the AWS Management Console as you select the instance type that meets your
requirements. You can also view Network Security specifications in the Trellix data sheet here.

The following AWS instance types are supported for a Network Security instance. Their availability may vary by region.

• c5: c5.2xlarge, c5.4xlarge, c5.9xlarge, c5.12xlarge, c5.18xlarge, c5.24xlarge
• m5: m5.xlarge, m5.2xlarge, m5.4xlarge, m5.8xlarge, m5.12xlarge, m5.16xlarge, m5.24xlarge
• m6i: m6i.xlarge, m6i.2xlarge, m6i.4xlarge, m6i.8xlarge, m6i.12xlarge, m6i.16xlarge, m6i.24xlarge
• r5: r5.xlarge, r5.2xlarge, r5.4xlarge, r5.8xlarge, r5.12xlarge, r5.16xlarge, r5.24xlarge

Central Management System requirements

Central Management System is provided as a single generic AWS virtual model, FireEyeCMCloudVec2nitro, which must be
deployed on the AWS Nitro System.

Note

All instance types have 4 virtual NICs and 1024 GB (EBS) disk space. Review the other specifications shown in the AWS
Management Console as you select the instance type that meets your requirements.

The following AWS instance types are supported for a Central Management System instance. Their availability may vary by
region.

• c5: c5.large, c5.xlarge, c5.2xlarge, c5.4xlarge, c5.9xlarge, c5.12xlarge, c5.18xlarge, c5.24xlarge
• m5: m5.large, m5.xlarge, m5.2xlarge, m5.4xlarge, m5.8xlarge, m5.12xlarge, m5.16xlarge, m5.24xlarge
• r5: r5.large, r5.xlarge, r5.2xlarge, r5.4xlarge, r5.8xlarge, r5.12xlarge, r5.16xlarge, r5.24xlarge


Email Security — Server requirements

Email Security — Server is provided as a single generic AWS virtual model, FireEyeEX7700CloudEc2c5metal, which must be
deployed on the AWS Nitro System.

Note

The Email Security — Server instance supports one virtual NIC and 1024 GB (EBS) disk space.

The following AWS instance type is supported for an Email Security — Server instance.

• c5.metal

Intelligent Virtual Execution - Server requirements

Intelligent Virtual Execution - Server is provided as a single generic AWS virtual model, FireEyeVX12550CloudEc2c5metal, which
must be deployed on the AWS Nitro System.

Note

The Intelligent Virtual Execution - Server instance supports one virtual NIC and 1024 GB (EBS) disk space.

The following AWS instance type is supported for an Intelligent Virtual Execution - Server instance.

• c5.metal

File Protect requirements

File Protect is provided as a single generic AWS virtual model, FireEyeFXCloudVec2nitro, which must be deployed on the AWS Nitro System.

Note

All instance types have 4 virtual NICs and 1024 GB (EBS) disk space. Review the other specifications shown in the AWS
Management Console as you select the instance type that meets your requirements.

The following AWS instance types are supported for a File Protect instance. Their availability may vary by region.

• m5: m5.2xlarge, m5.4xlarge, m5.8xlarge, m5.12xlarge, m5.16xlarge, m5.24xlarge

Deploying virtual Network Security appliances on Amazon Web Services (AWS)
An AMI (Amazon Machine Image) is a template that contains the software configuration needed to deploy a virtual Network
Security appliance (known as an instance in AWS). The software configuration includes the operating system, application server,
and applications that are needed to deploy the appliance.

You can use AWS CloudFormation to quickly deploy a Network Security instance with fewer manual steps. You define the
resources for the instance by entering values in an AWS CloudFormation template. You can alternatively use a more manual
process to deploy the virtual machine. Both methods are covered in the following topics:

• Using an AWS CloudFormation template to deploy a Network Security instance
• Manually deploying a Network Security instance in AWS

Note

This document provides the basic steps for launching Trellix virtual appliances, and assumes familiarity with launching virtual
machines in AWS. For comprehensive information, see the AWS documentation provided by Amazon.

Using an AWS CloudFormation template to deploy a Network Security instance

Note

For more information about AWS CloudFormation, see the Amazon AWS CloudFormation documentation.

The following table summarizes the steps to deploy a Network Security instance in AWS using a CloudFormation template.

1. Ensure that requirements are met.
   See: AWS requirements
2. Deploy the CloudFormation template to create the instance.
   See: Template and instructions
3. Start the instance and perform the initial configuration.
   See: Performing the initial Network Security configuration using AWS
4. Configure IP addressing for the monitoring interfaces on the Network Security instance.
   See: Configuring monitoring ports on the Network Security instance
5. Inline mode: Perform the procedures in a supported use case scenario.
   See: Deploying Network Security instances in AWS in inline mode
6. TAP or SPAN mode: Create traffic mirror sessions to copy the traffic from network interfaces.
   See: Configuring traffic mirroring on AWS for TAP or SPAN mode
7. Optional: Enable HTTP health checks for AWS network load balancing (NLB).
   See: Enabling HTTP health checks for network load balancing on AWS
8. Optional: If you determine your instance is too small or too large for your needs, you can change the instance type.
   See: Changing an AWS instance type

Note

Network interfaces are placed in the following VRF namespaces:

• ether1, ether2—vrf0
• pether3, pether4—vrfA
• pether5, pether6—vrfB
• pether7, pether8—vrfC
• pether9, pether10—vrfD

For details about virtual routing and forwarding (VRF), see the "Layer 3 Forwarding Using VRF Instances" information in the
Network Security System Administration Guide.

Manually deploying a Network Security instance in AWS

The following table summarizes the steps to manually deploy a Network Security instance in AWS.

1. Ensure that requirements are met.
   See: AWS requirements
2. Launch the instance.
   See: Creating the Network Security instance
3. Create and attach the network interfaces.
   See: Configuring Network Security network interfaces on AWS
4. (Optional) Apply the activation code and configure the initial admin password for the instance.
   See: Configuring the activation code and initial admin password
5. If using a static IP address for the ether1 interface: Configure the IP address.
   See: Configuring a static IP address for the ether1 interface
6. Start the instance and perform the initial configuration.
   See: Performing the initial Network Security configuration using AWS
7. Configure IP addressing for the monitoring interfaces on the Network Security instance.
   See: Configuring monitoring ports on the Network Security instance
8. Inline mode: Perform the procedures in a supported use case scenario.
   See: Deploying Network Security instances in AWS in inline mode
9. TAP or SPAN mode: Create traffic mirror sessions to copy the traffic from network interfaces.
   See: Configuring traffic mirroring on AWS for TAP or SPAN mode
10. (Optional) Enable HTTP health checks for AWS network load balancing (NLB).
    See: Enabling HTTP health checks for network load balancing on AWS
11. Optional: If you determine your instance is too small or too large for your needs, you can change the instance type.
    See: Changing an AWS instance type

Note

You can alternatively create the virtual appliance using an AWS CloudFormation template, described in AWS CloudFormation
template deployment.

Creating the Network Security instance (manual method only)

This topic describes how to launch a Network Security instance on AWS using the manual deployment method only. Do not
perform this procedure if you are using the AWS CloudFormation template method.

Important

The navigation instructions and user interface may vary based on the AWS Management Console version that is running
when you deploy your appliances.

Note

This procedure covers the required settings for a Trellix virtual appliance. You can accept the default values for the other
settings, or specify values that are appropriate for your environment.

To launch a Network Security instance on AWS:

1. Go to the AWS login page and log in using your AWS ID.
2. On the Profile page, select your AWS role and then click AWS Console URL.
3. On the next page, click AWS Console login. The AWS Management Console opens.
4. In the navigation bar at the top of the console, select the region for the instance.
5. In the AWS services section, select EC2.
6. Click Launch Instance in the Create Instance section.
7. On the Choose an Amazon Machine Image (AMI) page, locate the AMI for the Network Security sensor. For example, locate
"FireEyeNXCloudVec2nitro." Then click Select.
8. On the Choose an Instance Type page, select a type that meets your requirements as listed in Network Security
Requirements. Then select Next: Configure Instance Details.
9. On the Configure Instance Details page:
a. Select the management network and subnet from the Network and Subnet drop-down lists, and specify other
settings provided by your network administrator. Click Next: Add Storage.

Note

Trellix recommends that you configure a static IP address in the Primary IP field in the Network interfaces section
at the bottom of the page.

10. On the Add Storage page, keep the default settings and then click Next: Add Tags.
11. (If required by your AWS administrator) On the Add Tags page, provide key and value combinations. Then click Next:
Configure Security Group.
12. On the Configure Security Group page, select or add the security group that defines firewall rules that control traffic to the
sensor. Then click Review and Launch.

Important

Trellix recommends using a security group applicable to your organization instead of using the default security group,
which is less secure.

13. On the Review Instance Launch page, review the details about your instance. Click the appropriate Edit link if you need to
make changes. When you are satisfied with the details, click Launch.
14. In the Select an existing key pair or create a new key pair dialog box:
a. Select an existing pair or create a new one. To use the key pair you created when you were set up to use Amazon EC2,
click Choose an existing key pair, and then select that key.

Important

Store the name of the key pair and the private key in a secure location.

b. Select the checkbox to confirm that you agree to the acknowledgement statement, and then click Launch Instances.

Configuring Network Security network interfaces on AWS (manual method only)

The ether1 interface on the Network Security instance is the only interface that is created by default. If you are using the
manual deployment method, you must create the optional submission interface (ether2) and the monitoring interfaces (pether3,
pether4, and so on), and then attach them to the instance. Source and destination checking must be disabled on monitoring
interfaces to ensure that all network traffic reaches the instance.

The following table shows the mapping between AWS devices and Network Security interfaces.

AWS Device   Network Security Interface   Purpose
eth0         ether1                       Management interface; submission interface to MVX cluster (Cloud MVX, MVX Smart Grid)
eth1         ether2                       (Optional) Dedicated submission interface to MVX cluster (Cloud MVX, MVX Smart Grid)
eth2         pether3                      Monitoring interface
eth3         pether4                      Monitoring interface

Creating Network Interfaces

This section describes how to create a network interface for your Network Security instance if you are using the manual
deployment method.

To create a network interface:

1. Open the Amazon EC2 console.
2. In the left pane, select Network & Security > Network Interfaces.
3. Click Create Network Interface.
4. Enter information that uniquely identifies the interface in the Description field.
5. Select the subnet for the interface in the Subnet drop-down list.

Important

Each interface must be in a separate subnet.

6. Select Custom to manually configure a static IPv4 address.
7. Enter the custom static IPv4 address in the IPv4 address field.
8. Complete the Elastic Fabric Adapter and Security groups fields as directed by your AWS administrator.
9. Click Create.
10. Repeat this procedure for each network interface.
11. Continue to Attaching network interfaces.

Attaching Network Interfaces

This section describes how to attach a network interface to your instance if you are using the manual deployment method.

To attach a network interface:

1. Open the EC2 console.
2. Select Instances > Instances in the left pane.
3. Right-click the instance and then select Networking > Attach Network Interface. The Attach Network Interface dialog box
opens.
4. Select the interface with the lowest number in the Network Interface drop-down list (for example, ether2) and then click
Attach.
5. Repeat the previous step for each network interface.

Important

Attach the interfaces in numeric order. For example, attach pether3 before pether4.

6. Disable source and destination checks on each monitor interface.
a. Select the interface.
b. Right-click and select Change Source/Dest. Check. The Source/Dest. Check dialog box opens.
c. Select Disabled and then click Save.
7. Stop the instance:
a. Select Instances in the navigation pane.
b. Select the instance, right-click, and then select Instance State > Stop.
8. Restart the instance:
• Select the instance, right-click, and then select Instance State > Start.

Important

Do not perform this step if you plan to perform the following optional procedure (Configuring the activation code and
initial admin password).

Note

Network interfaces are placed in the following VRF namespaces:

• ether1, ether2—vrf0
• pether3, pether4—vrfA
• pether5, pether6—vrfB
• pether7, pether8—vrfC
• pether9, pether10—vrfD

For details about virtual routing and forwarding (VRF), see the "Layer 3 Forwarding Using VRF Instances" information in the
Network Security System Administration Guide.
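The rules in the two preceding procedures (one subnet per interface, interfaces attached in numeric order, source/destination checking disabled on every monitoring interface) can be verified against the instance's network interface records before the instance is started. The following Python script is an added example and is not Trellix or AWS code. Its input is a constructed sample shaped like the EC2 describe-network-interfaces response (NetworkInterfaceId, SubnetId, SourceDestCheck, Attachment.DeviceIndex); the eth0 to eth3 mapping comes from the table above, and extending it to higher device indexes is an assumption of the example.

```python
"""Pre-flight check of the ENIs attached to a Network Security instance on AWS.

Added example, not Trellix or AWS code. It checks the rules from this section:
  - the AWS device index maps to the Network Security interface name
    (eth0 -> ether1, eth1 -> ether2, eth2 -> pether3, eth3 -> pether4);
  - each interface is in a separate subnet;
  - source/destination checking is disabled on every monitoring interface;
  - interfaces were attached in numeric order (no gaps in the device indexes).
"""
from typing import Dict, List, Optional


def interface_name(device_index: int) -> str:
    """Map an AWS device index (ethN) to the Network Security interface name.

    The guide's table covers eth0..eth3; extending the pattern to higher
    indexes (eth4 -> pether5, ...) is an assumption of this example.
    """
    return f"ether{device_index + 1}" if device_index < 2 else f"pether{device_index + 1}"


def is_monitoring_interface(name: str) -> bool:
    return name.startswith("pether")


def check_interfaces(enis: List[Dict]) -> List[str]:
    """Return findings for one instance's ENIs; an empty list means the layout follows the guide."""
    findings: List[str] = []
    by_index: Dict[int, Dict] = {}

    for eni in enis:
        attachment: Optional[Dict] = eni.get("Attachment")
        if attachment is None:
            findings.append(f"{eni['NetworkInterfaceId']} is not attached to the instance")
            continue
        idx = attachment["DeviceIndex"]
        if idx in by_index:
            findings.append(f"device index {idx} is used by more than one interface")
        by_index[idx] = eni

    # Attaching in numeric order leaves a contiguous run of device indexes starting at 0.
    if sorted(by_index) != list(range(len(by_index))):
        findings.append(f"device indexes are not contiguous: {sorted(by_index)}")

    subnet_owner: Dict[str, str] = {}
    for idx in sorted(by_index):
        eni = by_index[idx]
        name = interface_name(idx)
        subnet = eni["SubnetId"]
        if subnet in subnet_owner:
            findings.append(f"{name} (eth{idx}) shares subnet {subnet} with {subnet_owner[subnet]}")
        else:
            subnet_owner[subnet] = name
        # SourceDestCheck defaults to true on a new ENI. It must be off on monitoring
        # interfaces, or traffic not addressed to the ENI is dropped before the sensor sees it.
        if is_monitoring_interface(name) and eni.get("SourceDestCheck", True):
            findings.append(f"{name} (eth{idx}) still has source/destination checking enabled")
    return findings


# Constructed sample data (not real AWS identifiers): the first layout follows the
# guide, the second leaves pether4 in pether3's subnet with the default SourceDestCheck.
GOOD_ENIS = [
    {"NetworkInterfaceId": "eni-example-mgmt", "SubnetId": "subnet-example-1", "SourceDestCheck": True, "Attachment": {"DeviceIndex": 0}},
    {"NetworkInterfaceId": "eni-example-sub", "SubnetId": "subnet-example-2", "SourceDestCheck": True, "Attachment": {"DeviceIndex": 1}},
    {"NetworkInterfaceId": "eni-example-monA", "SubnetId": "subnet-example-3", "SourceDestCheck": False, "Attachment": {"DeviceIndex": 2}},
    {"NetworkInterfaceId": "eni-example-monB", "SubnetId": "subnet-example-4", "SourceDestCheck": False, "Attachment": {"DeviceIndex": 3}},
]
BAD_ENIS = GOOD_ENIS[:3] + [
    {"NetworkInterfaceId": "eni-example-monB", "SubnetId": "subnet-example-3", "SourceDestCheck": True, "Attachment": {"DeviceIndex": 3}},
]

if __name__ == "__main__":
    for label, enis in (("good", GOOD_ENIS), ("bad", BAD_ENIS)):
        print(label, check_interfaces(enis) or ["no findings"])
```

Run against the real instance by feeding it the NetworkInterfaces list returned for that instance; every finding corresponds to one of the Important notes in this section, so an empty result means the interface layout is ready for the activation and initial configuration steps that follow.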

Configuring the activation code and initial admin password (manual method only)

Note

Perform this procedure for the manual deployment method only. Do not perform this procedure if you are using the AWS
CloudFormation template method.

This topic describes how to apply the activation code to the virtual appliance instance and configure a password for the initial
admin user.

Important

This procedure is optional and should only be used with the manual deployment method. (It should not be performed with
the AWS CloudFormation template method.) If you skip this procedure, you will be prompted to enter the activation code and
change the password when you log into the initial SSH session to perform the initial configuration of the appliance.

To apply the activation code to the instance:

1. Open the EC2 Management Console.
2. Select Instances > Instances in the left pane.
3. Select the instance, right-click, and then select Instance Settings > View/Change User Data.
4. Copy and paste the following script in the User Data field. Replace <code> with the activation code for the instance that
was included in the onboarding email from Trellix and replace <password> with the new password for the initial admin
user.

{ "va_bootstrap": {
    "activation_code": "<code>",
    "reset_admin_password": "<password>"
  }
}

Important

The syntax (including the indentation) must match what is shown in this step. Otherwise, you will be unable to establish
a password-authenticated SSH session with the instance.

5. Click Save.
6. Right-click the instance, and select Instance State > Start.

Note

Trellix recommends that you clear the user data field after the virtual Network Security appliance is deployed.

Configuring a static IP address for the ether1 interface (manual method only)

Note

Perform this procedure only if you are using the manual deployment method.

This topic describes how to manually configure a static IP address for the ether1 (management) interface.

Important

If you do not follow this procedure, you will lose SSH access to the management interface. To restore access, you must stop
and then restart the instance from the EC2 Management Console.

Note

Perform this procedure before you start the configuration jump-start wizard. If you already started the wizard, enter CTRL+C
to exit it before you respond to the "Use DHCP on ether1 interface?" step.

To configure a static IP address:

1. Go to CLI configuration mode:

   hostname > enable
   hostname # configure terminal

2. Configure the IP address and subnet mask:

   hostname (config) # interface <interface name> ip address <ip address> /<mask>

   Important

   Configure the same values you configured when you launched the instance on AWS.

3. Configure the default gateway:

   hostname (config) # ip default-gateway <gateway IP>

4. Save your changes:

   hostname (config) # write memory

5. Enter the configuration wizard:

   hostname (config) # configuration jump-start

6. Perform the initial configuration of the appliance.

Important

Enter no to the "Use DHCP on ether1 interface?" step.

Performing the initial Network Security configuration using AWS

The management interface is the port through which the virtual sensor is managed and administered. It is also the port through
which integration of the Central Management System appliance and a managed sensor is managed. With the single-port address
type, the management interface is also the port through which a managed sensor requests and downloads software updates
from the DTI network.

Initial settings need to be configured to set up the management interface and to allow access to the network, change the default
administrator password, and so on.

To perform the initial configuration of a virtual Network Security appliance:

1. Connect to the sensor through an SSH client.
2. At the login prompt, enter admin.
3. Do one of the following:

• Use the ssh -i command to use the private key file to establish the SSH session. For example,
ssh -i /path/<my-key-pair>.pem admin@<instance>. When prompted, change the password using the username admin
password <new password> command. You will be logged out. Log in again using the new password.
• At the password prompt, enter the initial password you configured in Configuring the activation code and initial
admin password.

4. Accept the license agreement. The configuration jump-start wizard begins.
5. Answer the wizard questions as described in the following table.

Important

If you want to configure a static IP address instead of using DHCP, see Configuring a static IP address for the ether1
interface.

Note

If you enter yes in the "Use DHCP on ether1 interface?" step, the ether1 interface will obtain its IP address from the AWS
eth0 device.

Each entry below gives the wizard step (prompt) followed by the response to enter.

Enter activation code?
    Enter the activation code for the appliance. (This step is skipped if you provided the activation code in Configuring
    the activation code and initial admin password.)

Hostname?
    Enter the hostname for the appliance.

Admin password?
    (Optional) Enter a new administrator password.

Confirm admin password?
    Re-enter the new administrator password.

Enable remote access for 'admin' user?
    Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Use DHCP on ether1 interface?
    Important: See the first two notes preceding this table before responding to this step. Enter yes to use Dynamic Host
    Configuration Protocol (DHCP) to configure the appliance IP address and other network parameters. Enter no to manually
    configure your IP address and network settings. (If you enter yes, the zeroconf and static IP addressing steps are
    skipped.)

Use zeroconf on ether1 interface?
    Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network mask.
    (If you specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary interface.

Primary IP address and masklen?
    Enter the IP address for the management interface in A.B.C.D format and enter the network mask (for example,
    1.1.1.2 /24). Important: Configure the same values you configured when you launched the instance on AWS.

Default gateway?
    Enter the gateway IP address for the management interface.

Primary DNS server?
    Enter the IP address of the DNS server.

Domain name?
    Enter the domain for the management interface (for example, it.acme.com).

Enable Incident Response or Compromise Assessment?
    Enter no. These features are not supported in an AWS deployment.

Enable fenet service?
    Enter yes to enable access to the DTI network.

Enable fenet license update service?
    Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install
    them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product
    license key and the step that prompts for the security-content updates key.)

Sync appliance time with fenet?
    Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service,
    synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts
    to perform this step before it gives up and moves to the next step.

Update licenses from fenet?
    Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it gives
    up and moves to the next step.

Enable NTP?
    Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers. Enter no to
    manually set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync appliance time
    with fenet?" or "Enable Incident Response or Compromise Assessment?" step.) If you enter no, specify the time and date
    in subsequent steps.

Enable FaaS VPN?
    Enter yes to enable the appliance to connect to Managed Defense (formerly called Trellix as a Service) over the
    Internet using a secure SSL VPN connection. (This step is skipped if no MD_ACCESS license is installed. This step is
    performed automatically if you entered yes in the "Enable Incident Response or Compromise Assessment?" step.)

Set time (<hh>:<mm>:<ss>)?
    Enter the appliance time in Greenwich Mean Time (GMT) (UTC+0). (This step and the next step are skipped if you entered
    yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Set date (<yyyy>/<mm>/<dd>)?
    Enter the appliance date in Greenwich Mean Time (GMT) (UTC+0).

Enable IPv6?
    Enter yes to enable IPv6 protocol, which changes network IP routing from IPv4 to IPv6. (This step and the next two
    steps are skipped if you entered yes in the "Enable Incident Response or Compromise Assessment?" step. This step and
    the next two steps will be automatically performed if you entered yes in the "Enable FaaS VPN?" step.)

Enable IPv6 autoconfig (SLAAC) on ether1 interface?
    Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you entered
    no in the "Enable IPv6?" step.)

Enable DHCPv6 on ether1 interface?
    Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the
    "Use DHCP on ether1 interface?" or "Enable IPv6?" step.)

Submission: Interface?
    Press Enter to accept ether1 as the interface through which sensors and brokers communicate. Otherwise, enter the name
    of the other interface. (If you accept ether1, the next three steps are skipped.)
    Note: To keep management and data traffic separate, Trellix recommends that you use another management interface,
    such as ether2, and not a monitoring interface.

Use DHCP on <name> interface?
    Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the submission interface IP address and other
    network parameters. Enter no to manually configure the IP address and network settings. (If you enter yes, the static
    IP addressing steps are skipped.)

Submission: IP address and masklen?
    Enter the IP address for the submission interface in A.B.C.D format and enter the network mask (for example,
    10.1.1.1 /24).

Submission: Default IPv4 gateway?
    Enter the gateway IP address for the submission interface.

Product license key?
    Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation license. (This
    step and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and if
    licenses were successfully installed as a result.)

Security-content updates key?
    Enter the security-content license key you obtained from Trellix, or press Enter to skip this step and install the
    license later.

Configuring monitoring ports on the Network Security instance

After you create and attach the network interfaces on AWS, you must configure the same IP addressing for the corresponding
monitoring ports on the Network Security instance. For example, you must configure the IP address and subnet mask configured
on the AWS eth2 device on the Network Security pether3 port, and configure the IP address and subnet mask configured on the
AWS eth3 device on the Network Security pether4 port.

Note

For the mappings of AWS devices to Network Security monitoring ports, see Configuring Network Security network interfaces
on AWS.

To configure monitoring port addressing:

1. Log in to the Network Security Web UI.
2. Select Settings > Network.
3. Locate the Monitor Port IP Configurations section.
4. In the Monitor Port drop-down list, select the first monitoring interface you created on AWS.
5. In the IPv4 address and Subnet Mask fields, enter the exact values that you configured for the interface in AWS (see
Creating network interfaces).
6. Click Save.
7. Repeat these steps for each additional monitoring port you created on AWS.
8. Continue to one of the following:

• Deploying Network Security instances in AWS in inline mode
• Configuring traffic mirroring on AWS for TAP or SPAN mode

Deploying Network Security instances in AWS in inline mode

The following Network Security inline deployment use cases in Amazon Web Services (AWS) are supported:

• Use Case Scenario 1: Deploying a Network Security Instance in AWS Using VPC Ingress Routing
• Use Case Scenario 2: Deploying a Network Security Instance in AWS Between Internal Web Servers and a NAT Device
• Use Case Scenario 3: Deploying a Network Security Instance in AWS Between Virtual Desktop Clients and the Internet
• Use Case Scenario 4: Deploying a Network Security Instance in AWS Between On-Premises Clients and the Internet
• Use Case Scenario 5: Deploying a Network Security instance in AWS using Gateway Load Balancer (GWLB)

Note the following:

• The scenarios are single Amazon Virtual Private Cloud (Amazon VPC) deployments.
• Only one default gateway is supported in scenarios where the Network Security instance is used as a forwarding device,
and that gateway is used as the exit interface for the monitoring ports. A mechanism such as a jump host should be set
up for management port access to the Network Security Web UI and CLI.

Important

The implementation details in these use case descriptions are examples and are provided for illustration only.

Note

The ip route vrf vrfA* commands in these use case descriptions are available in Network Security Release 9.0.0 and later.

Use case scenario 1: Deploying a Network Security instance in AWS using VPC ingress routing

This section describes how to use Amazon VPC ingress routing to deploy a Network Security instance. In this scenario, the
Network Security instance is deployed inline in AWS between an external Web client and an internal Web server. The traffic
between the Web client and the Web server flows through the Network Security instance, which protects the Web server.

All incoming and outgoing traffic is routed through an AWS Internet gateway. The Internet gateway forces incoming traffic to flow
directly to the Network Security instance for processing before it reaches the Web server. Outgoing traffic from the Web server is
likewise routed to the Network Security appliance and the Internet gateway before it reaches the Web client.

Note

This procedure assumes that security groups and network access control lists are already configured in AWS.
The network mask of the IP addresses in this scenario is 255.255.255.224 (10.88.9.xxx/27).

This scenario involves the following components:

• Web server—A Web server with an elastic IP address (EIP) on a private subnet in the VPC.
• Network Security instance—A Network Security EC2 instance deployed inline. The monitoring interfaces are connected
to subnets 2 and 3. The pether3 interface has an elastic IP address (EIP).
• External Web client—An external Internet-connected device that attempts to connect to the Web server using the public
domain names of the sites it wants to reach. A DNS server resolves the domain names to public IP addresses.
• Internet gateway—An AWS internet gateway attached to the VPC that routes all incoming traffic (requests) to the
Network Security pether3 interface and routes all outgoing traffic (responses) to the external Web clients.

Perform the following tasks to configure this deployment scenario.

1. Configure a Network Security monitoring interface as the default gateway for redirected traffic.
2. Configure the internet gateway as the default gateway for outgoing traffic.
3. Configure the internet gateway route table.
4. Configure an edge association.
5. Add a static route for outgoing Web Server traffic.
6. Add a static route for outgoing Network Security traffic.

Configure a Network Security monitoring interface as the default gateway for redirected traffic

A Network Security monitoring interface must be the default gateway for the Web server. This allows the Web server to send
destination traffic through the Network Security instance.

The following illustration shows the example AWS subnet 3 route table configuration.

Configure the Internet gateway as the default gateway for outgoing traffic

The subnet 2 route table needs a route that sends outgoing traffic from the Network Security pether3 interface to the Internet
gateway.

The following illustration shows the example AWS subnet 2 route table configuration.

Configure the internet gateway route table

The Internet gateway route table needs a route that redirects incoming traffic through the Network Security pether3 interface to
the subnet that hosts the Web server.

The following illustration shows the example AWS route table configuration.

For more information about Internet gateway route tables and detailed instructions for implementing them, see the Amazon
AWS VPC Internet gateway documentation.

Configure an edge association

The Internet gateway route table must be associated with the Internet gateway to redirect incoming Web server traffic to the
Network Security pether3 interface.

To configure an edge association:

1. Navigate to the VPC dashboard in the AWS Management Console.
2. Select Route Tables in the navigation pane.
3. Select the Internet Gateway route table.
4. Select the Edge Associations tab.
5. Select the gateway ID row and click Save.

The following illustration shows the example AWS edge association.

For more information about edge associations and detailed instructions for implementing them, see the Amazon AWS VPC route
tables documentation.

Add a static route for outgoing Web Server traffic

A static route must be created in the Web server configuration that allows the Web server to use the IP address of the Network
Security monitoring interface as the next-hop gateway for outgoing traffic.

The following is an excerpt from the routing table for the Web server used in this example. In this excerpt, 10.88.9.64 is the IP
address of the subnet that hosts the Web server and 10.88.9.74 is the Network Security pether4 IP address.

Kernel IP routing table

Destination Gateway
...
0.0.0.0 10.88.9.74
10.88.9.64 0.0.0.0
...

Add a static route for outgoing Network Security traffic

A static route must be created in the Network Security configuration that allows outgoing traffic to reach the Internet gateway.

The following command creates a static route in the example scenario:

nx-hostname (config) # ip route vrf vrfA 0.0.0.0 /0 10.88.9.33
nx-hostname (config) # show ip route
Destination   Mask             Gateway      Interface   Source
default       0.0.0.0          10.88.9.33   pether3     static
10.88.9.0     255.255.255.224  0.0.0.0      ether1      interface
10.88.9.32    255.255.255.224  0.0.0.0      pether3     interface
10.88.9.64    255.255.255.224  0.0.0.0      pether4     interface

For details, see the "Layer 3 Forwarding Using VRF instances" information in the Network Security System Administration Guide.
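The two static routes in this scenario (the Web server's default route via 10.88.9.74 and the Network Security default route via 10.88.9.33 in vrfA) only work if each next hop lies in a subnet directly connected to the interface that is supposed to carry the traffic. The following Python script is an added example, not Trellix code: it parses the show ip route listing from this section, performs longest-prefix lookups the way the sensor does, and checks both next hops against the connected subnets. The Web server address 10.88.9.70 and the external client address 203.0.113.10 are constructed for the walk-through.

```python
"""Worked check of the inline routing in use case scenario 1.

Added example, not Trellix code. Parses the 'show ip route' output shown in
this section, answers "which interface does the sensor forward this
destination to?" by longest-prefix match, and verifies that every static
route's gateway is reachable through a directly connected subnet on the
route's own interface.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Route table as shown for the scenario (the /27 mask written consistently).
SHOW_IP_ROUTE = """\
Destination Mask Gateway Interface Source
default 0.0.0.0 10.88.9.33 pether3 static
10.88.9.0 255.255.255.224 0.0.0.0 ether1 interface
10.88.9.32 255.255.255.224 0.0.0.0 pether3 interface
10.88.9.64 255.255.255.224 0.0.0.0 pether4 interface
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected
    interface: str
    source: str


def parse_show_ip_route(text: str) -> List[Route]:
    """Parse the five-column 'show ip route' listing into Route objects."""
    routes = []
    for line in text.strip().splitlines()[1:]:  # first line is the column header
        dest, mask, gw, iface, source = line.split()
        network = ipaddress.IPv4Network("0.0.0.0/0" if dest == "default" else f"{dest}/{mask}")
        gateway = None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw)
        routes.append(Route(network, gateway, iface, source))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing the destination wins."""
    addr = ipaddress.IPv4Address(destination)
    best = None
    for route in routes:
        if addr in route.network and (best is None or route.network.prefixlen > best.network.prefixlen):
            best = route
    return best


def connected_interface_for(routes: List[Route], address: str) -> Optional[str]:
    """Return the interface whose directly connected subnet contains the address, if any."""
    addr = ipaddress.IPv4Address(address)
    for route in routes:
        if route.gateway is None and addr in route.network:
            return route.interface
    return None


def next_hop_reachable(routes: List[Route], route: Route) -> bool:
    """A static route is usable only if its gateway sits on a connected subnet of the same interface."""
    if route.gateway is None:
        return True
    return connected_interface_for(routes, str(route.gateway)) == route.interface


if __name__ == "__main__":
    table = parse_show_ip_route(SHOW_IP_ROUTE)
    # A request from the client arrives from the Internet gateway on pether3 and is forwarded
    # into the Web server subnet; the response follows the default route back out of pether3.
    print("to Web server 10.88.9.70 ->", lookup(table, "10.88.9.70").interface)        # pether4
    print("to client 203.0.113.10  ->", lookup(table, "203.0.113.10").interface)       # pether3
    print("IGW next hop 10.88.9.33 is on", connected_interface_for(table, "10.88.9.33"))        # pether3
    print("Web server gateway 10.88.9.74 is on", connected_interface_for(table, "10.88.9.74"))  # pether4
    print("all static next hops reachable:", all(next_hop_reachable(table, r) for r in table))
```

The same checks apply to a real deployment: paste the sensor's own show ip route output into SHOW_IP_ROUTE and confirm that the Web server's gateway resolves to the monitoring interface facing its subnet and that the vrfA default route's next hop resolves to the Internet-gateway-facing interface; a next hop that resolves to ether1 or to no connected subnet means outgoing traffic will not reach the Internet gateway.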

Use case scenario 2: Deploying a Network Security instance in AWS between internal Web Servers and a NAT device

This section describes how to deploy a virtual Network Security instance in a scenario in which a Network Security instance is
deployed inline in Amazon Web Services (AWS) between Web servers in a private subnet and a Network Address Translation
(NAT) device. In this scenario, the NAT device acts as a third-party virtual firewall and performs the address translation between
the public Internet and the private subnet hosting the Web servers. Web clients connect to the Web servers through the public
IP address of the NAT device. The traffic between the Web clients and Web servers flows through the Network Security instance,
which protects the Web servers.

Note

This procedure assumes that security groups and network access control lists are already configured in AWS.
The network mask of the IP addresses in this scenario is 255.255.255.224 (10.88.9.xxx/27).

This scenario involves the following components:

• NAT device—An Ubuntu Linux EC2 instance with destination network address translation (DNAT) configured and IP
forwarding enabled to translate a public destination IP address to a private destination IP address.
• Web servers—Web servers on a private subnet. External Web clients connect to the Web servers through the public IP
address configured on the NAT device.
• Network Security instance—A Network Security EC2 instance deployed inline. Port pair A is the inline port pair. One
monitoring interface is connected to the same subnet as the NAT instance and the other monitoring interface is
connected to the private subnet that hosts the Web servers.

• Web clients—External Internet-connected devices that attempt to connect to the Web servers using the public DNS
domain names of the Web servers. A DNS server resolves the domain names to the public IP addresses.

Perform the following tasks to configure this deployment scenario.

1. Configure a Network Security monitoring interface as the default gateway for the Web servers
2. Configure the NAT private IP address as the default gateway for the other monitoring interface
3. Configure an HTTP proxy device for management port connectivity
4. Configure the NAT instance

Configure a Network Security monitoring interface as the default gateway for the Web servers

A Network Security monitoring interface must be the default gateway for the Web servers hosted on the private subnet. This
allows the Web servers to send traffic to the Network Security instance.

To configure the monitoring interface as the default gateway:

1. Add a default route in the route table associated with the private subnet that hosts the Web servers.
2. Set the destination to 0.0.0.0/0.
3. Set the target to the Network Security network interface (also known as elastic network interface, or ENI) that is connected
to the private subnet (pether4 in this example).

The following illustration shows the example AWS route table configuration.

For more information about route tables and detailed instructions for implementing them, see the Amazon AWS VPC route table
documentation.

Configure the NAT private IP address as the default gateway for the other Network Security monitoring interface

The private IP address of the NAT instance must be configured as the default gateway for the other Network Security monitoring
interface. This procedure creates a static IP default gateway and removes the DHCP default gateway from the configuration.

To configure the NAT private IP address as the default gateway:

1. Configure a default gateway that points to the NAT instance private IP address through the monitoring port interface
(pether3 in this example) connected to that subnet. In this example, <NAT ether1 IP> is 10.88.9.79.
nx-hostname (config) # ip route vrf vrfA 0.0.0.0 /0 <NAT ether1 IP>

2. Verify your changes.


nx-hostname (config) # show ip route

3. Save your changes.


nx-hostname (config) # write memory

The following Network Security routing table shows that the static gateway is the only default gateway that exists on the instance.

nx-hostname (config) # show ip route


Destination Mask Gateway Interface Source
default 0.0.0.0 10.88.9.79 pether3 static
10.88.9.64 255.255.255.224 0.0.0.0 pether3 interface
10.88.9.96 255.255.255.224 0.0.0.0 pether4 interface
10.88.9.192 255.255.255.224 0.0.0.0 ether1 interface

Custom table routes


Destination Mask Gateway Interface Table
nx-hostname (config) #
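
Both this procedure and the one at the end of the preceding scenario ask you to confirm from show ip route that the static gateway is the only default route left on the instance. The following Python script is an added example, not part of this guide or of the Network Security CLI: it parses a pasted show ip route listing and checks for exactly one default route with source static pointing at the expected gateway and interface, validates every netmask, and confirms that the next hop actually sits on a connected subnet of its egress interface. The two listings embedded in it are constructed from the tables in this guide; the leftover DHCP default route and the mistyped mask octet in the second listing are constructed faults.

```python
"""Check a Network Security 'show ip route' listing (added example, not from the guide)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    destination: str
    mask: str
    gateway: str
    interface: str
    source: str


def parse_show_ip_route(text: str) -> list:
    """Parse the main table of the CLI output; stops at the 'Custom table routes' section."""
    routes = []
    in_table = False
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Destination":           # column header opens the table
            in_table = True
            continue
        if fields[:2] == ["Custom", "table"]:    # per-VRF tables follow; not checked here
            break
        if in_table and len(fields) == 5:
            routes.append(Route(*fields))
    return routes


def valid_netmask(mask: str) -> bool:
    """True only for a dotted quad whose bits are contiguous ones followed by zeros."""
    try:
        octets = [int(o) for o in mask.split(".")]
    except ValueError:
        return False
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        return False
    return "01" not in "".join(f"{o:08b}" for o in octets)


def check_routes(routes, gateway: str, interface: str) -> list:
    """Return the problems found; an empty list means the table matches what the guide expects."""
    problems = []
    defaults = [r for r in routes if r.destination == "default"]
    if len(defaults) != 1:
        problems.append(f"expected exactly one default route, found {len(defaults)}")
    for r in defaults:
        if r.source != "static":
            problems.append(f"default via {r.gateway} has source '{r.source}', not static")
        if (r.gateway, r.interface) != (gateway, interface):
            problems.append(f"default via {r.gateway} on {r.interface}; expected {gateway} on {interface}")
    for r in routes:
        if not valid_netmask(r.mask):
            problems.append(f"{r.destination}: invalid netmask {r.mask}")
    # A next hop is only usable if it sits on a connected subnet of the egress interface.
    connected = [(ipaddress.ip_network(f"{r.destination}/{r.mask}"), r.interface)
                 for r in routes if r.source == "interface" and valid_netmask(r.mask)]
    for d in defaults:
        hop = ipaddress.ip_address(d.gateway)
        if not any(hop in net and iface == d.interface for net, iface in connected):
            problems.append(f"next hop {d.gateway} is not on a connected subnet of {d.interface}")
    return problems


# Constructed listing reproducing the table shown for this scenario.
GOOD_LISTING = """\
Destination Mask Gateway Interface Source
default 0.0.0.0 10.88.9.79 pether3 static
10.88.9.64 255.255.255.224 0.0.0.0 pether3 interface
10.88.9.96 255.255.255.224 0.0.0.0 pether4 interface
10.88.9.192 255.255.255.224 0.0.0.0 ether1 interface

Custom table routes
Destination Mask Gateway Interface Table
"""

# Constructed 'before' listing: the DHCP default is still present and one mask octet is mistyped.
BAD_LISTING = """\
Destination Mask Gateway Interface Source
default 0.0.0.0 10.88.9.33 pether3 static
default 0.0.0.0 10.88.9.1 ether1 dhcp
10.88.9.0 255.255.255.224 0.0.0.0 ether1 interface
10.88.9.32 225.225.255.224 0.0.0.0 pether3 interface
10.88.9.64 255.255.255.224 0.0.0.0 pether4 interface
"""

if __name__ == "__main__":
    for name, listing, gw in (("good", GOOD_LISTING, "10.88.9.79"), ("bad", BAD_LISTING, "10.88.9.33")):
        found = check_routes(parse_show_ip_route(listing), gw, "pether3")
        print(name, "OK" if not found else "\n  " + "\n  ".join(found))
```

Paste the output of show ip route into the listing string (or read it from a file) and pass the gateway and monitoring interface you configured; any non-empty result means the DHCP default is still present, a mask was mistyped, or the next hop is not reachable from the interface it is bound to.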

Configure an HTTP proxy device for management port connectivity

This procedure describes how to configure an HTTP proxy device on a Network Security instance to establish management port
connectivity for services that operate over the management interface and require access to the Internet.

Important

The HTTP proxy device must have a public IP address that can communicate with the Network Security ether1 interface IP
address.

Note

If the Network Security instance is managed by a Central Management System appliance, this procedure must be performed
on the Central Management System appliance instead of the Network Security instance.

To configure and enable an HTTP proxy device:

1. Configure the proxy device hostname or IP address, and the port (if you do not want to use the default port 8080):

nx-hostname (config) # fenet proxy host <hostname or IP address>:[<port>]

2. Enable the proxy device:


nx-hostname (config) # fenet proxy enable

3. Verify your changes:


nx-hostname (config) # show fenet

4. Save your changes:


nx-hostname (config) # write memory

For details about configuring an HTTP proxy on a Network Security instance or Central Management System appliance, see the
Network Security System Administration Guide or the Central Management System Administration Guide.

Configure the NAT instance

The NAT instance must simulate a third-party firewall that provides NAT functionality. In addition to configuring DNAT and
enabling IP forwarding, create static routes in the NAT instance routing table so that traffic destined for the Web servers
uses the IP address of the Network Security monitoring interface on the NAT subnet (pether3 in this example) as the
next-hop gateway. Without these routes, the NAT instance would hand the translated packets to the VPC router and they
would bypass the Network Security instance.

The following is an excerpt from the routing table for the NAT instance used in this example. In this excerpt, 10.88.9.107 and
10.88.9.111 are the Web server IP addresses and 10.88.9.77 is the Network Security pether3 IP address.

Kernel IP routing table


Destination Gateway
...
10.88.9.107 10.88.9.77
10.88.9.111 10.88.9.77
...

For details about using an Amazon Linux AMI as a NAT instance, see the Amazon AWS VPC NAT instance documentation.
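
The guide leaves the DNAT, IP forwarding and static route configuration of the NAT instance to the reader. The following Python script is an added example, not part of this guide or of any Trellix or AWS tooling: it generates the Linux commands for an Ubuntu NAT instance from the addressing used in this scenario and refuses to do so when the next hop is not on the NAT's subnet or when a protected host is (either would bypass the Network Security instance). It also produces the SNAT form used in scenarios 3 and 4. The interface name eth0, the TCP port 80, and the public-facing ENI address 10.88.9.14 are assumptions, not values from the guide.

```python
"""Linux configuration for the NAT instance used in these AWS scenarios (added example)."""
import ipaddress
import subprocess
from typing import Dict, Iterable, List, Optional


def nat_instance_commands(nat_inner_cidr: str, nx_next_hop: str, protected_hosts: Iterable[str],
                          public_iface: str = "eth0", http_port: int = 80,
                          dnat_map: Optional[Dict[str, str]] = None) -> List[str]:
    """Build the commands for the NAT instance.

    nat_inner_cidr   subnet shared by the NAT instance and the NX monitoring port (10.88.9.64/27 in the guide)
    nx_next_hop      NX monitoring interface IP on that subnet (pether3, 10.88.9.77 in the guide)
    protected_hosts  Web servers (scenario 2), desktop clients (scenario 3) or the proxy's inner IP (scenario 4)
    public_iface     the NAT's Internet-facing interface; 'eth0' is an assumption
    dnat_map         scenario 2 only: NAT public-facing ENI address -> Web server private IP
    """
    inner = ipaddress.ip_network(nat_inner_cidr)
    hop = ipaddress.ip_address(nx_next_hop)
    if hop not in inner:
        raise ValueError(f"next hop {hop} is not on {inner}; the NAT instance cannot reach it directly")
    hosts = [ipaddress.ip_address(h) for h in protected_hosts]
    for h in hosts:
        if h in inner:
            raise ValueError(f"{h} is on the NAT subnet and would bypass the Network Security instance")

    cmds = [
        "sysctl -w net.ipv4.ip_forward=1",
        # Forward only what is explicitly allowed below.
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    # Host routes: traffic for each protected host is handed to the NX, not to the VPC router.
    cmds += [f"ip route replace {h}/32 via {hop}" for h in hosts]

    if dnat_map:
        # Scenario 2. The Internet gateway already maps the elastic IP to the NAT's private ENI address,
        # so the DNAT rule matches that private address, not the elastic IP itself.
        for eni_ip, server_ip in dnat_map.items():
            if ipaddress.ip_address(server_ip) not in hosts:
                raise ValueError(f"DNAT target {server_ip} is not a protected host")
            cmds.append(f"iptables -t nat -A PREROUTING -i {public_iface} -d {eni_ip} -p tcp --dport {http_port} "
                        f"-j DNAT --to-destination {server_ip}")
            cmds.append(f"iptables -A FORWARD -d {server_ip} -p tcp --dport {http_port} "
                        f"-m conntrack --ctstate NEW -j ACCEPT")
    else:
        # Scenarios 3 and 4: outbound SNAT; only the protected hosts may open connections.
        cmds += [f"iptables -A FORWARD -s {h} -o {public_iface} -m conntrack --ctstate NEW -j ACCEPT"
                 for h in hosts]
        cmds.append(f"iptables -t nat -A POSTROUTING -o {public_iface} -j MASQUERADE")
    return cmds


def apply_commands(cmds: List[str]) -> None:
    """Run the generated commands on the NAT instance (requires root)."""
    for cmd in cmds:
        subprocess.run(cmd.split(), check=True)


if __name__ == "__main__":
    # Scenario 2 values from the guide; 10.88.9.14 is a constructed address for the NAT's public-facing ENI.
    for cmd in nat_instance_commands("10.88.9.64/27", "10.88.9.77", ["10.88.9.107", "10.88.9.111"],
                                     dnat_map={"10.88.9.14": "10.88.9.107"}):
        print(cmd)
```

Review the printed commands, then run apply_commands() as root on the NAT instance. As with any NAT instance in AWS, the source/destination check must be disabled on the instance's network interfaces, or the VPC drops the forwarded packets regardless of these rules.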

Use case scenario 3: Deploying a Network Security instance in AWS between virtual desktop clients and the internet

This section describes how to deploy a virtual Network Security instance in a scenario in which the Network Security instance is
deployed inline in AWS between AWS virtual desktop clients in a private subnet and a Network Address Translation (NAT) device.
In this example scenario, the NAT device acts as a third-party virtual firewall and performs the address translation between
public Internet servers and the private subnet hosting the desktop clients. The desktop clients connect to the Internet servers
through the public IP address of the NAT device. The traffic between the desktop clients and the Internet servers flows through
the Network Security instance, which protects the desktop clients.

Note

This procedure assumes that security groups and network access control lists are already configured in AWS.
The network mask of the IP addresses in this scenario is 255.255.255.224 (10.88.9.xxx/27).

This scenario involves the following components:

• NAT device—An Ubuntu Linux EC2 instance with source network address translation (SNAT) configured and IP
forwarding enabled to translate the internal source IP addresses of the desktop clients to keep them private.
• AWS virtual desktop clients—Ubuntu Linux EC2 instances on a private subnet. They can be desktop instances in an
AWS virtual desktop infrastructure (VDI). The Network Security instance protects the desktop clients. The desktop
clients connect to the Internet servers through the public IP address configured on the NAT device.
• Network Security instance—A Network Security EC2 instance deployed inline. Port pair A is the inline port pair. One
monitoring interface is connected to the NAT instance and the other monitoring interface is connected to the private
subnet that hosts the desktop clients.
• Internet servers—Internet servers (or on-premises enterprise servers) with which the desktop clients communicate.

Perform the following tasks to configure this deployment scenario.

1. Configure a Network Security monitoring interface as the default gateway for the desktop clients
2. Configure the NAT private IP address as the default gateway for the other Network Security monitoring interface
3. Configure an HTTP proxy device for management port connectivity
4. Configure the NAT instance

Configure a Network Security monitoring interface as the default gateway for the desktop clients

A Network Security monitoring interface must be the default gateway for the desktop clients hosted on the private subnet. This
allows the desktop clients to send traffic to the Network Security instance.

To configure the monitoring interface as the default gateway:

1. Add a default route in the route table associated with the private subnet that hosts the desktop clients.
2. Set the destination to 0.0.0.0/0.
3. Set the target to the Network Security network interface (also known as elastic network interface, or ENI) that is connected
to the private subnet (pether4 in this example).

The following illustration shows the example AWS route table configuration.

For more information about route tables and detailed instructions for implementing them, see the Amazon AWS VPC route table
documentation.

Configure the NAT private IP address as the default gateway for the other Network Security monitoring interface

The private IP address of the NAT instance must be configured as the default gateway for the other Network Security monitoring
interface. This procedure creates a static IP default gateway and removes the DHCP default gateway from the configuration.

To configure the NAT private IP address as the default gateway:

1. Configure a default gateway that points to the NAT instance private IP address through the monitoring port interface
(pether3 in this example) connected to that subnet. In this scenario, <NAT ether1 IP> is 10.88.9.79.
nx-hostname (config) # ip route vrf vrfA 0.0.0.0 /0 <NAT ether1 IP>

2. Verify your changes.


nx-hostname (config) # show ip route

3. Save your changes.


nx-hostname (config) # write memory

The following Network Security routing table shows that the static gateway is the only default gateway that exists on the instance.

nx-hostname (config) # show ip route


Destination Mask Gateway Interface Source
default 0.0.0.0 10.88.9.79 pether3 static
10.88.9.64 255.255.255.224 0.0.0.0 pether3 interface
10.88.9.96 255.255.255.224 0.0.0.0 pether4 interface
10.88.9.192 255.255.255.224 0.0.0.0 ether1 interface

Custom table routes


Destination Mask Gateway Interface Table
nx-hostname (config) #

Configure an HTTP proxy device for management port connectivity

This procedure describes how to configure an HTTP proxy device on a Network Security instance to establish management port
connectivity for services that operate over the management interface and require access to the Internet.

Important

The HTTP proxy device must have a public IP address that can communicate with the Network Security ether1 interface IP
address.

Note

If the Network Security instance is managed by a Central Management System appliance, this procedure must be performed
on the Central Management System appliance instead of the Network Security instance.

To configure and enable an HTTP proxy device:

1. Configure the proxy device hostname or IP address, and the port (if you do not want to use the default port 8080):
nx-hostname (config) # fenet proxy host <hostname or IP address>:[<port>]

2. Enable the proxy device:


nx-hostname (config) # fenet proxy enable

3. Verify your changes:


nx-hostname (config) # show fenet

4. Save your changes:


nx-hostname (config) # write memory

For details about configuring an HTTP proxy on a Network Security instance or Central Management System appliance, see the
Network Security System Administration Guide or the Central Management System Administration Guide.

Configure the NAT instance

The NAT instance must simulate a third-party firewall that provides NAT functionality. In addition to configuring SNAT and
enabling IP forwarding, you should create a static route in the NAT configuration that ensures that the Internet traffic flows
through the Network Security instance before it reaches the desktop clients. The static route sets the Network Security
monitoring interface IP address configured for the NAT instance (pether3 in this example) as the next-hop gateway.

The following is an excerpt from the routing table for the NAT instance used in this scenario. In this excerpt, 10.88.9.107 and
10.88.9.111 are the desktop client IP addresses and 10.88.9.77 is the Network Security pether3 address.

Kernel IP routing table


Destination Gateway
...
10.88.9.107 10.88.9.77
10.88.9.111 10.88.9.77
...

For details about using an Amazon Linux AMI as a NAT instance, see the Amazon AWS VPC NAT instance documentation.

Use case scenario 4: Deploying a Network Security instance in AWS between on-premises clients and the internet

This section describes how to deploy a virtual Network Security instance in a scenario in which the Network Security instance is
deployed inline in AWS and protects on-premises enterprise clients that communicate with external sites on the public Internet
through a cloud proxy server deployed in AWS.

The enterprise client Web browsers are configured to communicate with the cloud proxy server. The proxy server has a public IP
address (elastic IP address) allocated by AWS to which the Web browsers point. All connections and traffic to and from the clients
go through the Internet to the proxy server.

The proxy server initiates its own connections with the external sites the clients are trying to reach. This traffic is routed through
the Network Security instance in AWS and out again to the Internet to the external sites through a Network Address Translation
(NAT) device that acts as a virtual third-party firewall and performs the address translation between the public Internet and the
private subnet hosting the proxy server.

Note

This procedure assumes that security groups and network access control lists are already configured in AWS.
The network mask of the IP addresses in this scenario is 255.255.255.224 (10.88.9.xxx/27).

This scenario involves the following components:

• NAT device—An Ubuntu Linux EC2 instance with source network address translation (SNAT) configured and IP
forwarding enabled.
• Proxy server—An Ubuntu EC2 instance running Squid proxy and deployed in explicit two-arm mode. The ether0
interface is the external interface with a public IP address. The ether1 interface is on the private subnet that hosts
the Network Security instance.
• Network Security instance—A Network Security EC2 instance deployed inline. Port pair A is the inline port pair. One
monitoring interface is connected to the NAT instance and the other monitoring interface is connected to the private
subnet that hosts the proxy server.
• On-premises enterprise clients—On-premises workstations that communicate with external servers in the Internet.
Outbound traffic goes through the cloud proxy server in AWS due to the explicit proxy configuration in the client Web
browsers.

Perform the following tasks to configure this deployment scenario.

1. Configure a Network Security monitoring interface as the default gateway for the proxy server
2. Configure the NAT private IP address as the default gateway for the other Network Security monitoring interface
3. Configure an HTTP proxy device for management port connectivity
4. Configure the NAT instance

Configure a Network Security monitoring interface as the default gateway for the proxy server

A Network Security monitoring interface must be the default gateway for the proxy server ether1 interface, which is on the
same subnet as this Network Security monitoring interface. This ensures that the traffic forwarded from the proxy server to the
external Internet servers flows through the Network Security instance.

To configure the monitoring interface as the default gateway:

1. Add a default route in the route table associated with the private subnet between the proxy server and the Network
Security instance.
2. Set the destination to 0.0.0.0/0.
3. Set the target to the Network Security network interface (also known as elastic network interface, or ENI) that is connected
to the private subnet (pether4 in this example).

The following illustration shows the example AWS route table configuration.

For more information about route tables and detailed instructions for implementing them, see the Amazon AWS VPC route table
documentation.

Configure the NAT private IP address as the default gateway for the other Network Security monitoring interface

The private IP address of the NAT instance must be configured as the default gateway for the other Network Security monitoring
interface. This procedure creates a static IP default gateway and removes the DHCP default gateway from the configuration.

To configure the NAT private IP address as the default gateway:

1. Configure a default gateway that points to the NAT instance private IP address through the monitoring port interface
(pether3 in this example) connected to that subnet. In this scenario, <NAT ether1 IP> is 10.88.9.79.
nx-hostname (config) # ip route vrf vrfA 0.0.0.0 /0 <NAT ether1 IP>

2. Verify your changes.


nx-hostname (config) # show ip route

3. Save your changes.


nx-hostname (config) # write memory

The following Network Security routing table shows that the static gateway is the only default gateway that exists on the instance.

nx-hostname (config) # show ip route


Destination Mask Gateway Interface Source
default 0.0.0.0 10.88.9.79 pether3 static
10.88.9.64 255.255.255.224 0.0.0.0 pether3 interface
10.88.9.96 255.255.255.224 0.0.0.0 pether4 interface
10.88.9.192 255.255.255.224 0.0.0.0 ether1 interface

Custom table routes


Destination Mask Gateway Interface Table
nx-hostname (config) #

Configure an HTTP proxy device for management port connectivity

This procedure describes how to configure an HTTP proxy device on a Network Security instance to establish management port
connectivity for services that operate over the management interface and require access to the Internet.

Important

The HTTP proxy device must have a public IP address that can communicate with the Network Security ether1 interface IP
address.

Note

If the Network Security instance is managed by a Central Management System appliance, this procedure must be performed
on the Central Management System appliance instead of the Network Security instance.

To configure and enable an HTTP proxy server:

1. Configure the proxy server hostname or IP address, and the port (if you do not want to use the default port 8080):
nx-hostname (config) # fenet proxy host <hostname or IP address>:[<port>]

2. Enable the proxy server:


nx-hostname (config) # fenet proxy enable

3. Verify your changes:


nx-hostname (config) # show fenet

4. Save your changes:


nx-hostname (config) # write memory

For details about configuring an HTTP proxy on a Network Security instance or Central Management System appliance, see the
Network Security System Administration Guide or the Central Management System Administration Guide.

Configure the NAT instance

The NAT instance must simulate a third-party firewall that provides NAT functionality. In addition to configuring SNAT and
enabling IP forwarding, you should create a static route in the NAT configuration that ensures that return path traffic from the
Internet to the cloud proxy server flows through the Network Security instance. The static route sets the cloud proxy server IP
address as the target, and sets the Network Security monitoring interface IP address configured for the NAT instance (pether3 in
this example) as the next-hop gateway.

The following is an excerpt from the routing table for the NAT instance used in this scenario. In this excerpt, 10.88.9.107 is the
proxy server ether1 IP address and 10.88.9.77 is the Network Security pether3 IP address.

Kernel IP routing table


Destination Gateway
...
10.88.9.107 10.88.9.77
...

For details about using an Amazon Linux AMI as a NAT instance, see the Amazon AWS VPC NAT instance documentation.

Use case scenario 5: Deploying a Network Security instance in AWS using Gateway Load Balancer (GWLB)

This section provides a high-level overview of the integration between AWS Gateway Load Balancer (GWLB) and Network Security
Virtual NX instance. For specific instructions on configuring GWLB, check the AWS documentation.

In this setup, the Network Security instance is deployed in a security VPC while the Web Server is deployed in a service provider
VPC. The traffic between the Web Client and the Web Server is handled in one of two deployment modes, Inline or Tap. Depending
on the mode, the traffic either passes through the Network Security instance or is mirrored to it.

Note

This section assumes that AWS components such as subnets, routes, security groups, and network access control lists are
already configured.

The main components are:

Component                   Description
Web Server                  A Web server with an elastic IP address (EIP) on a private subnet in the VPC.
Network Security instance   A Network Security EC2 instance deployed in an appropriate subnet. The management and
                            monitoring interfaces are connected to different subnets.
GWLB                        A Gateway Load Balancer enables you to deploy, scale, and manage virtual appliances such
                            as firewalls and intrusion prevention systems. It combines a transparent network gateway
                            (that is, a single entry and exit point for all traffic) with distribution of traffic to
                            the virtual appliances.
GWLB Endpoint               A Gateway Load Balancer endpoint is a VPC endpoint that provides private connectivity
                            between resources in the service provider VPC and the Gateway Load Balancer and virtual
                            appliances in the security VPC.

Deploying Network Security Virtual NX in inline mode (Inline operational mode)

In this scenario, the Network Security instance is deployed in inline mode, positioned between an external Web Client and an
internal Web Server. The arrangement ensures that all traffic between the Web Client and the Web Server passes through the
Network Security instance, providing comprehensive protection for the Web Server.

The incoming traffic is routed through a GWLB endpoint, GWLB, and the Network Security instance. The gateway load balancer
directs incoming traffic to the Network Security instance for initial processing before it proceeds to the Web Server. Similarly,
outgoing traffic from the Web Server is channeled through the Network Security appliance in the reverse direction, ultimately
reaching the Web Client. Throughout this process, the Network Security instance inspects traffic in both directions, determining
whether to forward or block it. It also generates alerts as necessary. The diagram illustrates the traffic flow with incremental
numbers indicating the sequence of the path.

Note

• Complete all the steps of the Network Security instance deployment.
• Enable health monitoring on the inline interface pair as described in Enabling HTTP health checks for Network Security
monitoring ports on AWS.

SSL decryption with Network Security Virtual NX in Tap mode (Tap operational mode)

In this scenario, the SSL traffic from the GWLB is decrypted by Mira Security's Encrypted Traffic Orchestrator (ETO) appliance.
The decrypted traffic is then mirrored, encapsulated in VXLAN, to the Network Security appliance configured in Tap mode. The
Network Security appliance does not currently support Inline mode for decrypted mirrored traffic.

Note

See mirasecurity.com and the Virtual ETO Getting Started Guide on the Mira Security website for deploying the Mira Security
ETO. The ETO is deployed in Inline-Passive mode.

Deploying Network Security Virtual NX in Tap mode (Tap operational mode)

In this scenario, the Network Security instance is deployed in Tap mode. All traffic between the Web Client and the Web Server
is mirrored through the GWLB endpoint and GWLB to the Network Security instance for monitoring and analysis, and alerts are
generated as appropriate. The diagram illustrates the traffic flow with incremental numbers and letters indicating the
sequence of the path.

Note

• Complete all the steps of the Network Security instance deployment.
• Enable health monitoring on the inline interface pair as described in Enabling HTTP health checks for Network Security
monitoring ports on AWS.

Configuring traffic mirroring on AWS for TAP or SPAN mode

Use the AWS traffic mirroring documentation to configure traffic mirroring, and deploy the virtual Network Security instance
in AWS in Tap or SPAN mode. Traffic mirroring copies the traffic to the network interfaces that are attached to your Network
Security instance.

Traffic mirroring uses the following items:

• Source—The source of the mirrored traffic.
• Target—The destination for the mirrored traffic (a monitoring interface on the Network Security instance).
• Filter—A set of rules that defines the traffic that is copied in a traffic mirror session.
• Session—An entity that establishes the relationship between the source and target using the filter created for the traffic.

Traffic mirroring requires the following tasks:

1. Identifying the traffic mirror source and making sure the requirements for it are met (for example, making sure the source
has a route table entry for the traffic mirror target).
2. Creating the traffic mirror filter and filter rules.
3. Configuring the traffic mirror target.
4. Creating the traffic mirror session.

For more information about traffic mirroring and detailed instructions for implementing it, see the Amazon AWS VPC traffic
mirroring documentation.
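
Mirrored traffic reaches the Network Security monitoring port encapsulated in VXLAN (UDP port 4789), whether it comes from an AWS traffic mirror session or from the ETO deployment described earlier in this section. The following Python code is an added example, not part of this guide or of the Trellix product: it decodes the VXLAN header and the inner Ethernet, IPv4 and TCP/UDP headers of one captured UDP payload, so that you can confirm which mirror session a frame belongs to (the VNI is the virtual network ID configured on the mirror session) and that the inner addresses are the ones you meant to mirror. The sample packet is constructed in the code; its MAC addresses, IP addresses, ports and VNI are invented for the example.

```python
"""Decode one VXLAN-encapsulated mirror packet as it arrives on a Tap-mode monitoring port (added example)."""
import socket
import struct

VXLAN_UDP_PORT = 4789       # AWS Traffic Mirroring delivers copies as VXLAN over UDP/4789
VXLAN_I_FLAG = 0x08         # 'VNI valid' bit in the VXLAN flags byte
ETHERTYPE_IPV4 = 0x0800


def parse_vxlan(udp_payload: bytes) -> dict:
    """Return the VNI plus inner L2/L3/L4 addressing from the UDP payload of a mirrored packet."""
    if len(udp_payload) < 8 + 14 + 20:
        raise ValueError("too short for VXLAN + Ethernet + IPv4 headers")
    # VXLAN header: flags (1), reserved (3), VNI (3), reserved (1)
    flags, vni_bytes = struct.unpack("!B3x3sx", udp_payload[:8])
    if not flags & VXLAN_I_FLAG:
        raise ValueError("VXLAN I flag not set; not a valid VXLAN header")
    frame = udp_payload[8:]
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"inner ethertype 0x{ethertype:04x} not handled")
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    result = {
        "vni": int.from_bytes(vni_bytes, "big"),
        "src_mac": src_mac.hex(":"),
        "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
        "proto": proto,
        "sport": None,
        "dport": None,
    }
    l4 = ip[ihl:]
    if proto in (6, 17) and len(l4) >= 4:      # TCP or UDP: ports are the first four bytes
        result["sport"], result["dport"] = struct.unpack("!HH", l4[:4])
    return result


def build_vxlan(vni: int, src_ip: str, dst_ip: str, proto: int = 6, sport: int = 40000, dport: int = 80,
                payload: bytes = b"GET / HTTP/1.1\r\n") -> bytes:
    """Construct a mirrored packet for testing; no real capture is used here."""
    l4 = struct.pack("!HH", sport, dport) + payload
    total_len = 20 + len(l4)
    # IPv4 header with IHL 5, TTL 64, DF set and a zero checksum (not validated by the parser).
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("02aabbccdd01") + bytes.fromhex("02aabbccdd02") + struct.pack("!H", ETHERTYPE_IPV4)
    vxlan = struct.pack("!B3x3sx", VXLAN_I_FLAG, vni.to_bytes(3, "big"))
    return vxlan + eth + ip + l4


if __name__ == "__main__":
    # Constructed sample: a Web client reaching a Web server, copied by a mirror session with VNI 4242.
    print(parse_vxlan(build_vxlan(4242, "198.51.100.10", "10.88.9.107")))
```

To use it on a real capture, filter for UDP destination port 4789 on the monitoring interface and hand each UDP payload to parse_vxlan(); frames whose VNI does not match any mirror session you created indicate traffic that is reaching the port from somewhere else.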

Enabling HTTP health checks for Network Security monitoring ports on AWS

You can enable an HTTP server running on monitoring ports to respond to HTTP health check heartbeats. The health check
functionality can be used to monitor the health of the Network Security instance.

To enable HTTP health checks:

1. Log in to the Network Security CLI.
2. Go to CLI configuration mode:

hostname > enable
hostname # configure terminal

3. Enable HTTP health checks:

hostname (config) # policymgr interface <port-pair> health-check http port <port>

where <port-pair> is the inline interface pair (for example, A) and <port> is the port number (1–65535) on which the
HTTP server listens.
4. Verify your changes:

hostname (config) # show policymgr interfaces

To disable HTTP health checks:

1. Log in to the Network Security CLI.
2. Go to CLI configuration mode:

hostname > enable
hostname # configure terminal

3. Disable HTTP health checks.


To disable health checks on all HTTP ports configured on an interface:
hostname (config) # no policymgr interface <port-pair> health-check http

To disable health checks on a specific HTTP port configured on an interface:


hostname (config) # no policymgr interface <port-pair> health-check http port <port>

4. Verify your changes:


hostname (config) # show policymgr interfaces

Examples

The following example enables HTTP health checks on interface pair A using port 80.

hostname (config) # policymgr interface A health-check http port 80


hostname (config) # show policymgr interfaces

Policy enabled: yes

Interface A
Active : yes
op mode : block (enforcing)
fail-safe : close
policy : mixed
tolerance : 1
Ports : pether3 pether4
QinQ : no
QinQ-evt : 0x88a8
Health Port : 80

The following example disables HTTP health checks on interface pair A.

hostname (config) # no policymgr interface A health-check http


hostname (config) # show policymgr interfaces

Interface A
...
Health Port :
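
The following Python code is an added example, not part of this guide or of the Network Security CLI: it performs the same HTTP probe that a Gateway Load Balancer target group performs against the health-check port enabled above (TCP connect, GET, inspect the status code), and folds a series of results into a healthy or unhealthy state using the same consecutive-threshold logic a load balancer applies. The stub responder embedded in it stands in for the appliance so the code runs offline; the success code 200 (the default matcher of an AWS target group health check), the request path / and the User-Agent string are assumptions.

```python
"""Probe the HTTP health-check responder on a monitoring port (added example, not from the guide)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Iterable, List, Tuple

# A target group's HTTP health check only counts the configured success codes; 200 is the default matcher.
DEFAULT_SUCCESS_CODES = (200,)


def probe_health(host: str, port: int, path: str = "/", timeout: float = 5.0,
                 success_codes: Iterable[int] = DEFAULT_SUCCESS_CODES) -> Tuple[bool, str]:
    """One check, done the way a load balancer does it: TCP connect, HTTP GET, inspect the status code."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path, headers={"User-Agent": "nx-healthcheck-probe"})
        resp = conn.getresponse()
        resp.read()
        conn.close()
    except (OSError, http.client.HTTPException) as exc:
        # Connection refused, timeout and malformed responses all count as a failed probe.
        return False, f"{type(exc).__name__}: {exc}"
    return resp.status in tuple(success_codes), f"HTTP {resp.status}"


def target_state(results: List[bool], healthy_threshold: int = 3, unhealthy_threshold: int = 3) -> str:
    """Fold a sequence of probe outcomes into a state using consecutive-result thresholds."""
    state, streak, last = "initial", 0, None
    for ok in results:
        streak = streak + 1 if ok == last else 1
        last = ok
        if ok and streak >= healthy_threshold:
            state = "healthy"
        elif not ok and streak >= unhealthy_threshold:
            state = "unhealthy"
    return state


class _StubResponder(BaseHTTPRequestHandler):
    """Constructed stand-in for the appliance's responder: 200 on '/', 503 for anything else."""

    def do_GET(self):
        self.send_response(200 if self.path == "/" else 503)
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_stub_responder() -> Tuple[HTTPServer, int]:
    """Start the stub on an ephemeral loopback port; returns the server and its port."""
    srv = HTTPServer(("127.0.0.1", 0), _StubResponder)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_stub_responder()
    outcomes = [probe_health("127.0.0.1", port)[0] for _ in range(3)]
    print("state after three probes:", target_state(outcomes))
    srv.shutdown()
```

Against a real deployment, point probe_health() at the monitoring interface address and the port you passed to the policymgr command from an instance in the same VPC; a refused connection means the HTTP server is not enabled on that port pair or a security group is blocking the probe, while a status outside the matcher means the target group would mark the appliance unhealthy.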

Deploying virtual Central Management appliances on Amazon Web Services (AWS)

An AMI (Amazon Machine Image) is a template that contains the software configuration needed to deploy a virtual Central
Management System appliance (known as an instance in AWS). The software configuration includes the operating system,
application server, and applications that are needed to launch the instance.

The following table summarizes the steps to launch a Central Management System instance in Amazon Web Services (AWS).

Note

This document provides the basic steps for launching Trellix virtual appliances, and assumes familiarity with launching virtual
machines in AWS. For comprehensive information, see the AWS documentation provided by Amazon.

Task                                                     Description
1. Launch the instance.                                  Some settings are defined by your system administrator. Other
                                                         settings are required for the Central Management System
                                                         instance. For instructions, see Launching a Central Management
                                                         instance on AWS.
2. (Optional) Apply the activation code and configure    See Configuring the activation code and initial admin password.
   the initial admin password for the appliance.
3. (If using a static IP address for the ether1          See Configuring a static IP address for the ether1 interface.
   interface) Configure the IP address.                  NOTE: This step is required if you use a static IP address for
                                                         the interface. If you use DHCP instead, make sure the lease is
                                                         persistent to maintain the connection with the managed
                                                         appliances.
4. Perform the initial configuration of the appliance.   See Performing the initial CM configuration.
                                                         CAUTION: In the "Primary IP address and masklen?" step of the
                                                         configuration jump-start wizard, enter the same values you
                                                         configured when you launched the instance on AWS.
5. (Optional) If you determine your instance is too      See Changing an AWS instance type.
   small or too large for your needs, you can change
   the instance type.

Launching a Central Management instance on AWS

This topic describes how to launch a Central Management System instance on AWS.

Important

The navigation instructions and user interface may vary based on the AWS Management Console version that is running
when you deploy your appliances.

Note

This procedure covers the required settings for a Trellix virtual appliance. You can accept the default values for the other
settings, or specify values that are appropriate for your environment.

To launch a Central Management System instance on AWS:

1. Go to the AWS login page and log in using your AWS ID.
2. On the Profile page, select your AWS role and then click AWS Console URL.
3. On the next page, click AWS Console login. The AWS Management Console opens.
4. In the navigation bar at the top of the console, select the region for the instance.
5. In the AWS services section, select EC2.
6. Click Launch Instance in the Create Instance section.
7. On the Choose an Amazon Machine Image (AMI) page, locate the AMI for the Central Management System model. For
example, locate "FireEyeCMCloudVec2nitro." Then click Select.
8. On the Choose an Instance Type page, select a type that meets your requirements as listed in Central Management System
Requirements. Then click Next: Configure Instance Details.
9. On the Configure Instance Details page, select the management network and subnet from the Network and Subnet
drop-down lists, and specify other settings provided by your network administrator. Click Next: Add Storage.

Note

Trellix recommends that you configure a static IP address in the Primary IP field in the Network interfaces section at
the bottom of the page.

10. On the Add Storage page, keep the default settings and then click Next: Add Tags.
11. (If required by your AWS administrator) On the Add Tags page, provide key and value combinations. Then click Next:
Configure Security Group.
12. On the Configure Security Group page, select or add the security group that defines firewall rules that control traffic to the
Central Management System instance. Then click Review and Launch.

Important

Trellix recommends using a security group defined for your organization instead of the default security group. The default group allows all inbound traffic from other members of the same group and all outbound traffic; the group you use should restrict inbound access to the management interface to the administrative hosts and protocols (such as SSH) that need it.

13. On the Review Instance Launch page, review the details about your instance. Click the appropriate Edit link if you need to
make changes. When you are satisfied with the details, click Launch.
14. In the Select an existing key pair or create a new key pair dialog box:
a. Select an existing pair or create a new one. To use the key pair you created when you were set up to use Amazon EC2,
click Choose an existing key pair, and then select that key.

Important

Store the name of the key pair and the private key in a secure location.

b. Select the checkbox to confirm that you agree to the acknowledgement statement, and then click Launch Instances.

Configuring the activation code and initial Admin password

This topic describes how to apply the activation code to the virtual appliance instance and configure a password for the initial
admin user.

Important

This procedure is optional. If you skip this procedure, you will be prompted to enter the activation code and change the
password when you log into the initial SSH session to perform the initial configuration of the appliance.

To apply the activation code to the instance:

1. Open the EC2 Management Console.

2. Select Instances > Instances in the left pane.


3. Right-click the instance, and select Instance State > Stop.
4. Right-click the instance, and select Instance Settings > View/Change User Data.

5. Copy and paste the following script in the User Data field. Replace <code> with the activation code for the instance that
was included in the onboarding email from Trellix and replace <password> with the new password for the initial admin
user.

{ "va_bootstrap": {
"activation_code": "<code>",
"reset_admin_password": "<password>"

}
}

Important

The syntax (including the indentation) must match what is shown in this step. Otherwise, you will be unable to establish
a password-authenticated SSH session with the instance.

6. Click Save.
7. Right-click the instance, and select Instance State > Start.

Note

Trellix recommends that you clear the User Data field after the virtual appliance is deployed. User data is stored unencrypted: it is returned to any principal allowed to call ec2:DescribeInstanceAttribute on the instance, and any process on the instance can read it from the instance metadata service. Leaving it in place leaves the activation code and the initial admin password recoverable.

Configuring a static IP address for the ether1 interface

This topic describes how to manually configure a static IP address for the ether1 (management) interface.

Important

If you plan to use a static address and do not complete this procedure before answering no to the "Use DHCP on ether1 interface?" step, you will lose SSH access to the management interface. To restore access, stop and then start the instance from the EC2 Management Console.

Note

Perform this procedure before you start the configuration jump-start wizard. If you already started the wizard, enter CTRL+C
to exit it before you respond to the "Use DHCP on ether1 interface?" step.

To configure a static IP address:

1. Go to CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Configure the IP address and subnet mask:

hostname (config) # interface <interface name> ip address <ip address> /<mask>

Important

Configure the same values you configured when you launched the instance on AWS.

3. Configure the default gateway:

hostname (config) # ip default-gateway <gateway IP>

4. Save your changes:

hostname (config) # write memory

5. Enter the configuration wizard:

hostname (config) # configuration jump-start

6. Perform the initial configuration of the appliance.

Important

Enter no to the "Use DHCP on ether1 interface?" step.

Performing the initial Central Management configuration using AWS

The management interface is the port through which the Central Management System instance is managed and administered. It
is also the port through which integration of the Central Management System instance and managed appliances is managed.

Initial settings need to be configured to set up the management interface and to allow access to the network, change the default
admin password, and so on.

To perform the initial configuration of a Central Management System instance:

1. Connect to the instance through an SSH client.
2. At the login prompt, enter admin.
3. Do one of the following:

• Use the ssh -i command to establish the SSH session with the private key of the key pair you selected when you launched the instance. For example: ssh -i /path/<my-key-pair>.pem admin@<instance>. When prompted, change the password using the username admin password <new password> command. You will be logged out. Log in again using the new password.

• At the password prompt, enter the initial password you configured in Configuring the activation code and initial Admin password.

4. Accept the license agreement. The configuration jump-start wizard begins.


5. Answer the wizard questions as described in the following table.

Important

If you want to configure a static IP address instead of using DHCP, see Configuring a static IP address for the ether1
interface.

Note

If you enter yes in the "Use DHCP on ether1 interface?" step, the ether1 interface will obtain its IP address from the AWS
eth0 device.

Step Response

Enter activation code?
    Enter the activation code for the appliance. (This step is skipped if you provided the activation code in Configuring the activation code and initial Admin password.)

Hostname?
    Enter the hostname for the appliance.

Admin password?
    (Optional) Enter a new administrator password.

Confirm admin password?
    Re-enter the new administrator password.

Enable remote access for 'admin' user?
    Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Use DHCP on ether1 interface?
    Important: See the first two notes preceding this table before responding to this step.
    Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the appliance IP address and other network parameters. Enter no to manually configure your IP address and network settings. (If you enter yes, the zeroconf and static IP addressing steps are skipped.)

Use zeroconf on ether1 interface?
    Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network mask. (If you specify yes, the next step is skipped.) Note: Do not use zeroconf on the primary interface.

Primary IP address and masklen?
    Enter the IP address for the management interface in A.B.C.D format and enter the network mask (for example, 1.1.1.2 /24). Note: Configure the same values you configured when you launched the instance on AWS.

Default gateway?
    Enter the gateway IP address for the management interface.

Primary DNS server?
    Enter the IP address of the DNS server.

Domain name?
    Enter the domain for the management interface (for example, it.acme.com).

Enable fenet service?
    Enter yes to enable access to the DTI network. (If you enter no, the next three steps are skipped.)

Enable fenet license update service?
    Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product license key and the step that prompts for the security-content updates key.)

Sync appliance time with fenet?
    Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service, synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Update licenses from fenet?
    Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Enable NTP?
    Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers. Enter no to manually set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync appliance time with fenet?" step.) If you enter no, specify the time and date in subsequent steps.

Enable FaaS VPN?
    Enter yes to enable the appliance to connect to Managed Defense (formerly called Trellix as a Service) over the Internet using a secure SSL VPN connection. (This step is skipped if no MD_ACCESS license is installed.)

Set time (<hh>:<mm>:<ss>)?
    Enter the appliance time in Greenwich Mean Time (GMT) (UTC+0). (This step and the next step are skipped if you entered yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Set date (<yyyy>/<mm>/<dd>)?
    Enter the appliance date in Greenwich Mean Time (GMT) (UTC+0).

Enable IPv6?
    Enter yes to enable the IPv6 protocol, which changes network IP routing from IPv4 to IPv6. (This step and the next two steps are performed automatically if you entered yes in the "Enable FaaS VPN?" step.)

Enable IPv6 autoconfig (SLAAC) on ether1 interface?
    Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you entered no in the "Enable IPv6?" step.)

Enable DHCPv6 on ether1 interface?
    Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the "Use DHCP on ether1 interface?" or "Enable IPv6?" step.)

Configure CMS HA?
    Enter yes to configure the Central Management System appliance in a high availability (HA) environment. (For the remaining HA configuration steps, see the Central Management System High Availability Guide.) Note: Central Management System HA is not supported on all virtual CM models.

Product license key?
    Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation license. (This step and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and if licenses were successfully installed as a result.)

Security-content updates key?
    Enter the security-content license key you obtained from Trellix, or press Enter to skip this step and install the license later.

Deploying virtual Email Security appliances on Amazon Web Services (AWS)

An AMI (Amazon Machine Image) is a template that contains the software configuration needed to deploy a virtual Email Security
— Server appliance (known as an instance in AWS). The software configuration includes the operating system, application server,
and applications that are needed to launch the instance. The software configuration also contains the guest images that you
need to install after the Email Security — Server appliance is deployed.

Important

The Email Security — Server appliance is deployed using a bare metal instance. The appliance runs in MVX integrated mode,
not MVX sensor mode. It processes its own submissions instead of sending them to a Cloud MVX or MVX Smart Grid cluster.

The following table summarizes the steps to launch a virtual Email Security — Server instance in Amazon Web Services (AWS).

Note

This document provides the basic steps for launching Trellix virtual appliances, and assumes familiarity with launching virtual
machines in AWS. For comprehensive information, see the AWS documentation provided by Amazon.

Task Description

1. Launch the instance.
    Some settings are defined by your system administrator. Other settings are required for the Email Security — Server appliance. For instructions, see Launching a virtual Email Security — Server instance on AWS.

2. (Optional) Apply the activation code and configure the initial admin password for the appliance.
    See Configuring the activation code and initial Admin password.

3. (If using a static IP address for the ether1 interface) Configure the IP address.
    See Configuring a static IP address for the ether1 interface. Note: This step is required only if you configure a static address on the appliance itself. Trellix recommends that you instead let the appliance use DHCP; the ether1 interface then obtains the primary private IP address assigned to the instance's network interface in AWS.

4. Perform the initial configuration of the appliance.
    See Performing the initial Email Security — Server configuration using AWS.

5. Configure multiple network interfaces.
    See Configuring multiple network interfaces.

6. Install guest images.
    Run the guest-images install command from the Email Security — Server CLI.

Prerequisites

• Trellix AMIs in the US West region are copied to My AMIs in your region.
• Access to the AWS Management Console.
• Items from your AWS administrator, such as the network, subnet, and IP addresses for the instance, and key pairs and
security groups to secure the instance.
• Items from Trellix, such as the activation code and licenses for your instance.

Launching an Email Security instance on AWS

This topic describes how to launch an Email Security — Server instance on AWS.

Important

The navigation instructions and user interface may vary based on the AWS Management Console version that is running
when you deploy your appliances.

Note

This procedure covers the required settings for a Trellix virtual appliance. You can accept the default values for the other
settings, or specify values that are appropriate for your environment.

To launch an Email Security — Server instance on AWS:

1. Go to the AWS login page and log in using your AWS ID.
2. On the Profile page, select your AWS role and then click AWS Console URL.
3. On the next page, click AWS Console login. The AWS Management Console opens.
4. In the navigation bar at the top of the console, select the region for the instance.
5. In the AWS services section, select EC2.
6. Click Launch Instance in the Create Instance section.
7. On the Choose an Amazon Machine Image (AMI) page, locate the AMI for the Email Security — Server model
(FireEyeEX7700CloudEc2c5metal). Then click Select.
8. On the Choose an Instance Type page, select c5.metal. Then click Next: Configure Instance Details.
9. On the Configure Instance Details page, select the management network and subnet from the Network and Subnet
drop-down lists, and specify other settings provided by your network administrator. Click Next: Add Storage.

Note

Trellix recommends that you configure a static IP address in the Primary IP field in the Network interfaces section at
the bottom of the page.

10. On the Add Storage page, keep the default settings and then click Next: Add Tags.
11. (If required by your AWS administrator) On the Add Tags page, provide key and value combinations. Then click Next:
Configure Security Group.
12. On the Configure Security Group page, select or add the security group that defines firewall rules that control traffic to the
Email Security — Server instance. Then click Review and Launch.

Important

Trellix recommends using a security group defined for your organization instead of the default security group. The default group allows all inbound traffic from other members of the same group and all outbound traffic; the group you use should restrict inbound access to the management interface to the administrative hosts and protocols (such as SSH) that need it.

13. On the Review Instance Launch page, review the details about your instance. Click the appropriate Edit link if you need to
make changes. When you are satisfied with the details, click Launch.
14. In the Select an existing key pair or create a new key pair dialog box:
a. Select an existing pair or create a new one. To use the key pair you created when you were set up to use Amazon EC2,
click Choose an existing key pair, and then select that key.

Important

Store the name of the key pair and the private key in a secure location.

b. Select the checkbox to confirm that you agree to the acknowledgement statement, and then click Launch Instances.

Configuring the activation code and initial Admin password

This topic describes how to apply the activation code to the virtual appliance instance and configure a password for the initial
admin user.

Important

This procedure is optional. If you skip this procedure, you will be prompted to enter the activation code and change the
password when you log into the initial SSH session to perform the initial configuration of the appliance.

To apply the activation code to the instance:

1. Open the EC2 Management Console.


2. Select Instances > Instances in the left pane.
3. Right-click the instance, and select Instance State > Stop.
4. Right-click the instance, and select Instance Settings > View/Change User Data.

5. Copy and paste the following script in the User Data field. Replace <code> with the activation code for the instance that
was included in the onboarding email from Trellix and replace <password> with the new password for the initial admin
user.

{ "va_bootstrap": {
"activation_code": "<code>",
"reset_admin_password": "<password>"

}
}

Important

The syntax (including the indentation) must match what is shown in this step. Otherwise, you will be unable to establish
a password-authenticated SSH session with the instance.

6. Click Save.
7. Right-click the instance, and select Instance State > Start.

Note

Trellix recommends that you clear the User Data field after the virtual appliance is deployed. User data is stored unencrypted: it is returned to any principal allowed to call ec2:DescribeInstanceAttribute on the instance, and any process on the instance can read it from the instance metadata service. Leaving it in place leaves the activation code and the initial admin password recoverable.
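The following Python script is an added example, not part of this guide or of Trellix's own tooling, and it serves this procedure and the identical one for the Central Management System instance. It builds the va_bootstrap document in the layout shown above, base64-encodes it the way the EC2 API carries user data, and audits the output of aws ec2 describe-instance-attribute --attribute userData to confirm the field really was cleared after deployment. The instance ID, activation code and password are placeholders, and the API response is constructed inline rather than fetched from AWS.

```python
"""Build, encode and audit the va_bootstrap user data described in this guide.

Added example, not Trellix code. It makes no AWS calls: the sample API
response below is constructed inline. The instance ID, activation code and
password are placeholders.
"""
import base64
import json

FIELDS = ("activation_code", "reset_admin_password")


def build_bootstrap_user_data(activation_code: str, admin_password: str) -> str:
    """Return the user-data text in the layout the guide shows."""
    if not activation_code or not admin_password:
        raise ValueError("activation code and password must both be set")
    # json.dumps() escapes quotes and backslashes; the outer quotes are
    # stripped so the text keeps the guide's line layout.
    code = json.dumps(activation_code)[1:-1]
    password = json.dumps(admin_password)[1:-1]
    return (
        '{ "va_bootstrap": {\n'
        f'"activation_code": "{code}",\n'
        f'"reset_admin_password": "{password}"\n'
        "}\n"
        "}\n"
    )


def parse_bootstrap(document: str) -> dict:
    """Return the va_bootstrap section of a user-data document, or {} if absent."""
    try:
        parsed = json.loads(document)
    except json.JSONDecodeError:
        return {}
    if isinstance(parsed, dict) and isinstance(parsed.get("va_bootstrap"), dict):
        return parsed["va_bootstrap"]
    return {}


def to_user_data_value(document: str) -> str:
    """Base64-encode the text, which is how the EC2 API carries user data."""
    return base64.b64encode(document.encode()).decode()


def from_user_data_value(value: str) -> str:
    """Decode the base64 UserData.Value that describe-instance-attribute returns."""
    return base64.b64decode(value).decode(errors="replace")


def bootstrap_secrets_present(describe_attribute_response: dict) -> dict:
    """Report which bootstrap fields still sit in an instance's user data.

    Input is the JSON that `aws ec2 describe-instance-attribute
    --attribute userData --instance-id <id>` returns. Anything readable
    here is also readable from the instance metadata service, so a True
    result means the activation code or admin password is still exposed.
    """
    value = describe_attribute_response.get("UserData", {}).get("Value")
    if not value:
        return {field: False for field in FIELDS}
    text = from_user_data_value(value)
    section = parse_bootstrap(text)
    if section:
        return {field: bool(section.get(field)) for field in FIELDS}
    # Not the expected JSON: a substring match still catches a malformed
    # but secret-bearing document.
    return {field: field in text for field in FIELDS}


# Constructed sample responses (placeholder values, not real credentials).
SAMPLE_DOCUMENT = build_bootstrap_user_data("ACTV-0000-EXAMPLE", "Example#Passw0rd")
SAMPLE_UNCLEARED = {
    "InstanceId": "i-0123456789abcdef0",
    "UserData": {"Value": to_user_data_value(SAMPLE_DOCUMENT)},
}
SAMPLE_CLEARED = {"InstanceId": "i-0123456789abcdef0", "UserData": {}}

if __name__ == "__main__":
    print(SAMPLE_DOCUMENT)
    print("before clearing:", bootstrap_secrets_present(SAMPLE_UNCLEARED))
    print("after clearing: ", bootstrap_secrets_present(SAMPLE_CLEARED))
```

Run bootstrap_secrets_present over the describe-instance-attribute output of every appliance instance after deployment; any True result is an instance whose user data was not cleared.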

Configuring a static IP address for the ether1 interface

This topic describes how to manually configure a static IP address for the ether1 (management) interface.

Important

If you plan to use a static address and do not complete this procedure before answering no to the "Use DHCP on ether1 interface?" step, you will lose SSH access to the management interface. To restore access, stop and then start the instance from the EC2 Management Console.

Note

Perform this procedure before you start the configuration jump-start wizard. If you already started the wizard, enter CTRL+C
to exit it before you respond to the "Use DHCP on ether1 interface?" step.

To configure a static IP address:

1. Go to CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Configure the IP address and subnet mask:

hostname (config) # interface <interface name> ip address <ip address> /<mask>

Important

Configure the same values you configured when you launched the instance on AWS.

3. Configure the default gateway:

hostname (config) # ip default-gateway <gateway IP>

4. Save your changes:

hostname (config) # write memory

5. Enter the configuration wizard:

hostname (config) # configuration jump-start

6. Perform the initial configuration of the appliance.

Important

Enter no to the "Use DHCP on ether1 interface?" step.

Performing the initial Email Security configuration using AWS

The management interface is the port through which the Email Security — Server appliance is managed and administered. It is
also the port through which the integration of a Central Management System appliance and managed appliances is managed.

Initial settings need to be configured to set up the management interface and to allow access to the network, change the default
admin password, and so on.

To perform the initial configuration of an Email Security — Server instance:

1. Connect to the instance through an SSH client.
2. At the login prompt, enter admin.
3. Do one of the following:

• Use the ssh -i command to establish the SSH session with the private key of the key pair you selected when you launched the instance. For example: ssh -i /path/<my-key-pair>.pem admin@<instance>. When prompted, change the password using the username admin password <new password> command. You will be logged out. Log in again using the new password.

• At the password prompt, enter the initial password you configured in Configuring the activation code and initial Admin password.

4. Accept the license agreement. The configuration jump-start wizard begins.


5. Answer the wizard questions as described in the following table.

Important

If you want to configure a static IP address instead of using DHCP, see Configuring a static IP address for the ether1
interface.

Note

If you enter yes in the "Use DHCP on ether1 interface?" step, the ether1 interface will obtain its IP address from the AWS
eth0 device.

Step Response

Enter activation code?
    Enter the activation code for the appliance. (This step is skipped if you provided the activation code in Configuring the activation code and initial Admin password.)

Hostname?
    Enter the hostname for the appliance.

Admin password?
    (Optional) Enter a new administrator password.

Confirm admin password?
    Re-enter the new administrator password.

Enable remote access for 'admin' user?
    Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Use DHCP on ether1 interface?
    Important: See the first two notes preceding this table before responding to this step.
    Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the appliance IP address and other network parameters. Enter no to manually configure your IP address and network settings. (If you enter yes, the zeroconf and static IP addressing steps are skipped.)

Use zeroconf on ether1 interface?
    Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network mask. (If you specify yes, the next step is skipped.) Note: Do not use zeroconf on the primary interface.

Primary IP address and masklen?
    Enter the IP address for the management interface in A.B.C.D format and enter the network mask (for example, 1.1.1.2 /24). Important: Configure the same values you configured when you launched the instance on AWS.

Default gateway?
    Enter the gateway IP address for the management interface.

Primary DNS server?
    Enter the IP address of the DNS server.

Domain name?
    Enter the domain for the management interface (for example, it.acme.com).

Enable fenet service?
    Enter yes to enable access to the DTI network. (If you enter no, the next three steps are skipped.)

Enable fenet license update service?
    Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product license key and the step that prompts for the security-content updates key.)

Sync appliance time with fenet?
    Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service, synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Update licenses from fenet?
    Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Enable NTP?
    Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers. Enter no to manually set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync appliance time with fenet?" step.) If you enter no, specify the time and date in subsequent steps.

Enable FaaS VPN?
    Enter yes to enable the appliance to connect to Managed Defense (formerly called Trellix as a Service) over the Internet using a secure SSL VPN connection. (This step is skipped if no MD_ACCESS license is installed.)

Set time (<hh>:<mm>:<ss>)?
    Enter the appliance time in Greenwich Mean Time (GMT) (UTC+0). (This step and the next step are skipped if you entered yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Set date (<yyyy>/<mm>/<dd>)?
    Enter the appliance date in Greenwich Mean Time (GMT) (UTC+0).

Enable IPv6?
    Enter yes to enable the IPv6 protocol, which changes network IP routing from IPv4 to IPv6. (This step and the next two steps are performed automatically if you entered yes in the "Enable FaaS VPN?" step.)

Enable IPv6 autoconfig (SLAAC) on ether1 interface?
    Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you entered no in the "Enable IPv6?" step.)

Enable DHCPv6 on ether1 interface?
    Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the "Use DHCP on ether1 interface?" or "Enable IPv6?" step.)

Product license key?
    Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation license. (This step and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and if licenses were successfully installed as a result.)

Security-content updates key?
    Enter the security-content license key you obtained from Trellix, or press Enter to skip this step and install the license later.

Configuring multiple network interfaces

The ether1 interface on the Email Security — Server AWS instance is the only interface that is created by default. You can create
multiple network interfaces (ether2, ether3, and so on) and attach them to your Email Security — Server AWS instance.

The following table shows the default Email Security — Server interfaces and their purpose.

Email Security — Server Interface Purpose

ether1 Management interface

pether3 Network monitoring interface

Creating network interfaces

This section describes how to create a network interface for your Email Security — Server instance.

To create a network interface:

1. Open the Amazon EC2 console.
2. In the left pane, select Network & Security > Network Interfaces.
3. Click Create Network Interface.
4. Enter information that uniquely identifies the interface in the Description field.
5. Select the subnet for the interface in the Subnet drop-down list.

Important

Each interface must be in a separate subnet.

6. Select Custom to manually configure a static IPv4 address.
7. Enter the custom static IPv4 address in the IPv4 address field.
8. Complete the Elastic Fabric Adapter and Security groups fields as directed by your AWS administrator.
9. Click Create.
10. Repeat this procedure for each network interface.
11. Continue to Attaching network interfaces.

Attaching network interfaces

This section describes how to attach a network interface to your Email Security — Server instance.

To attach a network interface:

1. Open the EC2 console.
2. Select Instances > Instances in the left pane.
3. Right-click the instance and then select Networking > Attach Network Interface. The Attach Network Interface dialog box opens.
4. Select the interface with the lowest number in the Network Interface drop-down list (for example, ether2) and then click Attach.
5. Repeat the previous step for each network interface.

Important

Attach the interfaces in numeric order. For example, attach pether3 before pether4.

6. Disable source and destination checks on each monitor interface. With the check enabled, AWS discards packets that the interface neither sent nor is the addressed destination of, so a monitoring interface would never receive the traffic it is meant to inspect.
a. Select the interface.
b. Right-click and select Change Source/Dest. Check. The Source/Dest. Check dialog box opens.
c. Select Disabled and then click Save.

7. Stop the instance:
a. Select Instances in the navigation pane.
b. Select the instance, right-click, and then select Instance State > Stop.
8. Restart the instance:

• Select the instance, right-click, and then select Instance State > Start.

Important

Do not perform this step if you plan to perform the optional procedure Configuring the activation code and initial Admin password, which starts the instance itself after the user data has been set.
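The following Python script is an added example, not Trellix code. Given the interfaces you created in the previous procedure, it checks that no two share a subnet, orders them as this procedure requires, and prints the AWS CLI equivalents of the attach and source/destination-check steps instead of running them. The ENI IDs, subnets and instance ID are constructed placeholders. One assumption the guide does not state: that the appliance numbers its interfaces in device-index order, with ether1 as the primary interface at device index 0, so ether2 gets index 1 and pether3 index 2.

```python
"""Plan ENI attachment order and source/dest-check settings for the procedure above.

Added example, not Trellix code. It prints AWS CLI commands instead of running
them. ENI IDs, subnets and the instance ID are constructed placeholders.
Assumption not stated in the guide: the appliance numbers interfaces in
device-index order, ether1 being the primary interface at device index 0.
"""
import ipaddress
import re

_NAME = re.compile(r"p?ether(\d+)")


def interface_number(name: str) -> int:
    """ether2 -> 2, pether3 -> 3; anything else is rejected."""
    match = _NAME.fullmatch(name)
    if match is None:
        raise ValueError(f"unrecognised interface name {name!r}")
    return int(match.group(1))


def is_monitor_interface(name: str) -> bool:
    """pether* interfaces carry monitored traffic and need the source/dest check off."""
    return name.startswith("pether")


def plan_attachments(instance_id: str, enis: list) -> tuple:
    """Order the ENIs and emit the attach / source-dest-check commands.

    Each ENI is {"id": ..., "name": ..., "subnet": ...}. Returns
    (ordered ENI list, list of aws CLI command strings).
    """
    if not enis:
        raise ValueError("no interfaces to attach")
    # The guide requires each interface to be in a separate subnet.
    subnets = [ipaddress.ip_network(e["subnet"], strict=True) for e in enis]
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"interfaces share subnet {a} / {b}")
    numbers = [interface_number(e["name"]) for e in enis]
    if len(set(numbers)) != len(numbers) or 1 in numbers:
        raise ValueError("interface names must be unique, and ether1 already exists")
    # Attach lowest-numbered first so device indexes follow interface numbers.
    ordered = sorted(enis, key=lambda e: interface_number(e["name"]))
    cmds = []
    for eni in ordered:
        device_index = interface_number(eni["name"]) - 1  # ether1 is index 0 (assumption)
        cmds.append(
            f"aws ec2 attach-network-interface --instance-id {instance_id} "
            f"--network-interface-id {eni['id']} --device-index {device_index}"
        )
        if is_monitor_interface(eni["name"]):
            # Without this, AWS drops packets the interface neither sent nor is addressed to.
            cmds.append(
                f"aws ec2 modify-network-interface-attribute "
                f"--network-interface-id {eni['id']} --no-source-dest-check"
            )
    return ordered, cmds


# Constructed sample input (placeholder identifiers).
SAMPLE_INSTANCE = "i-0123456789abcdef0"
SAMPLE_ENIS = [
    {"id": "eni-0bbbbbbbbbbbbbbbb", "name": "pether4", "subnet": "10.2.76.0/24"},
    {"id": "eni-0aaaaaaaaaaaaaaaa", "name": "pether3", "subnet": "10.2.75.0/24"},
    {"id": "eni-0ccccccccccccccccc", "name": "ether2", "subnet": "10.2.77.0/24"},
]

if __name__ == "__main__":
    _, commands = plan_attachments(SAMPLE_INSTANCE, SAMPLE_ENIS)
    print("\n".join(commands))
    print("# then stop and start the instance, as the procedure says")
```

The printed commands are the CLI form of steps 3 to 6; the stop/start in steps 7 and 8 is still done afterwards, or skipped if you go on to set the user data.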

Configuring the interface for email analysis

1. Enable the interface:

hostname (config) # no interface <interface name> shutdown

Ignore any error that is displayed; it does not affect operation.
2. Set the IP address for the interface manually:

hostname (config) # interface <interface name> ip address <ip address> /<mask>

3. (Optional) Enable other interfaces in a similar manner.
4. Configure the interface for email analysis:

hostname (config) # email-analysis interface <interface_name>

5. (Optional) If the destination MTA is not on the same subnet as the newly configured interface, add a static route to the destination MTA through a next-hop gateway on that subnet. Without it, traffic to the MTA follows the default route through ether1 instead of leaving through the analysis interface.

In this example, the default gateway (172.16.1.1) is reached through ether1, but SMTP traffic to the MTAs (10.2.74.130 and 10.2.74.131) must leave through pether3. Because the MTAs are not on the pether3 subnet (10.2.75.0/24), a host route for each MTA is configured through a gateway on that subnet (10.2.75.254).

hostname (config) # interface ether1 ip address 172.16.216.60 /12
hostname (config) # interface pether3 ip address 10.2.75.13 /24
hostname (config) # ip default-gateway 172.16.1.1
hostname (config) # ip route 10.2.74.130 255.255.255.255 10.2.75.254
hostname (config) # ip route 10.2.74.131 255.255.255.255 10.2.75.254
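The following Python script is an added example, not Trellix code. It serves the static IP procedure (Configuring a static IP address for the ether1 interface, for both the Central Management System and Email Security instances) as well as the routing step above: it takes the addresses your AWS administrator provided, rejects an address that AWS reserves in the subnet or a gateway that is not on the interface's subnet, and renders the CLI commands in the syntax this guide uses. The checks are this example's own; that the first usable address of a VPC subnet belongs to the VPC router is an AWS fact; the sample addresses are the ones in the example above, used as given.

```python
"""Render appliance CLI network commands from the VPC facts you were given.

Added example, not Trellix code. The command syntax (interface ... ip address,
ip default-gateway, ip route, email-analysis interface) is the syntax this
guide shows; the checks are this example's own. Sample addresses are the
guide's example values.
"""
import ipaddress


def vpc_router_address(subnet_cidr: str) -> str:
    """First usable host of a subnet, which AWS reserves for the VPC router.

    Use it as the default gateway when your AWS administrator did not name one.
    """
    net = ipaddress.ip_network(subnet_cidr, strict=False)
    return str(net.network_address + 1)


def vpc_reserved_addresses(network: ipaddress.IPv4Network) -> set:
    """The five addresses AWS reserves in every IPv4 subnet (base+0..3, broadcast)."""
    base = network.network_address
    return {base + i for i in range(4)} | {network.broadcast_address}


def interface_commands(name: str, address: str, prefixlen: int, gateway: str = None) -> list:
    """Commands for one interface; a gateway, if given, must be on-link."""
    iface = ipaddress.ip_interface(f"{address}/{prefixlen}")
    if iface.ip in vpc_reserved_addresses(iface.network):
        raise ValueError(f"{address} is an AWS-reserved address in {iface.network}")
    cmds = [f"interface {name} ip address {iface.ip} /{iface.network.prefixlen}"]
    if gateway is not None:
        gw = ipaddress.ip_address(gateway)
        if gw not in iface.network:
            raise ValueError(f"gateway {gateway} is not on {iface.network}")
        cmds.append(f"ip default-gateway {gw}")
    return cmds


def mta_routes(analysis_address: str, prefixlen: int, next_hop: str, mtas: list) -> list:
    """Host routes for each MTA that is not on the analysis interface's subnet.

    On-link MTAs need no route; off-link ones get a /32 through next_hop, which
    must itself be on the analysis subnet or the route could never be used.
    """
    iface = ipaddress.ip_interface(f"{analysis_address}/{prefixlen}")
    gw = ipaddress.ip_address(next_hop)
    if gw not in iface.network:
        raise ValueError(f"next hop {next_hop} is not on {iface.network}")
    return [
        f"ip route {ipaddress.ip_address(m)} 255.255.255.255 {gw}"
        for m in mtas
        if ipaddress.ip_address(m) not in iface.network
    ]


def render_email_analysis_config(mgmt: tuple, analysis: tuple, mtas: list) -> list:
    """Full command sequence.

    mgmt = (ip, prefixlen, gateway); analysis = (name, ip, prefixlen, next_hop).
    """
    mgmt_ip, mgmt_len, mgmt_gw = mgmt
    name, an_ip, an_len, next_hop = analysis
    cmds = interface_commands("ether1", mgmt_ip, mgmt_len, mgmt_gw)
    cmds.append(f"no interface {name} shutdown")
    cmds += interface_commands(name, an_ip, an_len)
    cmds.append(f"email-analysis interface {name}")
    cmds += mta_routes(an_ip, an_len, next_hop, mtas)
    return cmds


# The guide's example values, used as given.
EXAMPLE_MGMT = ("172.16.216.60", 12, "172.16.1.1")
EXAMPLE_ANALYSIS = ("pether3", "10.2.75.13", 24, "10.2.75.254")
EXAMPLE_MTAS = ["10.2.74.130", "10.2.74.131"]

if __name__ == "__main__":
    for cmd in render_email_analysis_config(EXAMPLE_MGMT, EXAMPLE_ANALYSIS, EXAMPLE_MTAS):
        print(f"hostname (config) # {cmd}")
```

Paste the printed lines at the hostname (config) # prompt and follow them with write memory, as the static IP procedure does; the reserved-address check catches the common mistake of typing the subnet's router or broadcast address into the Primary IP field.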

Configuring advanced URL defense

1. To set up Advanced URL Defense on the interface to separate the live traffic:

hostname (config) # analysis live live-interface <interfaceName>

2. Configure the IP address of the live analysis data interface. Make sure to use the IP address of the new interface that was
configured for email analysis.

hostname (config) # analysis live external ip <ipaddress> <mask>

3. Check the live analysis configuration:

hostname (config) # analysis live check-connection

Deploying virtual Intelligent Virtual Execution - Server appliances on Amazon Web Services (AWS)

An AMI (Amazon Machine Image) is a template that contains the software configuration needed to deploy a virtual Intelligent
Virtual Execution - Server appliance (known as an instance in AWS). The software configuration includes the operating system,
application server, and applications that are needed to launch the appliance. The software configuration also contains the guest
images that you need to install after the Intelligent Virtual Execution - Server appliance is deployed.

Important

The Intelligent Virtual Execution - Server appliance is deployed using a bare metal instance. You form an MVX cluster with
virtual Intelligent Virtual Execution - Server appliances the same way you form a cluster with physical Intelligent Virtual
Execution - Server appliances. An MVX cluster must be comprised of all virtual Intelligent Virtual Execution - Server appliances
or all physical Intelligent Virtual Execution - Server, not a combination of both. Any sensor or hybrid appliance can send
submissions to an MVX cluster comprised of virtual Intelligent Virtual Execution - Server appliances.

The following table summarizes the steps to launch an Intelligent Virtual Execution - Server instance in Amazon Web Services (AWS).

Note

This document provides the basic steps for deploying Trellix virtual appliances, and assumes familiarity with launching virtual
machines in AWS. For comprehensive information, see the AWS documentation provided by Amazon.

Task Description

1. Launch the instance.
    Some settings are defined by your system administrator. Other settings are required for the Intelligent Virtual Execution - Server appliance. For instructions, see Launching a virtual Intelligent Virtual Execution - Server instance on AWS.

2. (Optional) Apply the activation code and configure the initial admin password for the appliance in the AWS Management Console.
    See Configuring the activation code and initial Admin password.

3. Configure a static IP address for the ether1 interface.
    See Configuring a static IP address for the ether1 interface.

4. Perform the initial configuration of the appliance.
    See Performing the initial Intelligent Virtual Execution - Server configuration using AWS.

5. Install guest images.
    Run the guest-images install command from the Intelligent Virtual Execution - Server CLI.

Prerequisites

• Trellix AMIs in the US West region are copied to My AMIs in your region.
• Access to the AWS Management Console.
• Items from your AWS administrator, such as the network, subnet, and IP addresses for the instance, and key pairs and
security groups to secure the instance.
• Items from Trellix, such as the activation code and licenses for your instance.

Launching a virtual Intelligent Virtual Execution - Server instance on AWS

This topic describes how to launch an Intelligent Virtual Execution - Server instance on AWS.

Important

The navigation instructions and user interface may vary based on the AWS Management Console version that is running
when you deploy your appliances.

Note

This procedure covers the required settings for a Trellix virtual appliance. You can accept the default values for the other
settings, or specify values that are appropriate for your environment.

To launch an Intelligent Virtual Execution - Server instance on AWS:

1. Go to the AWS login page and log in using your AWS ID.
2. On the Profile page, select your AWS role and then click AWS Console URL.
3. On the next page, click AWS Console login. The AWS Management Console opens.
4. In the navigation bar at the top of the console, select the region for the instance.
5. In the AWS services section, select EC2.
6. Click Launch Instance in the Create Instance section.
7. On the Choose an Amazon Machine Image (AMI) page, locate the AMI for the Intelligent Virtual Execution - Server
appliance (FireEyeVX12550CloudEc2c5metal). Then click Select.
8. On the Choose an Instance Type page, select c5.metal. Then select Next: Configure Instance Details.
9. On the Configure Instance Details page, select the management network and subnet from the Network and Subnet
drop-down lists, and specify other settings provided by your network administrator. Click Next: Add Storage.

Note

Trellix recommends that you configure a static IP address in the Primary IP field in the Network interfaces section at
the bottom of the page.

10. On the Add Storage page, keep the default settings and then click Next: Add Tags.
11. (If required by your AWS administrator) On the Add Tags page, provide key and value combinations. Then click Next:
Configure Security Group.
12. On the Configure Security Group page, select or add the security group that defines firewall rules that control traffic to the
sensor. Then click Review and Launch.

Important

Trellix recommends using a security group applicable to your organization instead of using the default security group,
which is less secure.

13. On the Review Instance Launch page, review the details about your instance. Click the appropriate Edit link if you need to
make changes. When you are satisfied with the details, click Launch.
14. In the Select an existing key pair or create a new key pair dialog box:
a. Select an existing pair or create a new one. To use the key pair you created when you were set up to use Amazon EC2,
click Choose an existing key pair, and then select that key.

Important

Store the name of the key pair and the private key in a secure location.

b. Select the checkbox to confirm that you agree to the acknowledgment statement, and then click Launch Instances.

Configuring the activation code and initial Admin password

This topic describes how to apply the activation code to the virtual appliance instance and configure a password for the initial
admin user.

Important

This procedure is optional. If you skip this procedure, you will be prompted to enter the activation code and change the
password when you log into the initial SSH session to perform the initial configuration of the appliance.

To apply the activation code to the instance:

1. Open the EC2 Management Console.
2. Select Instances > Instances in the left pane.
3. Right-click the instance, and select Instance State > Stop.
4. Right-click the instance, and select Instance Settings > View/Change User Data.

5. Copy and paste the following script in the User Data field. Replace <code> with the activation code for the instance that
was included in the onboarding email from Trellix and replace <password> with the new password for the initial admin
user.

{ "va_bootstrap": {
    "activation_code": "<code>",
    "reset_admin_password": "<password>"
  }
}

Important

The syntax (including the indentation) must match what is shown in this step. Otherwise, you will be unable to establish
a password-authenticated SSH session with the instance.

6. Click Save.
7. Right-click the instance, and select Instance State > Start.

Note

Trellix recommends that you clear the user data field after the virtual appliance is deployed.

Configuring a static IP address for the ether1 interface

This topic describes how to manually configure a static IP address for the ether1 (management) interface.

Important

If you do not follow this procedure, you will lose SSH access to the management interface. To restore access, you must stop
and then restart the instance from the EC2 Management Console.

Note

Perform this procedure before you start the configuration jump-start wizard. If you already started the wizard, enter CTRL+C
to exit it before you respond to the "Use DHCP on ether1 interface?" step.

To configure a static IP address:

1. Go to CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Configure the IP address and subnet mask:

hostname (config) # interface <interface name> ip address <ip address> /<mask>

Important

Configure the same values you configured when you launched the instance on AWS.

3. Configure the default gateway:

hostname (config) # ip default-gateway <gateway IP>

4. Save your changes:

hostname (config) # write memory

5. Enter the configuration wizard:

hostname (config) # configuration jump-start

6. Perform the initial configuration of the appliance.

Important

Enter no to the "Use DHCP on ether1 interface?" step.

Performing the initial Intelligent Virtual Execution - Server configuration using AWS

The management interface is the port through which an appliance is managed and administered. It is also the port through
which integration of the Central Management System appliance and the Intelligent Virtual Execution - Server appliance is
managed. With the single-port address type, the management interface is also the port through which a managed appliance
requests and downloads software updates from the DTI network.

Initial settings need to be configured to set up the management interface and to allow access to the network, change the default
administrator password, and so on.

To perform the initial configuration of a virtual Intelligent Virtual Execution - Server appliance:

1. Connect to the sensor through an SSH client.
2. At the login prompt, enter admin.
3. Do one of the following:

• Use the ssh -i command to use the private key file to establish the SSH session. For example,
ssh -i /path/<my-key-pair>.pem admin@<instance>. When prompted, change the password using the
username admin password <new password> command. You will be logged out. Log in again using the new password.

• At the password prompt, enter the initial password you configured in Configuring the activation code and initial
Admin password.

4. Accept the license agreement. The configuration jump-start wizard begins.
5. Answer the wizard questions as described in the following table.

Important

Before you run the jump-start wizard, complete the procedure described in Configuring a static IP address for the
ether1 interface.

Step: Enter activation code?
Response: Enter the activation code for the appliance. (This step is skipped if you provided the activation code in
Configuring the activation code and initial Admin password.)

Step: Hostname?
Response: Enter the hostname for the appliance.

Step: Admin password?
Response: (Optional) Enter a new administrator password.

Step: Confirm admin password?
Response: Re-enter the new administrator password.

Step: Enable remote access for 'admin' user?
Response: Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Step: Use DHCP on ether1 interface?
Response: DHCP is not supported on the management interface. Enter no to manually configure your IP address and
network settings.

Step: Use zeroconf on ether1 interface?
Response: Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network
mask. (If you specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary interface.

Step: Primary IPv4 address and masklen?
Response: Enter the IP address for the management interface in A.B.C.D format and enter the network mask (for example,
1.1.1.2 /24). Important: Configure the same values you configured when you launched the instance on AWS.

Step: Default gateway?
Response: Enter the gateway IP address for the management interface.

Step: Primary DNS server?
Response: Enter the IP address of the DNS server.

Step: Domain name?
Response: Enter the domain for the management interface (for example, it.acme.com).

Step: Enable fenet service?
Response: Enter yes to enable access to the DTI network. (If you enter no, the next three steps are skipped.)

Step: Enable fenet license update service?
Response: Enter yes to enable the licensing service to automatically download your licenses from the DTI network and
install them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product
license key and the step that prompts for the security-content updates key.)

Step: Sync appliance time with fenet?
Response: Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service,
synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts
to perform this step before it gives up and moves to the next step.

Step: Update licenses from fenet?
Response: Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it
gives up and moves to the next step.

Step: Enable NTP?
Response: Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers.
Enter no to manually set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync appliance
time with fenet?" step.)

Step: Set time (<hh>:<mm>:<ss>)?
Response: Enter the appliance time in Greenwich Mean Time (GMT) (UTC+0). (This step and the next step are skipped if
you entered yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Step: Set date (<yyyy>/<mm>/<dd>)?
Response: Enter the appliance date in Greenwich Mean Time (GMT) (UTC+0).

Step: Enable IPv6?
Response: Enter no. IPv6 is not supported on Intelligent Virtual Execution - Server appliances that are nodes in an MVX
cluster.

Step: Submission: Configure interface?
Response: Press Enter to accept ether1 as the interface through which sensors and brokers communicate.

Step: Submission: Use DHCP on <name> interface?
Response: DHCP is not supported on the submission interface. Enter no to manually configure the IP address and network
settings.

Step: Submission: IP address and masklen?
Response: Enter the IP address for the submission interface in A.B.C.D format and enter the network mask (for example,
10.1.1.1 /24).

Step: Submission: Default IPv4 gateway?
Response: Enter the IP address for the submission interface default gateway in A.B.C.D format.

Step: Cluster: Configure interface?
Response: Press Enter to accept ether1 as the interface through which brokers and compute nodes communicate.

Step: Cluster: Use DHCP on <name> interface?
Response: DHCP is not supported on the cluster interface. Enter no to manually configure the address settings.

Step: Cluster: IP address and masklen?
Response: Enter the IP address for the cluster interface in A.B.C.D format and enter the network mask (for example,
10.1.1.2 /24).

Step: Product license key?
Response: Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation license.
(This step and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and if
licenses were successfully installed as a result.)

Step: Security-content updates key?
Response: Enter the security-content license key you obtained from Trellix, or press Enter to skip this step and install the
license later.

Deploying virtual File Protect appliances on Amazon Web Services (AWS)

An AMI (Amazon Machine Image) is a template that contains the software configuration needed to deploy a virtual File Protect
appliance (known as an instance in AWS). The software configuration includes the operating system, application server, and
applications that are needed to launch the instance. The File Protect instance can scan Amazon S3 buckets.

The following table summarizes the steps to launch a File Protect instance in Amazon Web Services (AWS).

Note

This document provides the basic steps for launching Trellix virtual appliances, and assumes familiarity with launching virtual
machines in AWS. For comprehensive information, see the AWS documentation provided by Amazon.

Task 1: Launch the instance.
Description: Some settings are defined by your system administrator. Other settings are required for the File Protect
instance. For instructions, see Launching a File Protect instance on AWS.

Task 2: (Optional) Apply the activation code and configure the initial admin password for the appliance.
Description: See Configuring the activation code and initial Admin password.

Task 3: (If using a static IP address for the ether1 interface) Configure the IP address.
Description: See Configuring a static IP address for the ether1 interface. Note: This step is required if you use a static IP
address for the interface. If you use DHCP instead, make sure the lease is persistent to maintain the connection with the
managed appliances.

Task 4: Perform the initial configuration of the appliance.
Description: See Performing the initial File Protect configuration using AWS. Caution: In the "Primary IP address and
masklen?" step of the configuration jump-start wizard, enter the same values you configured when you launched the
instance on AWS.

Task 5: (Optional) If you determine your instance is too small or too large for your needs, you can change the instance
type.
Description: See Changing an AWS instance type.

Launching a File Protect instance on AWS

This topic describes how to launch a File Protect instance on AWS.

Important

The navigation instructions and user interface may vary based on the AWS Management Console version that is running
when you deploy your appliances.

Note

This procedure covers the required settings for a Trellix virtual appliance. You can accept the default values for the other
settings, or specify values that are appropriate for your environment.

To launch a File Protect instance on AWS:

1. Go to the AWS login page and log in using your AWS ID.
2. On the Profile page, select your AWS role and then click AWS Console URL.
3. On the next page, click AWS Console login. The AWS Management Console opens.
4. In the navigation bar at the top of the console, select the region for the instance.
5. In the AWS services section, select EC2.
6. Click Launch Instance in the Create Instance section.
7. On the Choose an Amazon Machine Image (AMI) page, locate the AMI for the File Protect model. For example, locate
"FireEyeFXCloudVec2nitro." Then click Select.

8. On the Choose an Instance Type page, select a type that meets your requirements as listed in File Protect requirements.
Then click Next: Configure Instance Details.
9. On the Configure Instance Details page, select the management network and subnet from the Network and Subnet
drop-down lists, and specify other settings provided by your network administrator. Click Next: Add Storage.

Note

Trellix recommends that you configure a static IP address in the Primary IP field in the Network interfaces section at
the bottom of the page.

10. On the Add Storage page, keep the default settings and then click Next: Add Tags.
11. (If required by your AWS administrator) On the Add Tags page, provide key and value combinations. Then click Next:
Configure Security Group.
12. On the Configure Security Group page, select or add the security group that defines firewall rules that control traffic to the
File Protect instance. Then click Review and Launch.

Important

Trellix recommends using a security group applicable to your organization instead of using the default security group,
which is less secure.

13. On the Review Instance Launch page, review the details about your instance. Click the appropriate Edit link if you need to
make changes. When you are satisfied with the details, click Launch.
14. In the Select an existing key pair or create a new key pair dialog box:
a. Select an existing pair or create a new one. To use the key pair you created when you were set up to use Amazon EC2,
click Choose an existing key pair, and then select that key.

Important

Store the name of the key pair and the private key in a secure location.

b. Select the checkbox to confirm that you agree to the acknowledgement statement, and then click Launch Instances.

Configuring the activation code and initial Admin password

This topic describes how to apply the activation code to the virtual appliance instance and configure a password for the initial
admin user.

Important

This procedure is optional. If you skip this procedure, you will be prompted to enter the activation code and change the
password when you log into the initial SSH session to perform the initial configuration of the appliance.

To apply the activation code to the instance:

1. Open the EC2 Management Console.
2. Select Instances > Instances in the left pane.
3. Right-click the instance, and select Instance State > Stop.
4. Right-click the instance, and select Instance Settings > View/Change User Data.

5. Copy and paste the following script in the User Data field. Replace <code> with the activation code for the instance that
was included in the onboarding email from Trellix and replace <password> with the new password for the initial admin
user.

{ "va_bootstrap": {
    "activation_code": "<code>",
    "reset_admin_password": "<password>"
  }
}

Important

The syntax (including the indentation) must match what is shown in this step. Otherwise, you will be unable to establish
a password-authenticated SSH session with the instance.

6. Click Save.
7. Right-click the instance, and select Instance State > Start.

Note

Trellix recommends that you clear the user data field after the virtual appliance is deployed.
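
The user-data document used in this procedure and in the matching Intelligent Virtual Execution - Server procedure carries the initial admin password in clear text, which is why the guide says to clear the field afterwards. The following Python, an added example that is not Trellix code, builds the va_bootstrap document with the two keys the guide shows, checks a pasted document for placeholders or syntax slips before it is saved, and checks a stored (base64) user-data value for a bootstrap block that was never cleared; the function names and sample values are constructed for this example.

```python
"""Build and audit the va_bootstrap user-data document (added example).

Assumes only what the guide shows: a top-level "va_bootstrap" object whose
"activation_code" and "reset_admin_password" values are strings. Function
names and sample values are constructed for this example.
"""
import base64
import json

# Keys the guide's user-data document carries.
REQUIRED_KEYS = ("activation_code", "reset_admin_password")

# Constructed sample: the template with the guide's placeholders still in place.
TEMPLATE_AS_SHOWN = """{ "va_bootstrap": {
    "activation_code": "<code>",
    "reset_admin_password": "<password>"
  }
}"""


def build_user_data(activation_code: str, admin_password: str) -> str:
    """Return the user-data JSON text for one activation code and password."""
    if not activation_code.strip() or not admin_password:
        raise ValueError("activation code and password must be non-empty")
    doc = {"va_bootstrap": {
        "activation_code": activation_code,
        "reset_admin_password": admin_password,
    }}
    return json.dumps(doc, indent=4)


def validate_user_data(text: str) -> list:
    """Return the problems found in a user-data document.

    An empty list means the document has the shape the guide shows: valid
    JSON, a va_bootstrap object, both keys present, no placeholders left.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(doc, dict) or "va_bootstrap" not in doc:
        return ["missing top-level 'va_bootstrap' object"]
    boot = doc["va_bootstrap"]
    if not isinstance(boot, dict):
        return ["'va_bootstrap' must be a JSON object"]
    problems = []
    for key in REQUIRED_KEYS:
        value = boot.get(key)
        if value is None:
            problems.append(f"missing key '{key}'")
        elif not isinstance(value, str) or not value:
            problems.append(f"'{key}' must be a non-empty string")
        elif value.startswith("<") and value.endswith(">"):
            # The guide's <code> / <password> placeholder was never replaced.
            problems.append(f"'{key}' still holds the placeholder {value}")
    for key in boot:
        if key not in REQUIRED_KEYS:
            problems.append(f"unexpected key '{key}'")
    return problems


def encode_for_aws(text: str) -> str:
    """Base64-encode user data the way EC2 stores and returns it."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def residual_bootstrap_in_user_data(encoded: str) -> bool:
    """True if a stored user-data value still contains a va_bootstrap block.

    The input is the base64 value EC2 returns for the userData attribute
    (for example from 'aws ec2 describe-instance-attribute --attribute
    userData'). Anyone who can read the instance's user data can then read
    the initial admin password, so a True result means the field was not
    cleared after deployment as the guide recommends.
    """
    if not encoded:
        return False
    try:
        text = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        text = encoded  # not base64: scan the raw value instead
    return "va_bootstrap" in text or "reset_admin_password" in text


if __name__ == "__main__":
    # Constructed values; the real activation code comes from Trellix.
    doc = build_user_data("ACT-0000-EXAMPLE", "ChangeMe-Now!")
    print("built document problems:", validate_user_data(doc))
    print("template problems:", validate_user_data(TEMPLATE_AS_SHOWN))
    print("bootstrap still stored:",
          residual_bootstrap_in_user_data(encode_for_aws(doc)))
```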

Configuring a static IP address for the ether1 interface

This topic describes how to manually configure a static IP address for the ether1 (management) interface.

Important

If you do not follow this procedure, you will lose SSH access to the management interface. To restore access, you must stop
and then restart the instance from the EC2 Management Console.

Note

Perform this procedure before you start the configuration jump-start wizard. If you already started the wizard, enter CTRL+C
to exit it before you respond to the "Use DHCP on ether1 interface?" step.

To configure a static IP address:

1. Go to CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Configure the IP address and subnet mask:

hostname (config) # interface <interface name> ip address <ip address> /<mask>

Important

Configure the same values you configured when you launched the instance on AWS.

3. Configure the default gateway:

hostname (config) # ip default-gateway <gateway IP>

4. Save your changes:

hostname (config) # write memory

5. Enter the configuration wizard:

hostname (config) # configuration jump-start

6. Perform the initial configuration of the appliance.

Important

Enter no to the "Use DHCP on ether1 interface?" step.

Performing the initial File Protect configuration using AWS

The management interface is the port through which the File Protect instance is managed and administered. It is also the port
through which integration of the Central Management System instance and managed appliances is managed.

Initial settings need to be configured to set up the management interface and to allow access to the network, change the default
admin password, and so on.

To perform the initial configuration of a File Protect instance:

1. Connect to the sensor through an SSH client.
2. At the login prompt, enter admin.
3. Do one of the following:

• Use the ssh -i command to use the private key file to establish the SSH session. For example,
ssh -i /path/<my-key-pair>.pem admin@<instance>. When prompted, change the password using the
username admin password <new password> command. You will be logged out. Log in again using the new password.

• At the password prompt, enter the initial password you configured in Configuring the activation code and initial
Admin password.

4. Accept the license agreement. The configuration jump-start wizard begins.
5. Answer the wizard questions as described in the following table.

Important

If you want to configure a static IP address instead of using DHCP, see Configuring a static IP address for the ether1
interface.

Note

If you enter yes in the "Use DHCP on ether1 interface?" step, the ether1 interface will obtain its IP address from the AWS
eth0 device.

Step: Enter activation code?
Response: Enter the activation code for the appliance. (This step is skipped if you provided the activation code in
Configuring the activation code and initial Admin password.)

Step: Hostname?
Response: Enter the hostname for the appliance.

Step: Admin password?
Response: (Optional) Enter a new administrator password.

Step: Confirm admin password?
Response: Re-enter the new administrator password.

Step: Enable remote access for 'admin' user?
Response: Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Step: Use DHCP on ether1 interface?
Response: Enter no to manually configure your IP address and network settings.

Step: Use zeroconf on ether1 interface?
Response: Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network
mask. (If you specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary interface.

Step: Primary IP address and masklen?
Response: Enter the IP address for the management interface in A.B.C.D format and enter the network mask (for example,
1.1.1.2 /24).

Step: Default gateway?
Response: Enter the gateway IP address for the management interface.

Step: Primary DNS server?
Response: Enter the IP address of the DNS server.

Step: Domain name?
Response: Enter the domain for the management interface (for example, it.acme.com).

Step: Enable fenet service?
Response: Enter yes to enable access to the DTI network. (If you enter no, the next three steps are skipped.)

Step: Enable fenet license update service?
Response: Enter yes to enable the licensing service to automatically download your licenses from the DTI network and
install them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product
license key and the step that prompts for the security-content updates key.)

Step: Sync appliance time with fenet?
Response: Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service,
synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts
to perform this step before it gives up and moves to the next step.

Step: Update licenses from fenet?
Response: Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it
gives up and moves to the next step.

Step: Enable NTP?
Response: Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers.
Enter no to manually set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync appliance
time with fenet?" or "Enable Incident Response or Compromise Assessment" step.) If you enter no, specify the time and
date in subsequent steps.

Step: Set time (<hh>:<mm>:<ss>)?
Response: Enter the appliance time in Greenwich Mean Time (GMT) (UTC+0). (This step and the next step are skipped if
you entered yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Step: Set date (<yyyy>/<mm>/<dd>)?
Response: Enter the appliance date in Greenwich Mean Time (GMT) (UTC+0).

Step: Enable IPv6?
Response: Enter yes to enable the IPv6 protocol, which changes network routing from IPv4 to IPv6.

Step: Enable IPv6 autoconfig (SLAAC) on ether1 interface?
Response: Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you
entered no in the "Enable IPv6" step.)

Step: Enable DHCPv6 on ether1 interface?
Response: Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in
the "Use DHCP on ether1 interface" or "Enable IPv6" step.)

Step: Submission: Configure interface?
Response: Press Enter to accept ether1 as the interface through which sensors and brokers communicate. Otherwise, enter
the name of another interface. (If you accept ether1, the next three steps are skipped.)

Step: Submission: Interface?
Response: Enter the name of the other interface. NOTE: To keep management and data traffic separate, Trellix
recommends that you use another management interface, such as ether2, and not a monitoring interface.

Step: Submission: Use DHCP on <name> interface?
Response: Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the submission interface IP address
and other network parameters. Enter no to manually configure the IP address and network settings. (If you enter yes, the
static IP addressing steps are skipped.)

Step: Submission: IP address and masklen?
Response: Enter the IP address for the submission interface in A.B.C.D format and enter the network mask (for example,
10.1.1.1 /24).

Step: Submission: Default IPv4 gateway?
Response: Enter the gateway IP address for the submission interface.

Step: Product license key?
Response: Press Enter to install a 15-day evaluation license.

Step: Security-content updates key?
Response: Press Enter to skip this step and install the license later.

Changing an AWS instance type

You can change the size of a Network Security or Central Management System instance if you determine that it is over-utilized
because it is too small, or under-utilized because it is too large.

Important

After you change a Network Security instance type, you must reboot the instance twice for the change to take effect.

To change the AWS instance type:

1. Log in to the EC2 console.
2. Stop the instance:
a. Select Instances in the navigation pane.
b. Right-click the instance and select Stop instance.
3. Change the instance type:
a. Right-click the instance.
b. Select Instance settings > Change instance type.
c. Select the new instance type and click Apply.
4. Start the instance:
a. Right-click the instance and select Start instance.
5. Reboot the instance:
a. Right-click the instance and select Reboot instance.
b. Wait for the instance state to be Running.
6. (Network Security instances only) Reboot the instance again:
a. Log in to the Network Security CLI.
b. Reboot the instance:

hostname (config) # reload

Important

This step is mandatory because two reboots are needed for the change to take effect.

3| Azure

Azure
• Azure requirements
• Deploying virtual Network Security appliances in Microsoft Azure
• Deploying virtual Central Management System appliances in Microsoft Azure
• Deploying a virtual Central Management System high availability cluster in Microsoft Azure
• Changing an Azure virtual machine size

Azure requirements
The following resources are required for an Azure deployment:

• Access to the Azure portal.
• The virtual machine image in the Private Products Listing in Marketplace—The Cloud Delivery Enablement Service
enables you to obtain the virtual machine image from Trellix, which is delivered as a private product at My Marketplace
> Private products page. For instructions on how to obtain the virtual machine image, see this community article: Cloud
Image Delivery User Guide.
• The Azure ARM template file if you use the template deployment method.
• Items from your Azure administrator, such as the network and subnet for the appliance, security groups to secure the
instance, and tags to apply to your Azure resources.
• Items from Trellix, such as the activation code and licenses for your instance.
• Network Security only: Admin role to configure monitor interface addressing on the Network Security instance.
• Network Security only: Accelerated networking is enabled for virtual machines with a rated bandwidth of at least 1 Gbps.
To do so, run the following command in a PowerShell session:

az network nic update --name <intf name> --resource-group <group name> --subscription <subscription> --accelerated-networking true

• Central Management System High Availability only: Ports 22, 443, and 3470-3480 must be open for the connection
between the two cluster nodes.

Azure specifications

This section shows the generic models and supported virtual machine (VM) sizes for Network Security and Central Management
System virtual machines deployed on Microsoft Azure.

Note

The VM specifications are displayed when you make your selection in the Azure portal. You can also view Network Security
specifications in the Trellix data sheet here.

Network Security model and sizes

A single generic model called the FireEyeNXCloudVaz must be used in Network Security Azure deployments. The following
general-purpose VM sizes are supported. Their availability may vary by region.

• Standard_D3_v2
• Standard_D4_v2
• Standard_D5_v2
• Standard_D8_v3
• Standard_D16_v3
• Standard_D32_v3
• Standard_D48_v3
• Standard_D64_v3
• Standard_D8s_v3
• Standard_D16s_v3
• Standard_D32s_v3
• Standard_D48s_v3
• Standard_D64s_v3

Central Management model and sizes

A single generic model called the FireEyeCMCloudVaz must be used in Central Management System Azure deployments. The
following general-purpose VM sizes are supported. Their availability may vary by region.

• Standard_D1_v2
• Standard_D2_v2
• Standard_D3_v2
• Standard_D4_v2
• Standard_D5_v2
• Standard_D1s_v2
• Standard_D2s_v2
• Standard_D3s_v2
• Standard_D4s_v2
• Standard_D5s_v2
• Standard_D2_v3
• Standard_D8_v3
• Standard_D16_v3
• Standard_D32_v3
• Standard_D48_v3
• Standard_D64_v3
• Standard_D2s_v3
• Standard_D8s_v3
• Standard_D16s_v3
• Standard_D32s_v3
• Standard_D48s_v3
• Standard_D64s_v3

Deploying virtual Network Security appliances in Microsoft Azure

The following table summarizes the methods you can use to deploy a Network Security appliance (known as a virtual machine) in
Microsoft Azure.

The first and second methods use an Azure Resource Manager (ARM) template to quickly deploy a Network Security virtual
machine. You define the resources for the virtual machine by entering values in an Azure ARM template. The template methods
offer more flexibility and require fewer steps. The third method uses the image available in the Private Products Listing in
Marketplace to deploy the virtual machine.

Method: Private products in Marketplace (ARM template listing)
    Uses the ARM template listing available at Private Products in Marketplace to open a custom user interface to create a
    virtual machine with four network interfaces and associated resources. You can optionally create and attach two
    additional network interfaces if your instance size supports six interfaces. A new or empty resource group must be used
    to comply with Azure Marketplace restrictions at the time of this writing.
    See Deploying a virtual machine using the Azure ARM template in marketplace.

Method: Standalone ARM template
    Uses a standalone ARM template downloaded from the Trellix Customer Support site to open a custom user interface to
    create a virtual machine with the minimum requirement of four network interfaces and associated resources. You can
    optionally create and attach two additional network interfaces if your instance size supports six interfaces. A new or
    existing resource group must be used.
    See Creating the virtual machine using the standalone Azure ARM template.

Method: Private products in Marketplace (image listing)
    Uses the Private Products listing in Marketplace to open the default Azure user interface to create a virtual machine
    with a single network interface. An existing or new resource group can be used. You must create and attach three
    additional network interfaces for proper functioning. You can optionally create and attach two additional network
    interfaces if your instance size supports six interfaces.
    See Deploying a Network Security virtual machine using the private products listing in marketplace.

Note

This document provides the basic steps for launching virtual Trellix appliances, and assumes familiarity with launching virtual
machines in Azure. For comprehensive information, see the Azure documentation provided by Microsoft.

Network interfaces are placed in the following VRF namespaces:

• ether1, ether2—vrf0
• pether3, pether4—vrfA
• pether5, pether6—vrfB
• pether7, pether8—vrfC
• pether9, pether10—vrfD

For details about virtual routing and forwarding (VRF), see the "Layer 3 Forwarding Using VRF Instances" information in the
Network Security System Administration Guide.

Deploying a virtual machine using an Azure ARM template

The following topics describe the two methods you can use to deploy a Network Security virtual machine in Microsoft Azure
using an ARM template.

• Deploying a virtual machine using the Azure ARM template marketplace listing
• Creating the virtual machine using the standalone Azure ARM template

Note

For more information about the templates, see the Microsoft Azure ARM template documentation.

Deploying a virtual machine using the Azure ARM template in marketplace

The following table summarizes the steps to deploy a Network Security virtual machine in Microsoft Azure using the Azure ARM
template available at Private Products in Marketplace.

1. Ensure that requirements are met.
    See Azure requirements.

2. Optional: If your instance size supports six network interfaces, create two additional network interfaces.
    See Creating Network Security network interfaces.

3. Create the virtual machine.
    a. In the Azure portal, navigate to the Marketplace.
    b. In the left pane, under My Marketplace, click Private products.
    c. Type Trellix in the search field and select the Trellix Network Security with ARM Template listing.
    d. Click Create.
    e. Complete the fields in the page that opens.

4. If you created additional network interfaces, stop the virtual machine and attach the interfaces.
    See Attaching network interfaces to the virtual machine.

5. Start the virtual machine and perform the initial configuration.
    See Performing the Network Security initial configuration on Microsoft Azure.

6. Configure the deployment mode.
    See Deploying virtual Network Security appliances in Azure in inline mode, Deploying virtual Network Security appliances
    in Azure in inline mode with load balancing, and Deploying virtual Network Security appliances in Azure in TAP or SPAN
    mode.

Deploying a virtual machine using the standalone Azure ARM template

The following table summarizes the steps to deploy a Network Security virtual machine in Microsoft Azure using the standalone
ARM template.

1. Ensure that requirements are met.
    See Azure requirements.

2. Optional: If your instance size supports six network interfaces, create two additional network interfaces.
    See Creating Network Security network interfaces.

3. Create the virtual machine.
    See Template and instructions.

4. If you created additional network interfaces, stop the virtual machine and attach the interfaces.
    See Attaching network interfaces to the virtual machine.

5. Start the virtual machine and perform the initial configuration.
    See Performing the Network Security initial configuration on Microsoft Azure.

6. Configure the deployment mode.
    See Deploying virtual Network Security appliances in Azure in inline mode, Deploying virtual Network Security appliances
    in Azure in inline mode with load balancing, and Deploying virtual Network Security appliances in Azure in TAP or SPAN
    mode.

Deploying a Network Security virtual machine using the private products listing in marketplace

The following table summarizes the steps to deploy a Network Security virtual machine using the Private Products listing in
Marketplace.

1. Ensure that requirements are met.
    See Azure requirements.

2. Create network interfaces to attach to the virtual machine you will deploy.
    See Creating Network Security network interfaces.

3. Create the virtual machine.
    See Creating the virtual machine using the default Azure marketplace listing.

4. Stop the virtual machine and attach the network interfaces.
    See Attaching network interfaces to the virtual machine.

5. Start the virtual machine and perform the initial configuration of the appliance.
    See Performing the Network Security initial configuration on Microsoft Azure.

6. Configure the deployment mode.
    See Deploying virtual Network Security appliances in Azure in inline mode, Deploying virtual Network Security appliances
    in Azure in inline mode with load balancing, and Deploying virtual Network Security appliances in Azure in TAP mode.

Important

The navigation instructions and user interface may vary based on the Azure portal version that is running when you create
your virtual appliance. These procedures show only one way to navigate to resources in the Azure portal.

Note

These procedures cover the required settings for a virtual Trellix appliance. You can accept the default values for the other
settings, or specify values that are appropriate for your environment.

Creating the Network Security virtual machine using the private products listing in marketplace

This topic describes how to create a Network Security virtual machine using the Private Products listing in Marketplace.

Prerequisite: Ensure the Azure requirements are met.

To create a Network Security virtual machine:

1. In the Azure portal, navigate to the Marketplace.
2. In the left pane, under My Marketplace, click Private products.
3. Type Trellix in the search field and select the Trellix Network Security listing.
4. Click Create.
5. Select the tabs at the top of the Create a virtual machine page that opens, and configure settings as described in the
following sections.

Note

Settings that are not required for a Trellix virtual appliance are not covered in these sections. You can accept the default
values for the other settings, or specify values that are appropriate for your environment.

Basics

The Basics page contains the following sections.

Project details

• Make sure the correct Subscription and Resource group are selected.

Instance details

• Enter a Virtual machine name.
• Make sure the correct Region is selected.
• Make sure the correct Image is selected.
• Select the virtual machine Size based on your requirements. The specifications are displayed when you make your
selection.

Note

For a list of the sizes supported for a Network Security virtual machine, see Network Security model and sizes.

Administrator account

You can use this section to configure an SSH key to authenticate the initial admin user in the appliance CLI.

• The Username will be ignored during the first CLI login attempt, because the first login user is always "admin." You can
create additional admin user accounts later from the appliance Web UI or CLI.

• If you enter a Password, it cannot be used when you initially log in to the virtual appliance from the Azure console or
an SSH session. You must log in to the Azure console using "admin" as the username and "admin" as the password, and
then immediately change the password. You can then log in to the virtual appliance CLI in an SSH session, and run the
configuration jump-start wizard. You can optionally change the password again in the wizard. You can then configure SSH
public keys from the virtual appliance Web UI or CLI.
• If you enter an SSH public key, you will be unable to log into the Azure console, but you can use the key to log in to the
virtual appliance CLI in an SSH session. After you run the configuration jump-start wizard and set a password, you can
use that password to log in to the Azure console.

Important

You cannot change the SSH key from the Azure portal after the virtual machine is created. You must use the virtual appliance
Web UI or CLI to change it.

Inbound port rules

• Select Allow selected ports for Public inbound ports.
• Select HTTPS (443) and SSH (22) for Select inbound ports.

Networking

• Make sure the correct Virtual network and Subnet are selected.
• Accept the default Public IP, unless you plan to deploy the virtual machine in a VPN or behind a NAT device.
• Click Advanced for NIC network security group.
• Select the correct security group for Configure network security group.
• Optional for virtual machines with a rated bandwidth of 500 Mbps or less: Set Accelerated networking to Off. Accelerated
networking is required for virtual machines with a rated bandwidth of at least 1 Gbps and must be enabled using the
Azure CLI as described in Azure requirements.

Tags

• Define name and value pairs for the tags to apply to the virtual machine.

Review + create

• Click Create after the validation passes and you confirm the information on the page.

Creating Network Security network interfaces

The ether1 interface on the Network Security virtual machine is the only interface that Azure creates by default using the default
Azure Marketplace listing. You must create the optional submission interface (ether2) and the monitoring interfaces (pether3,
pether4, and so on), and then attach them to the virtual machine. (If your virtual machine was created using an ARM template,
the ether1, ether2, pether3, and pether4 interfaces are already created for you.) You can optionally create two additional
network interfaces (pether5 and pether6) for instance sizes that support six interfaces.

IP forwarding must be enabled on monitoring interfaces to ensure that all network traffic reaches the Network Security
appliance.

To create a network interface:

1. In the Azure portal, select All services, and then click Network interfaces under Networking.
2. Click Add. The Create network interface page opens.
3. Make sure the correct Subscription is selected.
4. Select the correct Resource group.
5. Enter a meaningful Name for the interface.
6. Make sure the correct Region, Virtual network, and Subnet are selected.

Important

Each interface must be in a separate subnet.

7. Recommended: Click Static and enter a static IP address to assign to the interface. Otherwise, select Dynamic.
8. Select the correct Network security group.
9. Select the Private IP address (IPv6) check box if the subnet uses IPv6 addresses.
10. Click Next: Add tags and specify name and value pairs for the tags to apply to the network interface.
11. Click Review + create.
12. Click Create after the validation passes and you confirm the information on the page.

Attaching network interfaces to the virtual machine

You must attach network interfaces you create in Azure to the Network Security virtual machine.

Important

Attach the interfaces in numeric order. For example, attach ether2, pether3, and then pether4.

To attach an interface:

1. Select All services > Virtual Machines.
2. Select the virtual machine.
3. If the virtual machine is running, click Stop.
4. Select Networking under Settings.
5. Click Attach network interface.
6. Select the first network interface and click OK.
7. Repeat the previous step for each network interface.
8. Select the virtual machine and click Run.

Note

Network interfaces are placed in the following VRF namespaces:

• ether1, ether2—vrf0
• pether3, pether4—vrfA
• pether5, pether6—vrfB
• pether7, pether8—vrfC
• pether9, pether10—vrfD
For details about virtual routing and forwarding (VRF), see the "Layer 3 Forwarding Using VRF Instances" information in the
Network Security System Administration Guide.

Performing the Network Security initial configuration on Microsoft Azure

The management interface is the port through which the virtual appliance is managed and administered. It is also the port
through which a managed appliance integrates with the Central Management System appliance. With the single-port address
type, the management interface is also the port through which a managed appliance requests and downloads software
updates from the DTI network.

The initial configuration sets up the management interface, enables access to the network, and configures related settings.

To perform the initial configuration of a virtual Network Security appliance:

1. Use one of the following methods to log in.

   Password authentication:
   a. Open the console for the virtual appliance in the Azure portal.
   b. At the login prompt, enter admin.
   c. At the password prompt, enter admin.
   d. When prompted to change the password, go to CLI configuration mode and create another password:

      hostname > en
      hostname # configure terminal
      hostname (config) # username admin password <new password>

      The system will log you out.
   e. Log in using the new password.

   SSH public key authentication:
   a. Open an SSH client.
   b. Log in using the SSH public key. For example, ssh -i <SSH key> admin@<IP address>
2. Accept the license agreement. The configuration jump-start wizard starts.
3. Answer the wizard questions as described in the following table.

Enter activation code?
    Enter the activation code for the appliance.

Hostname?
    Enter the hostname for the appliance.

Admin password?
    (Optional) Enter a new administrator password.

Confirm admin password?
    Re-enter the new administrator password.

Enable remote access for 'admin' user?
    Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Use DHCP on ether1 interface?
    Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the appliance IP address and other network
    parameters. If you enter yes, the ether1 interface will obtain its IP address from the default Azure ether1 interface.
    (If you enter yes, the zeroconf and static IP addressing steps are skipped.) Enter no to manually configure your IP
    address and network settings.

Use zeroconf on ether1 interface?
    Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network mask.
    (If you specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary interface.

Primary IP address and masklen?
    Enter the IP address for the management interface in A.B.C.D format and enter the network mask (for example,
    1.1.1.2 /24). IMPORTANT: Enter the IP address that Azure assigned to the ether1 interface.

Default gateway?
    Enter the gateway IP address for the management interface.

Primary DNS server?
    Enter the IP address of the DNS server.

Domain name?
    Enter the domain for the management interface (for example, it.acme.com).

Enable Incident Response or Compromise Assessment?
    Enter no. These features are not supported in Azure deployments.

Enable fenet service?
    Enter yes to enable access to the DTI network.

Enable fenet license update service?
    Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install
    them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product
    license key and the step that prompts for the security-content updates key.)

Sync appliance time with fenet?
    Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service,
    synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts
    to perform this step before it gives up and moves to the next step.

Update licenses from fenet?
    Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it gives
    up and moves to the next step.

Enable NTP?
    Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers. Enter no to
    manually set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync appliance time
    with fenet?" or "Enable Incident Response or Compromise Assessment?" step.) If you enter no, specify the time and date
    in subsequent steps.

Enable FaaS VPN?
    Enter yes to enable the appliance to connect to Managed Defense (formerly called FireEye as a Service) over the
    Internet using a secure SSL VPN connection. (This step is skipped if no MD_ACCESS license is installed. This step is
    performed automatically if you entered yes in the "Enable Incident Response or Compromise Assessment?" step.)

Set time (<hh>:<mm>:<ss>)?
    Enter the appliance time in Greenwich Mean Time (GMT) (UTC+0). (This step and the next step are skipped if you entered
    yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Set date (<yyyy>/<mm>/<dd>)?
    Enter the appliance date in Greenwich Mean Time (GMT) (UTC+0).

Enable IPv6?
    Enter yes to enable the IPv6 protocol, which changes network IP routing from IPv4 to IPv6. (This step and the next two
    steps are skipped if you entered yes in the "Enable Incident Response or Compromise Assessment?" step. This step and the
    next two steps are performed automatically if you entered yes in the "Enable FaaS VPN?" step.)

Enable IPv6 autoconfig (SLAAC) on ether1 interface?
    Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you entered no
    in the "Enable IPv6?" step.)

Enable DHCPv6 on ether1 interface?
    Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the "Use
    DHCP on ether1 interface?" or "Enable IPv6?" step.)

Submission: Interface?
    Press Enter to accept ether1 as the interface through which sensors and brokers communicate. Otherwise, enter the name
    of the other interface. (If you accept ether1, the next three steps are skipped.) NOTE: To keep management and data
    traffic separate, Trellix recommends that you use another management interface, such as ether2, and not a monitoring
    interface.

Use DHCP on <name> interface?
    Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the submission interface IP address and other
    network parameters. Enter no to manually configure the IP address and network settings. (If you enter yes, the static
    IP addressing steps are skipped.)

Submission: IP address and masklen?
    Enter the IP address for the submission interface in A.B.C.D format and enter the network mask (for example,
    10.1.1.1 /24).

Submission: Default IPv4 gateway?
    Enter the gateway IP address for the submission interface.

Product license key?
    Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation license. (This
    step and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and if
    licenses were successfully installed as a result.)

Security-content updates key?
    Enter the security-content license key you obtained from Trellix, or press Enter to skip this step and install the
    license later.

Configuring monitoring ports on the Network Security appliance

After you create and attach the network interfaces on Azure, you must configure the same IP addressing for the corresponding
monitoring ports on the Network Security appliance. For example, you must configure the IP address and subnet mask
configured on the pether3 interface in Azure on the Network Security pether3 port, and configure the IP address and subnet
mask configured on the pether4 interface in Azure on the Network Security pether4 port.

To configure monitoring port addressing:

1. Log in to the Network Security Web UI.
2. Select Settings > Network.
3. Locate the Monitor Port IP Configurations section.
4. In the Monitor Port drop-down list, select the first monitoring interface you created in Azure.
5. In the IPv4 address and Subnet Mask fields, enter the exact values that you configured for the interface in Azure (see
Creating Network Security network interfaces).
6. Click Save.
7. Repeat these steps for each additional monitoring port you created in Azure.

Deploying virtual Network Security appliances in Azure in inline mode

This topic describes how to deploy a virtual Network Security appliance in inline mode.

Note

This procedure assumes that the interface pair is configured in inline mode on the Network Security appliance.

IP forwarding must be enabled on each monitoring interface from the Azure portal. This disables source and destination checks
and ensures that all network traffic reaches the appliance.

To enable IP forwarding:

1. Select Home > Virtual Machines.
2. Select the Network Security virtual machine.
3. Select Networking under Settings and then select an interface.
4. Select IP configurations.
5. Select Enabled under IP forwarding settings.
6. Repeat these steps for each interface.

Configuring IP routing

In a typical Network Security inline deployment, port pair A is the inline port pair. The pether3 monitoring interface is connected
to the subnet that hosts the on-premises enterprise clients (the client subnet) and the pether4 monitoring interface is connected
to a subnet that hosts the Network Security appliance (the server subnet). The following example addresses are used in this
section:

• Client subnet—10.100.1.64/27
• Network Security pether3 interface—10.100.1.69
• Server subnet—10.100.1.96/27
• Network Security pether4 interface—10.100.1.100

Azure routes traffic from one subnet to another based on a route in each subnet's route table. You must add a table and route
for each subnet.

Note

The following procedures describe how to configure IP routing for the subnets connected to the interfaces in port pair A.
Repeat the procedures for each applicable port pair.

Adding a route table and route for the client subnet

This procedure shows how to add a route that sends traffic from the client subnet to the Network Security appliance.

To add the route table and route:

1. Select All services, and then select Route tables under Networking.
2. Click Add.
3. Enter a meaningful Name for the route table.
4. Make sure the correct Subscription, Resource group, and Location are selected.
5. Click Create.
6. Click the new route table.
7. Select Routes under Settings. The Routes page opens.
8. Click Add.
9. On the Add route page:
a. Enter a meaningful Route name.
b. For Address prefix, enter the IP address and network prefix for the destination subnet (the Network Security
appliance subnet).
c. Select Virtual appliance as the Next hop type.
d. Enter the IP address of the Network Security pether3 interface as the Next hop address.
e. Click OK.

Example

The following example shows the route table for the client subnet.

Adding a route table and route for the server subnet

This procedure shows how to add a route that sends traffic from the Network Security appliance to the client subnet.

To add the route table and route:

1. Select All services, and then select Route tables under Networking.
2. Click Add.
3. Enter a meaningful Name for the route table.
4. Make sure the correct Subscription, Resource group, and Location are selected.
5. Click Create.
6. Click the new route table.
7. Select Routes under Settings.
8. Click Add.
9. On the Add route page:
a. Enter a meaningful Route name.
b. For Address prefix, enter the IP address and network prefix for the destination subnet (the client subnet).
c. Select Virtual appliance as the Next hop type.
d. Enter the IP address of the Network Security pether4 interface as the Next hop address.
e. Click OK.

Example

The following example shows the route table for the server subnet.
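
The two route tables above follow one rule per port pair: the client subnet's table points the server prefix at pether3, and the
server subnet's table points the client prefix at pether4, both with next hop type Virtual appliance. The following added
example (not from this guide or from Trellix) encodes that rule as a pre-deployment check using the example addresses from
this section; the route table names, resource group and location are placeholders, and the Azure CLI rendering is an
equivalent of the portal steps, not a replacement for them.

```python
"""Plan the Azure user-defined routes (UDRs) for a Network Security inline port pair."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List


@dataclass(frozen=True)
class Route:
    """One entry in an Azure route table."""
    route_table: str       # route table name (constructed placeholder names below)
    address_prefix: str    # destination subnet in CIDR notation
    next_hop_type: str     # always "VirtualAppliance" for an inline sensor
    next_hop_address: str  # monitoring interface address of the appliance


def _check_usable(address: IPv4Address, subnet: IPv4Network, label: str) -> None:
    """Reject addresses that cannot be assigned to a NIC in this subnet.

    Azure reserves the first four addresses of every subnet (network address,
    default gateway, two for Azure DNS) and the last one (broadcast).
    """
    if address not in subnet:
        raise ValueError(f"{label} {address} is not inside its subnet {subnet}")
    reserved = set(list(subnet)[:4]) | {subnet.broadcast_address}
    if address in reserved:
        raise ValueError(f"{label} {address} is an Azure-reserved address in {subnet}")


def plan_inline_routes(client_subnet: str, pether3_ip: str,
                       server_subnet: str, pether4_ip: str) -> List[Route]:
    """Return the two UDRs for one inline port pair after sanity-checking the design."""
    client = IPv4Network(client_subnet)
    server = IPv4Network(server_subnet)
    p3 = IPv4Address(pether3_ip)
    p4 = IPv4Address(pether4_ip)

    # Each monitoring interface must sit in its own subnet (guide requirement);
    # overlapping subnets would make the next-hop rules ambiguous.
    if client.overlaps(server):
        raise ValueError(f"client subnet {client} and server subnet {server} overlap")
    _check_usable(p3, client, "pether3")
    _check_usable(p4, server, "pether4")

    return [
        # Client subnet: traffic for the server subnet goes to the appliance via pether3.
        Route("rt-client-subnet", str(server), "VirtualAppliance", str(p3)),
        # Server subnet: traffic for the client subnet goes to the appliance via pether4.
        Route("rt-server-subnet", str(client), "VirtualAppliance", str(p4)),
    ]


def to_az_cli(routes: List[Route], resource_group: str, location: str) -> List[str]:
    """Render the plan as Azure CLI commands equivalent to the portal steps in the guide.

    resource_group and location are caller-supplied placeholders.
    """
    commands: List[str] = []
    for route in routes:
        commands.append(
            f"az network route-table create --resource-group {resource_group} "
            f"--location {location} --name {route.route_table}"
        )
        route_name = "to-" + route.address_prefix.replace("/", "-")
        commands.append(
            f"az network route-table route create --resource-group {resource_group} "
            f"--route-table-name {route.route_table} --name {route_name} "
            f"--address-prefix {route.address_prefix} "
            f"--next-hop-type {route.next_hop_type} "
            f"--next-hop-ip-address {route.next_hop_address}"
        )
    return commands


if __name__ == "__main__":
    # Example addresses from this section of the guide.
    plan = plan_inline_routes("10.100.1.64/27", "10.100.1.69",
                              "10.100.1.96/27", "10.100.1.100")
    for line in to_az_cli(plan, "<resource-group>", "<location>"):
        print(line)
```

The route tables still have to be associated with their subnets, as in the procedures above.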

Deploying virtual Network Security appliances in Azure in inline mode with load balancing

This topic describes how to deploy a virtual Network Security appliance in inline mode with an HTTP load balancer that
distributes incoming network traffic between two Web servers. Various load balancing algorithms and methods can be used. For
example, the "round robin" method distributes new requests to the servers sequentially, and the "least connections" method
sends a new request to the server with the fewest existing connections.

In this scenario, a Web client sends requests through the ingress port of the load balancer, where it is routed to one of two
egress ports, based on the selected server.

Note

This procedure assumes that security groups and network ACLs are already configured in Azure.
The network mask of the IP addresses in this scenario is 255.255.255.224 (10.158.9.xxx/27).

This scenario involves the following components:

• Web servers—Two Web servers on separate private subnets.
• Network Security appliances—Two virtual Network Security appliances deployed inline on separate private subnets.
Port pair A is the inline port pair on each appliance. One monitoring interface on each appliance is connected to a subnet
that hosts one of two load balancer ports. The other monitoring interface is connected to a subnet that hosts one of two
Web servers.
• External Web client—An Internet-connected device that attempts to connect to a Web server.
• F5 HTTP load balancer—A load balancer that distributes incoming network traffic from the Web client between the Web
servers, based on the load balancer configuration. The load balancer is available on Azure Marketplace.

Note

This procedure assumes familiarity with load balancers. See the documentation provided by F5 Networks for
configuration information.

Enabling IP forwarding

IP forwarding must be enabled on each monitoring interface from the Azure portal. This disables source and destination checks
and ensures that all network traffic reaches the appliance.

To enable IP forwarding:

1. Select Home > Virtual Machines.
2. Select the Network Security virtual machine.
3. Select Networking under Settings and then select an interface.
4. Select IP configurations.
5. Select Enabled under IP forwarding settings.
6. Repeat these steps for each interface.

Configuring IP routing

The following static routes need to be configured in this example scenario. (Subnet 1, which hosts the management interface of
each device, is not included.)

Load Balancer

    route add -net 10.158.9.128/27 gw 10.158.9.109
    route add -net 10.158.9.64/27 gw 10.158.9.40

vNX-1

    ip route vrf vrfA 10.158.9.192 255.255.255.224 10.158.9.108

Server-1

    route add -net 10.158.9.192/27 gw 10.158.9.141
    route add -net 10.158.9.96/27 gw 10.158.9.141

vNX-2

    ip route vrf vrfA 10.158.9.192 255.255.255.224 10.158.9.39

Server-2

    route add -net 10.158.9.192/27 gw 10.158.9.83
    route add -net 10.158.9.32/27 gw 10.158.9.83

Deploying virtual Network Security appliances in Azure in inline mode with gateway load balancing

This topic describes how to deploy a virtual Network Security appliance in inline mode with a gateway load balancer (GWLB). The
GWLB intercepts the traffic flow between the application endpoint (the Instance Level Public IP (ILPIP) associated with an Azure
VM, or the frontends of a public load balancer) and the Network Virtual Appliance (NVA) deployed in another virtual network.

A standard public load balancer or a virtual machine configured with a public IP can be connected to a GWLB. Once connected,
no other configuration is needed to ensure the flow of traffic between the GWLB and the application endpoint.

In this setup, the virtual Network Security appliance is deployed in a security virtual network while the web server is deployed in
a service virtual network.

Note

The virtual Network Security appliance is supported only in inline mode. TAP mode is not supported.
This section assumes that Azure components such as subnets, routes, and network security groups are already configured.

The main components of the setup are:

• Web Server: A web server on a private subnet in the virtual network.
• Network Security VM: A Network Security VM deployed in an appropriate subnet. The management and monitoring interfaces
are connected to different subnets.
• GWLB: A gateway load balancer enables you to deploy, scale, and manage virtual appliances, such as firewalls and intrusion
prevention systems. It combines a transparent network gateway (that is, a single entry and exit point for all traffic) with
distribution of traffic to the virtual appliances.
• Standard load balancer: Azure's native load balancer, which distributes traffic across different virtual machines.

The flow of traffic takes place as follows:

1. The virtual Network Security appliance is deployed in inline mode, positioned between an external Web Client and an
internal Web Server. This arrangement ensures that all traffic between the Web Client and the Web Server passes through the
virtual Network Security appliance, providing comprehensive protection for the Web Server.
2. The incoming traffic is routed through a standard load balancer, GWLB, and the virtual Network Security appliance.
3. The GWLB directs incoming traffic to the virtual Network Security appliance for initial processing before it proceeds to the
Web Server.
4. Similarly, outgoing traffic from the Web Server is channeled through the virtual Network Security appliance in the reverse
direction, ultimately reaching the Web Client.
5. Throughout this process, the virtual Network Security appliance inspects traffic in both directions, determining whether to
forward or block it. It also generates alerts as necessary.
6. The diagram illustrates the traffic flow with incremental numbers indicating the sequence of the path.

Complete the following steps to deploy the virtual Network Security appliance:

1. Enable the health monitoring at the interface.

hostname (config) # policymgr interface A health-check http port 80

2. Configure the default route.

hostname (config) # ip route vrf vrfA 0.0.0.0 /0 <subnet GW IP>

3. Configure the VXLAN parameters. You can configure the VXLAN parameters for the internal and external ports and
identifiers for the gateway load balancer using the Web UI or CLI. These parameters must match the ones configured on
the Azure GWLB.

• Requirements for VXLAN parameters
• Configure VXLAN parameters using the Web UI
• Configure VXLAN parameters using the CLI

Requirements for VXLAN parameters:

• All four parameters should be configured.
• The internal port should have a value between 1 - 65535.
• The internal identifier should have a value between 800-1000.
• The external port should have a value between 1 - 65535.
• The external identifier should have a value between 800-1000.
• The internal and external ports cannot have the same value.
• The internal and external identifiers cannot have the same value.
• Default VXLAN port 4789 cannot be used as the internal or external port.
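These requirements can be checked before the values are entered in the Web UI or CLI. The following is an added example, not Trellix code: it encodes the rules above, renders the fe-fastpath vxlan CLI line for a valid set, parses the show fe-fastpath vxlan config output shown later in this section, and compares a set against the GWLB tunnel settings; the GWLB tunnel representation used in matches_gwlb() is an assumed, constructed shape, not the Azure API.

```python
"""Checks for the VXLAN parameter sets a virtual Network Security appliance
needs for an Azure gateway load balancer (GWLB) deployment.

Added example, not Trellix code. The rules are the ones listed under
"Requirements for VXLAN parameters"; the GWLB tunnel-interface shape used in
matches_gwlb() is a constructed stand-in, not the Azure API.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

VXLAN_DEFAULT_PORT = 4789      # reserved: cannot be the internal or external port
PORT_RANGE = range(1, 65536)   # 1 - 65535
VNI_RANGE = range(800, 1001)   # 800 - 1000
MAX_SETS = 10                  # the Web UI accepts up to 10 sets


@dataclass(frozen=True)
class VxlanParams:
    """One set of VXLAN parameters; None means 'not configured'."""
    internal_port: Optional[int]
    internal_vni: Optional[int]
    external_port: Optional[int]
    external_vni: Optional[int]


def validate_params(p: VxlanParams) -> List[str]:
    """Return the rule violations for one set (an empty list means valid)."""
    fields = {
        "internal port": p.internal_port,
        "internal identifier": p.internal_vni,
        "external port": p.external_port,
        "external identifier": p.external_vni,
    }
    missing = [name for name, value in fields.items() if value is None]
    if missing:
        # All four parameters must be configured; range checks on None
        # values would only add noise, so report the gaps and stop.
        return [f"{name} is not configured" for name in missing]

    errors: List[str] = []
    for name in ("internal port", "external port"):
        if fields[name] not in PORT_RANGE:
            errors.append(f"{name} {fields[name]} is outside 1-65535")
        elif fields[name] == VXLAN_DEFAULT_PORT:
            errors.append(f"{name} cannot be the default VXLAN port 4789")
    for name in ("internal identifier", "external identifier"):
        if fields[name] not in VNI_RANGE:
            errors.append(f"{name} {fields[name]} is outside 800-1000")
    if p.internal_port == p.external_port:
        errors.append("internal and external ports must differ")
    if p.internal_vni == p.external_vni:
        errors.append("internal and external identifiers must differ")
    return errors


def validate_sets(sets: List[VxlanParams]) -> List[str]:
    """Validate a whole table of parameter sets, as the Web UI stores them."""
    errors: List[str] = []
    if len(sets) > MAX_SETS:
        errors.append(f"{len(sets)} sets configured, the maximum is {MAX_SETS}")
    for index, p in enumerate(sets, start=1):
        errors.extend(f"set {index}: {e}" for e in validate_params(p))
    return errors


def cli_command(p: VxlanParams) -> str:
    """Render the CLI line from step 3 of the CLI procedure for a valid set."""
    problems = validate_params(p)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"fe-fastpath vxlan in-port {p.internal_port} in-vni {p.internal_vni} "
            f"ex-port {p.external_port} ex-vni {p.external_vni}")


def parse_show_output(text: str) -> VxlanParams:
    """Parse the 'show fe-fastpath vxlan config' output shown in the guide."""
    values = text.strip().splitlines()[-1].split()   # last line holds the numbers
    if len(values) != 4 or not all(v.isdigit() for v in values):
        raise ValueError("unexpected show output")
    return VxlanParams(*(int(v) for v in values))


def matches_gwlb(p: VxlanParams, tunnels: List[Dict[str, object]]) -> bool:
    """True if the appliance set equals the GWLB's tunnel interface settings.

    `tunnels` is a constructed list with one "Internal" and one "External"
    entry, each carrying the port and identifier set for the GWLB (assumed
    shape, not the Azure API).
    """
    by_type = {t["type"]: t for t in tunnels}
    try:
        return (by_type["Internal"]["port"] == p.internal_port
                and by_type["Internal"]["identifier"] == p.internal_vni
                and by_type["External"]["port"] == p.external_port
                and by_type["External"]["identifier"] == p.external_vni)
    except KeyError:
        return False
```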
To configure the VXLAN parameters for gateway load balancer using the Web UI:

1. In the Web UI, choose Settings > Inline Operational Modes.
2. In the Azure Configuration section, select Add to add a new set of parameters. You can add up to 10 sets of configurations.
3. The new set of parameters is added to the table.
4. Click the radio button of a set of VXLAN parameters to select it.
5. Use the Delete button to delete a set of parameters.

To configure the VXLAN parameters for gateway load balancer using the CLI:

1. Log in to the appliance CLI.

2. Go to CLI configuration mode.

hostname > enable
hostname # configure terminal

3. Configure the parameters.

hostname (config) # fe-fastpath vxlan in-port * in-vni * ex-port * ex-vni *

4. Save your changes.

hostname (config) # write memory

5. Display the configuration.

hostname (config) # show fe-fastpath vxlan config

Vxlan Configuration:
Internal port Internal identifier External port External identifier
10800 800 10801 801

Deploying virtual Network Security appliances in Azure in TAP or SPAN mode

Keysight CloudLens

Deploy Keysight CloudLens and Network Security virtual machines in TAP or SPAN mode as shown in the figure below. In this
integration, traffic flows from the CloudLens sensors to the Network Security virtual machine.


Note

This topic provides high-level integration steps. For details, see the Microsoft Azure and CloudLens documentation. For
assistance with the CloudLens configuration, contact [email protected].

Prerequisites

• Make sure that the Network Security monitor port (destination) is set up in the TAP mode and has been allocated an IP
address.
• Verify that the destination port and the source port (the VM where the CloudLens agent is installed) are reachable and have
the required routes configured.
• CloudLens 6.0 or later.
• In Azure Networking, make sure the following rules are added to allow the VXLAN tunnel traffic to flow: On the source, an
outbound allow rule for UDP 4789, and on the Trellix destination monitor port, an inbound allow rule for UDP 4789.
• CloudLens Manager Portal and CloudLens agent are installed using the commands and instructions provided in the
CloudLens documentation.

Task list

Traffic mirroring in Azure requires the following basic tasks:

1. Make sure the prerequisites listed in the previous section are met.
2. Go to the CloudLens portal.
3. Create a project.
4. Create a source group and a tool group for the project, based on the filters that meet your requirements. When creating the
tool group, give the aggregation interface the same name as the Trellix monitor port NIC, for example: pether3.


5. Create a static destination specifying the IP address of the Trellix destination monitor port.
6. Define a secure visibility path between the source and tool groups. A VXLAN tunnel is automatically established after the
path is defined.

Gigamon GigaVUE

Use the Gigamon Azure-GigaVUE V Series VMs and Network Security virtual machines in TAP mode. All traffic is mirrored from
the G-vTAP Agent to the Trellix Network Security virtual machine.

Note

This brief overview provides a summary of the integration steps. For comprehensive instructions, refer to the Cloud Suite for
Azure-GigaVUE V Series Guide. For additional assistance, reach out to Gigamon support.

Prerequisites

• Make sure that the Network Security monitor port (destination) is set up in the TAP mode and has been allocated an IP
address.
• Verify that the destination port and the source port (the VM where the G-vTAP agent is installed) are reachable and have the
required routes configured.
• Ensure that you have configured GigaVUE and deployed the following components:
  GigaVUE-FM
  G-vTAP controller
  GigaVUE V Series node

Important

For configuration instructions, see the latest GigaVUE documentation.

Task list

1. Log in to GigaVUE-FM.
2. Define the source and destination ports. Set the source port MTU to 1450 or lower.
3. Establish the VXLAN mirror tunnel and the monitoring session.

Deploying virtual Central Management appliances in Microsoft Azure

The following table summarizes the steps to launch a Central Management System virtual machine in Microsoft Azure using the
Private Products Listing in Marketplace.

Note

This document provides the basic steps for launching Trellix virtual appliances, and assumes familiarity with launching virtual
machines in Azure. For comprehensive information, see the Azure documentation provided by Microsoft.

Task                                                                 Description

1. Ensure that the required resources are created for                Azure requirements
   your subscription.

2. Create the virtual machine.                                       Creating a Central Management System virtual
                                                                     machine

3. Start the virtual machine and perform the initial                 Performing the Central Management System initial
   configuration of the appliance.                                   configuration on Microsoft Azure

Important

The navigation instructions and user interface may vary based on the Azure portal version that is running when you launch
your instances. These procedures show only one way to navigate to resources in the Azure portal.


Note

This procedure covers the required settings for a virtual Trellix appliance. You can accept the default values for the other
settings, or specify values that are appropriate for your environment.

Creating a Central Management virtual machine using the private products listing in marketplace

This topic describes how to create a Central Management System virtual machine using the Private Products listing in
Marketplace.

Prerequisite: Ensure the Azure Requirements are met.

To create a Central Management System virtual machine:

1. In the Azure portal, navigate to the Marketplace.
2. In the left pane, under My Marketplace, click Private products.
3. Type Trellix in the search field and select the Trellix Central Management System listing.
4. Click Create.
5. Select the tabs at the top of the Create a virtual machine page that opens, and configure settings as described in the
following sections.

Note

Settings that are not required for a Trellix virtual appliance are not covered in these sections. You can accept the default
values for the other settings, or specify values that are appropriate for your environment.

Basics

The Basics page contains the following sections.

Project details

• Make sure the correct Subscription and Resource group are selected.

Instance details

• Enter a Virtual machine name.
• Make sure the correct Region is selected.
• Make sure the correct Image is selected.
• Select the virtual machine Size based on your requirements. The specifications are displayed when you make your
selection.


Note

For a list of the sizes supported for a virtual machine, see Central Management System Model and Sizes.

Administrator account

You can use this section to configure an SSH key to authenticate the initial admin user in the appliance CLI.

• The Username will be ignored during the first CLI login attempt, because the first login user is always "admin." You can
create additional admin user accounts later from the appliance Web UI or CLI.
• If you enter a Password, it cannot be used when you initially log in to the virtual appliance from the Azure console or
an SSH session. You must log in to the Azure console using "admin" as the username and "admin" as the password, and
then immediately change the password. You can then log in to the virtual appliance CLI in an SSH session, and run the
configuration jump-start wizard. You can optionally change the password again in the wizard. You can then configure SSH
public keys from the virtual appliance Web UI or CLI.
• If you enter an SSH public key, you will be unable to log into the Azure console, but you can use the key to log in to the
virtual appliance CLI in an SSH session. After you run the configuration jump-start wizard and set a password, you can
use that password to log in to the Azure console.

Important

You cannot change the SSH key from the Azure portal after the virtual machine is created. You must use the virtual appliance
Web UI or CLI to change it.

Inbound port rules

• Select Allow selected ports for Public inbound ports.
• Select HTTPS (443) and SSH (22) for Select inbound ports.

Networking

• Make sure the correct Virtual network and Subnet are selected.
• Accept the default Public IP, unless you plan to deploy the virtual machine in a VPN or behind a NAT device.
• Click Advanced for NIC network security group.
• Select the correct security group for Configure network security group.
• Make sure Accelerated networking is Off.

Tags

• Define name and value pairs for the tags to apply to the virtual machine.


Review + create

• Click Create after the validation passes and you confirm the information on the page.

Performing the Central Management initial configuration on Microsoft Azure

The management interface is the port through which the Central Management System instance is managed and administered. It
is also the port through which integration of the Central Management System instance and managed appliances is managed.

Important

If you use DHCP, make sure the lease is persistent to maintain the connection with the managed appliances.

Initial settings need to be configured to set up the management interface and to allow access to the network, change the default
admin password, and so on.

To perform the initial configuration of a Central Management System instance:

1. Use one of the following methods to log in.

Password authentication:
a. Open the console for the virtual appliance in the Azure portal.
b. At the login prompt, enter admin.
c. At the password prompt, enter admin.
d. When prompted to change the password, go to CLI configuration mode and create another password:

hostname > en
hostname # configure terminal
hostname (config) # username admin password <new password>

The system will log you out.
e. Log in using the new password.

SSH public key authentication:
a. Open an SSH client.
b. Log in using the SSH public key. For example, ssh -i <SSH key> admin@<IP address>

2. Accept the license agreement. The configuration jump-start wizard starts.
3. Answer the wizard questions as described in the following table.

Step                                              Response

Enter activation code?
    Enter the activation code for the appliance.

Hostname?
    Enter the hostname for the appliance.

Admin password?
    (Optional) Enter a new administrator password.

Confirm admin password?
    Re-enter the new administrator password.

Enable remote access for 'admin' user?
    Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Use DHCP on ether1 interface?
    Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the appliance IP address and other
    network parameters. If you enter yes, the ether1 interface will obtain its IP address from the default Azure
    ether1 interface. (If you enter yes, the zeroconf and static IP addressing steps are skipped.)
    Enter no to manually configure your IP address and network settings.

Use zeroconf on ether1 interface?
    Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and
    network mask. (If you specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary
    interface.

Primary IP address and masklen?
    Enter the IP address for the management interface in A.B.C.D format and enter the network mask (for
    example, 1.1.1.2 /24).
    Important: Enter the IP address that Azure assigned to the ether1 interface.

Default gateway?
    Enter the gateway IP address for the management interface.

Primary DNS server?
    Enter the IP address of the DNS server.

Domain name?
    Enter the domain for the management interface (for example, it.acme.com).

Enable fenet service?
    Enter yes to enable access to the DTI network. (If you enter no, the next three steps are skipped.)

Enable fenet license update service?
    Enter yes to enable the licensing service to automatically download your licenses from the DTI network and
    install them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts
    for the product license key and the step that prompts for the security-content updates key.)

Sync appliance time with fenet?
    Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service,
    synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes
    three attempts to perform this step before it gives up and moves to the next step.

Update licenses from fenet?
    Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before
    it gives up and moves to the next step.

Enable NTP?
    Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers.
    Enter no to manually set the time and date on the appliance. (This step is skipped if you entered yes in the
    "Sync appliance time with fenet?" step.) If you enter no, specify the time and date in subsequent steps.

Enable FaaS VPN?
    Enter yes to enable the appliance to connect to Managed Defense (formerly called Trellix as a Service) over
    the Internet using a secure SSL VPN connection. (This step is skipped if no MD_ACCESS license is installed.)

Set time (<hh>:<mm>:<ss>)?
    Enter the appliance time in Greenwich Mean Time (GMT) (UTC+0). (This step and the next step are skipped if
    you entered yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Set date (<yyyy>/<mm>/<dd>)?
    Enter the appliance date in Greenwich Mean Time (GMT) (UTC+0).

Enable IPv6?
    Enter yes to enable the IPv6 protocol, which changes network IP routing from IPv4 to IPv6. (This step and
    the next two steps are performed automatically if you entered yes in the "Enable FaaS VPN?" step.)

Enable IPv6 autoconfig (SLAAC) on ether1 interface?
    Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you
    entered no in the "Enable IPv6?" step.)

Enable DHCPv6 on ether1 interface?
    Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no
    in the "Use DHCP on ether1 interface?" or "Enable IPv6?" step.)

Configure CMS HA?
    Enter no.
    Note: If you are configuring Central Management System HA in an Azure deployment, use the procedures and
    configuration jump-start information described in Deploying a Virtual Central Management System High
    Availability Cluster in Microsoft Azure.

Product license key?
    Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation
    license. (This step and the next step are skipped if you entered yes in the "Enable fenet license update
    service?" step and if licenses were successfully installed as a result.)

Security-content updates key?
    Enter the security-content license key you obtained from Trellix, or press Enter to skip this step and
    install the license later.

Deploying a virtual Central Management High Availability cluster in Microsoft Azure

This section describes how to deploy two Central Management System virtual appliances (nodes) in Azure in a high availability
(HA) cluster. It covers the following deployment options:

• The two HA nodes are in the same Azure region.
• The two HA nodes are in different Azure regions. Azure virtual network peering must be used for the nodes to
communicate with each other.

Note

For comprehensive information about Central Management System HA features and operation, see the Central Management
System High Availability Guide.

The procedures in this section assume that the IP addresses for the nodes are obtained from a DHCP server. Because a Central
Management System HA cluster requires a static IP address for the default HA interface, you must assign a "dummy" static IP
address for it. You must assign the "dummy" IP address before you do the initial configuration of the appliances; otherwise a
DHCP release will be issued immediately. If you are using the second deployment option, you must configure virtual network
peering before you assign the "dummy" IP address.

Task lists

The following table summarizes the tasks to perform for each deployment option.


Important

You must perform the tasks in the listed order.

Single Azure Region

1. Ensure that requirements are met. See Azure requirements.
2. Create the virtual machines. See Creating a Central Management System virtual machine.
3. Log in for the first time, change the "admin" password (if using password authentication), and accept the license agreement.
See Logging in for the first time.
4. Assign a "dummy" static IP address to the ether1 interface. See Assigning a "dummy" static IP address.
5. Perform the initial configuration. See Performing the Central Management System HA initial configuration on Microsoft
Azure.
6. Repeat steps 2 to 5 on the other node.
7. See the Central Management System High Availability Guide for information about monitoring, administering, and
troubleshooting the HA cluster.

Different Azure Regions

1. Ensure that requirements are met. See Azure requirements.
2. Create the virtual machines. See Creating a Central Management System virtual machine.
3. Log in to the node for the first time, change the "admin" password (if using password authentication), and accept the
license agreement. See Logging in for the first time.
4. Configure Azure virtual network peering to allow the nodes to communicate with each other. See Configuring virtual network
peering.
5. Assign a "dummy" static IP address to the ether1 interface. See Assigning a "dummy" static IP address.
6. Perform the initial configuration. See Performing the Central Management System HA initial configuration on Microsoft
Azure.
7. Repeat steps 2 to 6 on the other node.
8. See the Central Management System High Availability Guide for information about monitoring, administering, and
troubleshooting the HA cluster.

Important

The navigation instructions and user interface may vary based on the Azure portal version that is running when you launch
your instances. These procedures show only one way to navigate to resources in the Azure portal.


Note

This procedure covers the required settings for a virtual Trellix appliance deployed in a Central Management System HA
cluster. You can accept the default values for the other settings, or specify values that are appropriate for your environment.
This document provides the basic steps for launching Trellix virtual appliances, and assumes familiarity with launching virtual
machines in Azure. For comprehensive information, see the Azure documentation provided by Microsoft.

Creating the virtual machines

To create the Central Management System virtual machines:

• Create two virtual machines. See Creating a Central Management System virtual machine.

Logging in to the CLI for the first time

This procedure describes how to log in to the Central Management System CLI the first time. The configuration jump-start wizard
starts automatically after you change the "admin" password (if using password authentication) and accept the license agreement.
You must exit the wizard and perform additional tasks before you complete the initial configuration.

To log into a node the first time:

1. In the Azure portal, locate the private IP address Azure assigned to the virtual machine. This is displayed in the
Properties > Networking section for the virtual machine.
2. Use one of the following methods to log in to the Central Management System CLI.

Password authentication:
a. Open the console for the virtual appliance in the Azure portal.
b. At the login prompt, enter admin.
c. At the password prompt, enter admin.
d. When prompted to change the password, go to CLI configuration mode and create another password:

hostname > en
hostname # configure terminal
hostname (config) # username admin password <new password>

The system will log you out.
e. Log in using the new password.

SSH public key authentication:
a. Open an SSH client.
b. Log in using the SSH public key. For example, ssh -i <SSH key> admin@<IP address>

3. Accept the license agreement. The configuration jump-start wizard starts.
4. Exit the jump-start wizard by doing one of the following:

• Answer no when you are asked if you want to configure the appliance using the jump-start wizard.
• Enter CTRL+C and then Enter.

5. Repeat the previous steps on the other node.
6. Go to one of the following topics:

• If your virtual machines are in the same Azure region: Assigning a "dummy" static IP address
• If your virtual machines are in different Azure regions: Configuring virtual network peering

Assigning a "dummy" static IP address

This topic describes how to assign a "dummy" static IP address to the ether1 interface for the HA cluster.

Caution

If your virtual machines are in different Azure regions, perform this procedure after you configure virtual network peering as
described in Configuring virtual network peering.

To assign a "dummy" static IP address:

1. In the Azure portal, locate the private IP address Azure assigned to the virtual machine. This is displayed in the Properties >
Networking section for the virtual machine.
2. In the Central Management System CLI, display the ether1 IP address and netmask:

hostname (config) # show interface ether1

3. Assign the static "dummy" IP address:

hostname (config) # interface ether1 ip address <IP address> <netmask>

where IP address and netmask are the values returned by the previous step.
4. Repeat these steps on the other node.
5. Go to Performing the Central Management System HA initial configuration on Microsoft Azure.

Configuring virtual network peering

When the two HA nodes are in different Azure regions, Azure virtual network peering must be used for the nodes to
communicate with each other.

For illustration, the following peering configuration values will be used for the two Central Management System virtual machines.

Field                          CM-1             CM-2

Virtual network/subnet         Net-1/Sub-1      Net-2/Sub-2
This peering link              Peer-1           Peer-2
Peering link name (remote)     Peer-2           Peer-1
Subscription (remote)          Subscript-2      Subscript-1
Virtual network (remote)       Net-2/Sub-2      Net-1/Sub-1

To configure virtual network peering:

1. In the Azure portal Dashboard, select Virtual Machines.
2. Select the CM-1 virtual machine.
3. Under Essentials, locate the Virtual network/subnet and Subscription fields and record their values for later use.
4. Select the CM-2 virtual machine and repeat the previous step.
5. In the Azure portal Dashboard, select Virtual Networks.
6. Select Net-1/Sub-1 and then click the Peerings tab.
7. Click Add and complete the fields in the Add peering page as shown in the table above. Specify other settings according to
your network requirements and click Add.
8. Select Net-2/Sub-2 and repeat the previous two steps.
9. Go to Assigning a "dummy" static IP address.

Performing the Central Management HA initial configuration on Microsoft Azure

The management interface is the port through which the Central Management System instance is managed and administered. It
is also the port through which integration of the Central Management System instance and managed appliances is managed, and
is the port through which the connection between the two Central Management System HA nodes is managed.

Important

Make sure the DHCP lease is persistent to maintain the connection between the nodes and the managed appliances.

Initial settings need to be configured to set up the management interface and to allow access to the network, change the default
admin password, enable HA mode, and so on.


Important

This procedure must be performed on both Central Management System virtual appliances (nodes). After you complete the
jump-start wizard on the primary node, the CM HA engine configuration and CM HA engine start. As the wizard instructs, you
must run the show ha status command and wait for the engine to start before performing the initial configuration on the
secondary node.

To perform the initial configuration:

1. Restart the configuration jump-start wizard:

hostname (config) # configuration jump-start

2. Answer the steps as described in the following table.

Step                                              Response

Enter activation code?
    Enter the activation code for the appliance.

Hostname?
    Enter the hostname for the appliance.

Admin password?
    (Optional) Enter a new administrator password.

Confirm admin password?
    Re-enter the new administrator password.

Enable remote access for 'admin' user?
    Enter yes to enable the administrator to log in to the appliance remotely.

Use DHCP on ether1 interface?
    Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the appliance IP address and other
    network parameters.

Enable fenet service?
    Enter yes to enable access to the DTI network. (If you enter no, the next three steps are skipped.)

Enable fenet license update service?
    Enter yes to enable the licensing service to automatically download your licenses from the DTI network and
    install them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts
    for the product license key and the step that prompts for the security-content updates key.)

Sync appliance time with fenet?
    Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service,
    synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes
    three attempts to perform this step before it gives up and moves to the next step.

Update licenses from fenet?
    Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before
    it gives up and moves to the next step.

Enable NTP?
    Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers.
    Enter no to manually set the time and date on the appliance. (This step is skipped if you entered yes in the
    "Sync appliance time with fenet?" step.) If you enter no, specify the time and date in subsequent steps.

Enable FaaS VPN?
    Enter no.

Set time (<hh>:<mm>:<ss>)?
    Enter the appliance time in Greenwich Mean Time (GMT) (UTC+0). (This step and the next step are skipped if
    you entered yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Set date (<yyyy>/<mm>/<dd>)?
    Enter the appliance date in Greenwich Mean Time (GMT) (UTC+0).

Enable IPv6?
    Enter no.

Configure CM HA?
    Enter yes.

Product license key?
    Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation
    license. (This step and the next step are skipped if you entered yes in the "Enable fenet license update
    service?" step and if licenses were successfully installed as a result.)

CM HA uses ether1 as CM HA default interface. Do you want to change CM HA interfaces?
    Enter no.

Configure this node as primary Central Management HA node?
    Enter yes for the primary node. Enter no for the secondary node.

Secondary node only: CM HA primary node IP address?
    Enter the "dummy" static IP address you assigned in Assigning a "dummy" static IP address.

Secondary node only: CM HA primary node admin account password?
    Enter the password for the primary node's remote admin user.

Secondary node only: Confirm CM HA primary node admin account password?
    Re-enter the password for the primary node's remote admin user.

3. Check the status until the HA engine starts:

hostname (config) # show ha status

4. Repeat this procedure on the secondary node.
5. See the Central Management System High Availability Guide for information about cluster monitoring, administration, and
troubleshooting.

Changing an Azure virtual machine size

You can change the size of a Network Security or Central Management System virtual machine if you determine that it is
over-utilized because it is too small, or under-utilized because it is too large.

Important

After you change the size of a Network Security virtual machine, you must restart the virtual machine twice for the change to
take effect.

To change the Azure virtual machine size:


1. Log in to the Azure console.
2. Stop the virtual machine:
a. Select the virtual machine.
b. Click Stop.
3. Change the virtual machine size:
a. Click Size under Settings.
b. Select the new size and click Resize.
4. Start the virtual machine:
a. Click Start.
b. Wait for the virtual machine status to be Running.
5. (Network Security virtual machines only) Reload the virtual machine:
a. Log in to the Network Security CLI.
b. Reload the virtual machine:

hostname (config) # reload

Important

This step is mandatory because the virtual machine must be started and then reloaded for the change to take effect.


4| ESXi

ESXi

• VMware and ESXi requirements
• Deploying virtual Network Security, File Protect, and Central Management System appliances
• Deploying virtual Email Security — Server appliances
• Deploying virtual IVX appliances

VMware and ESXi requirements

The following VMware resources are required:

• VMware ESXi host versions 7.0 and 8.0 are supported. Versions 6.7 and below are no longer supported.
• VMware vSphere Client.
• VMware vCenter Server (recommended). When you use vSphere Client or vSphere Web Client to add your virtual
appliances to vCenter Server, the Deploy OVF Template wizard provides an easy way to enter your activation code.
Otherwise, you must type it in the virtual appliance console, because you cannot paste into this console.
• VMXNET 3 network drivers.
• Link aggregation enabled on the ESXi host.
• Virtual Network Security appliances:
  - A standard virtual switch created for the monitoring ports of the virtual appliances, and attached to a physical
    network adapter on the ESXi server.

    Important

    If the appliance will be deployed in inline operational mode, a separate switch must be created for each
    monitoring port pair, and the switch cannot be on the management network.

  - Sufficient physical network adapters on the ESXi server to accommodate the Network Security monitoring ports.
  - If the default layer 2 forwarding is enabled on the virtual appliance: promiscuous security enabled on the virtual
    switches created for the monitoring ports (for both inline and out-of-band deployments). If layer 3 forwarding is
    enabled, promiscuous security is not required and can be left disabled. For details, see the "Layer 3 Forwarding
    Using VRF instances" information in the Network Security System Administration Guide.
  - Inline operational mode enabled after the virtual network is created.
  - The following BIOS flags enabled. If there are pending processes on your virtual appliance, contact your ESXi
    administrator to enable BIOS flags as needed. The flags pertain to all virtual Network Security models, with the
    exception of the NX 1500V model.

    SSE, SSE2, SSE3, SSE4_1, SSE4_2, SSSE3, AES, AVX, PCLMULQDQ

• For NX 10500 V:
On the physical host:

An Intel or AMD processor on the ESXi host.


I/O memory management unit (IOMMU) support and IOMMU enabled in the BIOS of the ESXi host.
Single root I/O virtualization (SR-IOV) support and enabled in BIOS of the ESXi host.
BIOS settings: "VT-d" & "SR-IOV Support" enabled in BIOS.
ESXi settings:

SR-IOV enabled at the global level and for each physical interface in ESXi host NIC settings:
To edit physical adapter settings to enable SR-IOV, navigate to Configure > Physical adapters ,
click the adapter whose settings you wish to edit and click Edit .
In the SR-IOV section, set the Status to Enabled and set the value of Number of virtual functions
to some value that is larger than 0.
Reboot the ESXi host and check the SR-IOV status of the NICs.
Deploy the NX virtual image and before starting the image check Reserve all the guest memory,
Data ports added to NX 10500V:
Add each network adapter to the vNX.
Select SRIOV passthrough for "Adapter Type".
Select the required physical function.
Assign the mac address in increasing order and allow Guest MTU Change.

• Virtual Email Security — Server appliances:
  - A standard virtual switch created for the Email Security — Server URL Dynamic Analysis port, and attached to a
    physical network adapter on the ESXi server.
  - A standard virtual switch created for the Email Security — Server SMTP port (if deployed in SPAN/TAP mode), and
    attached to a physical network adapter on the ESXi server.
  - Sufficient physical network adapters on the ESXi server to accommodate the Email Security — Server SMTP and
    URL Dynamic Analysis ports.
  - SPAN/TAP mode only: Promiscuous mode set to Accept in the security policy of the virtual switch created for the
    Email Security — Server SMTP port.
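The BIOS flag requirement above (SSE through PCLMULQDQ for every virtual Network Security model except NX 1500V), as an added example that is not part of this guide and not Trellix tooling: a shell check that compares a Linux /proc/cpuinfo "flags" line against the required set. It assumes you can read /proc/cpuinfo on a Linux virtual machine running on the same ESXi host with the same EVC and CPU settings, since the appliance CLI does not expose it. The one naming trap it handles is that Linux reports SSE3 as "pni"; the sample cpuinfo text below is constructed.

```shell
#!/bin/sh
# Added example, not from the Trellix guide: check a Linux "flags" line from
# /proc/cpuinfo against the CPU features the guide requires for virtual
# Network Security models other than NX 1500V. Assumption: you run it on a
# Linux VM on the same ESXi host (same EVC/CPU settings) or pass a saved
# cpuinfo file.
#
# Names are written as Linux prints them: SSE3 appears as "pni" (Prescott
# New Instructions); the others match the guide's names in lower case.
REQUIRED_CPU_FLAGS="sse sse2 pni ssse3 sse4_1 sse4_2 aes avx pclmulqdq"

# missing_cpu_flags FLAGS_LINE
#   Prints the required flags absent from FLAGS_LINE, space separated, or
#   an empty line when every required feature is present.
missing_cpu_flags() {
    # Normalise case and whitespace, then pad so each flag matches as a
    # whole word (so "sse" does not match inside "ssse3").
    have=" $(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr '\t' ' ' | tr -s ' ') "
    missing=""
    for flag in $REQUIRED_CPU_FLAGS; do
        case "$have" in
            *" $flag "*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# check_cpuinfo FILE
#   Reads the first "flags" line of a cpuinfo-format file and reports the
#   result. Returns 0 when nothing is missing, 1 otherwise.
check_cpuinfo() {
    line=$(sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' "$1" | head -n 1)
    missing=$(missing_cpu_flags "$line")
    if [ -n "$missing" ]; then
        echo "missing required CPU flags: $missing"
        return 1
    fi
    echo "all required CPU flags present"
}

# Constructed sample in /proc/cpuinfo format (an E5-2630 v4 class CPU with
# AVX exposed to the guest). For a real host run: check_cpuinfo /proc/cpuinfo
SAMPLE_CPUINFO=$(mktemp)
cat > "$SAMPLE_CPUINFO" <<'EOF'
processor       : 0
model name      : Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz
flags           : fpu vme de pse tsc msr pae mce cx8 sse sse2 ht syscall nx lm pni pclmulqdq ssse3 sse4_1 sse4_2 aes avx
EOF
check_cpuinfo "$SAMPLE_CPUINFO"
rm -f "$SAMPLE_CPUINFO"
```

If a flag is reported missing on a guest but the physical CPU has it, the usual cause is the cluster's EVC level or a per-VM CPU feature mask hiding it; fix that on the host side rather than in the appliance.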

ESXi Specifications

Each virtual appliance running on ESXi servers must meet the following specifications. The CPU core counts assume Intel
Xeon E5-2630 v4 cores at 2.20 GHz as the minimum. All virtual Network Security models (except NX 1500V) running Release
8.2.2 and later must run on hosts whose processors support the Advanced Vector Extensions (AVX) instruction set.

For NX 10500V, the interfaces should be MAC-ID sorted. To achieve 8.5 Gbps throughput on NX 10500V, the interfaces should be
i40e-based NICs, and Single-root input/output virtualization (SR-IOV) should be supported and enabled on each interface.

Model         CPU Cores   RAM      Virtual NICs                                                            Hard Disk Space
NX 10500V     96          384 GB   5 (total): 1 (management), 1-4 (monitoring)                             512 GB
NX 1500V      3           10 GB    10 (total): 1 (management), 1-8 (monitoring)                            384 GB
NX 2500V      6           16 GB    10 (total): 1 or 2 (management), 1-8 (monitoring)                       384 GB
NX 2501V      6           16 GB    10 (total): 1 or 2 (management), 1-8 (monitoring)                       256 GB
NX 2550V      8           16 GB    10 (total): 1 or 2 (management), 1-8 (monitoring)                       384 GB
NX 4500V      8           32 GB    10 (total): 1 or 2 (management), 1-8 (monitoring)                       512 GB
NX 6500V      16          32 GB    10 (total): 1 or 2 (management), 1-8 (monitoring)                       512 GB
NX 7500V      24          128 GB   10 (total): 1 or 2 (management), 1-8 (monitoring)                       512 GB
NX 8500V      48          256 GB   10 (total): 1 or 2 (management), 1-8 (monitoring)                       512 GB
EX Int 2500V  16          32 GB    4 (total): 1 (management), 2 (network interface), 1 (for future use)    1 TB
EX 5500V      8           16 GB    4 (total): 1 (management), 2 (network interface), 1 (for future use)    384 GB
FX 2500V      8           32 GB    2 (total): 1 (management), 1 (scanning [optional])                      512 GB
CM 2500V      4           32 GB    4 (total): 1 (management), 1-3 (for future use)                         512 GB
CM 4500V      8           64 GB    4 (total): 1 (management), 1-3 (for future use)                         1200 GB
CM 7500V      16          128 GB   4 (total): 1 (management), 1-3 (for future use)                         1200 GB
vVX           16          32 GB    4 (total): 1 (management), 2-4 (submission/cluster support)             1 TB

Note:
EX Int 2500V is deployed in integrated mode. Follow the administration steps to set up the DTI network and install
Guest Images (GI) once the appliance is deployed.

Caution

Use virtual Central Management System and virtual Endpoint Security (HX) servers with Intel-hosted platforms only.

VMware limitations

The following VMware features are not supported:

• Virtual SMP
• Update Manager
• Data Protection
• High Availability (HA)
• vMotion (including Storage vMotion, Enhanced vMotion Compatibility, and Cross-vSwitch vMotion)
• Storage APIs for Data Protection
• Memory hot add
• Endpoint
• Replication
• Fault Tolerance
• Virtual Volumes
• Offline operational mode

Deploying virtual Network Security, File Protect, and Central Management System appliances

A virtual Network Security sensor is a virtual instance of the Network Security system image. A virtual File Protect sensor is a
virtual instance of the File Protect system image. A virtual sensor provides the same detection efficacy as a physical appliance,
but requires no hardware.

A virtual Central Management System appliance is a virtual instance of the Central Management System system image. The
virtual Central Management System appliance manages sensors and hybrid appliances, but requires no Central Management
System hardware. The same virtual Central Management System appliance can manage both physical and virtual sensors and
hybrid appliances. It can also manage integrated appliances.

Open Virtualization Format (OVF) is an open standard for various virtualization platforms, and is used to package and distribute
the software that runs on virtual machines. A virtual appliance is packaged as an OVA image, which is a compressed file
containing the contents of an OVF folder. The OVF folder contains the Network Security, Central Management System, or File
Protect software image as well as virtual machine files. You install a virtual appliance in a VMware ESXi host.

Caution

VMware ESXi host version 7.0 or 8.0 is required (see VMware and ESXi requirements). Earlier ESXi versions are not
supported, and virtual appliances installed on those versions will not function properly.

Note

This document assumes familiarity with deploying virtual machines and administering ESXi hosts. This document provides
the basic steps for creating and deploying Trellix virtual appliances. For comprehensive information about deploying virtual
machines, see the documentation provided by VMware, Inc.

The following table describes the steps to deploy a virtual appliance. As noted, the virtual networking steps pertain to a virtual
sensor only, not to a virtual Central Management System appliance.


Task                                                   Instructions

1. Install the virtual appliance.                      Installing a virtual Network Security, Central Management
                                                       System, or File Protect appliance

2. Perform the initial configuration of the appliance. Performing the initial Network Security, File Protect, or
                                                       Central Management System configuration

3. Configure the virtual network.                      Configuring a virtual Network Security, File Protect, or
                                                       Central Management System network

                                                       Important
                                                       To prevent broadcast storms, enable inline operational mode
                                                       after the virtual network is configured.

Prerequisites

Note

This guide provides the basic steps for creating and deploying a virtual appliance. For comprehensive information about
deploying virtual machines, see the documentation provided by VMware, Inc.

• Root user account on an ESXi server
• Familiarity with deploying virtual machines and administering ESXi hosts
• The requirements listed in VMware and ESXi requirements

Installing a virtual Network Security, File Protect, or Central Management System appliance

This section describes how to install a virtual Network Security, Central Management System, or File Protect appliance.

Important

This procedure uses VMware ESXi version 6.0.0 (build 3568940) and vSphere Client version 6.0.0 (build 3562874) on VMware
vCenter Server version 6.0.0 (build 3018524). The navigation instructions and user interface may vary based on your version
of these products.


Note

This procedure covers the required settings for a Trellix virtual appliance. You can accept the default values for the other
settings, or specify values that are appropriate for your setup.

To install a virtual appliance:

1. Log in to vSphere Client.


2. From the File menu, select Deploy OVF Template to start the wizard.

3. On the Source screen, paste the URL that Trellix provided that points to the OVA file containing the Network Security,
Central Management System, or File Protect system image, or click Browse and navigate to the OVA file stored in your file
system, and then click Next.

4. On the OVF Template Details screen, review the information. If the information is correct, click Next. Otherwise, click Back
and enter the correct URL or path.


5. On the Name and Location screen, enter a unique name that describes the virtual appliance.

6. On the Disk Format screen, select Thin Provision, and then click Next.


7. On the Network Mapping screen, click Next to accept the default settings.

8. On the Properties screen, you can complete fields to configure initial settings as described in Using the properties screen.
(If you do not use this screen, you must type the values into the vSphere Client console manually, because you cannot paste
into this console.)


9. On the Ready to Complete screen:


a. Verify the information.
b. (Optional) Select the Power on after deployment check box.
c. Click Finish.

Performing the initial Network Security, File Protect, or Central Management configuration

The management interface is the port through which the virtual appliance is managed and administered. It is also the port
over which a Central Management System appliance and a managed appliance integrate. With the single-port address type, the
management interface is also the port through which a managed appliance requests and downloads software updates from the
DTI network.

Initial settings need to be configured to set up the management interface, and to allow access to the network, change the default
administrator password, and so on.

If your virtual appliances are managed by VMware vCenter Server, the Deploy OVF Template wizard includes a Properties screen
that allows you to enter your activation code and supply CLI commands that configure the appliance. You can also reset the
password for the "admin" user on this screen.

If the wizard does not include the Properties screen or if you choose not to use it, you can use the console of the vSphere client
to type the activation code and commands that allow the admin to log in to the CLI or Web UI to configure the appliance. You can
fully configure the appliance from the console, but it might be inconvenient because you cannot paste into the console.


Using the Properties Screen

The Properties screen is included in the Deploy OVF Template wizard if you connect to your ESXi host through VMware vCenter
Server. For an illustration of this screen and information about the other wizard screens, see Installing a virtual Network
Security, File Protect, or Central Management System appliance.

Trellix recommends that you use the Properties screen to do at least the following:

• Enter the activation code for your virtual appliance. The activation code contains many characters. The vSphere Client
prevents you from pasting the activation code into the vSphere Client console, and it is easy to make a typing error.
• Reset the password for the "admin" user if password authentication will be used to log into the CLI or Web UI over the
network. The password must be changed to a password of at least eight characters.

You can also use this screen to provide commands for configuration settings that the system will apply during the initial
boot. This can be convenient if you have a large number of virtual appliances to deploy, because you can create base sets of
commands and then customize them for each deployment.

Note

You can use the system virtual bootstrap reset command to reset the Properties screen values after the virtual
appliance is deployed and running.

The following table describes the fields in the Properties screen.

Field                      Description

Activation Code            The code you received in a secure email from Trellix that gives the virtual appliance its
                           identity and access credentials.

Initial CLI commands       A Base64-encoded set of commands that at a minimum allow the appliance to connect to your
                           network. To use this field, type the commands in plain-text format, encode them to Base64,
                           and then paste the encoded string into this field. (You could use the Linux command
                           cat <filename>.txt | base64 | tr -d '\n'
                           to encode the commands.) Consider using this field for network connectivity only, because
                           the size of the string could become unwieldy. The string can be a maximum of 65,535 bytes,
                           and cannot be line-wrapped.

Initial CLI commands URL   A URL that points to a file on your network (for example,
                           http://acme.com/operations/6500V_config.txt). To use this field, enter CLI commands that
                           configure additional settings in plain-text format, and store the file on an HTTP server in
                           your network. The virtual appliance needs network connectivity (which the commands in the
                           Initial CLI commands field can establish) to access the file referenced in the URL.

Reset admin password       A password of at least eight characters. The initial "admin" password must be reset to allow
                           the admin user to log into the CLI or Web UI over the network unless both of the following
                           are true:
                           • The CLI commands being executed set an SSH authorized key for the admin user, which allows
                             the admin to log in remotely without a password.
                           • You disable password logins using the username admin disable password command.
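The encoding step for the Initial CLI commands field, as an added example that is not part of this guide and not Trellix's own tooling: a shell function that produces the single-line Base64 string, checks it against the 65,535-byte field limit, and decodes it again to confirm that the appliance will receive exactly the commands you wrote. The sample commands and addresses are constructed placeholders, and their syntax is illustrative rather than taken from the guide. Keep in mind that the appliance runs whatever these fields, and the file behind Initial CLI commands URL (fetched over plain HTTP), contain during its first boot, so host that file on a server you control, restrict who can change it, and keep passwords and keys out of it.

```shell
#!/bin/sh
# Added example, not from the Trellix guide: prepare the value for the
# "Initial CLI commands" field of the Deploy OVF Template Properties screen.
# Assumes a Linux/BSD shell with base64, tr, wc and cmp. The 65,535-byte
# limit and the single-line rule come from the guide's field description.

INITIAL_CLI_MAX_BYTES=65535

# encode_initial_cli FILE
#   Prints the Base64 string for FILE as one line, or returns non-zero:
#   1 = file missing, 2 = encoded value over the field limit,
#   3 = decoding the result does not reproduce the file.
encode_initial_cli() {
    file="$1"
    [ -f "$file" ] || { echo "encode_initial_cli: no such file: $file" >&2; return 1; }

    # base64 wraps its output at 76 columns by default; the field cannot
    # contain line breaks, so every newline is stripped.
    encoded=$(base64 < "$file" | tr -d '\n')

    # The limit applies to the encoded value, which is about 4/3 the size
    # of the plain text.
    size=$(printf '%s' "$encoded" | wc -c | tr -d ' ')
    if [ "$size" -gt "$INITIAL_CLI_MAX_BYTES" ]; then
        echo "encode_initial_cli: $size bytes exceeds the $INITIAL_CLI_MAX_BYTES-byte limit" >&2
        return 2
    fi

    # Round trip: what the appliance will decode must be byte-for-byte the
    # commands you wrote, so decode and compare before pasting.
    if ! printf '%s' "$encoded" | base64 -d | cmp -s - "$file"; then
        echo "encode_initial_cli: decoded output differs from $file" >&2
        return 3
    fi

    printf '%s\n' "$encoded"
}

# Constructed sample input with placeholder addresses. The command syntax is
# illustrative only; use the CLI commands documented for your appliance.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
interface ether1 ip address 10.0.0.20 /24
ip default-gateway 10.0.0.1
ip name-server 10.0.0.53
EOF

encode_initial_cli "$SAMPLE_FILE"
rm -f "$SAMPLE_FILE"
```

Save the commands to a file, run `encode_initial_cli yourfile.txt`, and paste the single printed line into the field; if the function exits with status 2, move the extra commands into the file referenced by Initial CLI commands URL, as the guide suggests.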

Using the Console

Trellix recommends that you use the Properties screen to provide initial configuration settings, because you cannot copy and
paste into the vSphere Client console. However, if you do not use this screen, and if the license update feature is not enabled,
Trellix recommends that you accept the evaluation licenses during the initial configuration, because typing the keys is tedious
and prone to error. After the activation code is entered and the admin user has access to the appliance Web UI or CLI, you can
copy and paste the license keys.

To perform the initial configuration of a virtual appliance:

1. Log in to vSphere client.


2. In the left pane, expand the ESXi IP address and then select the virtual appliance.
3. Click the Console tab.


4. If the console is not running, click the green arrow to launch it.
5. At the login prompt, enter admin.
6. At the password prompt, enter admin.
7. If prompted to change the password, configure a new password using the username admin password <new password>
command. You will be logged out. Log in again with the new password.
8. Start the configuration jump-start wizard:

hostname (config) # configuration jump-start

9. Answer the wizard questions as described in Wizard steps.

Note

To navigate away from the vSphere Client console and return to the vSphere Client user interface or your local machine, press
Ctrl+Alt.

Wizard Steps

The following tables describe the questions the configuration wizard prompts you to answer. As noted in the table, the wizard
skips some steps based on your answers to previous steps.

Note

Press Ctrl+C to exit the configuration wizard. After the management interface is configured, an administrator can use the
configuration jump-start CLI command to run the wizard again.


Network Security steps

Hostname?
    Enter the hostname for the appliance.

Admin password?
    (Optional) Enter a new administrator password.

Confirm admin password?
    Re-enter the new administrator password.

Enable remote access for 'admin' user?
    Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Use DHCP on ether1 interface?
    Enter no to manually configure your IP address and network settings.

Use zeroconf on ether1 interface?
    Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network
    mask. (If you specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary interface.

Primary IP address and masklen?
    Enter the IP address for the management interface in A.B.C.D format and enter the network mask (for example,
    1.1.1.2 /24).

Default gateway?
    Enter the gateway IP address for the management interface.

Primary DNS server?
    Enter the IP address of the DNS server.

Domain name?
    Enter the domain for the management interface (for example, it.acme.com).

Enable Incident Response or Compromise Assessment?
    Enter no. These features are not supported in ESXi deployments.

Enable fenet service?
    Enter yes to enable access to the DTI network.

Enable fenet license update service?
    Enter yes to enable the licensing service to automatically download your licenses from the DTI network and
    install them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for
    the product license key and the step that prompts for the security-content updates key.)

Sync appliance time with fenet?
    Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service,
    synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three
    attempts to perform this step before it gives up and moves to the next step.

Update licenses from fenet?
    Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it
    gives up and moves to the next step.

Enable NTP?
    Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers.

Enable IPv6?
    Enter yes to enable the IPv6 protocol, which changes network IP routing from IPv4 to IPv6. (This step and the next
    two steps are skipped if you entered yes in the "Enable Incident Response or Compromise Assessment?" step. This
    step and the next two steps are performed automatically if you entered yes in the "Enable FaaS VPN" step.)

Enable IPv6 autoconfig (SLAAC) on ether1 interface?
    Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you
    entered no in the "Enable IPv6" step.)

Enable DHCPv6 on ether1 interface?
    Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the
    "Use DHCP on ether1 interface" or "Enable IPv6" step.)

Submission: Configure Interface?
    Press Enter to accept ether1 as the interface through which sensors and brokers communicate. Otherwise, enter the
    name of the other interface. (If you accept ether1, the next three steps are skipped.)

Submission: Interface?
    Enter the name of the other interface.
    Note: To keep management and data traffic separate, Trellix recommends that you use another management
    interface, such as ether2, and not a monitoring interface.

Submission: Use DHCP on <name> interface?
    Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the submission interface IP address and
    other network parameters. Enter no to manually configure the IP address and network settings. (If you enter yes,
    the static IP addressing steps are skipped.)

Submission: IP address and masklen?
    Enter the IP address for the submission interface in A.B.C.D format and enter the network mask (for example,
    10.1.1.1 /24).

Submission: Default IPv4 gateway?
    Enter the gateway IP address for the submission interface.

Product license key?
    Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation license.
    (This step and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and
    if licenses were successfully installed as a result.)

Security-content updates key?
    Enter the security-content license key you obtained from Trellix, or press Enter to skip this step and install the
    license later.

Central Management System steps

Hostname?
    Enter the hostname for the appliance.

Admin password?
    (Optional) Enter a new administrator password.

Confirm admin password?
    Re-enter the new administrator password.

Enable remote access for 'admin' user?
    Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Use DHCP on ether1 interface?
    Enter no to manually configure your IP address and network settings.

Use zeroconf on ether1 interface?
    Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network
    mask. (If you specify yes, the next step is skipped.)
    Note: Do not use zeroconf on the primary interface.

Primary IP address and masklen?
    Enter the IP address for the management interface in A.B.C.D format and enter the network mask (for example,
    1.1.1.2 /24).

Default gateway?
    Enter the gateway IP address for the management interface.

Primary DNS server?
    Enter the IP address of the DNS server.

Domain name?
    Enter the domain for the management interface (for example, it.acme.com).

Enable fenet service?
    Enter yes to enable access to the DTI network. (If you enter no, the next three steps are skipped.)

Enable fenet license update service?
    Enter yes to enable the licensing service to automatically download your licenses from the DTI network and
    install them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for
    the product license key and the step that prompts for the security-content updates key.)

Sync appliance time with fenet?
    Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service,
    synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three
    attempts to perform this step before it gives up and moves to the next step.

Update licenses from fenet?
    Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it
    gives up and moves to the next step.

Enable NTP?
    Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers. Enter no
    to manually set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync
    appliance time with fenet?" step.) If you enter no, specify the time and date in subsequent steps.

Enable FaaS VPN?
    Enter yes to enable the appliance to connect to Managed Defense (formerly called FireEye as a Service) over the
    Internet using a secure SSL VPN connection. (This step is skipped if no MD_ACCESS license is installed.)

Set time (<hh>:<mm>:<ss>)?
    Enter the appliance time in Greenwich Mean Time (GMT) (UTC+0). (This step and the next step are skipped if you
    entered yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Set date (<yyyy>/<mm>/<dd>)?
    Enter the appliance date in Greenwich Mean Time (GMT) (UTC+0).

Enable IPv6?
    Enter yes to enable the IPv6 protocol, which changes network IP routing from IPv4 to IPv6. (This step and the next
    two steps are performed automatically if you entered yes in the "Enable FaaS VPN" step.)

Enable IPv6 autoconfig (SLAAC) on ether1 interface?
    Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you
    entered no in the "Enable IPv6" step.)

Enable DHCPv6 on ether1 interface?
    Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the
    "Use DHCP on ether1 interface" or "Enable IPv6" step.)

Configure CMS HA?
    Enter no. Central Management System HA is not supported in an ESXi deployment.

Product license key?
    Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation license.
    (This step and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and
    if licenses were successfully installed as a result.)

Security-content updates key?
    Enter the security-content license key you obtained from Trellix, or press Enter to skip this step and install the
    license later.

File Protect steps

Hostname?
    Enter the hostname for the appliance.

Admin password?
    (Optional) Enter a new administrator password.

Confirm admin password?
    Re-enter the new administrator password.

Enable remote access for 'admin' user?
    Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Use DHCP on ether1 interface?
    Enter no to manually configure your IP address and network settings.

Use zeroconf on ether1 interface?
    Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network
    mask. (If you specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary interface.

Primary IP address and masklen?
    Enter the IP address for the management interface in A.B.C.D format and enter the network mask (for example,
    1.1.1.2 /24).

Default gateway?
    Enter the gateway IP address for the management interface.

Primary DNS server?
    Enter the IP address of the DNS server.

Domain name?
    Enter the domain for the management interface (for example, it.acme.com).

Enable fenet service?
    Enter yes to enable access to the DTI network. (If you enter no, the next three steps are skipped.)

Enable fenet license update service?
    Enter yes to enable the licensing service to automatically download your licenses from the DTI network and
    install them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for
    the product license key and the step that prompts for the security-content updates key.)

Sync appliance time with fenet?
    Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service,
    synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three
    attempts to perform this step before it gives up and moves to the next step.

Update licenses from fenet?
    Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it
    gives up and moves to the next step.

Enable NTP?
    Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers. Enter no
    to manually set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync
    appliance time with fenet?" or "Enable Incident Response or Compromise Assessment" step.) If you enter no, specify
    the time and date in subsequent steps.

Set time (<hh>:<mm>:<ss>)?
    Enter the appliance time in Greenwich Mean Time (GMT) (UTC+0). (This step and the next step are skipped if you
    entered yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Set date (<yyyy>/<mm>/<dd>)?
    Enter the appliance date in Greenwich Mean Time (GMT) (UTC+0).

Enable IPv6?
    Enter yes to enable the IPv6 protocol, which changes network routing from IPv4 to IPv6.

Enable IPv6 autoconfig (SLAAC) on ether1 interface?
    Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you
    entered no in the "Enable IPv6" step.)

Enable DHCPv6 on ether1 interface?
    Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the
    "Use DHCP on ether1 interface" or "Enable IPv6" step.)

Submission: Configure interface?
    Press Enter to accept ether1 as the interface through which sensors and brokers communicate. Otherwise, enter the
    name of another interface. (If you accept ether1, the next three steps are skipped.)
    Note: Ether1 is the only supported submission interface on File Protect sensors deployed on ESXi hosts.

Submission: Interface?
    Enter the name of the other interface. NOTE: To keep management and data traffic separate, Trellix recommends
    that you use another management interface, such as ether2, and not a monitoring interface.

Submission: Use DHCP on <name> interface?
    Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the submission interface IP address and
    other network parameters. Enter no to manually configure the IP address and network settings. (If you enter yes,
    the static IP addressing steps are skipped.)

Submission: IP address and masklen?
    Enter the IP address for the submission interface in A.B.C.D format and enter the network mask (for example,
    10.1.1.1 /24).

Submission: Default IPv4 gateway?
    Enter the gateway IP address for the submission interface.

Product license key?
    Press Enter to install a 15-day evaluation license.

Security-content updates key?
    Press Enter to skip this step and install the license later.

Configuring a virtual Network Security, File Protect, or Central Management network

After you create a virtual appliance, by default, all its virtual ports are connected to vSwitch0 on the ESXi host. The vSwitch0
virtual switch should include:

• The Management Network, which includes the physical management interface for the ESXi host (VMkernel Port)
• The Virtual Machine (VM Network) port group, which includes the virtual appliances
In the following example, the VM Network port group in vSwitch0 includes one Network Security sensor.

Network Security networking

The number of virtual and physical adapters you need for a virtual Network Security sensor depends on the virtual Network
Security model and the deployment mode. A Network Security sensor deployed in an inline deployment mode uses both ports
of each monitoring interface pair. A sensor deployed in an out-of-band mode uses one port of a monitoring port pair for each
connection to the external network. To configure virtual networking for a Network Security sensor, you must do the following:

1. For each monitoring port, create a virtual port group on a vSphere standard switch that is bound to a physical adapter on
the ESXi server.

Important

If the Network Security sensor will be deployed in inline operational mode, a separate switch must be created for each
monitoring port pair, and the switch cannot be on the management network.

2. If the default layer 2 forwarding is enabled: Enable "promiscuous" security on each of the virtual switches described in the
previous step. This allows all traffic from the external network to reach the monitoring interfaces on the Network Security
sensor. This is required for both inline and out-of-band deployment modes. (If layer 3 forwarding is enabled, promiscuous
security is not required. For details, see the "Layer 3 Forwarding Using VRF Instances" information in the Network
Security System Administration Guide.)
3. Move the adapters on the virtual sensor from the VM Network port group to the associated virtual port groups you created
in this procedure.

Important

To prevent broadcast storms, enable inline operational mode after the virtual network is configured.

The procedures in the following sections use VMware ESXi version 6.0.0 (build 3568940) and vSphere Client version 6.0.0
(build 3562874) on VMware vCenter Server version 6.0.0 (build 3018524). The navigation instructions and user interface may
vary based on your version of these products.

Note

You can create sub-interfaces of the monitoring ports of a virtual Network Security sensor based on VLAN or CIDR. However,
this is beyond the scope of this document.

Creating a port group for a monitoring interface

To create a port group:

1. Log in to vSphere Client.
2. In the left pane, select the ESXi server IP address.
3. Click the Configuration tab.
4. In the Hardware section, click Networking.
5. Click Add Networking to open the Add Network Wizard.

6. On the Connection Type screen, select Virtual Machine. Click Next.

7. On the Network Access screen, select a virtual switch that is attached to a physical adapter, and then click Next. This
selects the physical adapter that provides external network connectivity.

8. On the Connection Settings screen, enter a unique and descriptive name for the port group. In this example, the label
indicates that the port group is for the pether3 interface on the virtual sensor. Click Next.

9. On the Summary screen, click Finish.

Enabling promiscuous security

Note

Do not perform this procedure if layer 3 forwarding is enabled. Use the show policymgr layer3-mode status command to
determine whether it is enabled.

To enable promiscuous security:

1. Select the ESXi server IP address in the left navigation pane.
2. Click the Configuration tab.
3. Select Networking.
4. Locate the virtual switch with the new port group and then click Properties.
5. Click Edit.

6. Click the Security tab.
7. Select Accept in the Promiscuous Mode drop-down list.
8. Click OK.

Moving the monitoring port to the new port group

The network adapter number on the Hardware tab maps to the number of the interface on the virtual appliance. For example,
Network adapter 1 maps to the ether1 interface, Network adapter 3 maps to the pether3 interface, and so on.

To move the monitoring port:

1. Right-click the virtual Network Security sensor in the left pane and then select Edit Settings.
2. If a Restricted Virtual Machine Settings message opens, click OK.
3. In the Virtual Machine Properties dialog box, click the Hardware tab, if it is not already selected.
4. In the Network Connection section, select the new port group you created on the virtual switch.

5. Click OK.
6. Verify the configuration:
a. Click the ESXi server IP address in the left pane of vSphere Client.
b. Click the Configuration tab.
c. In the Hardware section, click Networking.
d. Examine the diagram to verify the configuration.

Example

This example shows a virtual network with two virtual Network Security sensors that are deployed in inline mode. The pether3
monitoring interface is mapped to vSwitch1, which is bound to the vmnic1 physical adapter, and the pether4 monitoring
interface is mapped to vSwitch2, which is bound to the vmnic3 physical adapter.

Central Management System networking

A virtual Central Management System appliance requires no additional virtual network configuration.

File Protect networking

A virtual File Protect appliance requires no additional virtual network configuration. However, if you are using the ether2
interface to access storage, the ether1 and ether2 interfaces must be on different networks. You can use the following CLI
command to configure a non-default gateway to reach the storage server from the ether2 interface:

hostname (config) # ip route <networkPrefix> {<netmask> | <maskLength>} {<nextHopIPAddress> | <interfaceName>}

Deploying Virtual Email Security appliances

A virtual Email Security — Server sensor is a virtual instance of the Email Security — Server system image. A virtual sensor
provides the same detection efficacy as a physical appliance, but requires no hardware.

Open Virtualization Format (OVF) is an open standard for various virtualization platforms, and is used to package and distribute
the software that runs on virtual machines. A virtual appliance is packaged as an OVA image, which is a compressed file
containing the contents of an OVF folder. The OVF folder contains the appliance software image as well as virtual machine files.
You install a virtual appliance in a VMware ESXi host.

Caution

VMware ESXi host version 6.0 or later is required. Earlier ESXi versions are not supported, and virtual appliances installed
using those versions will not function properly.

Note

This document assumes familiarity with deploying virtual machines and administering ESXi hosts. This document provides
the basic steps for creating and deploying Trellix virtual appliances. For comprehensive information about deploying virtual
machines, see the documentation provided by VMware, Inc.

Prerequisites

Note

This guide provides the basic steps for creating and deploying a virtual appliance. For comprehensive information about
deploying virtual machines, see the documentation provided by VMware, Inc.

• Root user account on an ESXi server
• Familiarity with deploying virtual machines and administering ESXi hosts
• Requirements in VMWare requirements

Installing a virtual Email Security appliance

This section describes how to install a virtual appliance.

Important

This procedure uses VMware ESXi version 6.5.0 (build 8294253) and vSphere Web Client version 6.5.0.13000 (build 7515524)
on VMware vCenter Server version 6.5.0 (build 7515524). The navigation instructions and user interface may vary based on
your version of these products.

Note

This procedure covers the required settings for a Trellix virtual appliance. You can accept the default values for the other
settings, or specify values that are appropriate for your setup.

To install a virtual appliance:

1. Log in to vSphere Web Client.
2. Select the host in the Navigator pane and then select Actions > Deploy OVF Template to start the wizard.

3. On the Select template screen, paste the URL that Trellix provided that points to the OVA file containing the Email Security
— Server system image, or click Browse and navigate to the OVA file stored in your file system. Click Next.

4. On the Select name and location screen, enter the name of the virtual appliance, and then select its location on the
Browse tab.

5. On the Select a resource screen, select the host or other resource where you want to run the virtual appliance.

6. On the Review Details screen, review the information. If the information is correct, click Next. Otherwise, click Back and
enter the correct information.

7. On the Select storage screen, select Thin provision from the Select virtual disk format drop-down menu.

8. On the Select networks screen, click Next to accept the default settings.

9. On the Customize template screen, you can complete fields to configure initial settings as described in Using the customize
template screen. (If you do not use this screen, you must type the values into the vSphere Web Client console manually,
because you cannot paste into this console.)

10. On the Ready to complete screen, verify the information and then click Finish.

Performing the initial Email Security configuration

The management interface is the port through which the virtual appliance is managed and administered. It is also the port
through which integration of the Central Management System appliance and a managed appliance is managed. With the single-
port address type, the management interface is also the port through which a managed appliance requests and downloads
software updates from the DTI network.

Initial settings need to be configured to set up the management interface, and to allow access to the network, change the default
administrator password, and so on.

If your virtual appliances are managed by VMware vCenter Server, the Deploy OVF Template wizard includes a Customize
template screen that allows you to enter your activation code and supply CLI commands that configure the appliance. You can
also reset the password for the "admin" user on this screen.

If the wizard does not include the Customize template screen or if you choose not to use it, you can use the console of the
vSphere Web Client to type the activation code and commands that allow the admin to log in to the CLI or Web UI to configure
the appliance. You can fully configure the appliance from the console, but it might be inconvenient because you cannot paste
into the console.

Using the customize template screen

The Customize template screen is included in the Deploy OVF Template wizard if you connect to your ESXi host through VMware
vCenter Server. For an illustration of this screen and information about the other wizard screens, see Installing a virtual Email
Security appliance.

Trellix recommends that you use the Customize template screen to do at least the following:

• Enter the activation code for your virtual appliance. The activation code contains many characters. The vSphere Web
Client prevents you from pasting the activation code into the vSphere Web Client console, and it is easy to make a typing
error.
• Reset the password for the "admin" user if password authentication will be used to log into the CLI or Web UI over the
network. The password must be changed to a password of at least eight characters.

You can also use this screen to provide commands for configuration settings that the system will apply during the initial
boot. This can be convenient if you have a large number of virtual appliances to deploy, because you can create base sets of
commands and then customize them for each deployment.

Note

You can use the system virtual bootstrap reset command to reset the Customize template screen values after the
virtual appliance is deployed and running.

The following table describes the fields in the Customize template screen.

Field Description

Activation Code The code you received in a secure email from Trellix
that gives the virtual appliance its identity and access
credentials.

Initial CLI commands A Base64-encoded set of commands that at a
minimum allow the appliance to connect to your
network. To use this field, type the commands in
plain-text format, encode them to Base64, and then
paste the encoded string into this field. (You could
use the Linux command
cat <filename>.txt | base64 | tr -d '\n'
to encode the commands.)
Consider using this field for network connectivity
only, because the size of the string could become
unwieldy. The string can be a maximum of 65,535
bytes, and cannot be line-wrapped.

Initial CLI commands URL A URL that points to a file on your network (for
example,
http://acme.com/operations/6500V_config.txt
). To use this field, enter CLI commands that
configure additional settings in plain-text format,
and store the file on an HTTP server in your network.
The virtual appliance needs network connectivity
(which the commands in the Initial CLI commands
field can establish) to access the file referenced in
the URL.

Reset admin password A password of at least eight characters. The initial
"admin" password must be reset to allow the admin
user to log into the CLI or Web UI over the network
unless both of the following are true:

• The CLI commands being executed set an SSH
authorized key for the admin user, which allows
the admin to log in remotely without a password.
• You disable password logins using the
username admin disable password
command.
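
The encoding step described in the Initial CLI commands row, as an added shell example that is not part of the Trellix guide: it writes a small command file, encodes it the way the guide's one-liner does, and checks the two constraints the field imposes (a single unwrapped line of at most 65,535 bytes) before printing the string to paste. The two appliance-side interface and gateway lines in the sample file are assumed CLI syntax used only for illustration, not taken from this guide; check them against your Trellix CLI reference before use.

```shell
#!/bin/sh
# Added example (not from the Trellix guide): prepare the Base64 string for the
# "Initial CLI commands" field of the Customize template screen and check the
# constraints the guide gives for it: one line (no wrapping), at most 65,535 bytes.
set -eu

MAX_BYTES=65535

# Plain-text command set that is pasted, encoded, into the field. The two lines
# below are ASSUMED appliance CLI syntax for illustration (bring ether1 up with a
# static address and default gateway); check them against your CLI reference.
write_bootstrap_commands() {   # $1 output file
    cat > "$1" <<'EOF'
interface ether1 ip address 10.1.1.2 /24
ip default-gateway 10.1.1.1
EOF
}

# Same transformation as the guide's one-liner: encode, then strip the line
# breaks that base64 inserts every 76 characters.
encode_bootstrap() {   # $1 input file
    base64 < "$1" | tr -d '\n'
}

decode_bootstrap() {   # $1 encoded string
    printf '%s' "$1" | base64 -d
}

# Returns 0 when the string fits the field: no embedded newline, within the cap.
check_bootstrap() {    # $1 encoded string
    if [ "$(printf '%s' "$1" | wc -l)" -ne 0 ]; then
        printf '%s\n' "encoded string contains a line break; strip it with tr" >&2
        return 1
    fi
    size=$(printf '%s' "$1" | wc -c)
    if [ "$size" -gt "$MAX_BYTES" ]; then
        printf '%s\n' "encoded string is $size bytes; the field accepts at most $MAX_BYTES" >&2
        printf '%s\n' "move the extra commands to a file served via Initial CLI commands URL" >&2
        return 1
    fi
    return 0
}

tmp=$(mktemp)
write_bootstrap_commands "$tmp"
PLAIN=$(cat "$tmp")
ENCODED=$(encode_bootstrap "$tmp")
rm -f "$tmp"

check_bootstrap "$ENCODED"
# Round trip: the appliance must recover the commands byte for byte.
[ "$(decode_bootstrap "$ENCODED")" = "$PLAIN" ]
printf 'Paste into "Initial CLI commands":\n%s\n' "$ENCODED"
```

If check_bootstrap rejects the string for size, the guide's own advice applies: keep only the connectivity commands in this field and move the rest to a plain-text file referenced from Initial CLI commands URL.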

Using the Console

Trellix recommends that you use the Customize template screen to provide initial configuration settings, because you cannot
copy and paste into the vSphere Web Client console. However, if you do not use this screen, and if the license update feature is
not enabled, Trellix recommends that you accept the evaluation licenses during the initial configuration, because typing the keys
is tedious and prone to error. After the activation code is entered and the admin user has access to the appliance Web UI or CLI,
you can copy and paste the license keys.

To perform the initial configuration of a virtual appliance:

1. Log in to vSphere Web Client.
2. In the left pane, expand the ESXi IP address and then select the virtual appliance.
3. Click the icon next to the appliance name.

Note

If the virtual appliance is not running, click the green arrow next to this icon to start it. (The arrow in the illustration
above is dimmed because the virtual appliance is already running.)

4. At the login prompt, enter admin.

5. At the password prompt, enter admin.
6. If prompted to change the password, configure a new password using the username admin password <new password>
command. You will be logged out. Log in again with the new password.
7. Start the configuration jump-start wizard:

hostname (config) # configuration jump-start

8. Answer the wizard questions as described in Wizard Steps.

Email Security — Server Wizard Steps

The following table describes the questions the configuration wizard prompts you to answer. As noted in the table, the wizard
skips some steps based on your answers to previous steps.

Note

Press Ctrl+C to exit the configuration wizard. After the management interface is configured, an administrator can use the
configuration jump-start CLI command to run the wizard again.

Step Response

Hostname? Enter the hostname for the appliance.

Admin password? (Optional) Enter a new administrator password.

Confirm admin password? Re-enter the new administrator password.

Enable remote access for 'admin' user? Enter yes to enable the administrator to log in to
the appliance remotely. Enter no to disable remote
access.

Use DHCP on ether1 interface? Enter no to manually configure your IP address and
network settings.

Use zeroconf on ether1 interface? Enter yes to use zero-configuration (zeroconf)
networking. Enter no to specify a static IP address
and network mask. (If you specify yes, the next
step is skipped.) NOTE: Do not use zeroconf on the
primary interface.

Primary IP address and masklen? Enter the IP address for the management interface
in A.B.C.D format and enter the network mask (for
example, 1.1.1.2 /24).

Default gateway? Enter the gateway IP address for the management
interface.

Primary DNS server? Enter the IP address of the DNS server.

Domain name? Enter the domain for the management interface (for
example, it.acme.com).

Enable fenet service? Enter yes to enable access to the DTI network.

Enable fenet license update service? Enter yes to enable the licensing service to
automatically download your licenses from the
DTI network and install them. (If licenses are
downloaded and installed successfully, the wizard
skips the step that prompts for the product license
key and the step that prompts for the security-
content updates key.)

Sync appliance time with fenet? Enter yes to synchronize the appliance time with
the DTI server time. If you enabled the licensing
service, synchronization prevents a feature from
being temporarily unlicensed due to a time gap. The
wizard makes three attempts to perform this step
before it gives up and moves to the next step.

Update licenses from fenet? Enter yes to download and install your licenses. The
wizard makes three attempts to perform this step
before it gives up and moves to the next step.

Enable NTP? Enter yes to enable automatic time synchronization
with one or more Network Time Protocol (NTP)
servers.

Enable FaaS VPN? Enter yes to enable the appliance to connect
to Managed Defense (formerly called FireEye
as a Service) over the Internet using a secure
SSL VPN connection. (This step is skipped if
no MD_ACCESS license is installed. This step is
performed automatically if you entered yes in
the "Enable Incident Response or Compromise
Assessment?" step.)

Enable IPv6? Enter yes to enable the IPv6 protocol, which changes
network routing from IPv4 to IPv6.

Enable IPv6 autoconfig (SLAAC) on ether1 interface? Enter yes to enable IPv6 autoconfig on the ether1
(management interface) port. (This step is skipped if
you entered no in the "Enable IPv6" step.)

Enable DHCPv6 on ether1 interface? Enter yes to use DHCPv6 to configure IPv6 hosts with
IP addresses. (This step is skipped if you entered no
in the "Use DHCP on ether1 interface" or "Enable
IPv6" step.)

Submission: Interface? Press Enter to accept ether1 as the interface through
which sensors and brokers communicate. Otherwise,
enter the name of the other interface. (If you accept
ether1, the next three steps are skipped.) NOTE: To
keep management and data traffic separate, Trellix
recommends that you use another management
interface, such as ether2, and not a monitoring
interface.

Use DHCP on <name> interface? Enter yes to use Dynamic Host Configuration
Protocol (DHCP) to configure the submission
interface IP address and other network parameters.
Enter no to manually configure the IP address and
network settings. (If you enter yes, the static IP
addressing steps are skipped.)

Submission: IP address and masklen? Enter the IP address for the submission interface
in A.B.C.D format and enter the network mask (for
example, 10.1.1.1 /24).

Submission: Default IPv4 gateway? Enter the gateway IP address for the submission
interface.

Product license key? Enter the product license key you obtained from
Trellix, or press Enter to install a 15-day evaluation
license. (This step and the next step are skipped if
you entered yes in the "Enable fenet license update
service?" step and if licenses were successfully
installed as a result.)

Security-content updates key? Enter the security-content license key you obtained
from Trellix, or press Enter to skip this step and
install the license later.

Configuring a virtual Email Security network

After you create a virtual appliance, by default, all its virtual ports are connected to vSwitch0 on the ESXi host. The vSwitch0
virtual switch should include:

• The Management Network, which includes the physical management interface for the ESXi host (VMkernel Port)
• The Virtual Machine (VM Network) port group, which includes the virtual appliances
In the following example, the VM Network port group in vSwitch0 includes one Email Security — Server sensor.

The number of virtual and physical adapters you need for a virtual Email Security — Server sensor depends on whether you want
to deploy the network interfaces on separate networks or physical adapters. All network interfaces can use the same physical
adapter.

Trellix recommends that you keep the URL Dynamic Analysis interface (ether2) logically separate from the main network traffic,
so the ether1 management interface resides on a different subnet from the ether2 interface. In SPAN/TAP mode, you must keep
the SMTP interface (pether3) separate from the main network traffic, so that you can enable promiscuous security on that port
group only and allow all SMTP traffic from the external network to reach the Email Security — Server sensor.

Note

For details about deployment options, see the Email Security — Server System Administration Guide. For details about URL
Dynamic Analysis, see the Email Security — Server User Guide.

Task List for the Virtual EX Network

The following table lists tasks to perform if one or both of the scenarios pertain to your deployment.

Scenario Tasks

URL Dynamic Analysis is implemented. 1. Create a new virtual port group on a vSphere
standard switch that is bound to a physical adapter
on the ESXi server. See Creating a port group for a
network interface.
2. Move the adapter on the virtual sensor that is
associated with the URL Dynamic Analysis interface
from the VM Network port group to the new virtual
port group. See Moving an interface to the new port
group.

SPAN/TAP is the deployment mode. 1. Create a new virtual port group on a vSphere
standard switch that is bound to a physical adapter
on the ESXi server. See Creating a port group for a
network interface.
2. Move the adapter on the virtual sensor that is
associated with the pether3 interface from the VM
Network port group to the new virtual port group.
See Moving an interface to the new port group.
3. Enable "promiscuous" security on the new port
group to allow all SMTP traffic from the external
network to reach the Email Security — Server sensor.
See Enabling promiscuous security.

Note

You can create sub-interfaces of the network ports of a virtual Email Security — Server sensor based on VLAN or CIDR.
However, this is beyond the scope of this document.

Important

This procedure uses VMware ESXi version 6.5.0 (build 8294253) and vSphere Web Client version 6.5.0.13000 (build 7515524)
on VMware vCenter Server version 6.5.0 (build 7515524). The navigation instructions and user interface may vary based on
your version of these products.

Creating a port group for a network interface

This procedure shows how to create a port group for the ether2 interface. Follow the same steps to create a port group for a
different interface.

To create a port group:

1. Log in to vSphere Web Client.
2. In the left pane, select the ESXi server IP address.
3. Click the Configure tab.
4. In the Networking section, click Virtual switches.
5. Click the Add host networking icon to open the Add Networking wizard.

6. On the Select connection type screen, select Virtual Machine Port Group for a Standard Switch. Click Next.

7. On the Select target device screen, select Select an existing standard switch. Click Browse.

8. In the Select Switch dialog box, select a virtual switch that is attached to a physical adapter, and then click OK. This selects
the physical adapter that provides external network connectivity. Click Next on the Select target device screen to advance
to the next screen.

9. On the Connection settings screen, enter a unique and descriptive name for the port group (ether2 is used in this
example). Click Next.

10. On the Ready to complete screen, click Finish.

Moving an interface to the new port group

The network adapter number on the Hardware tab maps to the number of the interface on the virtual appliance. For example,
Network adapter 1 maps to the ether1 interface, Network adapter 3 maps to the pether3 interface, and so on.

To move an interface:

1. Select the virtual Email Security — Server sensor in the left pane.
2. Select the Configure tab and then select VM Hardware. Click Edit.

3. Click the VM Network menu next to the network adapter mapped to the interface. This procedure uses ether2 as an
example, so Network adapter 2 is selected. If you need to move the pether3 interface, click the menu next to Network
adapter 3.

4. Select the new port group you created on the virtual switch, and click OK. The new port group is displayed.

5. Verify the configuration:
a. Click the ESXi server IP address in the left pane of vSphere Web Client.
b. Click the Configure tab.
c. In the Networking section, click Virtual switches.
d. Select the virtual switch and examine the diagram to verify the configuration.

Enabling promiscuous security

In SPAN/TAP mode, you must enable promiscuous security on the port group used by the pether3 interface. This allows all SMTP
traffic from the external network to reach Email Security — Server sensors.

Important

Do not perform this procedure if your Email Security — Server sensors are deployed in Message Transfer Agent (MTA) or BCC
mode.

To enable promiscuous security:

1. Select the ESXi server IP address in the left navigation pane.
2. Click the Configure tab.
3. Select Networking > Virtual Switches.
4. Locate the virtual switch and select the port group you created for the pether3 interface. Click the Edit settings icon.
5. Select the Security tab.
6. Select the Override checkbox and then select Accept in the Promiscuous mode drop-down list.

7. Click OK.

Examples

In this example, three network interfaces are in the VM Network port group, and the ether2 interface is in a new port group
(ether2). All port groups are on vSwitch0, which is bound to the vmnic0 physical adapter on the ESXi server.

In this example for a SPAN/TAP mode deployment, two interfaces are in the VM Network port group, the ether2 interface is in
a new port group (ether2), and the pether3 interface is in another new port group (pether3) that is configured in promiscuous
mode, which allows all SMTP traffic from the external network to reach the pether3 interface. All port groups are on vSwitch0,
which is bound to the vmnic0 physical adapter on the ESXi server.
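
The port-group, promiscuous-mode and adapter-move steps described for the Network Security sensor (the inline example with pether3 on vSwitch1/vmnic1 and pether4 on vSwitch2/vmnic3) and for the Email Security SPAN/TAP example above, as one added shell script that drives VMware's govc CLI in place of the vSphere Client. This is an added example, not code from the Trellix guide or from VMware. It assumes govc is installed and GOVC_URL, GOVC_USERNAME and GOVC_PASSWORD point at the ESXi host; the VM names, vSwitch names, port-group names and vmnic numbers are illustrative, and the ethernet-N device naming (guide adapter N = govc ethernet-(N-1)) is govc's zero-based convention as assumed from its device listing.

```shell
#!/bin/sh
# Added example (not from the Trellix guide or VMware): the vSwitch, port-group,
# promiscuous-mode and adapter-move steps of the virtual network procedures,
# driven with VMware's govc CLI instead of the vSphere Client.
# Assumed: govc is installed and GOVC_URL/GOVC_USERNAME/GOVC_PASSWORD point at
# the ESXi host. VM, vSwitch, port-group names and vmnic numbers are illustrative.
# DRY_RUN=1 prints each govc command instead of executing it.
set -eu

DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Guide rule: "Network adapter N" in the VM hardware list is interface N on the
# appliance (adapter 1 = ether1, adapter 3 = pether3). govc names the same
# devices ethernet-0, ethernet-1, ... (zero-based; assumed from govc device.ls).
adapter_device() {
    echo "ethernet-$(( $1 - 1 ))"
}

# One standard vSwitch bound to one physical uplink. For inline Network Security
# deployments each monitoring port gets its own switch, off the management network.
make_vswitch() {    # $1 vswitch name  $2 vmnic
    run govc host.vswitch.add -nic "$2" "$1"
}

# A VM port group on an existing vSwitch, with promiscuous mode set explicitly.
# Pass true for monitoring ports (pether3/pether4, or pether3 in SPAN/TAP mode)
# unless layer 3 forwarding is enabled on the sensor; pass false otherwise.
make_portgroup() {  # $1 port group  $2 vswitch  $3 promiscuous true|false
    run govc host.portgroup.add -vswitch "$2" "$1"
    run govc host.portgroup.change -allow-promiscuous="$3" "$1"
}

# Move one VM adapter (guide numbering) from "VM Network" to the given port group.
move_adapter() {    # $1 vm name  $2 adapter number  $3 port group
    run govc vm.network.change -vm "$1" -net "$3" "$(adapter_device "$2")"
}

# Network Security sensor, inline mode, as in the guide's example: pether3 on
# vSwitch1 (vmnic1), pether4 on vSwitch2 (vmnic3). Enable inline operational
# mode on the sensor only after this has completed (broadcast-storm warning).
network_security_inline() {   # $1 vm name
    make_vswitch vSwitch1 vmnic1
    make_vswitch vSwitch2 vmnic3
    make_portgroup pg-pether3 vSwitch1 true
    make_portgroup pg-pether4 vSwitch2 true
    move_adapter "$1" 3 pg-pether3
    move_adapter "$1" 4 pg-pether4
}

# Email Security sensor, SPAN/TAP mode, as in the guide's second example: ether2
# (URL Dynamic Analysis) and pether3 (SMTP capture) each in their own port group
# on vSwitch0; promiscuous mode only on the pether3 group, never in MTA/BCC mode.
email_security_span_tap() {   # $1 vm name
    make_portgroup ether2  vSwitch0 false
    make_portgroup pether3 vSwitch0 true
    move_adapter "$1" 2 ether2
    move_adapter "$1" 3 pether3
}

case "${1:-}" in
    nx) network_security_inline "${2:-nx-sensor-01}" ;;
    ex) email_security_span_tap  "${2:-ex-sensor-01}" ;;
    *)  echo "usage: DRY_RUN=1 $0 nx|ex [vm-name]" >&2 ;;
esac
```

Run it first with DRY_RUN=1 (for example `DRY_RUN=1 sh virtnet.sh nx nx-sensor-01`) and compare the printed commands with the diagram you expect to see under Networking; then run without DRY_RUN against the host. Promiscuous mode is applied only where the guide calls for it, and inline operational mode is left for you to enable afterwards, as the guide's broadcast-storm warning requires.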

Deploying virtual Intelligent Virtual Execution - Server appliances

A virtual IVX sensor is a virtual instance of the IVX system image. A virtual sensor provides the same detection efficacy as a
physical appliance, but requires no hardware.

Open Virtualization Format (OVF) is an open standard for various virtualization platforms, and is used to package and distribute
the software that runs on virtual machines. A virtual appliance is packaged as an OVA image, which is a compressed file
containing the contents of an OVF folder. The OVF folder contains the IVX appliance software image as well as virtual machine
files. You install a virtual appliance in a VMware ESXi host.

Caution

VMware ESXi host version 6.7 or later is required. Earlier ESXi versions are not supported, and virtual appliances installed
using those versions will not function properly.

Note

• This document assumes familiarity with deploying virtual machines and administering ESXi hosts. This document
provides the basic steps for creating and deploying Trellix virtual appliances. For comprehensive information about
deploying virtual machines, see the documentation provided by VMware, Inc.
• Virtual VX deployment is supported only on Intel platforms.

Prerequisites

Note

This guide provides the basic steps for creating and deploying a virtual appliance. For comprehensive information about
deploying virtual machines, see the documentation provided by VMware, Inc.

• Root user account on an ESXi server
• Familiarity with deploying virtual machines and administering ESXi hosts
• Requirements in VMWare requirements

Installing a virtual IVX appliance

This section describes how to install a virtual IVX appliance.

Important

This procedure uses VMware ESXi version 6.7.0 and 7.0.3. The navigation instructions and user interface may vary based on
your version of these products.

Note

This procedure covers the required settings for a Trellix virtual appliance. You can accept the default values for the other
settings, or specify values that are appropriate for your setup.

To install a virtual appliance:

Note

This deployment is based on ESXi Host Client version 7.0.3.

1. Log in to ESXi Host Client.
2. In the Navigator pane, select the host and then select Create/Register VM > Deploy OVF Template to start the wizard.

3. In the New virtual machine window, select Deploy a virtual machine from an OVF or OVA file and then click Next.

4. Enter the name of the virtual machine and select the virtual VX OVA file from the downloaded location. Click Next.

5. Under Select storage, click Standard and then click Next.

6. Under Deployment options, perform the following steps:
a. In Network Mappings, select the required network from the drop-down list or use the default VM Network.
b. In Disk Provisioning, select Thin.
c. Select the Power on automatically checkbox.
d. Click Next.

7. Under Additional settings, provide the activation code and optionally set the admin password, or leave the fields blank and
configure them later:
a. Enter the Activation Code.
b. You can skip the Initial CLI commands and Initial CLI commands URL fields. They can be configured later.
c. Enter a password under Reset admin password. You can also configure the password later.
d. Click Next.

8. Under Ready to complete, verify your settings and then click Finish to deploy the virtual VX machine.

9. On the Recent Tasks screen, monitor the status of the virtual VX machine.

Performing the initial IVX configuration

The management interface is the port through which the virtual appliance is managed and administered. It is also the port
through which integration of the Central Management System appliance and a managed appliance is managed. With the single-
port address type, the management interface is also the port through which a managed appliance requests and downloads
software updates from the DTI network.

Initial settings need to be configured to set up the management interface, and to allow access to the network, change the default
administrator password, and so on.

Using the Console

Trellix recommends that you accept the evaluation licenses during the initial configuration, because typing the keys is tedious
and prone to error. After the activation code is entered and the admin user has access to the appliance Web UI or CLI, you can
copy and paste the license keys.

To perform the initial configuration of a virtual appliance:

1. Log in to ESXi Host Client.

2. In the left pane, expand Virtual Machines and then select the virtual appliance.

3. Click the Console tab on the top left of the window.

4. At the login prompt, enter admin.

5. At the password prompt, enter admin.


6. If prompted to change the password, configure a new password using the username admin password <new password>
command. You will be logged out. Log in again with the new password.

7. On logging in again, select Yes to accept License Agreement.


8. Select Yes if prompted to use the wizard for initial configuration.
9. If you do not receive the above prompt, start the configuration jump-start wizard:

hostname (config) # configuration jump-start

10. Answer the wizard questions as described in Wizard steps.

Wizard Steps

The following tables describe the questions the configuration wizard prompts you to answer. As noted in the table, the wizard
skips some steps based on your answers to previous steps.

Note

Press Ctrl+C to exit the configuration wizard. After the management interface is configured, an administrator can use the
configuration jump-start CLI command to run the wizard again.

Intelligent Virtual Execution steps

Hostname?
  Enter the hostname for the appliance.

Admin password?
  (Optional) Enter a new administrator password.

Confirm admin password?
  Re-enter the new administrator password.

Enable remote access for 'admin' user?
  Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Use DHCP on ether1 interface?
  Enter no to manually configure your IP address and network settings.

Use zeroconf on ether1 interface?
  Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network mask. (If you
  specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary interface.

Primary IPv4 address and masklen?
  Enter the IPv4 address for the management interface in A.B.C.D format and the network mask length (for example,
  1.1.1.2 /24).

Default gateway?
  Enter the gateway IP address for the management interface.

Primary DNS server?
  Enter the IP address of the DNS server.

Domain name?
  Enter the domain for the management interface (for example, it.acme.com).

Enable fenet service?
  Enter yes to enable access to the DTI network.

Enable fenet license update service?
  Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install them.
  (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product license key
  and the step that prompts for the security-content updates key.)

Sync appliance time with fenet?
  Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service, synchronization
  prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts to perform this
  step before it gives up and moves to the next step.

Update licenses from fenet?
  Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it gives up
  and moves to the next step.

Enable NTP?
  Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers.

Enable IPv6 on management interface?
  Enter yes to enable the IPv6 protocol, which changes network IP routing from IPv4 to IPv6. (This step and the next two
  steps are skipped if you entered yes in the "Enable Incident Response or Compromise Assessment?" step. This step and the
  next two steps are performed automatically if you entered yes in the "Enable FaaS VPN" step.)

Enable IPv6 autoconfig (SLAAC) on ether1 interface?
  Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you entered no in
  the "Enable IPv6" step.)

Enable DHCPv6 on ether1 interface?
  Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the "Use DHCP
  on ether1 interface" or "Enable IPv6" step.)

Product license key?
  Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation license. (This step
  and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and licenses were
  successfully installed as a result.)

Security-content updates key?
  Enter the security-content license key you obtained from Trellix, or press Enter to skip this step and install the license
  later.

Submission: Interface?
  Enter the name of the interface.
  Note: You can also skip this step and assign the submission interface after initial configuration. If you do not assign a
  submission interface, ether1 is used as the submission interface by default. If you leave it unchanged, the next two steps
  are skipped automatically.

Submission: IP address and masklen?
  Enter the IP address for the submission interface in A.B.C.D format and the network mask length (for example,
  10.1.1.1 /24).

Submission: Default IPv4 gateway?
  Enter the gateway IP address for the submission interface.

Cluster: Interface?
  Enter the name of the interface.
  Note: You can also skip this step and assign the cluster interface after initial configuration. If you do not assign a
  cluster interface, ether1 is used as the cluster interface by default. If you leave it unchanged, the next step is skipped
  automatically.

Cluster: IP address and masklen?
  Enter the IP address for the cluster interface in A.B.C.D format and the network mask length (for example, 10.1.1.1 /24).

Send a request to be managed by CMS?
  Enter yes if the appliance is to be managed by a Central Management System appliance; otherwise, enter no.

Configuring a virtual IVX network

After you create a virtual appliance, by default, all its virtual ports are connected to vSwitch on the ESXi host. The vSwitch virtual
switch should include:

• The Management Network, which includes the physical management interface for the ESXi host (VMkernel Port)
• The Virtual Machine (VM Network) port group, which includes the virtual appliances
In the following example, the VM Network port group in vSwitch includes one Intelligent Virtual Execution - Server sensor.

Intelligent Virtual Execution networking

To configure virtual networking for an Intelligent Virtual Execution - Server sensor, you must do the following:

1. For each submission/cluster port, create a virtual port group on an ESXi Host standard switch that is bound to a physical
adapter on the ESXi server.
2. Move the adapters on the virtual sensor from the VM Network port group to the associated virtual port groups you created
in this procedure.

Important

The procedures in the following sections use VMware ESXi versions 6.7.0 and 7.0.3. The navigation instructions and user
interface may vary based on your version of these products.

Creating a port group for an interface

To create a port group:

1. Log in to ESXi Host Client.


2. In the left pane, select Networking.
a. Select Port groups tab.
b. Click Add port group in the top-right of the window.

3. The Add port group popup window will appear.


a. Enter a Name for the new port group.
b. Select the VLAN ID for the new port group from the scroll box.
c. Select the required Virtual switch from the drop-down menu.
d. Click Add button to add the new port group.

Creating a submission/cluster interface

To create a submission/cluster interface:

1. Log in to ESXi Host Client.


2. In the left pane, select Networking.
a. Select Virtual switches tab.
b. Click Add standard virtual switch in the top-right of the window.

3. The Add standard virtual switch popup window will appear.


a. Enter a vSwitch name.
b. Select the value of MTU from the scrollbox.
c. Select the Uplink 1 value from the drop-down menu.
d. Click Add button to add the new interface.

Moving the submission/cluster port to the new port group

The network adapter number on the Hardware tab maps to the number of the interface on the virtual appliance. For example,
Network adapter 1 maps to the ether1 interface, Network adapter 3 maps to the ether3 interface, and so on.

1. Log in to ESXi Host Client.

2. In the left pane, select vVX-prod to open the vVX-prod page in the right pane.
3. Right-click on the vVX-prod page and select Edit settings.

4. The Edit settings popup window will appear.


5. Assign the required interfaces to the respective Network Adapters from their dropdown menus.


5| KVM

KVM
• KVM requirements
• Deploying virtual Network Security appliances on KVM Servers
• Deploying virtual Central Management System appliances on KVM Servers
• Deploying virtual File Protect appliances on KVM Servers

KVM requirements
The following KVM (Kernel-based Virtual Machine) resources are required.

• Ubuntu 18.04 or later, CentOS 7.4 or later, or RHEL 7.3 (Network Security appliances and File Protect appliances only).
• Standard virtual switch, connected to an external network and shared by the operating system.
• Software bridge (for example, "br0") in the operating system for the management connection to the virtual appliance.
The software bridge should be configured with the physical NIC mapping on the host, which is then used for
management access to the virtual appliance. (For instructions, see the documentation provided by Ubuntu.)
• A NIC for each virtual appliance interface. You must provision a NIC for each interface because KVM needs to know the
total number of interfaces, even if some of those interfaces are not used.
• Network Security and File Protect appliances:
Two Rx queues and two Tx queues for each data port to enable the Port Mirroring and SSL Decryption Mirroring
features. See Defining multiple queues for data ports.
The following BIOS flags must be enabled on the host: SSE, SSE2, SSE3, SSSE3, SSE4_1, SSE4_2, AES, AVX, PCLMULQDQ.
If any of these flags are not enabled, contact your KVM administrator to enable them.

• Ubuntu:
KVM version (kvm -version): QEMU emulator version 2.11.1 (Debian 1:2.11+dfsg-1ubuntu7.9)
libvirtd version: libvirtd (libvirt) 4.0.0
virt-manager version: 1.5.1

• CentOS:
KVM version: QEMU emulator version 1.5.3 (qemu-kvm-1.5.3-160.el7)
libvirtd version: libvirtd (libvirt) 4.5.0
virt-manager version: 1.5.0

• Network Security appliances only: Red Hat Enterprise Linux:
RHEL 7.3
libvirtd version: libvirtd (libvirt) 4.5.0
virt-manager version: 1.4.0

• The following packages:


bridge-utils
ifupdown (networking)
librbd1-devel
libvirt
libvirt-bin
libvirt-clients
libvirt-daemon-system
libvirt-python
network-manager
qemu
qemu-img
qemu-kvm
virt-install
virt-manager
virt-viewer
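
The flag list above is easy to verify before you start a deployment. The following Python pre-flight check is an added example, not Trellix tooling: it parses Linux /proc/cpuinfo text, requires each listed flag on every logical CPU (a flag masked on one core by a restrictive CPU model is still missing), and honours the kernel's spelling of SSE3 as "pni". The vmx/svm hardware-virtualization check and the binary names in REQUIRED_TOOLS are my additions and assumptions, not part of the guide's list; the cpuinfo samples are constructed.

```python
"""Pre-flight check of a KVM host's CPU flags against the deployment guide's list.

Added example (not Trellix code). Reads Linux /proc/cpuinfo text and reports
which required instruction-set flags are absent on any core, plus whether
hardware virtualization (vmx/svm) is exposed, which KVM itself needs even
though the guide's list does not name it. Sample cpuinfo text is constructed.
"""
import shutil
from typing import Dict, List, Set

# Flags from the guide, in the lowercase spelling /proc/cpuinfo uses.
REQUIRED_FLAGS = ("sse", "sse2", "sse3", "ssse3", "sse4_1", "sse4_2",
                  "aes", "avx", "pclmulqdq")

# The kernel reports SSE3 as "pni" (Prescott New Instructions), so accept both.
ALIASES = {"sse3": ("sse3", "pni")}

# Intel VT-x / AMD-V: one of these must be present or KVM cannot run at all (assumption, not from the guide).
HW_VIRT_FLAGS = ("vmx", "svm")

# Assumed binary names installed by the packages the guide lists (libvirt-clients, virt-install, qemu-img, bridge-utils).
REQUIRED_TOOLS = ("virsh", "virt-install", "qemu-img", "brctl")


def per_cpu_flags(cpuinfo_text: str) -> List[Set[str]]:
    """Return one flag set per 'flags' line, i.e. one per logical CPU."""
    result = []
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            result.append(set(value.split()))
    return result


def common_flags(cpuinfo_text: str) -> Set[str]:
    """Flags present on every CPU; a flag missing on one core counts as missing."""
    sets = per_cpu_flags(cpuinfo_text)
    if not sets:
        return set()
    common = set(sets[0])
    for s in sets[1:]:
        common &= s
    return common


def missing_required(flags: Set[str]) -> List[str]:
    """Required flags (guide spelling) not found in `flags`, honouring aliases."""
    missing = []
    for req in REQUIRED_FLAGS:
        if not any(name in flags for name in ALIASES.get(req, (req,))):
            missing.append(req)
    return missing


def check_host(cpuinfo_text: str) -> Dict[str, object]:
    """Summarise a host: CPU count, missing guide flags, hardware virt, overall verdict."""
    flags = common_flags(cpuinfo_text)
    missing = missing_required(flags)
    hw_virt = any(f in flags for f in HW_VIRT_FLAGS)
    return {"cpus": len(per_cpu_flags(cpuinfo_text)),
            "missing_flags": missing,
            "hw_virt": hw_virt,
            "ok": not missing and hw_virt}


def missing_tools() -> List[str]:
    """Host binaries from REQUIRED_TOOLS that are not on PATH."""
    return [t for t in REQUIRED_TOOLS if shutil.which(t) is None]


# Constructed sample: two cores, SSE3 spelled "pni", every required flag present.
SAMPLE_OK = """processor\t: 0
model name\t: Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz
flags\t\t: fpu vme sse sse2 ht pni ssse3 sse4_1 sse4_2 aes avx pclmulqdq vmx

processor\t: 1
model name\t: Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz
flags\t\t: fpu vme sse sse2 ht pni ssse3 sse4_1 sse4_2 aes avx pclmulqdq vmx
"""

# Constructed sample: AVX masked on the first core only; the host still fails.
SAMPLE_NO_AVX = SAMPLE_OK.replace("aes avx pclmulqdq", "aes pclmulqdq", 1)


if __name__ == "__main__":
    with open("/proc/cpuinfo") as fh:
        print(check_host(fh.read()))
    print("missing tools:", missing_tools())
```

Run it on the KVM host before importing the .qcow2 image; a non-empty missing_flags list on a host whose hardware does have the feature usually means the flag is disabled in firmware, which is the case the guide's "contact your KVM administrator" note covers.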

KVM specifications

Each virtual appliance running on KVM servers must meet the following specifications. All CPU cores are Intel Xeon E5-2630 v4,
with 2.20 GHz processor (minimum). All virtual Network Security models (except NX 1500V) running Release 8.2.2 and later must
run on hosts that support the Advanced Vector Extensions (AVX) instruction set on the host processors.

Model      CPU Cores   RAM       Virtual NICs                                       Hard Disk Space
NX 2500V   6           16 GB     10 total: 1 or 2 management, 1 to 8 monitoring     384 GB
NX 2501V   6           16 GB     10 total: 1 or 2 management, 1 to 8 monitoring     256 GB
NX 2550V   8           16 GB     10 total: 1 or 2 management, 1 to 8 monitoring     384 GB
NX 4500V   8           32 GB     10 total: 1 or 2 management, 1 to 8 monitoring     512 GB
NX 6500V   16          32 GB     10 total: 1 or 2 management, 1 to 8 monitoring     512 GB
NX 7500V   24          128 GB    10 total: 1 or 2 management, 1 to 8 monitoring     512 GB
NX 8500V   48          256 GB    10 total: 1 or 2 management, 1 to 8 monitoring     512 GB
CM 2500V   4           32 GB     4 total: 1 management, 1 to 3 for future use       512 GB
CM 4500V   8           64 GB     4 total: 1 management, 1 to 3 for future use       1200 GB
CM 7500V   16          128 GB    4 total: 1 management, 1 to 3 for future use       1200 GB
CM 9500V   32          256 GB    4 total: 1 management, 1 to 3 for future use       1200 GB

For File Protect:

Each virtual appliance running on KVM servers must meet the following specifications. All CPU cores are Intel Xeon E5-2630 v4,
with 2.20 GHz processor (minimum). KVM support for the virtual File Protect model is available for the FX 2500V from version
10.0.1 onward only.

Model      CPU Cores   RAM       Virtual NICs   Hard Disk Space
FX 2500V   2           8 GB      2              512 GB

Important

Trellix recommends installing with 8 CPU cores and 16 GB RAM.

Deploying virtual Network Security appliances on KVM Servers


The following sections describe how to deploy a virtual NX appliance on KVM (Kernel-based Virtual Machine) servers. KVM is
open-source hardware virtualization software through which you can create and run multiple Linux and Windows-based virtual
machines simultaneously.

• Installing a virtual Network Security appliance using the KVM UI


• Performing the initial Network Security configuration for the virtual appliance
• Configuring a virtual Network Security network
• Defining multiple queues for data ports

Installing a virtual Network Security appliance using the KVM UI

This section describes how to install a virtual Network Security appliance on a KVM server using the KVM Virtual Machine
Manager UI.

Important

This procedure uses libvirt 4.5 on Ubuntu 18.04. The navigation instructions and user interface may vary if you are using
CentOS or a different version of Ubuntu.

Note

This procedure covers the required settings for a Trellix virtual appliance. You can accept the default values for the other
settings, or specify values that are appropriate for your setup.

Before starting the virtual appliance installation, ensure you have the required prerequisite software installed. See KVM
requirements .

In the following procedure, you will create the virtual appliance and configure its management, OOB, and data ports.

Important

A virtual Network Security appliance supports ten NICs: one management interface, one out-of-band interface, and eight
monitoring (data) interfaces. You must provision a NIC for each interface. This is because KVM needs to know the total
number of interfaces, even if some of those interfaces are not used.

To install a virtual appliance using the KVM Virtual Machine Manager UI:

1. Download the Network Security KVM deployment .zip file from the Trellix DTI network to a KVM server and extract
the files within it. The .zip file name is based on your appliance model. For example, the .zip file for the NX 4500V is
image-wmps-fireeyenx4500v.zip.

2. In KVM Virtual Machine Manager, select File > New Virtual Machine.

3. Complete the Create a new virtual machine screens:

Step 1 of 4
  1. Select Import existing disk image.
  2. Click Forward.

Step 2 of 4
  1. Browse to and select the folder to which you extracted the .zip file in the first step.
  2. Select the .qcow2 file, such as image-wmps-fireeyenx4500v.qcow2, and click Choose Volume.
  3. Select OS type Linux and in Version select your version of CentOS or Ubuntu.
  4. Click Forward.

Step 3 of 4
  1. Set Memory and CPU settings to the values for your virtual Network Security model. The base platform must have the
  required amount of disk space, memory, and CPU cores to support the specific virtual Network Security model. For
  example, for model NX 4500V, enter 32 GB (32768 MB) for Memory (RAM) and 8 for CPUs.
  2. Click Forward.

Step 4 of 4
  1. Enter a name, such as Fireeye-NX-4500V.
  2. Click Customize configuration before install and select Network selection Bridge br0. This software bridge is the
  management (ether1) connection to the virtual Network Security appliance. The bridge must already exist in the host OS,
  as described in KVM requirements.
  3. Click Finish.

The KVM installation page opens.

4. In the KVM installation page, configure the basic information and disk I/O for the virtual Network Security appliance:

Overview tab
  1. Enter a domain name, such as Fireeye-NX-4500V, for the virtual Network Security appliance in Name and optionally
  enter a Title and Description.
  2. Click Apply.

VirtIO Disk 1 tab
  1. Click Advanced options.
  2. Select SCSI in the Disk bus field.
  3. Click Apply.

5. In the KVM installation page, add the virtual hardware for the controller and networks:
a. At the bottom left of the KVM installation page, click Add Hardware.
b. In the Add New Virtual Hardware page, select the tab for the type of hardware to add and enter the values according
to the following table.
You must click Finish after adding each hardware entry and click Add Hardware again to select the next type of
hardware to add.

Controller tab
  1. In Type, select SCSI.
  2. In Model, select VirtIO SCSI.
  3. Click Finish.

Network tab (for OOB)
  Add the OOB (ether2) port for the virtual Network Security appliance.
  1. In Network source, to use the management bridge that you created in the Create a new virtual machine wizard, select
  the existing software bridge, such as br0. Otherwise, you can select another software bridge that is associated with a
  non-management physical interface, such as br1. If the base OS has an equivalent NIC that corresponds to the virtual
  Network Security appliance NIC, associate them accordingly. Otherwise, use the Dummy software bridge.
  2. In Device model, select virtio.
  3. Click Finish.

Network tab (for data ports)
  Repeat the following steps to configure each of the data ports required for your virtual Network Security appliance.
  1. In Network source, if the base OS has an equivalent NIC that matches the virtual Network Security appliance NIC,
  associate them accordingly. IMPORTANT: Set the network source to macvtap and set the source mode to Passthrough.
  If the base OS does not have an equivalent NIC, use the Dummy software bridge.
  2. Click Finish.

6. After adding the data ports, click Begin installation.

7. Check the console for the virtual Network Security appliance boot status.

Continue with Performing the initial Network Security configuration for the virtual appliance.

Performing the initial Network Security configuration for the virtual appliance

The management interface is the port through which the virtual appliance is managed and administered. It is also the port
through which integration of the Central Management System appliance and a managed appliance is managed. With the single-
port address type, the management interface is also the port through which a managed appliance requests and downloads
software updates from the DTI network.

Initial settings need to be configured to set up the management interface, and to allow access to the network, change the default
administrator password, and so on.

Trellix recommends that you use the KVM Virtual Machine Manager console. If the license update feature is not enabled, Trellix
recommends that you accept the evaluation licenses during the initial configuration, because typing the keys is tedious and
prone to error. After the activation code is entered and the admin user has access to the appliance Web UI or CLI, you can copy
and paste the license keys.

To perform the initial configuration of a virtual appliance:

1. Open the KVM Virtual Machine Manager.
2. Open the virtual appliance you just installed, such as Trellix NX 4500.
3. At the login prompt, enter admin.
4. At the password prompt, enter admin.
5. When prompted to change the password, configure a new password using the username admin password <new password>
command. You will be logged out. Log in again with the new password.
6. Accept the license agreement. The configuration jump-start wizard begins.
7. Answer the wizard questions as described in Wizard steps.

Wizard Steps

The following table describes the questions the configuration wizard prompts you to answer. As noted in the table, the wizard
skips some steps based on your answers to previous steps.

Note

Press Ctrl+C to exit the configuration wizard. After the management interface is configured, an administrator can use the
configuration jump-start CLI command to run the wizard again.

Activation code?
  Enter the activation code you obtained from Trellix.

Hostname?
  Enter the hostname for the appliance.

Admin password?
  (Optional) Enter a new administrator password.

Confirm admin password?
  Re-enter the new administrator password.

Enable remote access for 'admin' user?
  Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Use DHCP on ether1 interface?
  Enter no to manually configure your IP address and network settings.

Use zeroconf on ether1 interface?
  Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network mask. (If you
  specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary interface.

Primary IP address and masklen?
  Enter the IP address for the management interface in A.B.C.D format and the network mask length (for example,
  1.1.1.2 /24).

Default gateway?
  Enter the gateway IP address for the management interface.

Primary DNS server?
  Enter the IP address of the DNS server.

Domain name?
  Enter the domain for the management interface (for example, it.acme.com).

Enable Incident Response or Compromise Assessment?
  Enter no. These features are not supported in KVM deployments.

Enable fenet service?
  Enter yes to enable access to the DTI network.

Enable fenet license update service?
  Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install them.
  (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product license key
  and the step that prompts for the security-content updates key.)

Sync appliance time with fenet?
  Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service, synchronization
  prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts to perform this
  step before it gives up and moves to the next step.

Update licenses from fenet?
  Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it gives up
  and moves to the next step.

Enable NTP?
  Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers. Enter no to
  manually set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync appliance time with
  fenet?" or "Enable Incident Response or Compromise Assessment?" step.) If you enter no, specify the time and date in
  Greenwich Mean Time (GMT).

Enable FaaS VPN?
  Enter yes to enable the appliance to connect to Managed Defense (formerly called Trellix as a Service) over the Internet
  using a secure SSL VPN connection. (This step is skipped if no MD_ACCESS license is installed. This step is performed
  automatically if you entered yes in the "Enable Incident Response or Compromise Assessment?" step.)

Set time (<hh>:<mm>:<ss>)?
  Enter the appliance time in Greenwich Mean Time (GMT) (UTC+0). (This step and the next step are skipped if you entered yes
  in the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Set date (<yyyy>/<mm>/<dd>)?
  Enter the appliance date in Greenwich Mean Time (GMT) (UTC+0).

Enable IPv6?
  Enter yes to enable the IPv6 protocol, which changes network IP routing from IPv4 to IPv6. (This step and the next two
  steps are skipped if you entered yes in the "Enable Incident Response or Compromise Assessment?" step. This step and the
  next two steps are performed automatically if you entered yes in the "Enable FaaS VPN" step.)

Enable IPv6 autoconfig (SLAAC) on ether1 interface?
  Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you entered no in
  the "Enable IPv6?" step.)

Enable DHCPv6 on ether1 interface?
  Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the "Use DHCP
  on ether1 interface?" or "Enable IPv6?" step.)

Submission: Interface?
  Press Enter to accept ether1 as the interface through which sensors and brokers communicate. Otherwise, enter the name of
  the other interface. (If you accept ether1, the next three steps are skipped.)
  Note: To keep management and data traffic separate, Trellix recommends that you use another management interface, such
  as ether2, and not a monitoring interface.

Submission: Use DHCP on <name> interface?
  Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the submission interface IP address and other
  network parameters. Enter no to manually configure the IP address and network settings. (If you enter yes, the static IP
  addressing steps are skipped.)

Submission: IP address and masklen?
  Enter the IP address for the submission interface in A.B.C.D format and the network mask length (for example,
  10.1.1.1 /24).

Submission: Default IPv4 gateway?
  Enter the gateway IP address for the submission interface.

Product license key?
  Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation license. (This step
  and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and licenses were
  successfully installed as a result.)

Security-content updates key?
  Enter the security-content license key you obtained from Trellix, or press Enter to skip this step and install the license
  later.

Your virtual Network Security appliance on KVM may require additional virtual network configuration.

Important

For information about enabling Port Mirroring and SSL Decryption Mirroring, see Defining multiple queues for data ports.

Enabling IPv6 communication for data traffic

If you deployed using the Virtual Machine Manager UI and are using IPv6 traffic within the network, you must add parameters to
the XML file associated with the installed virtual Network Security appliance. The parameters must be added in the NIC section
for each data port.

To enable IPv6 communication:

1. Shut down the virtual Network Security appliance.

2. Edit its XML file using the virsh edit command, such as virsh edit Trellix-NX-4500V.

Note

Trellix-NX-4500V is the domain name given during the installation. See Installing a virtual Network Security appliance
using the KVM UI.

3. Add the attribute trustGuestRxFilters='yes' under the NIC sections for each of the data ports:
<interface type='direct' trustGuestRxFilters='yes'>

Example

<interface type='direct' trustGuestRxFilters='yes'>
  <mac address='52:54:00:12:13:83'/>
  <source dev='enp5s0f0' mode='passthrough'/>
  <model type='virtio'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
</interface>
<interface type='direct' trustGuestRxFilters='yes'>
  <mac address='52:54:00:98:b7:91'/>
  <source dev='enp5s0f1' mode='passthrough'/>
  <model type='virtio'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
</interface>

Defining multiple queues for data ports

Two receive (Rx) queues and two transmit (Tx) queues must be defined for each data port of Network Security virtual appliances
deployed on KVM servers. This enables the Port Mirroring and SSL Decryption Mirroring features. (See the Network Security User
Guide for information about these features.)

If you are deploying a new virtual appliance using the bundled XML template, no configuration is needed because two Rx queues
and two Tx queues are defined by default in the template. However, configuration is needed in the following cases, because the
virtual appliance will come up with only one Rx queue and one Tx queue:

• You are upgrading an existing virtual appliance from a release prior to Network Security release 8.3.2.
• You are deploying a new virtual appliance using the KVM Virtual Machine Manager UI.
The queues must be manually defined in the XML template that is created for the virtual appliance when it is deployed. This
configuration cannot be performed using the KVM Virtual Machine Manager UI.

To configure the queue:

1. Shut down the virtual appliance.


2. Add the following line to each <interface> section that corresponds to a data port in the XML template for the virtual
appliance:
<driver name='vhost' queues='2'/>

3. Start the virtual appliance.

The following example configures two Rx queues and two Tx queues (queues='2') on one data port of a virtual appliance:

<interface type='direct' trustGuestRxFilters='yes'>
  <mac address='xx'/>
  <source dev='ensXX' mode='passthrough'/>
  <model type='virtio'/>
  <driver name='vhost' queues='2'/>
</interface>
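
Both of the preceding procedures (trustGuestRxFilters for IPv6 in Enabling IPv6 communication for data traffic, and the two-queue vhost driver in Defining multiple queues for data ports) edit the same <interface> elements, and hand-editing a domain with eight data ports is where typos creep in. The following Python script is an added example, not Trellix tooling: it applies both settings to every macvtap passthrough interface of a libvirt domain XML, leaves bridge-backed management and OOB NICs untouched, and audits the result. The sample domain XML, host device names and MAC addresses are constructed.

```python
"""Apply the guide's two KVM data-port settings to a libvirt domain XML.

Added example (not Trellix code). For every <interface type='direct'> whose
<source> uses mode='passthrough' (the macvtap data ports) it sets
trustGuestRxFilters='yes' and a <driver name='vhost' queues='2'/> child.
Bridge-backed interfaces (management/OOB) are deliberately left alone.
Domain name, device names and MACs in the sample below are constructed.
"""
import sys
import xml.etree.ElementTree as ET
from typing import List, Tuple

SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>Trellix-NX-4500V</name>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:aa:bb:01'/>
      <source bridge='br0'/>
      <model type='virtio'/>
    </interface>
    <interface type='direct'>
      <mac address='52:54:00:aa:bb:02'/>
      <source dev='enp5s0f0' mode='passthrough'/>
      <model type='virtio'/>
    </interface>
    <interface type='direct' trustGuestRxFilters='yes'>
      <mac address='52:54:00:aa:bb:03'/>
      <source dev='enp5s0f1' mode='passthrough'/>
      <model type='virtio'/>
      <driver name='vhost' queues='1'/>
    </interface>
  </devices>
</domain>
"""


def is_data_port(iface: ET.Element) -> bool:
    """macvtap passthrough NICs are the data ports; bridge NICs are management/OOB."""
    src = iface.find("source")
    return (iface.get("type") == "direct"
            and src is not None
            and src.get("mode") == "passthrough")


def data_port_devs(domain_xml: str) -> List[str]:
    """Host devices backing the data ports, in document order."""
    root = ET.fromstring(domain_xml)
    return [i.find("source").get("dev") for i in root.iter("interface") if is_data_port(i)]


def audit_data_ports(domain_xml: str, queues: int = 2) -> List[str]:
    """Host devices of data ports still lacking either required setting."""
    root = ET.fromstring(domain_xml)
    bad = []
    for iface in root.iter("interface"):
        if not is_data_port(iface):
            continue
        drv = iface.find("driver")
        compliant = (iface.get("trustGuestRxFilters") == "yes"
                     and drv is not None
                     and drv.get("name") == "vhost"
                     and drv.get("queues") == str(queues))
        if not compliant:
            bad.append(iface.find("source").get("dev"))
    return bad


def harden_data_ports(domain_xml: str, queues: int = 2) -> Tuple[str, List[str]]:
    """Return (rewritten XML, host devices whose <interface> actually changed)."""
    root = ET.fromstring(domain_xml)
    changed = []
    for iface in root.iter("interface"):
        if not is_data_port(iface):
            continue
        before = ET.tostring(iface)
        iface.set("trustGuestRxFilters", "yes")
        drv = iface.find("driver")
        if drv is None:
            drv = ET.SubElement(iface, "driver")
        drv.set("name", "vhost")
        drv.set("queues", str(queues))
        if ET.tostring(iface) != before:
            changed.append(iface.find("source").get("dev"))
    return ET.tostring(root, encoding="unicode"), changed


def bridge_ifaces_untouched(domain_xml: str) -> bool:
    """True if no bridge-type NIC carries the guest-trust attribute."""
    root = ET.fromstring(domain_xml)
    return all(i.get("trustGuestRxFilters") is None
               for i in root.iter("interface") if i.get("type") == "bridge")


if __name__ == "__main__":
    # Usage: virsh dumpxml <domain> | python3 harden_ports.py > new.xml
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DOMAIN_XML
    new_xml, touched = harden_data_ports(source)
    sys.stdout.write(new_xml)
    sys.stderr.write("updated data ports: %s\n" % ", ".join(touched))
```

With the appliance shut down, feed it `virsh dumpxml <domain>`, review the diff, and load the result with `virsh define new.xml` (or paste the changes through `virsh edit`), then start the domain. Keep trustGuestRxFilters on the macvtap data ports only: it lets the guest reprogram the host device's receive filters (unicast/multicast lists and promiscuous mode), which is exactly what IPv6 neighbor discovery needs on a passthrough port and exactly what you do not want a guest to control on the shared management bridge.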

Deploying virtual Central Management appliances on KVM Servers


The following sections describe how to deploy a virtual Central Management System appliance on KVM (Kernel-based Virtual
Machine) servers. KVM is an open-source hardware virtualization software through which you can create and run multiple Linux
and Windows-based virtual machines simultaneously.

Supported virtual CM models include CM 4500V and CM 7500V.

• KVM requirements
• Installing a virtual Central Management System appliance on KVM
• Performing the initial Central Management System configuration for the virtual appliance

Installing a virtual Central Management appliance on KVM

This section describes how to install a virtual Central Management System appliance on a KVM server using the KVM Virtual
Machine Manager UI.

Important

This procedure uses libvirt 4.5 on Ubuntu 18.04. The navigation instructions and user interface may vary if you are using
CentOS or a different version of Ubuntu.

Note

This procedure covers the required settings for a Trellix virtual appliance. You can accept the default values for the other
settings, or specify values that are appropriate for your setup.

Before starting the virtual appliance installation, ensure you have the required prerequisite software installed. See KVM
requirements.

The following packages are required for a successful virtual Central Management System appliance deployment on KVM:

• qemu-kvm
• qemu-img
• virt-manager
• libvirt
• libvirt-python
• libvirt-client
• virt-install
• virt-viewer
• librbd1-devel
In the following procedure, you will create the virtual appliance and configure its management port.

To install a virtual appliance using the KVM Virtual Machine Manager UI:

1. Download the Central Management System KVM deployment .zip file from the Trellix DTI network to a KVM server and
extract the files within it to the /home/admin/images directory.
The .zip file name is based on your appliance model. For example, the .zip for the CM 7500V is image-cms-fireeyecm4500v.zip.
2. In KVM Virtual Machine Manager, select File > New Virtual Machine.
3. Complete the Create a new virtual machine screens:

Screen / Action

Step 1 of 4
  1. Select Import existing disk image.
  2. Click Forward.

Step 2 of 4
  1. Browse to and select the folder to which you extracted the .zip file in the first step.
  2. Select the .qcow2 file, such as image-cms-fireeyecm4500v.qcow2, and click Choose Volume.
  3. Select OS type Linux and in the Version field, select your version of CentOS or Ubuntu.
  4. Click Forward.

Step 3 of 4
  1. Set Memory and CPU settings to the values for your virtual CM model.
  2. Click Forward.

Step 4 of 4
  1. Enter a name, such as Trellix-CM-4500V.
  2. Click Customize configuration before install and select Network selection Bridge br0. The bridge must have already been created in the host OS. This is the management (ether1) port for the virtual appliance.
  3. Click Finish.
  The KVM installation page opens.

4. In the KVM installation page, configure the basic information and disk I/O for the virtual Central Management System
appliance.

Tab / Action

Overview
  1. Enter a domain name, such as Trellix-CM-4500V, for the virtual Central Management System appliance in the Name field and optionally enter a Title and Description.
  2. Click Apply.

VirtIO Disk 1
  1. Click Advanced options.
  2. Select SCSI in the Disk bus field.
  3. Click Apply.

5. In the KVM installation page, add the virtual hardware for the controller:
a. At the bottom left of the KVM installation page, click Add Hardware.
b. In the Add New Virtual Hardware page, select the Controller tab and then select the following values:

• Type—SCSI
• Model—VirtIO SCSI
c. Click Finish.
6. Click Begin installation.
7. After the installation is complete, proceed to Performing the initial Central Management System configuration for the virtual
appliance.

Performing the initial Central Management configuration for the virtual appliance

The management interface is the port through which the virtual appliance is managed and administered. It is also the port
through which integration of the Central Management System appliance and a managed appliance is managed. With the single-
port address type, the management interface is also the port through which a managed appliance requests and downloads
software updates from the DTI network.

Initial settings need to be configured to set up the management interface, and to allow access to the network, change the default
administrator password, and so on.

Trellix recommends that you use the KVM Virtual Machine Manager console. If the license update feature is not enabled, Trellix
recommends that you accept the evaluation licenses during the initial configuration, because typing the keys is tedious and
prone to error. After the activation code is entered and the admin user has access to the appliance Web UI or CLI, you can copy
and paste the license keys.

To perform the initial configuration of a virtual appliance:

1. Open the KVM Virtual Machine Manager.
2. Open the virtual appliance you just installed, such as Trellix-NX 4500.
3. At the login prompt, enter admin.
4. At the password prompt, enter admin.
5. When prompted to change the password, configure a new password using the username admin password <new password>
command. You will be logged out. Log in again with the new password.
6. Accept the license agreement. The configuration jump-start wizard begins.
7. Answer the wizard questions as described in Wizard steps.

Wizard Steps

The following table describes the questions the configuration wizard prompts you to answer. As noted in the table, the wizard
skips some steps based on your answers to previous steps.

Note

Press Ctrl+C to exit the configuration wizard. After the management interface is configured, an administrator can use the
configuration jump-start CLI command to run the wizard again.

Step / Response

Activation code?
  Enter the activation code you obtained from Trellix.

Hostname?
  Enter the hostname for the appliance.

Admin password?
  (Optional) Enter a new administrator password.

Confirm admin password?
  Re-enter the new administrator password.

Enable remote access for 'admin' user?
  Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Use DHCP on ether1 interface?
  Enter no to manually configure your IP address and network settings.

Use zeroconf on ether1 interface?
  Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network mask. (If you specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary interface.

Primary IP address and masklen?
  Enter the IP address for the management interface in A.B.C.D format and enter the network mask (for example, 1.1.1.2 /24).

Default gateway?
  Enter the gateway IP address for the management interface.

Primary DNS server?
  Enter the IP address of the DNS server.

Domain name?
  Enter the domain for the management interface (for example, it.acme.com).

Enable fenet service?
  Enter yes to enable access to the DTI network. (If you enter no, the next three steps are skipped.)

Enable fenet license update service?
  Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product license key and the step that prompts for the security-content updates key.)

Sync appliance time with fenet?
  Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service, synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Update licenses from fenet?
  Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Enable NTP?
  Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers. Enter no to manually set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync appliance time with fenet?" step.) If you enter no, specify the time and date in subsequent steps.

Enable FaaS VPN?
  Enter yes to enable the appliance to connect to Managed Defense (formerly called Trellix as a Service) over the Internet using a secure SSL VPN connection. (This step is skipped if no MD_ACCESS license is installed.)

Set time (<hh>:<mm>:<ss>)?
  Enter the appliance time in Greenwich Mean Time (GMT) (UTC+0). (This step and the next step are skipped if you entered yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Set date (<yyyy>/<mm>/<dd>)?
  Enter the appliance date in Greenwich Mean Time (GMT) (UTC+0).

Enable IPv6?
  Enter yes to enable IPv6 protocol, which changes network IP routing from IPv4 to IPv6. (This step and the next two steps will be automatically performed if you entered yes in the "Enable FaaS VPN" step.)

Enable IPv6 autoconfig (SLAAC) on ether1 interface?
  Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you entered no in the "Enable IPv6?" step.)

Enable DHCPv6 on ether1 interface?
  Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the "Use DHCP on ether1 interface?" or "Enable IPv6?" step.)

Configure CMS HA?
  Enter no. Central Management System HA is not supported in a KVM deployment.

Product license key?
  Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation license. (This step and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and if licenses were successfully installed as a result.)

Security-content updates key?
  Enter the security-content license key you obtained from Trellix, or press Enter to skip this step and install the license later.

Deploying Virtual FX appliances on KVM Servers


The following sections describe how to deploy a virtual File Protect appliance on KVM (Kernel-based Virtual Machine) servers.
KVM is open-source hardware virtualization software through which you can create and run multiple Linux and Windows-based
virtual machines simultaneously.

• Installing a virtual File Protect appliance using the KVM UI
• Performing the initial File Protect configuration for the virtual appliance

Installing a virtual FX appliance on KVM Servers

This section describes how to install a virtual File Protect appliance on a KVM server using the KVM Virtual Machine Manager UI.

Important

This procedure uses KVM version libvirt 4.5 on Ubuntu 18.04. The navigation instructions and user interface may vary if you
are using CentOS or a different version of Ubuntu.

Note

This procedure covers the required settings for a Trellix virtual appliance. You can accept the default values for the other
settings, or specify values that are appropriate for your setup.

Before starting the virtual appliance installation, ensure you have the required prerequisite software installed. See KVM
requirements.

In the following procedure, you will create the virtual appliance and configure its management, OOB, and data ports.

Important

A virtual File Protect appliance supports ten NICs: one management interface, one out-of-band interface, and eight
monitoring (data) interfaces. You must provision a NIC for each interface. This is because KVM needs to know the total
number of interfaces, even if some of those interfaces are not used.

To install a virtual appliance using the KVM Virtual Machine Manager UI:

1. Download the File Protect KVM deployment .zip file from the Trellix DTI network to a KVM server and extract the files
within it. The .zip file name is based on your appliance model. For example, the .zip file for FX 2500 is image-wmps-Trellixfx2500v.zip.
2. In KVM Virtual Machine Manager, select File > New Virtual Machine.
3. Complete the Create a new virtual machine screens:

Screen / Action

Step 1 of 4
  1. Select Import existing disk image.
  2. Click Forward.

Step 2 of 4
  1. Browse to and select the folder to which you extracted the .zip file in the first step.
  2. Select the .qcow2 file, such as image-fmps-fireeyefx2500v.qcow2, and click Choose Volume.
  3. Select OS type Linux and in Version select your version of CentOS or Ubuntu.
  4. Click Forward.

Step 3 of 4
  1. Set Memory and CPU settings to the values for your virtual File Protect model. The base platform must have the required amount of disk space, memory, and CPU cores to support the specific virtual File Protect model. For example, for model FX 2500V, enter 16GB (16384MB) for Memory (RAM) and 8 for CPUs.
  2. Click Forward.

Step 4 of 4
  1. Enter a name, such as Trellix-FX-2500V.
  2. Click Customize configuration before install and select Network selection Bridge br0. This software bridge is the management (ether1) connection to the virtual File Protect appliance. The bridge must already exist in the host OS, as described in KVM Requirements.
  3. Click Finish.
  The KVM installation page opens.

4. In the KVM installation page, configure the basic information and disk I/O for the virtual File Protect appliance:

Tab / Action

Overview
  1. Enter a domain name, such as Trellix-FX-2500V, for the virtual File Protect appliance in Name and optionally enter a Title and Description.
  2. Click Apply.

VirtIO Disk 1
  1. Click Advanced options.
  2. Select SCSI in the Disk bus field.
  3. Click Apply.

5. In the KVM installation page, add the virtual hardware for the controller and networks:
a. At the bottom left of the KVM installation page, click Add Hardware.
b. In the Add New Virtual Hardware page, select the tab for the type of hardware to add and enter the values according
to the following table.
You must click Finish after adding each hardware entry and click Add Hardware again to select the next type of
hardware to add.

Tab / Action

Controller
  1. In Type, select SCSI.
  2. In Model, select VirtIO SCSI.
  3. Click Finish.

Network (for OOB)
  Add the OOB (ether2) port for the virtual File Protect appliance.
  1. In Network source, to use the management bridge that you created in the Create a new virtual machine wizard, select the existing software bridge, such as br0. Otherwise, you can select another software bridge that is associated with a non-management physical interface, such as br1. If the base OS has an equivalent NIC that corresponds to the virtual File Protect appliance NIC, associate them accordingly. Otherwise, use the Dummy software bridge.
  2. In Device mode, select virtio.
  3. Click Finish.

Network (for data ports)
  Repeat the following steps to configure each of the data ports required for your virtual Network Security appliance.
  1. In Network source, if the base OS has an equivalent NIC that matches the virtual Network Security appliance NIC, associate them accordingly. IMPORTANT: Set the network source to macvtap and set the source mode to Passthrough. If the base OS does not have an equivalent NIC, use the Dummy software bridge.
  2. Click Finish.

6. After adding the data ports, click Begin installation.
7. Check the console for the virtual File Protect appliance boot status.
Continue with Performing the initial File Protect configuration for the virtual appliance.
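As an added example that is not part of the Trellix guide or its deployment package, the following Python script audits a libvirt domain XML against the interface layout the KVM procedures in this chapter describe (virtio model on every NIC, data ports as macvtap passthrough, the expected NIC count) and adds the <driver name='vhost' queues='2'/> line from the Rx queue procedure earlier in this chapter to each data port that lacks it. The domain XML, MAC addresses, host device names and NIC count it uses are constructed for illustration.

```python
"""Audit and patch a libvirt domain XML for a Trellix virtual appliance on KVM.

Added example; not part of the Trellix guide or its deployment package.
It checks the interface layout the KVM procedures describe (virtio model on
every NIC, data ports as macvtap passthrough) and adds the multi-queue line
<driver name='vhost' queues='N'/> to each data-port interface that lacks it.
"""
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not taken from a real deployment): one
# management interface on bridge br0 plus two data ports as macvtap
# passthrough. Only the first data port already carries the vhost driver line.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>Trellix-FX-2500V</name>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:00:00:01'/>
      <source bridge='br0'/>
      <model type='virtio'/>
    </interface>
    <interface type='direct' trustGuestRxFilters='yes'>
      <mac address='52:54:00:00:00:02'/>
      <source dev='ens1f0' mode='passthrough'/>
      <model type='virtio'/>
      <driver name='vhost' queues='2'/>
    </interface>
    <interface type='direct' trustGuestRxFilters='yes'>
      <mac address='52:54:00:00:00:03'/>
      <source dev='ens1f1' mode='passthrough'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>
"""


def data_port_interfaces(root):
    """Return the <interface> elements that are data (monitoring) ports.

    The guide maps data ports to macvtap in passthrough mode, which libvirt
    expresses as <interface type='direct'> with <source mode='passthrough'/>.
    """
    ports = []
    for iface in root.iter("interface"):
        src = iface.find("source")
        if (iface.get("type") == "direct" and src is not None
                and src.get("mode") == "passthrough"):
            ports.append(iface)
    return ports


def audit(root, expected_nics):
    """Return human-readable findings; an empty list means the layout matches."""
    findings = []
    ifaces = list(root.iter("interface"))
    # KVM must see every NIC the appliance expects, even the unused ones.
    if len(ifaces) != expected_nics:
        findings.append(f"expected {expected_nics} NICs, found {len(ifaces)}")
    for i, iface in enumerate(ifaces, 1):
        model = iface.find("model")
        if model is None or model.get("type") != "virtio":
            findings.append(f"interface {i}: model is not virtio")
    for i, iface in enumerate(data_port_interfaces(root), 1):
        drv = iface.find("driver")
        if drv is None or drv.get("name") != "vhost" or not drv.get("queues"):
            findings.append(f"data port {i}: missing <driver name='vhost' queues=.../>")
    return findings


def audit_xml(xml_text, expected_nics):
    """Parse a domain XML string and audit it (convenience wrapper)."""
    return audit(ET.fromstring(xml_text), expected_nics)


def add_rx_queues(root, queues=2):
    """Add <driver name='vhost' queues='N'/> to each data port lacking a driver.

    Returns the number of interfaces patched. Interfaces that already carry a
    <driver> element are left alone so an existing tuning is not overwritten.
    """
    patched = 0
    for iface in data_port_interfaces(root):
        if iface.find("driver") is None:
            ET.SubElement(iface, "driver", {"name": "vhost", "queues": str(queues)})
            patched += 1
    return patched


def patch_domain_xml(xml_text, expected_nics, queues=2):
    """Patch the XML and re-audit; returns (new_xml, patched_count, findings)."""
    root = ET.fromstring(xml_text)
    patched = add_rx_queues(root, queues)
    findings = audit(root, expected_nics)
    return ET.tostring(root, encoding="unicode"), patched, findings


if __name__ == "__main__":
    # With only three NICs defined, the sample passes the per-port checks but
    # fails the ten-NIC count a virtual File Protect appliance requires.
    new_xml, n, issues = patch_domain_xml(SAMPLE_DOMAIN_XML, expected_nics=10)
    print(f"patched {n} data port(s); findings: {issues}")
```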

Performing the initial configuration for the virtual FX appliance

The management interface is the port through which the virtual appliance is managed and administered. It is also the port
through which integration of the File Protect appliance and a managed appliance is managed. With the single-port address type,
the management interface is also the port through which a managed appliance requests and downloads software updates from
the DTI network.

Initial settings need to be configured to set up the management interface, and to allow access to the network, change the default
administrator password, and so on.

Trellix recommends that you use the KVM Virtual Machine Manager console. If the license update feature is not enabled, Trellix
recommends that you accept the evaluation licenses during the initial configuration, because typing the keys is tedious and
prone to error. After the activation code is entered and the admin user has access to the appliance Web UI or CLI, you can copy
and paste the license keys.

To perform the initial configuration of a virtual appliance:

1. Open the KVM Virtual Machine Manager.
2. Open the virtual appliance you just installed, such as Trellix FX 2500.
3. At the login prompt, enter admin.
4. At the password prompt, enter admin.
5. When prompted to change the password, configure a new password using the username admin password <new password>
command. You will be logged out. Log in again with the new password.
6. Accept the license agreement. The configuration jump-start wizard begins.
7. Answer the wizard questions as described in Wizard steps.

Wizard Steps

The following table describes the questions the configuration wizard prompts you to answer. As noted in the table, the wizard
skips some steps based on your answers to previous steps.

Note

Press Ctrl+C to exit the configuration wizard. After the management interface is configured, an administrator can use the
configuration jump-start CLI command to run the wizard again.

Step / Response

Activation code?
  Enter the activation code you obtained from Trellix.

Hostname?
  Enter the hostname for the appliance.

Admin password?
  (Optional) Enter a new administrator password.

Confirm admin password?
  Re-enter the new administrator password.

Enable remote access for 'admin' user?
  Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Use DHCP on ether1 interface?
  Enter no to manually configure your IP address and network settings.

Use zeroconf on ether1 interface?
  Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network mask. (If you specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary interface.

Primary IP address and masklen?
  Enter the IP address for the management interface in A.B.C.D format and enter the network mask (for example, 1.1.1.2 /24).

Default gateway?
  Enter the gateway IP address for the management interface.

Primary DNS server?
  Enter the IP address of the DNS server.

Domain name?
  Enter the domain for the management interface (for example, it.acme.com).

Enable Incident Response or Compromise Assessment?
  Enter no. These features are not supported in KVM deployments.

Enable fenet service?
  Enter yes to enable access to the DTI network.

Enable fenet license update service?
  Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product license key and the step that prompts for the security-content updates key.)

Sync appliance time with fenet?
  Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service, synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Update licenses from fenet?
  Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Enable NTP?
  Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers. Enter no to manually set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync appliance time with fenet?" or "Enable Incident Response or Compromise Assessment" step.) If you enter no, specify the time and date in Greenwich Mean Time (GMT).

Enable FaaS VPN?
  Enter yes to enable the appliance to connect to Managed Defense (formerly called Trellix as a Service) over the Internet using a secure SSL VPN connection. (This step is skipped if no MD_ACCESS license is installed. This step is performed automatically if you entered yes in the "Enable Incident Response or Compromise Assessment?" step.)

Set time (<hh>:<mm>:<ss>)?
  Enter the appliance time in Greenwich Mean Time (GMT) (UTC+0). (This step and the next step are skipped if you entered yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Set date (<yyyy>/<mm>/<dd>)?
  Enter the appliance date in Greenwich Mean Time (GMT) (UTC+0).

Enable IPv6?
  Enter yes to enable IPv6 protocol, which changes network IP routing from IPv4 to IPv6. (This step and the next two steps are skipped if you entered yes in the "Enable Incident Response or Compromise Assessment?" step. This step and the next two steps will be automatically performed if you entered yes in the "Enable FaaS VPN" step.)

Enable IPv6 autoconfig (SLAAC) on ether1 interface?
  Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you entered no in the "Enable IPv6?" step.)

Enable DHCPv6 on ether1 interface?
  Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the "Use DHCP on ether1 interface?" or "Enable IPv6?" step.)

Submission: Interface?
  Press Enter to accept ether1 as the interface through which sensors and brokers communicate. Otherwise, enter the name of the other interface. (If you accept ether1, the next three steps are skipped.)
  Note: To keep management and data traffic separate, Trellix recommends that you use another management interface, such as ether2, and not a monitoring interface.

Submission: Use DHCP on <name> interface?
  Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the submission interface IP address and other network parameters. Enter no to manually configure the IP address and network settings. (If you enter yes, the static IP addressing steps are skipped.)

Submission: IP address and masklen?
  Enter the IP address for the submission interface in A.B.C.D format and enter the network mask (for example, 10.1.1.1 /24).

Submission: Default IPv4 gateway?
  Enter the gateway IP address for the submission interface.

Product license key?
  Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation license. (This step and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and if licenses were successfully installed as a result.)

Security-content updates key?
  Enter the security-content license key you obtained from Trellix, or press Enter to skip this step and install the license later.

6| Hyper-V

Hyper-V
• Microsoft Hyper-V requirements
• Deploying virtual Network Security appliances using Microsoft Hyper-V Manager
• Deploying virtual Central Management System appliances Using Microsoft Hyper-V Manager
• Installing a virtual File Protect appliance using Microsoft Hyper-V Manager

Microsoft Hyper-V requirements


The following resources are required for a Hyper-V deployment:

• Windows Server 2016 Standard.
• VMMS (Virtual Machine Management Service)/Hyper-V Manager version 10.0.14393 or later.
• Central Management System and File Protect appliances: Standard virtual switch, connected to an external network and
shared by the operating system.
• Network Security appliance:
  • Two standard virtual switches, connected to an external network and shared by the operating system. One switch is used by the management interface (ether1). The other switch is used by the submission interface (ether2).
  • One or more standard virtual switches, connected to an external network and not shared by the operating system. These switches are used by the monitoring interfaces. For inline mode, two switches are needed for each port pair. For TAP mode, one switch is needed for each port pair. At least two monitoring interfaces (pether3 and pether4 in port pair A) are required for the appliance to function.
  • The following BIOS flags are enabled. If there are pending processes on your virtual appliance, contact your Hyper-V administrator to enable BIOS flags as needed.

    SSE, SSE2, SSE3, SSSE3, SSE4_1, SSE4_2, AES, AVX, PCLMULQDQ

Hyper-V specifications

Each virtual appliance running on Hyper-V servers must meet the following specifications.

Model     CPU Cores  RAM     Virtual NICs                                         Hard Disk Space
NX 2500V  6          16 GB   10 (total): 1 or 2 (management), 1-8 (monitoring)    384 GB
NX 2501V  6          16 GB   10 (total): 1 or 2 (management), 1-8 (monitoring)    256 GB
NX 2550V  8          16 GB   10 (total): 1 or 2 (management), 1-8 (monitoring)    384 GB
NX 4500V  8          32 GB   10 (total): 1 or 2 (management), 1-8 (monitoring)    512 GB
NX 6500V  16         32 GB   10 (total): 1 or 2 (management), 1-8 (monitoring)    512 GB
FX 2500V  8          32 GB   2 (total): 1 (management), 1 (scanning [optional])   512 GB
CM 4500V  8          64 GB   4 (total): 1 (management), 1-3 (for future use)      1200 GB
CM 7500V  16         128 GB  4 (total): 1 (management), 1-3 (for future use)      1200 GB

Hyper-V limitations

• Hyper-V Manager on Windows Server 2016 supports a maximum of eight network adapters on each virtual machine.
• The following Hyper-V server features are not supported:
  • Modified virtual machine (VM) configuration that changes the number of CPUs, amount of memory, number of NICs, or hard drive size
  • Checkpoints
  • Replication of the VM
  • Dynamic Memory

Deploying virtual Network Security appliances using Microsoft Hyper-V Manager

The following sections describe how to deploy a virtual Network Security sensor using Microsoft Hyper-V.

Caution

Windows Hyper-V version 10.0.14393 or later is required. Earlier versions are not supported, and virtual appliances installed
using those versions will not function properly.

Note

This document assumes familiarity with deploying virtual machines and administering Windows Hyper-V hypervisors. This
document provides the basic steps for creating and deploying Trellix virtual appliances. For comprehensive information about
deploying virtual machines, see the documentation provided by Microsoft.

Prerequisites

• Network Security 9.0.0 or later
• Administrator user account on a Windows Hyper-V hypervisor
• Familiarity with deploying virtual machines and administering Windows Hyper-V hypervisors
• Microsoft Hyper-V requirements

Installing a virtual Network Security appliance using Microsoft Hyper-V Manager

This section describes how to install a virtual Network Security appliance using Microsoft Hyper-V Manager.

Important

This procedure uses Microsoft Hyper-V version 10.0.14393.0. The navigation instructions and user interface may vary based
on your version of this product.

Note

This procedure covers the required settings for a Trellix virtual appliance. You can accept the default values for the other
settings, or specify values that are appropriate for your setup.

To install a virtual appliance using Microsoft's Hyper-V Manager:

1. Download the Network Security Hyper-V deployment .zip file from the Trellix DTI network to a Hyper-V server and extract
the files within it. The .zip file name depends on the model. For example, image-wmps-fireeyenx4500v.
After the files are extracted, verify that the image-wmps-fireeyenx<model>v-hyperv folder contains the Virtual Hard
Disks and Virtual Machines folders. If it does not, contact Trellix Technical Support.

The folder also contains a readme file with brief installation information.
2. In Hyper-V Manager, select Action > Import Virtual Machine. The Import Virtual Machine wizard opens.

3. Complete the wizard screens as described in the following table.

Screen / Action

Before You Begin
  Click Next.

Locate Folder
  Browse to and select the folder to which you extracted the .zip file in the first step. You only need to select the top-level folder. Click Next.

Select Virtual Machine
  Select the virtual machine model associated with the .zip file. Click Next.

Choose Import Type
  Select Copy the virtual machine (create a new unique ID). Click Next.

Choose Folders for Virtual Machine Files
  Click Next to accept the default settings.

Choose Folders to Store Virtual Hard Disks
  Select the top-level folder into which you extracted the .zip file. This folder includes the Virtual Hard Disks folder. Click Next.

Connect Network
  Select a virtual switch to use for the management port (ether1) on the virtual appliance. Click Next.

Connect Network
  Select a virtual switch to use for the submission interface (ether2) on the virtual appliance. Click Next.

Connect Network
  Select a virtual switch to use for the first monitoring interface in the first port pair (pether3). Click Next.

Connect Network
  (For inline mode): Select a virtual switch to use for the other monitoring interface in the first port pair (pether4). Click Next.

Completing Import Wizard
  Verify the information. If you are satisfied, click Finish to import the virtual appliance. If you need to make changes, click Previous.

4. (Optional) Right-click the virtual appliance in the Virtual Machines section of Hyper-V Manager, select Rename, and enter a
new name for the virtual appliance.
5. Right-click the virtual appliance, select Settings, and then verify that the virtual appliance settings meet the specifications
listed in Hyper-V specifications.
6. Add additional network adapters as needed:

a. In Hyper-V Manager, select the virtual machine and then click Settings.
b. On the Settings page, click Add Hardware.
c. Select Network Adapter.
d. Select the virtual switch to use for the network adapter.
e. Click OK.
7. The virtual appliance is turned off by default after it is imported. To turn it on, right-click the virtual appliance and select
Start.
8. To open the virtual appliance console, right-click the virtual appliance and select Connect.

Performing the initial Network Security configuration using Microsoft Hyper-V Manager

The management interface is the port through which the virtual appliance is managed and administered. It is also the port
through which integration of the Central Management System appliance and a managed appliance is managed. With the single-
port address type, the management interface is also the port through which a managed appliance requests and downloads
software updates from the DTI network.

Initial settings need to be configured to set up the management interface, and to allow access to the network, change the default
administrator password, and so on.

You can use the set_keys.ps1 PowerShell script provided in the deployment package .zip file to supply some initial settings
for the appliance, including the activation code, a new password for the "admin" user, and initial CLI commands to configure the
appliance. You can then log into the CLI of the virtual appliance and use the configuration wizard to complete the setup.

If you do not use the PowerShell script, you can use the virtual appliance console in Hyper-V Manager to type the activation
code and commands that allow the admin to log in to the CLI or Web UI to configure the appliance. You can fully configure the
appliance from the console, but it might be inconvenient because you cannot paste into the console.

Using the set_keys.ps1 PowerShell script

Trellix recommends that you use the set_keys.ps1 PowerShell script to do at least the following:

• Enter the activation code for your virtual appliance. The activation code contains many characters. You cannot paste into
the console, and it is easy to make a typing error.
• Reset the password for the "admin" user if password authentication will be used to log into the CLI or Web UI over the
network. The password must be changed to a password of at least eight characters.

You can also use this script to provide commands for configuration settings that the system will apply during the initial boot. This
can be convenient if you have a large number of virtual appliances to deploy, because you can create base sets of commands
and then customize them for each deployment.

To use the set_keys.ps1 PowerShell script:

1. Navigate to the directory where you extracted the deployment package .zip file.
2. Locate the set_keys.ps1 file and open it in a text editor.


Note

Alternatively, you can enter values when you run the script in the PowerShell ISE or PowerShell session described later
in this procedure.

3. Change settings in the file by specifying your values within the quotation marks. The settings you can change are all located
between the comments MODIFY THESE AS NEEDED and DON'T MODIFY ANYTHING BELOW. Do not change any other settings
in the file.

4. The settings are described in the following table.

vmName
    The name of the virtual machine you deployed. The name is displayed in the Virtual Machines section of Hyper-V Manager.

activation_code
    The code you received in a secure email from Trellix that gives the virtual appliance its identity and access credentials.

cli_cmds_init
    A set of commands that at a minimum allow the appliance to connect to your network. Type the commands in plain-text format
    and then paste the string into this field. Consider using this field for network connectivity only, because the size of the
    string could become unwieldy.

cli_cmds_init_url
    A URL that points to a file on your network (for example, http://acme.com/operations/2500V_config.txt). To use this field,
    create a text file that contains CLI commands in plain-text format that configure additional settings, and store the file on
    an HTTP server in your network. The virtual appliance needs network connectivity (which the commands in the cli_cmds_init
    field can establish) to access the file referenced in the URL.

reset_admin_password
    A password of at least eight characters. The initial admin password must be reset to allow the admin user to log into the CLI
    or Web UI over the network, unless both of the following are true:
    • The CLI commands being executed set an SSH authorized key for the admin user, which allows the admin to log in remotely
      without a password.
    • You disable password logins using the username admin disable password command.
5. Save the file.


6. Do one of the following:

• Open an administrator Windows PowerShell ISE session, select File > Open, and then navigate to and select
set_keys.ps1.
• Open an administrator Windows PowerShell session, navigate to the directory where you extracted the
deployment package, and then run the set_keys.ps1 script.

7. Enter values in response to the prompts, or press Enter to leave a field blank.

Note

You will not be prompted for values you already provided in the set_keys.ps1 file.


Using the console

Trellix recommends that you use the set_keys.ps1 PowerShell script to provide initial configuration settings, because you
cannot copy and paste into the Hyper-V Manager console. However, if you do not use this script, and if the license update feature
is not enabled, Trellix recommends that you accept the evaluation licenses during the initial configuration, because typing the
keys is tedious and prone to error. After the activation code is entered and the admin user has access to the appliance Web UI or
CLI, you can copy and paste the license keys.

To perform the initial configuration of a virtual appliance:

1. Open Hyper-V Manager.


2. Right-click the row for the virtual appliance and select Connect. The virtual appliance console opens.
3. At the login prompt, enter admin.
4. Do one of the following:

• If you configured a password in the set_keys.ps1 file or script, enter that password.

• Otherwise, enter the default password (admin). When prompted to change the password, go to CLI configuration
mode and create another password:

hostname > en
hostname # configure terminal
hostname (config) # username admin password <new password>

The system will log you out. Log in using the new password.

5. Accept the license agreement. The configuration jump-start wizard starts.
6. Answer the wizard questions as described below.

Network Security wizard steps

The following table describes the questions the configuration wizard prompts you to answer. As noted in the table, the wizard
skips some steps based on your answers to previous steps.

Note

Press Ctrl+C to exit the configuration wizard. After the management interface is configured, an administrator can use the
configuration jump-start CLI command to run the wizard again.

Hostname?
    Enter the hostname for the appliance.

Admin password?
    (Optional) Enter a new administrator password.

Confirm admin password?
    Re-enter the new administrator password.

Enable remote access for 'admin' user?
    Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Use DHCP on ether1 interface?
    Enter no to manually configure your IP address and network settings.

Use zeroconf on ether1 interface?
    Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network mask. (If you
    specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary interface.

Primary IP address and masklen?
    Enter the IP address for the management interface in A.B.C.D format and enter the network mask (for example, 1.1.1.2 /24).

Default gateway?
    Enter the gateway IP address for the management interface.

Primary DNS server?
    Enter the IP address of the DNS server.

Domain name?
    Enter the domain for the management interface (for example, it.acme.com).

Enable Incident Response or Compromise Assessment?
    Enter no. These features are not supported in Hyper-V deployments.

Enable fenet service?
    Enter yes to enable access to the DTI network.

Enable fenet license update service?
    Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install them. (If
    licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product license key and the
    step that prompts for the security-content updates key.)

Sync appliance time with fenet?
    Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service, synchronization
    prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts to perform this step
    before it gives up and moves to the next step.

Update licenses from fenet?
    Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it gives up and
    moves to the next step.

Enable NTP?
    Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers.

Enable IPv6?
    Enter yes to enable IPv6 protocol, which changes network IP routing from IPv4 to IPv6. (This step and the next two steps are
    skipped if you entered yes in the "Enable Incident Response or Compromise Assessment?" step. This step and the next two steps
    will be automatically performed if you entered yes in the "Enable FaaS VPN" step.)

Enable IPv6 autoconfig (SLAAC) on ether1 interface?
    Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you entered no in the
    "Enable IPv6" step.)

Enable DHCPv6 on ether1 interface?
    Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the "Use DHCP on
    ether1 interface" or "Enable IPv6" step.)

Submission: Configure Interface?
    Press Enter to accept ether1 as the interface through which sensors and brokers communicate. Otherwise, enter the name of the
    other interface. (If you accept ether1, the next three steps are skipped.)

Submission: Interface?
    Enter the name of the other interface.
    Note: To keep management and data traffic separate, Trellix recommends that you use another management interface, such as
    ether2, and not a monitoring interface.

Submission: Use DHCP on <name> interface?
    Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the submission interface IP address and other network
    parameters. Enter no to manually configure the IP address and network settings. (If you enter yes, the static IP addressing
    steps are skipped.)

Submission: IP address and masklen?
    Enter the IP address for the submission interface in A.B.C.D format and enter the network mask (for example, 10.1.1.1 /24).

Submission: Default IPv4 gateway?
    Enter the gateway IP address for the submission interface.

Product license key?
    Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation license. (This step and
    the next step are skipped if you entered yes in the "Enable fenet license update service?" step and if licenses were
    successfully installed as a result.)

Security-content updates key?
    Enter the security-content license key you obtained from Trellix, or press Enter to skip this step and install the license
    later.


Configuring a virtual Network Security network using Microsoft Hyper-V Manager

The number of virtual and physical adapters you need for a virtual Network Security appliance depends on the virtual model and
the deployment mode. A Network Security appliance deployed in an inline deployment mode uses both ports of each monitoring
interface pair. A Network Security appliance deployed in an out-of-band mode uses one port of a monitoring port pair for each
connection to the external network.

The default virtual switch for the management network in the Hyper-V server can be connected to the network adapter for
the ether1 management interface on the Network Security appliance. Other virtual switches are required for the other network
interfaces, as described in Microsoft Hyper-V Requirements.

Note

A Network Security appliance can have up to ten network interfaces—one management interface, one submission interface,
and up to eight monitoring interfaces. However, Hyper-V Manager on Windows Server 2016 supports a maximum of eight
network adapters.
This section assumes that each network adapter is connected to a separate virtual switch. You can create sub-interfaces of
the monitoring ports of a virtual Network Security appliance based on VLAN or CIDR. However, this is beyond the scope of
this document.

To configure Network Security networking:

1. Make sure the required switches exist, as described in Microsoft Hyper-V requirements.
2. Make sure all network adapters are added and connected to a virtual switch as described in Installing a virtual Network
Security appliance using Microsoft Hyper-V Manager.
3. Configure the deployment mode for the virtual Network Security appliance:

• Deploying virtual Network Security appliances using Hyper-V Manager in inline mode
• Deploying virtual Network Security appliances using Hyper-V Manager in TAP mode

Deploying virtual Network Security appliances using Hyper-V Manager in inline mode

In a typical Network Security inline deployment, port pair A is the inline port pair. The pether3 monitoring interface is connected
to the subnet that hosts the on-premises enterprise clients (the client subnet) and the pether4 monitoring interface is connected
to a subnet that hosts the Network Security appliance (the server subnet).

Example addresses for the subnets and interfaces are shown below.

• Client subnet—10.100.1.64/27
• Network Security pether3 interface—10.100.1.69
• Server subnet—10.100.1.96/27
• Network Security pether4 interface—10.100.1.100


Note

This procedure assumes that the interface pair

The following task is required to configure a virtual Network Security appliance in inline mode. No additional tasks are required in
Hyper-V Manager.

• Use the policymgr layer3-mode enable command in the Network Security CLI to enable Layer 3 forwarding. For detailed
information and additional commands, see the "Layer 3 Forwarding Using VRF Instances" information in the Network
Security System Administration Guide.

Deploying Virtual Network Security Appliances Using Hyper-V Manager in TAP Mode

The traffic mirroring feature in Hyper-V Manager is used to deploy a virtual Network Security appliance in TAP mode.

Note

These procedures assume that the interface pairs are configured in TAP mode on the Network Security appliance.

Layer 2 TAP mode

The following steps are required to configure the Network Security monitoring port as the destination for the traffic:

1. In Hyper-V Manager, select the virtual machine.


2. Click Settings.
3. Locate and expand the network adapter.
4. Click Advanced Features.
5. Under Port Mirroring, select Destination as the Mirroring mode.
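The following PowerShell snippet is an added example, not part of the Trellix guide or its deployment package. It performs the Hyper-V host and adapter checks this section relies on (the 10.0.14393 minimum version, the eight-adapter limit on Windows Server 2016, and one virtual switch per adapter) and then applies the Layer 2 TAP step above by setting Port Mirroring to Destination on the monitoring adapters. The VM name and adapter names are placeholders; the adapters are assumed to have been given distinct names, because Hyper-V names every adapter "Network Adapter" by default.

```powershell
# Added example (not Trellix code): verify the Hyper-V host and the appliance's network adapters
# against the requirements in this section, then set the monitoring adapters as the port-mirroring
# destination for a Layer 2 TAP deployment.
#
# Assumptions (placeholders, adjust to your environment):
$vmName             = 'NX-VIRTUAL-APPLIANCE'                     # name shown in Hyper-V Manager
$monitoringAdapters = @('pether3-adapter', 'pether4-adapter')   # adapters backing monitoring port pair A
                                                                 # (renamed with Rename-VMNetworkAdapter so -Name is unambiguous)

# 1. Hyper-V version 10.0.14393 or later is required; earlier hosts are unsupported.
$minVersion = [Version]'10.0.14393'
$osVersion  = [Environment]::OSVersion.Version
if ($osVersion -lt $minVersion) {
    throw "Hyper-V host reports version $osVersion; version $minVersion or later is required."
}

# 2. Enumerate the appliance's adapters. Hyper-V Manager on Windows Server 2016 supports at most eight
#    network adapters, and this section assumes each adapter is connected to its own virtual switch.
$adapters = @(Get-VMNetworkAdapter -VMName $vmName)
if ($adapters.Count -gt 8) {
    Write-Warning "$vmName has $($adapters.Count) adapters; Hyper-V Manager on Windows Server 2016 supports a maximum of eight."
}
foreach ($a in ($adapters | Where-Object { -not $_.SwitchName })) {
    Write-Warning "Adapter '$($a.Name)' is not connected to any virtual switch."
}
$sharedSwitches = $adapters | Where-Object { $_.SwitchName } |
    Group-Object -Property SwitchName | Where-Object { $_.Count -gt 1 }
foreach ($g in $sharedSwitches) {
    Write-Warning "Virtual switch '$($g.Name)' is shared by $($g.Count) adapters; this section assumes one switch per adapter."
}

# 3. Layer 2 TAP mode: make each monitoring adapter the port-mirroring destination. This is the
#    scripted equivalent of Settings > network adapter > Advanced Features > Port Mirroring > Destination.
foreach ($name in $monitoringAdapters) {
    if (-not ($adapters | Where-Object { $_.Name -eq $name })) {
        throw "Adapter '$name' was not found on $vmName; check the adapter names in Settings."
    }
    Set-VMNetworkAdapter -VMName $vmName -Name $name -PortMirroring Destination
}

# 4. Report the resulting state so the change can be confirmed before mirrored traffic is expected.
Get-VMNetworkAdapter -VMName $vmName |
    Select-Object Name, SwitchName, PortMirroringMode, MacAddress |
    Format-Table -AutoSize
```

Run it in an administrator PowerShell session on the Hyper-V host after the appliance has been imported and its adapters connected; the final table should show PortMirroringMode set to Destination only on the monitoring adapters.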

Layer 3 TAP mode

In a Layer 3 TAP deployment, an external device creates a VXLAN or ERSPAN tunnel through which Layer 2 frames are
encapsulated in Layer 3 packets and sent to the monitoring interfaces on the virtual Network Security appliance.

The following steps are required to configure the Network Security monitoring port as the destination for the traffic:

1. Use the policymgr layer3-mode enable command in the Network Security CLI to enable Layer 3 forwarding. For detailed
information and additional commands, see the "Layer 3 Forwarding Using VRF Instances" information in the Network
Security System Administration Guide.
2. Configure an IP address for the destination network interface in each port pair.


Deploying virtual Central Management System appliances using Microsoft Hyper-V Manager

A virtual Central Management System appliance is a virtual instance of the Central Management System system image. The
virtual Central Management System appliance manages appliances, but requires no Central Management System hardware. The
same virtual Central Management System appliance can manage both physical and virtual sensors and hybrid appliances. It can
also manage integrated appliances.

The following sections describe how to deploy a virtual File Protect sensor using Microsoft Hyper-V.

Caution

Windows Hyper-V version 10.0.14393 or later is required. Earlier versions are not supported, and virtual appliances installed
using those versions will not function properly.

Note

This document assumes familiarity with deploying virtual machines and administering Windows Hyper-V hypervisors. This
document provides the basic steps for creating and deploying Trellix virtual appliances. For comprehensive information about
deploying virtual machines, see the documentation provided by Microsoft.

Prerequisites

• Central Management System 9.0.0 or later


• Administrator user account on a Windows Hyper-V hypervisor
• Familiarity with deploying virtual machines and administering Windows Hyper-V hypervisors
• Microsoft Hyper-V requirements

Installing a virtual Central Management appliance using Microsoft Hyper-V Manager

This section describes how to install a virtual Central Management System appliance using Microsoft Hyper-V Manager.

Important

This procedure uses Microsoft Hyper-V version 10.0.14393.0. The navigation instructions and user interface may vary based
on your version of this product.


Note

This procedure covers the required settings for a Trellix virtual appliance. You can accept the default values for the other
settings, or specify values that are appropriate for your setup.

To install a virtual appliance using Microsoft's Hyper-V Manager:

1. Download the Central Management System Hyper-V deployment .zip file from the Trellix DTI network to a Hyper-V server
and extract the files within it. The .zip file name is image-cms-fireeyecm7500v.
After the files are extracted, verify that the image-cms-fireeyecm7500v-hyperv folder contains the Virtual Hard Disks
and Virtual Machines folders. If it does not, contact Trellix Technical Support.
The folder also contains a readme file with brief installation information.
2. In Hyper-V Manager, select Action > Import Virtual Machine. The Import Virtual Machine wizard opens.

3. Complete the wizard screens as described in the following table.

Before You Begin
    Click Next.

Locate Folder
    Browse to and select the folder to which you extracted the .zip file in the first step. You only need to select the top-level
    folder. Click Next.

Select Virtual Machine
    Select the virtual machine model associated with the .zip file. Click Next.

Choose Import Type
    Select Copy the virtual machine (create a new unique ID). Click Next.

Choose Folders for Virtual Machine Files
    Click Next to accept the default settings.

Choose Folders to Store Virtual Hard Disks
    Select the top-level folder into which you extracted the .zip file. This folder includes the Virtual Hard Disks folder. Click
    Next.

Connect Network
    Select the virtual switch to use for your virtual appliance. Click Next.

Connect Network
    (Optional) Select a second virtual switch to use for your virtual appliance. Click Next.

Completing Import Wizard
    Verify the information. If you are satisfied, click Finish to import the virtual appliance. If you need to make changes, click
    Previous.

4. (Optional) Right-click the virtual appliance in the Virtual Machines section of Hyper-V Manager, select Rename, and enter a
new name for the virtual appliance.
5. Right-click the virtual appliance, select Settings, and then verify that the virtual appliance settings meet the specifications
listed in Microsoft Hyper-V requirements.
6. The virtual appliance is turned off by default after it is imported. To turn it on, right-click the virtual appliance and select
Start.
7. To open the virtual appliance console, right-click the virtual appliance and select Connect.

Performing the initial Central Management configuration using Microsoft Hyper-V Manager

The management interface is the port through which the virtual appliance is managed and administered. It is also the port
through which integration of the Central Management System appliance and a managed appliance is managed. With the single-
port address type, the management interface is also the port through which a managed appliance requests and downloads
software updates from the DTI network.

Initial settings need to be configured to set up the management interface, and to allow access to the network, change the default
administrator password, and so on.


You can use the set_keys.ps1 PowerShell script provided in the deployment package .zip file to supply some initial settings for
the appliance, including the activation code, a new password for the "admin" user, and initial CLI commands to configure the
appliance. You can then log into the CLI of the virtual appliance and use the configuration wizard to complete the setup.

If you do not use the PowerShell script, you can use the virtual appliance console in Hyper-V Manager to type the activation
code and commands that allow the admin to log in to the CLI or Web UI to configure the appliance. You can fully configure the
appliance from the console, but it might be inconvenient because you cannot paste into the console.

Using the set_keys.ps1 PowerShell Script

Trellix recommends that you use the set_keys.ps1 PowerShell script to do at least the following:

• Enter the activation code for your virtual appliance. The activation code contains many characters. You cannot paste into
the console, and it is easy to make a typing error.
• Reset the password for the "admin" user if password authentication will be used to log into the CLI or Web UI over the
network. The password must be changed to a password of at least eight characters.

You can also use this script to provide commands for configuration settings that the system will apply during the initial boot. This
can be convenient if you have a large number of virtual appliances to deploy, because you can create base sets of commands
and then customize them for each deployment.

To use the set_keys.ps1 PowerShell script:

1. Navigate to the directory where you extracted the deployment package .zip file.
2. Locate the set_keys.ps1 file and open it in a text editor.

Note

Alternatively, you can enter values when you run the script in the PowerShell ISE or PowerShell session described later
in this procedure.

3. Change settings in the file by specifying your values within the quotation marks. The settings you can change are all located
between the comments MODIFY THESE AS NEEDED and DON'T MODIFY ANYTHING BELOW. Do not change any other settings in
the file.

4. The settings are described in the following table.

vmName
    The name of the virtual machine you deployed. The name is displayed in the Virtual Machines section of Hyper-V Manager.

activation_code
    The code you received in a secure email from Trellix that gives the virtual appliance its identity and access credentials.

cli_cmds_init
    A set of commands that at a minimum allow the appliance to connect to your network. Type the commands in plain-text format
    and then paste the string into this field. Consider using this field for network connectivity only, because the size of the
    string could become unwieldy.

cli_cmds_init_url
    A URL that points to a file on your network (for example, http://acme.com/operations/2500V_config.txt). To use this field,
    create a text file that contains CLI commands in plain-text format that configure additional settings, and store the file on
    an HTTP server in your network. The virtual appliance needs network connectivity (which the commands in the cli_cmds_init
    field can establish) to access the file referenced in the URL.

reset_admin_password
    A password of at least eight characters. The initial admin password must be reset to allow the admin user to log into the CLI
    or Web UI over the network, unless both of the following are true:
    • The CLI commands being executed set an SSH authorized key for the admin user, which allows the admin to log in remotely
      without a password.
    • You disable password logins using the username admin disable password command.
5. Save the file.


6. Do one of the following:

• Open an administrator Windows PowerShell ISE session, select File > Open, and then navigate to and select
set_keys.ps1.

• Open an administrator Windows PowerShell session, navigate to the directory where you extracted the
deployment package, and then run the set_keys.ps1 script.

7. Enter values in response to the prompts, or press Enter to leave a field blank.

Note

You will not be prompted for values you already provided in the set_keys.ps1 file.

Using the console

Trellix recommends that you use the set_keys.ps1 PowerShell script to provide initial configuration settings, because you cannot
copy and paste into the Hyper-V Manager console. However, if you do not use this script, and if the license update feature is not
enabled, Trellix recommends that you accept the evaluation licenses during the initial configuration, because typing the keys is
tedious and prone to error. After the activation code is entered and the admin user has access to the appliance Web UI or CLI,
you can copy and paste the license keys.

To perform the initial configuration of a virtual appliance:


1. Open Hyper-V Manager.


2. Right-click the row for the virtual appliance and select Connect. The virtual appliance console opens.
3. At the login prompt, enter admin.
4. Do one of the following:

• If you configured a password in the set_keys.ps1 file or script, enter that password.
• Otherwise, enter the default password (admin). When prompted to change the password, go to CLI configuration
mode and create another password:

hostname > en
hostname # configure terminal
hostname (config) # username admin password <new password>

The system will log you out. Log in using the new password.

5. Accept the license agreement. The configuration jump-start wizard starts.


6. Answer the wizard questions as described below.

Central Management wizard steps

The following table describes the questions the configuration wizard prompts you to answer. As noted in the table, the wizard
skips some steps based on your answers to previous steps.

Note

Press Ctrl+C to exit the configuration wizard. After the management interface is configured, an administrator can use the
configuration jump-start CLI command to run the wizard again.

Hostname?
    Enter the hostname for the appliance.

Admin password?
    (Optional) Enter a new administrator password.

Confirm admin password?
    Re-enter the new administrator password.

Enable remote access for 'admin' user?
    Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Use DHCP on ether1 interface?
    Enter no to manually configure your IP address and network settings.

Use zeroconf on ether1 interface?
    Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network mask. (If you
    specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary interface.

Primary IP address and masklen?
    Enter the IP address for the management interface in A.B.C.D format and enter the network mask (for example, 1.1.1.2 /24).

Default gateway?
    Enter the gateway IP address for the management interface.

Primary DNS server?
    Enter the IP address of the DNS server.

Domain name?
    Enter the domain for the management interface (for example, it.acme.com).

Enable fenet service?
    Enter yes to enable access to the DTI network. (If you enter no, the next three steps are skipped.)

Enable fenet license update service?
    Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install them. (If
    licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product license key and the
    step that prompts for the security-content updates key.)

Sync appliance time with fenet?
    Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service, synchronization
    prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts to perform this step
    before it gives up and moves to the next step.

Update licenses from fenet?
    Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it gives up and
    moves to the next step.

Enable NTP?
    Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers. Enter no to manually
    set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync appliance time with fenet?"
    step.) If you enter no, specify the time and date in subsequent steps.

Enable FaaS VPN?
    Enter yes to enable the appliance to connect to Managed Defense (formerly called Trellix as a Service) over the Internet using
    a secure SSL VPN connection. (This step is skipped if no MD_ACCESS license is installed.)

Set time (<hh>:<mm>:<ss>)?
    Enter the appliance time in Greenwich Mean Time (GMT) (UTC+0). (This step and the next step are skipped if you entered yes in
    the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Set date (<yyyy>/<mm>/<dd>)?
    Enter the appliance date in Greenwich Mean Time (GMT) (UTC+0).

Enable IPv6?
    Enter yes to enable IPv6 protocol, which changes network IP routing from IPv4 to IPv6. (This step and the next two steps will
    be automatically performed if you entered yes in the "Enable FaaS VPN" step.)

Enable IPv6 autoconfig (SLAAC) on ether1 interface?
    Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you entered no in the
    "Enable IPv6?" step.)

Enable DHCPv6 on ether1 interface?
    Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the "Use DHCP on
    ether1 interface?" or "Enable IPv6?" step.)

Configure CMS HA?
    Enter no. Central Management HA is not supported in a Hyper-V deployment.

Product license key?
    Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation license. (This step and
    the next step are skipped if you entered yes in the "Enable fenet license update service?" step and if licenses were
    successfully installed as a result.)

Security-content updates key?
    Enter the security-content license key you obtained from Trellix, or press Enter to skip this step and install the license
    later.

Deploying virtual File Protect appliances using Microsoft Hyper-V Manager

A virtual sensor is a virtual instance of an appliance system image. A virtual sensor provides the same detection efficacy as a
physical appliance, but requires no hardware.

The following sections describe how to deploy a virtual File Protect sensor using Microsoft Hyper-V.

Caution

Windows Hyper-V version 10.0.14393 or later is required. Earlier versions are not supported, and virtual appliances installed
using those versions will not function properly.

Note

This document assumes familiarity with deploying virtual machines and administering Windows Hyper-V hypervisors. This
document provides the basic steps for creating and deploying Trellix virtual appliances. For comprehensive information about
deploying virtual machines, see the documentation provided by Microsoft.

Prerequisites


• File Protect 8.2.0 or later


• Administrator user account on a Windows Hyper-V hypervisor
• Familiarity with deploying virtual machines and administering Windows Hyper-V hypervisors
• Microsoft Hyper-V requirements

Installing a Virtual File Protect Appliance Using Microsoft Hyper-V Manager

This section describes how to install a virtual File Protect appliance using Microsoft Hyper-V Manager.

Important

This procedure uses Microsoft Hyper-V version 10.0.14393.0. The navigation instructions and user interface may vary based
on your version of this product.

Note

This procedure covers the required settings for a Trellix virtual appliance. You can accept the default values for the other
settings, or specify values that are appropriate for your setup.

To install a virtual appliance using Microsoft's Hyper-V Manager:

1. Download the File Protect Hyper-V deployment .zip file from the Trellix DTI network to a Hyper-V server and extract the
files within it. The .zip file name is image-fmps-fireeyefx2500v.
After the files are extracted, verify that the image-fmps-fireeyefx2500v-hyperv folder contains the Virtual Hard Disks
and Virtual Machines folders. If it does not, contact Trellix Technical Support.
The folder also contains a readme file with brief installation information.
2. In Hyper-V Manager, select Action > Import Virtual Machine. The Import Virtual Machine wizard opens.

3. Complete the wizard screens as described in the following table.


Before You Begin
    Click Next.

Locate Folder
    Browse to and select the folder to which you extracted the .zip file in the first step. You only need to select the
    top-level folder. Click Next.

Select Virtual Machine
    Select the virtual machine model associated with the .zip file. Click Next.

Choose Import Type
    Select Copy the virtual machine (create a new unique ID). Click Next.

Choose Folders for Virtual Machine Files
    Click Next to accept the default settings.

Choose Folders to Store Virtual Hard Disks
    Select the top-level folder into which you extracted the .zip file. This folder includes the Virtual Hard Disks
    folder. Click Next.

Connect Network
    Select the virtual switch to use for your virtual appliance. Click Next.

Connect Network
    (Optional) Select a second virtual switch to use for your virtual appliance. Click Next.

Completing Import Wizard
    Verify the information. If you are satisfied, click Finish to import the virtual appliance. If you need to make
    changes, click Previous.

4. (Optional) Right-click the virtual appliance in the Virtual Machines section of Hyper-V Manager, select Rename, and enter a
new name for the virtual appliance.
5. Right-click the virtual appliance, select Settings, and then verify that the virtual appliance settings meet the specifications
listed in Microsoft Hyper-V requirements.


6. The virtual appliance is turned off by default after it is imported. To turn it on, right-click the virtual appliance and select
Start.
7. To open the virtual appliance console, right-click the virtual appliance and select Connect.
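The same import, scripted with the Hyper-V PowerShell module so that the wizard steps above can be repeated for many
appliances. This is an added example, not a script from the deployment package or from Trellix. It assumes the
extracted folder name and the Virtual Hard Disks / Virtual Machines layout described in step 1; the required vCPU and
memory values are passed in by you from Microsoft Hyper-V requirements (no figures are taken from this guide), the
optional SHA-256 is a reference hash you obtained out of band, and the VM configuration file is assumed to be a .vmcx
(Hyper-V 10.0.14393 and later) or legacy .xml file.

```powershell
#Requires -Modules Hyper-V
<#
  Added example (not from the Trellix deployment package): imports a File Protect
  virtual appliance the way the Import Virtual Machine wizard does, then verifies
  the settings before first boot. Placeholders: RequiredVcpu/RequiredMemoryGB come
  from Microsoft Hyper-V requirements; ExpectedSha256 is a reference value you
  obtained out of band with the download.
#>
param(
    [Parameter(Mandatory)] [string] $ZipPath,          # downloaded image-fmps-fireeyefx2500v .zip
    [Parameter(Mandatory)] [string] $ExtractRoot,      # folder to extract into (the wizard's "top-level folder")
    [Parameter(Mandatory)] [string] $SwitchName,       # virtual switch for the first (management) adapter
    [Parameter(Mandatory)] [int]    $RequiredVcpu,     # from Microsoft Hyper-V requirements (placeholder)
    [Parameter(Mandatory)] [int]    $RequiredMemoryGB, # from Microsoft Hyper-V requirements (placeholder)
    [string] $SecondSwitchName,                        # optional second virtual switch
    [string] $NewName,                                 # optional rename after import (procedure step 4)
    [string] $ExpectedSha256                           # optional reference hash of the .zip (placeholder)
)
$ErrorActionPreference = 'Stop'

# Integrity check of the package before anything is extracted or imported.
if ($ExpectedSha256) {
    $actual = (Get-FileHash -Path $ZipPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        throw "SHA-256 mismatch for $ZipPath (got $actual); do not import this package."
    }
}
Expand-Archive -Path $ZipPath -DestinationPath $ExtractRoot -Force

# Procedure step 1: the extracted folder must contain Virtual Hard Disks and Virtual Machines.
$pkg = Join-Path $ExtractRoot 'image-fmps-fireeyefx2500v-hyperv'
foreach ($required in 'Virtual Hard Disks', 'Virtual Machines') {
    if (-not (Test-Path (Join-Path $pkg $required) -PathType Container)) {
        throw "Package is incomplete ('$required' missing under $pkg); contact Trellix Technical Support."
    }
}

# Procedure steps 2-3: import as a copy with a new unique ID; disks go under the top-level folder,
# as the "Choose Folders to Store Virtual Hard Disks" screen instructs.
$config = Get-ChildItem -Path (Join-Path $pkg 'Virtual Machines') -Recurse -File |
          Where-Object { $_.Extension -in '.vmcx', '.xml' } | Select-Object -First 1
if (-not $config) { throw "No virtual machine configuration file found under $pkg\Virtual Machines" }
$vm = Import-VM -Path $config.FullName -Copy -GenerateNewId -VhdDestinationPath $pkg

# Procedure step 4 (optional rename).
if ($NewName) { $vm = Rename-VM -VM $vm -NewName $NewName -PassThru }

# "Connect Network" screens: first adapter to the management switch, optional second switch.
$adapters = @(Get-VMNetworkAdapter -VM $vm)
$adapters[0] | Connect-VMNetworkAdapter -SwitchName $SwitchName
if ($SecondSwitchName -and $adapters.Count -gt 1) {
    $adapters[1] | Connect-VMNetworkAdapter -SwitchName $SecondSwitchName
}

# Procedure step 5: verify the settings against the requirements before first boot.
$cpu   = (Get-VMProcessor -VM $vm).Count
$memGB = [int]((Get-VMMemory -VM $vm).Startup / 1GB)
if ($cpu -lt $RequiredVcpu -or $memGB -lt $RequiredMemoryGB) {
    throw "VM '$($vm.Name)' has $cpu vCPU and $memGB GB; requirements call for $RequiredVcpu vCPU and $RequiredMemoryGB GB."
}

# Procedure steps 6-7: the imported appliance is off by default; start it and show how to reach its console.
Start-VM -VM $vm
Write-Host "Imported and started '$($vm.Name)'. Console: vmconnect.exe localhost '$($vm.Name)'"
```

Run it from an administrator PowerShell session on the Hyper-V host, for example
`.\Import-FileProtect.ps1 -ZipPath C:\dl\image-fmps-fireeyefx2500v.zip -ExtractRoot C:\vms -SwitchName Mgmt -RequiredVcpu <n> -RequiredMemoryGB <n>`.
The hash check is only meaningful when the reference value comes from somewhere other than the download itself; the
settings check fails closed so that an appliance never boots with fewer resources than the requirements call for.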

Performing the initial File Protect configuration using Microsoft Hyper-V Manager

The management interface is the port through which the virtual appliance is managed and administered. It is also the port
through which integration of the Central Management appliance and a managed appliance is managed. With the single-port
address type, the management interface is also the port through which a managed appliance requests and downloads software
updates from the DTI network.

Initial settings need to be configured to set up the management interface, and to allow access to the network, change the default
administrator password, and so on.

You can use the set_keys.ps1 PowerShell script provided in the deployment package .zip file to supply some initial settings for
the appliance, including the activation code, a new password for the "admin" user, and initial CLI commands to configure the
appliance. You can then log into the CLI of the virtual appliance and use the configuration wizard to complete the setup.

If you do not use the PowerShell script, you can use the virtual appliance console in Hyper-V Manager to type the activation
code and commands that allow the admin to log in to the CLI or Web UI to configure the appliance. You can fully configure the
appliance from the console, but it might be inconvenient because you cannot paste into the console.

Using the set_keys.ps1 PowerShell script

Trellix recommends that you use the set_keys.ps1 PowerShell script to do at least the following:

• Enter the activation code for your virtual appliance. The activation code contains many characters. You cannot paste into
the console, and it is easy to make a typing error.
• Reset the password for the "admin" user if password authentication will be used to log into the CLI or Web UI over the
network. The password must be changed to a password of at least eight characters.

You can also use this script to provide commands for configuration settings that the system will apply during the initial boot. This
can be convenient if you have a large number of virtual appliances to deploy, because you can create base sets of commands
and then customize them for each deployment.

To use the set_keys.ps1 PowerShell script:

1. Navigate to the directory where you extracted the deployment package .zip file.
2. Locate the set_keys.ps1 file and open it in a text editor.

Note

Alternatively, you can enter values when you run the script in the PowerShell ISE or PowerShell session described later
in this procedure.


3. Change settings in the file by specifying your values within the quotation marks. The settings you can change are all located
between the comments MODIFY THESE AS NEEDED and DON'T MODIFY ANYTHING BELOW. Do not change any other settings in
the file.

4. The settings are described in the following table.

vmName
    The name of the virtual machine you deployed. The name is displayed in the Virtual Machines section of Hyper-V
    Manager.

activation_code
    The code you received in a secure email from Trellix that gives the virtual appliance its identity and access
    credentials.

cli_cmds_init
    CLI commands that the appliance runs during its initial boot. Consider using this field for network connectivity
    only, because the size of the string could become unwieldy.

cli_cmds_init_url
    A URL that points to a file on your network (for example, http://acme.com/operations/2500V_config.txt). To use this
    field, create a text file that contains CLI commands in plain-text format that configure additional settings, and
    store the file on an HTTP server in your network. The virtual appliance needs network connectivity (which the
    commands in the cli_cmds_init field can establish) to access the file referenced in the URL. Because the appliance
    runs whatever commands it fetches from this URL, and the fetch described here is plain HTTP, serve the file only
    from a host you control that is reachable only from the management network.

reset_admin_password
    A password of at least eight characters. The initial admin password must be reset to allow the admin user to log
    into the CLI or Web UI over the network, unless both of the following are true:
    • The CLI commands being executed set an SSH authorized key for the admin user, which allows the admin to log in
      remotely without a password.
    • You disable password logins using the username admin disable password command.

5. Save the file.


6. Do one of the following:

• Open an administrator Windows PowerShell ISE session, select File > Open, and then navigate to and select
set_keys.ps1.
• Open an administrator Windows PowerShell session, navigate to the directory where you extracted the deployment
package, and then run the set_keys.ps1 script.

7. Enter values in response to the prompts, or press Enter to leave a field blank.

Note

You will not be prompted for values you already provided in the set_keys.ps1 file.

Using the Console

Trellix recommends that you use the set_keys.ps1 PowerShell script to provide initial configuration settings, because you cannot
copy and paste into the Hyper-V Manager console. However, if you do not use this script, and if the license update feature is not
enabled, Trellix recommends that you accept the evaluation licenses during the initial configuration, because typing the keys is
tedious and prone to error. After the activation code is entered and the admin user has access to the appliance Web UI or CLI,
you can copy and paste the license keys.


To perform the initial configuration of a virtual appliance:

1. Open Hyper-V Manager.


2. Right-click the row for the virtual appliance and select Connect. The virtual appliance console opens.
3. At the login prompt, enter admin.
4. Do one of the following:

• If you configured a password in the set_keys.ps1 file or script, enter that password.
• Otherwise, enter the default password (admin). When prompted to change the password, go to CLI configuration
mode and create another password:

hostname > en
hostname # configure terminal
hostname (config) # username admin password <new password>

The system will log you out. Log in using the new password.

5. Accept the license agreement. The configuration jump-start wizard starts.


6. Answer the wizard questions as described below.

File Protect wizard steps

The following table describes the questions the configuration wizard prompts you to answer. As noted in the table, the wizard
skips some steps based on your answers to previous steps.

Note

Press Ctrl+C to exit the configuration wizard. After the management interface is configured, an administrator can use the
configuration jump-start CLI command to run the wizard again.

Hostname?
    Enter the hostname for the appliance.

Admin password?
    (Optional) Enter a new administrator password.

Confirm admin password?
    Re-enter the new administrator password.

Enable remote access for 'admin' user?
    Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Use DHCP on ether1 interface?
    Enter no to manually configure your IP address and network settings.

Use zeroconf on ether1 interface?
    Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network mask.
    (If you specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary interface.

Primary IP address and masklen?
    Enter the IP address for the management interface in A.B.C.D format and enter the network mask (for example,
    1.1.1.2 /24).

Default gateway?
    Enter the gateway IP address for the management interface.

Primary DNS server?
    Enter the IP address of the DNS server.

Domain name?
    Enter the domain for the management interface (for example, it.acme.com).

Enter activation code?
    Enter the activation code you obtained from Trellix.

Enable fenet service?
    Enter yes to enable access to the DTI network. (If you enter no, the next three steps are skipped.)

Enable fenet license update service?
    Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install
    them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product
    license key and the step that prompts for the security-content updates key.)

Sync appliance time with fenet?
    Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service,
    synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three
    attempts to perform this step before it gives up and moves to the next step.

Update licenses from fenet?
    Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it
    gives up and moves to the next step.

Enable NTP?
    Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers. Enter no
    to manually set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync appliance
    time with fenet?" step.) If you enter no, specify the time and date in subsequent steps.

Set time (<hh>:<mm>:<ss>)?
    Enter the appliance time in Greenwich Mean Time (GMT) (UTC+0). (This step and the next step are skipped if you
    entered yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Set date (<yyyy>/<mm>/<dd>)?
    Enter the appliance date in Greenwich Mean Time (GMT) (UTC+0).

Enable IPv6?
    Enter yes to enable the IPv6 protocol on the appliance. The next two steps then configure IPv6 addressing on the
    ether1 management interface.

Enable IPv6 autoconfig (SLAAC) on ether1 interface?
    Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you entered
    no in the "Enable IPv6" step.)

Enable DHCPv6 on ether1 interface?
    Enter yes to obtain the ether1 IPv6 address by using DHCPv6. (This step is skipped if you entered no in the "Use
    DHCP on ether1 interface" or "Enable IPv6" step.)

Submission: Configure interface?
    Press Enter to accept ether1 as the interface through which sensors and brokers communicate. Otherwise, enter the
    name of another interface. (If you accept ether1, the next three steps are skipped.) NOTE: Ether1 is the only
    supported submission interface on File Protect sensors deployed on KVM servers.

Submission: Interface?
    Enter the name of the other interface.
    Note: To keep management and data traffic separate, Trellix recommends that you use another management interface,
    such as ether2, and not a monitoring interface.

Submission: Use DHCP on <name> interface?
    Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the submission interface IP address and
    other network parameters. Enter no to manually configure the IP address and network settings. (If you enter yes,
    the static IP addressing steps are skipped.)

Submission: IP address and masklen?
    Enter the IP address for the submission interface in A.B.C.D format and enter the network mask (for example,
    10.1.1.1 /24).

Submission: Default IPv4 gateway?
    Enter the gateway IP address for the submission interface.

Product license key?
    Press Enter to install a 15-day evaluation license.

Security-content updates key?
    Press Enter to skip this step and install the license later.


Configuring a virtual File Protect Network using Microsoft Hyper-V Manager

A virtual File Protect appliance requires no additional virtual network configuration. However, if you are using the ether2
interface to access storage, the ether1 and ether2 interfaces must be on different networks. You can use the following CLI
command to configure a non-default gateway to reach the storage server from the ether2 interface:

hostname (config) # ip route <networkPrefix> {<netmask> | <maskLength>} {<nextHopIPAddress> | <interfaceName>} <interfaceName>

7| Physical

Physical
• Installing hardware
• Performing the initial configuration
• Configuring the IPMI interface

Installing hardware
For information about installing a physical appliance, see the Hardware Administration Guide for that hardware model.

For information about basic configuration settings, see Performing the initial configuration.

Performing the initial configuration


The management interface is the port through which an appliance is managed and administered. It is also the port through
which integration of the Central Management System appliance and a managed appliance is managed. With the single-port
address type, the management interface is also the port through which a managed appliance requests and downloads software
updates from the DTI network.

Initial settings need to be configured to set up the management interface, and to allow access to the network, change the default
administrator password, and so on. The following initial configuration methods are available:

• Keyboard and VGA monitor—You can use a keyboard and VGA monitor connected directly to the appliance to log in to
the CLI and configure the initial settings. This is the easiest way to configure the initial settings if you are physically near
the appliance. See Configuring initial settings using a keyboard and monitor.
• Serial console port—You can connect a Windows or Mac laptop, a Linux system, or a terminal server to the serial port on
the back of the appliance to log in to the CLI and configure the initial settings. See Configuring initial settings using the
serial console port.
• LCD panel—A liquid-crystal display (LCD) panel on the front of many appliance models has navigation buttons and
menus you use to select initial settings. For more information, see your Hardware Administration Guide.

Configuring Initial Settings Using a Keyboard and Monitor

You can connect keyboard and video cables to the appliance and then log in to the appliance CLI to perform the initial
configuration. See your Hardware Administration Guide to view the port locations.

To configure initial settings using a keyboard and monitor:

1. Plug in a keyboard and a VGA monitor.
2. When prompted, enter the default username (admin) and password (admin) for the permanent "admin" user.
3. When prompted to change the password, configure a new password using the username admin password <new password>
   command. You will be logged out. Log in again with the new password.
4. You are asked to accept the End User License Agreement (EULA). Enter y to accept the terms of the agreement.
5. Enter y when you are prompted to use the Configuration Wizard for initial configuration. Then respond to the prompts as
   described in Configuration wizard steps.
6. After you answer the questions, the wizard summarizes your answers. To change an answer, enter the step number.
   Press Enter to save changes.

Configuring initial settings using the serial console port

If you are not using a terminal server, you need to be physically near the appliance to use the serial port. See your Hardware
Administration Guide to view the port location.

The serial port uses the following settings:

• Baud rate: 115200
• Data bits: 8
• Stop bits: 1
• Parity: None
• Flow control: XON/XOFF
You can access the serial port and configure initial settings as described in the following topics:

• Using a Windows or Mac laptop


• Using a Linux system
• Using a Terminal Server

Using a Windows or Mac laptop

Because laptops do not usually have a serial port, you need a USB-to-serial cable to connect the laptop to the serial port (DB-9) of
the appliance. Trellix uses Prolific Technology Inc. adapters.

Important

The USB-to-serial cable is not provided with the appliance.

To configure initial settings from a Windows or Mac laptop:

1. Connect the USB-to-serial cable to a USB port on the laptop.
2. Connect one end of the null modem cable that is provided with the appliance to the USB-to-serial cable.
3. Connect the other end of the null modem cable to the serial port (DB-9) of the appliance.
4. Use a serial application (such as PuTTY) to establish a connection. Specify the COM port assigned to the USB-to-serial
   cable and the serial port settings listed above.
5. When prompted, enter the default username (admin) and password (admin) for the administrator.
6. When prompted to change the password, configure a new password using the username admin password <new password>
   command. You will be logged out. Log in again with the new password.
7. You are asked to accept the End User License Agreement (EULA). Enter y to accept the terms of the agreement.
8. Enter y when you are prompted to use the Configuration Wizard for initial configuration. Then respond to the prompts as
   described in Configuration wizard steps.
9. After you answer the questions, the wizard summarizes your answers. To change an answer, enter the step number.
   Press Enter to save changes.
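Before opening PuTTY, it is useful to confirm from the laptop that the adapter, cable and serial settings actually reach
the appliance console. The following function does that with the .NET SerialPort class using exactly the settings listed
above (115200 baud, 8 data bits, 1 stop bit, no parity, XON/XOFF). It is an added example, not from the guide or from
Trellix; the COM port name is a placeholder for the port Windows assigned to your USB-to-serial cable, and the assumption
that the console prompt ends in "login:" is taken from the procedure above.

```powershell
function Test-ApplianceSerialConsole {
    <#
      Added example (not from the guide): opens the appliance serial console with the
      documented settings, nudges it, and reports whether the login prompt appeared.
      List candidate ports with [System.IO.Ports.SerialPort]::GetPortNames().
    #>
    param(
        [Parameter(Mandatory)] [string] $PortName,   # e.g. 'COM3' (placeholder for your adapter's port)
        [int] $TimeoutSeconds = 30
    )
    # Settings from the guide: 115200 baud, 8 data bits, parity none, 1 stop bit, XON/XOFF flow control.
    $port = New-Object System.IO.Ports.SerialPort -ArgumentList $PortName, 115200, ([System.IO.Ports.Parity]::None), 8, ([System.IO.Ports.StopBits]::One)
    $port.Handshake = [System.IO.Ports.Handshake]::XOnXOff
    $port.Open()
    try {
        $port.Write("`r")                     # a bare carriage return makes the console (re)print its prompt
        $received = ''
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        while ((Get-Date) -lt $deadline) {
            $received += $port.ReadExisting()
            # Assumption: the appliance prompt ends in "login:", as in the procedure above.
            if ($received -match 'login:\s*$') {
                return [pscustomobject]@{ Port = $PortName; PromptSeen = $true;  Banner = $received.Trim() }
            }
            Start-Sleep -Milliseconds 250
        }
        return [pscustomobject]@{ Port = $PortName; PromptSeen = $false; Banner = $received.Trim() }
    } finally {
        $port.Close()                          # release the port so PuTTY can open it afterwards
    }
}

# Usage (port name is a placeholder):
# Test-ApplianceSerialConsole -PortName COM3
```

If PromptSeen is false and Banner is empty, the cable or COM port is wrong; if Banner contains garbage characters, the
baud rate or framing does not match the settings listed above. The function closes the port on every path so that PuTTY
can take it over once the check passes.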

Using a Linux System

You can use a serial cable or a USB-to-serial cable to connect the Linux machine to the serial port of the appliance. Trellix uses
Prolific Technology Inc. adapters.

Important

The USB-to-serial cable is not provided with the appliance.

To configure initial settings from a Linux system:

1. Connect the cable to the serial port of the appliance and to the Linux machine.
2. From a command prompt, establish a connection with a serial terminal program (for example, screen or minicom) using
   the settings listed above (115200 baud, 8 data bits, 1 stop bit, no parity, XON/XOFF). If you are using a
   USB-to-serial cable, specify the device node the kernel assigned to it (for example, /dev/ttyUSB0) rather than a COM
   port.
3. When prompted, enter the default username (admin) and password (admin) for the administrator.
4. When prompted to change the password, configure a new password using the username admin password <new password>
command. You will be logged out. Log in again with the new password.
5. You are asked to accept the End User License Agreement (EULA). Enter y to accept the terms of the agreement.
6. Enter y when you are prompted to use the Configuration Wizard for initial configuration. Then respond to the prompts as
described in Configuration wizard steps.
7. After you answer the questions, the wizard summarizes your answers. To change an answer, enter the step number. Press
Enter to save changes.

Using a Terminal Server

To configure initial settings from a terminal server:

1. Set the terminal server to a baud rate of 115200.
2. Plug one end of a serial cable into the serial port (DB-9) on the appliance and plug the other end into the terminal server.
3. In a Telnet application (such as PuTTY), enter the hostname or terminal server IP address, the terminal server port number
   that the appliance is using, and the appliance port number.
4. When prompted, enter the default username (admin) and password (admin) for the administrator.
5. When prompted to change the password, configure a new password using the username admin password <new password>
   command. You will be logged out. Log in again with the new password.
6. You are asked to accept the End User License Agreement (EULA). Enter y to accept the terms of the agreement.
7. Enter y when you are prompted to use the Configuration Wizard for initial configuration. Then respond to the prompts as
   described in Configuration wizard steps.
8. After you answer the questions, the wizard summarizes your answers. To change an answer, enter the step number.
   Press Enter to save changes.

Configuration wizard steps

The following tables describe the questions the configuration wizard prompts you to answer. As noted in the table, the wizard
skips some steps based on your answers to previous steps.

Note

Press Ctrl+C to exit the configuration wizard. After the management interface is configured, an administrator can use the
configuration jump-start CLI command to run the wizard again.

Network Security steps

The following table describes the wizard steps for a Network Security appliance.

Hostname?
    Enter the hostname for the appliance.

Admin password?
    (Optional) Enter a new administrator password.

Confirm admin password?
    Re-enter the new administrator password.

Enable remote access for 'admin' user?
    Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Use DHCP on ether1 interface?
    Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the appliance IP address and other network
    parameters. Enter no to manually configure your IP address and network settings. (If you enter yes, the zeroconf
    and static IP addressing steps are skipped.)

Use zeroconf on ether1 interface?
    Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network mask.
    (If you specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary interface.

Primary IP address and masklen?
    Enter the IP address for the management interface in A.B.C.D format and enter the network mask (for example,
    1.1.1.2 /24).

Default gateway?
    Enter the gateway IP address for the management interface.

Primary DNS server?
    Enter the IP address of the DNS server.

Domain name?
    Enter the domain for the management interface (for example, it.acme.com).

Enable Incident Response or Compromise Assessment?
    Enter yes to configure an Incident Response or Compromise Assessment deployment. (If you enter yes, the next four
    steps are performed automatically, and the "Enable NTP?" and "Enable IPv6?" steps are skipped.)

Enable fenet service?
    Enter yes to enable access to the DTI network. (If you enter no, the next three steps are skipped.)

Enable fenet license update service?
    Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install
    them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product
    license key and the step that prompts for the security-content updates key.)

Sync appliance time with fenet?
    Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service,
    synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three
    attempts to perform this step before it gives up and moves to the next step.

Update licenses from fenet?
    Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it
    gives up and moves to the next step.

Enable NTP?
    Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers. Enter no
    to manually set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync appliance
    time with fenet?" or "Enable Incident Response or Compromise Assessment?" step.) If you enter no, specify the time
    and date in subsequent steps.

Enable FaaS VPN?
    Enter yes to enable the appliance to connect to Managed Defense (formerly called FireEye as a Service) over the
    Internet using a secure SSL VPN connection. (This step is skipped if no MD_ACCESS license is installed. This step is
    performed automatically if you entered yes in the "Enable Incident Response or Compromise Assessment?" step.)

Set time (<hh>:<mm>:<ss>)?
    Enter the appliance time in Greenwich Mean Time (GMT) (UTC+0). (This step and the next step are skipped if you
    entered yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Set date (<yyyy>/<mm>/<dd>)?
    Enter the appliance date in Greenwich Mean Time (GMT) (UTC+0).

Enable IPv6?
    Enter yes to enable the IPv6 protocol on the appliance. The next two steps then configure IPv6 addressing on the
    ether1 management interface.

Enable IPv6 autoconfig (SLAAC) on ether1 interface?
    Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you entered
    no in the "Enable IPv6" step.)

Enable DHCPv6 on ether1 interface?
    Enter yes to obtain the ether1 IPv6 address by using DHCPv6. (This step is skipped if you entered no in the "Use
    DHCP on ether1 interface" or "Enable IPv6" step.)

Submission: Interface? (This step appears on integrated Network Security appliances after MVX sensor or hybrid mode is
enabled.)
    Press Enter to accept ether1 as the interface through which sensors and brokers communicate. Otherwise, enter the
    name of the other interface. (If you accept ether1, the next three steps are skipped.)
    Note: To keep management and data traffic separate, Trellix recommends that you use another management interface,
    such as ether2, and not a monitoring interface.

Submission: Use DHCP on <name> interface?
    Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the submission interface IP address and
    other network parameters. Enter no to manually configure the IP address and network settings. (If you enter yes,
    the static IP addressing steps are skipped.)

Submission: IP address and masklen?
    Enter the IP address for the submission interface in A.B.C.D format and enter the network mask (for example,
    10.1.1.1 /24).

Submission: Default IPv4 gateway?
    Enter the gateway IP address for the submission interface in A.B.C.D format.

Mirror traffic to a PX appliance?
    Enter yes to use port mirroring to forward Network Security traffic to the Packet Capture appliance in an Incident
    Response deployment. If you enter no, you must manually configure your Packet Capture appliance to receive the
    proper traffic. (This step is skipped if you entered no in the "Enable Incident Response or Compromise Assessment?"
    step.)
    Important: Trellix recommends using port mirroring in an Incident Response deployment.

Interface pair to mirror traffic to PX?
    Enter the Network Security interface pair or pairs whose traffic will be forwarded to the Packet Capture appliance.
    If multiple mirror ports are already configured, this step and the next step are skipped. If a single mirror port is
    already configured for one or more pairs, that pair or pairs are provided as the default for this step.
    Important: Trellix recommends using the default pair (A) if you are configuring a new appliance. Otherwise, manual
    configuration steps may be required.

Interface to mirror traffic to PX?
    Enter the Network Security interface port that will forward the traffic to the capture port of the Packet Capture
    appliance. Do not specify a port that belongs to an interface pair you entered in the previous step. If a single
    mirror port is already configured, it is provided as the default for this step.
    Important: Trellix recommends using the default port (pether6) if you are configuring a new appliance. Otherwise,
    manual configuration steps may be required.

Enable forensic analysis?
    Enter yes to perform full packet capture and analysis on the mirrored traffic.

IP address of PX?
    Enter the IP address of the Packet Capture appliance. (This step is skipped if you entered no in the "Enable
    forensic analysis?" step.)

Product license key?
    Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation license.
    (This step and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and
    if licenses were successfully installed as a result.)

Security-content updates key?
    Enter the security-content license key you obtained from Trellix, or press Enter to skip this step and install the
    license later.

Email Security steps

The following table describes the wizard steps for an Email Security — Server appliance.

Step Response

Hostname? Enter the hostname for the appliance.

Admin password? (Optional) Enter a new administrator password.

Trellix Device Deployment Guide 2024.2 275


7| Physical

Confirm admin password? Re-enter the new administrator password.

Enable remote access for 'admin' user? Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Use DHCP on ether1 interface? Enter no to manually configure your IP address and network settings. IMPORTANT: Do not use DHCP on the ether1 (management) interface. If you have already done so using the configuration wizard, you must use the no interface ether1 dhcp CLI command (not the configuration wizard) to disable DHCP. (This step is skipped for new Email Security — Server appliances.)

Use zeroconf on ether1 interface? Enter no to manually configure your IP address and network settings.

Primary IP address and masklen? Enter the IP address for the management interface in A.B.C.D format and enter the network mask (for example, 1.1.1.2 /24).

Default gateway? Enter the gateway IP address for the management interface.

Primary DNS server? Enter the IP address of the DNS server.

Domain name? Enter the domain for the management interface (for example, it.acme.com).

Enable fenet service? Enter yes to enable access to the DTI network. (If you enter no, the next three steps are skipped.)

Enable fenet license update service? Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product license key and the step that prompts for the security-content updates key.)

Sync appliance time with fenet? Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service, synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Update licenses from fenet? Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Enable NTP? Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers. Enter no to manually set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync appliance time with fenet?" step.) If you enter no, specify the time and date in subsequent steps.

Enable FaaS VPN? Enter yes to enable the appliance to connect to Managed Defense (formerly called FireEye as a Service) over the Internet using a secure SSL VPN connection. (This step is skipped if no MD_ACCESS license is installed. This step is performed automatically if you entered yes in the "Enable Incident Response or Compromise Assessment?" step.)

Set time (<hh>:<mm>:<ss>)? Enter the appliance time in Greenwich Mean Time (GMT) (UTC+0). (This step and the next step are skipped if you entered yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Set date (<yyyy>/<mm>/<dd>)? Enter the appliance date in Greenwich Mean Time (GMT) (UTC+0).

Enable IPv6? Enter yes to enable the IPv6 protocol, which changes network routing from IPv4 to IPv6.

Enable IPv6 autoconfig (SLAAC) on ether1 interface? Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you entered no in the "Enable IPv6" step.)

Enable DHCPv6 on ether1 interface? Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the "Use DHCP on ether1 interface" or "Enable IPv6" step.)

Submission: Interface? (This step appears on integrated Email Security — Server appliances after MVX hybrid mode is enabled.) Press Enter to accept ether1 as the interface through which sensors and brokers communicate. Otherwise, enter the name of the other interface. (If you accept ether1, the next three steps are skipped.) NOTE: To keep management and data traffic separate, Trellix recommends that you use another management interface, such as ether2, and not a monitoring interface.

Submission: Use DHCP on <name> interface? Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the submission interface IP address and other network parameters. Enter no to manually configure the IP address and network settings. (If you enter yes, the static IP addressing steps are skipped.)

Submission: IP address and masklen? Enter the IP address for the submission interface in A.B.C.D format and enter the network mask (for example, 10.1.1.1 /24).

Submission: Default IPv4 gateway? Enter the IP address for the submission interface default gateway in A.B.C.D format.

Product license key? Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation license. (This step and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and if licenses were successfully installed as a result.)

Security-content updates key? Enter the security-content license key you obtained from Trellix, or press Enter to skip this step and install the license later.

File Protect steps

The following table describes the wizard steps for a File Protect appliance.

Step Response

Hostname? Enter the hostname for the appliance.

Admin password? (Optional) Enter a new administrator password.

Confirm admin password? Re-enter the new administrator password.

Enable remote access for 'admin' user? Enter yes to enable the administrator to log in to
the appliance remotely. Enter no to disable remote
access.

Use DHCP on ether1 interface? Enter yes to use Dynamic Host Configuration
Protocol (DHCP) to configure the appliance IP
address and other network parameters. Enter no
to manually configure your IP address and network
settings. (If you enter yes, the zeroconf and static IP
addressing steps are skipped.)

Use zeroconf on ether1 interface? Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network mask. (If you specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary interface.

Primary IP address and masklen? Enter the IP address for the management interface in A.B.C.D format and enter the network mask (for example, 1.1.1.2 /24).

Default gateway? Enter the gateway IP address for the management interface.

Primary DNS server? Enter the IP address of the DNS server.

Domain name? Enter the domain for the management interface (for example, it.acme.com).

Enable fenet service? Enter yes to enable access to the DTI network. (If you enter no, the next three steps are skipped.)

Enable fenet license update service? Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product license key and the step that prompts for the security-content updates key.)

Sync appliance time with fenet? Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service, synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Update licenses from fenet? Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Enable NTP? Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers. Enter no to manually set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync appliance time with fenet?" step.) If you enter no, specify the time and date in subsequent steps.

Enable FaaS VPN? Enter yes to enable the appliance to connect to Managed Defense (formerly called FireEye as a Service) over the Internet using a secure SSL VPN connection. (This step is skipped if no MD_ACCESS license is installed.)

Set time (<hh>:<mm>:<ss>)? Enter the appliance time in Greenwich Mean Time (GMT) (UTC+0). (This step and the next step are skipped if you entered yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Set date (<yyyy>/<mm>/<dd>)? Enter the appliance date in Greenwich Mean Time (GMT) (UTC+0).

Enable IPv6? Enter yes to enable the IPv6 protocol, which changes network routing from IPv4 to IPv6.

Enable IPv6 autoconfig (SLAAC) on ether1 interface? Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you entered no in the "Enable IPv6" step.)

Enable DHCPv6 on ether1 interface? Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the "Use DHCP on ether1 interface" or "Enable IPv6" step.)

Submission: Interface? (This step appears on integrated File Protect appliances after MVX hybrid mode is enabled.) Press Enter to accept ether1 as the interface through which sensors and brokers communicate. Otherwise, enter the name of the other interface. (If you accept ether1, the next three steps are skipped.) NOTE: To keep management and data traffic separate, Trellix recommends that you use another management interface, such as ether2, and not a monitoring interface.

Submission: Use DHCP on <name> interface? Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the submission interface IP address and other network parameters. Enter no to manually configure the IP address and network settings. (If you enter yes, the static IP addressing steps are skipped.)

Submission: IP address and masklen? Enter the IP address for the submission interface in A.B.C.D format and enter the network mask (for example, 10.1.1.1 /24).

Submission: Default IPv4 gateway? Enter the IP address for the submission interface default gateway in A.B.C.D format.

Product license key? Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation license. (This step and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and if licenses were successfully installed as a result.)

Security-content updates key? Enter the security-content license key you obtained from Trellix, or press Enter to skip this step and install the license later.

Virtual Execution steps

The following table describes the wizard steps for an Intelligent Virtual Execution - Server appliance.

Step Response

Hostname? Enter the hostname for the appliance.

Admin password? (Optional) Enter a new administrator password.

Confirm admin password? Re-enter the new administrator password.

Enable remote access for 'admin' user? Enter yes to enable the administrator to log in to the appliance remotely. Enter no to disable remote access.

Use DHCP on ether1 interface? DHCP is not supported on the management interface. Enter no to manually configure your IP address and network settings.

Use zeroconf on ether1 interface? Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network mask. (If you specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary interface.

Primary IPv4 address and masklen? Enter the IP address for the management interface in A.B.C.D format and enter the network mask (for example, 1.1.1.2 /24).

Default gateway? Enter the gateway IP address for the management interface.

Primary DNS server? Enter the IP address of the DNS server.

Domain name? Enter the domain for the management interface (for example, it.acme.com).

Enable fenet service? Enter yes to enable access to the DTI network. (If you enter no, the next three steps are skipped.)

Enable fenet license update service? Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product license key and the step that prompts for the security-content updates key.)

Sync appliance time with fenet? Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service, synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Update licenses from fenet? Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Enable NTP? Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers. Enter no to manually set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync appliance time with fenet?" step.)

Set time (<hh>:<mm>:<ss>)? Enter the appliance time in Greenwich Mean Time (GMT) (UTC+0). (This step and the next step are skipped if you entered yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Set date (<yyyy>/<mm>/<dd>)? Enter the appliance date in Greenwich Mean Time (GMT) (UTC+0).

Enable IPv6? Enter no. IPv6 is not supported on Intelligent Virtual Execution - Server appliances that are nodes in an MVX cluster.

Product license key? Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation license. (This step and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and if licenses were successfully installed as a result.)

Security-content updates key? Enter the security-content license key you obtained from Trellix, or press Enter to skip this step and install the license later.

Submission: Interface? Press Enter to accept ether1 as the interface through which sensors and brokers communicate. Otherwise, enter the name of the other interface. (If you accept ether1, the next three steps are skipped.) NOTE: To keep management and data traffic separate, Trellix recommends that you use another management interface, such as ether2, and not a monitoring interface.

Submission: Use DHCP on <name> interface? DHCP is not supported on the submission interface. Enter no to manually configure the IP address and network settings.

Submission: IP address and masklen? Enter the IP address for the submission interface in A.B.C.D format and enter the network mask (for example, 10.1.1.1 /24).

Submission: Default IPv4 gateway? Enter the IP address for the submission interface default gateway in A.B.C.D format.

Cluster: Configure interface? Press Enter to accept ether1 as the interface through which brokers and compute nodes communicate. Otherwise, enter the name of another interface. (If you accept ether1, the next three steps are skipped.) NOTE: To keep management and data traffic separate, Trellix recommends that you use another management interface such as ether2, and not a monitoring interface.

Cluster: Use DHCP on <name> interface? DHCP is not supported on the cluster interface. Enter no to manually configure the address settings.

Cluster: IP address and masklen? Enter the IP address for the cluster interface in A.B.C.D format and enter the network mask (for example, 10.1.1.2 /24).

Product license key? Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation license. (This step and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and if licenses were successfully installed as a result.)

Security-content updates key? Enter the security-content license key you obtained from Trellix, or press Enter to skip this step and install the license later.

Central Management steps

The following table describes the wizard steps for a Central Management System appliance.

Step Response

Hostname? Enter the hostname for the appliance.

Admin password? (Optional) Enter a new administrator password.

Confirm admin password? Re-enter the new administrator password.

Enable remote access for 'admin' user? Enter yes to enable the administrator to log in to
the appliance remotely. Enter no to disable remote
access.

Use DHCP on ether1 interface? Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the appliance IP address and other network parameters. Enter no to manually configure your IP address and network settings. (If you enter yes, the zeroconf and static IP addressing steps are skipped.)

Use zeroconf on ether1 interface? Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network mask. (If you specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary interface.

Primary IP address and masklen? Enter the IP address for the management interface in A.B.C.D format and enter the network mask (for example, 1.1.1.2 /24).

Default gateway? Enter the gateway IP address for the management interface.

Primary DNS server? Enter the IP address of the DNS server.

Domain name? Enter the domain for the management interface (for example, it.acme.com).

Enable fenet service? Enter yes to enable access to the DTI network. (If you enter no, the next three steps are skipped.)

Enable fenet license update service? Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product license key and the step that prompts for the security-content updates key.)

Sync appliance time with fenet? Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service, synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Update licenses from fenet? Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Enable NTP? Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers. Enter no to manually set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync appliance time with fenet?" step.) If you enter no, specify the time and date in subsequent steps.

Set time (<hh>:<mm>:<ss>)? Enter the appliance time in Greenwich Mean Time (GMT) (UTC+0). (This step and the next step are skipped if you entered yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Set date (<yyyy>/<mm>/<dd>)? Enter the appliance date in Greenwich Mean Time (GMT) (UTC+0).

Enable IPv6? Enter yes to enable the IPv6 protocol, which changes network routing from IPv4 to IPv6.

Enable IPv6 autoconfig (SLAAC) on ether1 interface? Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you entered no in the "Enable IPv6" step.)

Enable DHCPv6 on ether1 interface? Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the "Use DHCP on ether1 interface" or "Enable IPv6" step.)

Configure CMS HA? Enter yes to configure the Central Management System appliance in a high availability (HA) environment. (For the remaining HA configuration steps, see the Central Management System High Availability Guide.)

Product license key? Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation license. (This step and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and if licenses were successfully installed as a result.)

Security-content updates key? Enter the security-content license key you obtained from Trellix, or press Enter to skip this step and install the license later.

Malware Security steps

Step Response

Hostname? Enter the hostname for the appliance.

Admin password? (Optional) Enter a new administrator password.

Confirm admin password? Re-enter the new administrator password.

Enable remote access for 'admin' user? Enter yes to enable the administrator to log in to
the appliance remotely. Enter no to disable remote
access.

Use DHCP on ether1 interface? Enter yes to use Dynamic Host Configuration
Protocol (DHCP) to configure the appliance IP
address and other network parameters. Enter no
to manually configure your IP address and network
settings. (If you enter yes, the zeroconf and static IP
addressing steps are skipped.)

Use zeroconf on ether1 interface? Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network mask. (If you specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary interface.

Primary IP address and masklen? Enter the IP address for the management interface in A.B.C.D format and enter the network mask (for example, 1.1.1.2 /24).

Default gateway? Enter the gateway IP address for the management interface.

Primary DNS server? Enter the IP address of the DNS server.

Domain name? Enter the domain for the management interface (for example, it.acme.com).

Enable fenet service? Enter yes to enable access to the DTI network. (If you enter no, the next three steps are skipped.)

Enable fenet license update service? Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product license key and the step that prompts for the security-content updates key.)

Sync appliance time with fenet? Enter yes to synchronize the appliance time with the DTI server time. If you enabled the licensing service, synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Update licenses from fenet? Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before it gives up and moves to the next step.

Enable NTP? Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers. Enter no to manually set the time and date on the appliance. (This step is skipped if you entered yes in the "Sync appliance time with fenet?" step.) If you enter no, specify the time and date in subsequent steps.

Enable FaaS VPN? Enter yes to enable the appliance to connect to Managed Defense (formerly called FireEye as a Service) over the Internet using a secure SSL VPN connection. (This step is skipped if no MD_ACCESS license is installed.)

Set time (<hh>:<mm>:<ss>)? Enter the appliance time in Greenwich Mean Time (GMT) (UTC+0). (This step and the next step are skipped if you entered yes in the "Sync appliance time with fenet?" or "Enable NTP?" step.)

Set date (<yyyy>/<mm>/<dd>)? Enter the appliance date in Greenwich Mean Time (GMT) (UTC+0).

Enable IPv6? Enter yes to enable the IPv6 protocol, which changes network routing from IPv4 to IPv6.

Enable IPv6 autoconfig (SLAAC) on ether1 interface? Enter yes to enable IPv6 autoconfig on the ether1 (management interface) port. (This step is skipped if you entered no in the "Enable IPv6" step.)

Enable DHCPv6 on ether1 interface? Enter yes to use DHCPv6 to configure IPv6 hosts with IP addresses. (This step is skipped if you entered no in the "Use DHCP on ether1 interface" or "Enable IPv6" step.)

Product license key? Enter the product license key you obtained from Trellix, or press Enter to install a 15-day evaluation license. (This step and the next step are skipped if you entered yes in the "Enable fenet license update service?" step and if licenses were successfully installed as a result.)

Security-content updates key? Enter the security-content license key you obtained from Trellix, or press Enter to skip this step and install the license later.

Configuring the IPMI interface

Important

The IPMI interface is not supported on some appliance models running Release 8.0.0 or later with IPMI firmware version 2.07.
For more information, see your System Administration Guide or Administration Guide.

Use the commands in this section to configure the IPMI interface.

Note

See your System Administration Guide for information about using the IPMI interface after it is configured.

To configure the IPMI port:

1. Plug one end of an Ethernet cable into the IPMI port and the other end into an administrative computer or terminal server.
2. Log in to the CLI.
3. Go to CLI configuration mode:

hostname > enable
hostname # configure terminal

4. If you want to configure a static IP address for the IPMI interface, do the following:
a. If DHCP was previously configured for IPMI, change to the static method:

hostname (config) # ipmi lan ipsrc static

b. Configure the IP address for the IPMI interface:

hostname (config) # ipmi lan ipaddr <ip Address>

c. Configure the netmask for the IPMI interface:


hostname (config) # ipmi lan netmask <netmask>

d. Configure the default gateway for the IPMI interface:

hostname (config) # ipmi lan defgw <ip Address>

5. If you want to configure DHCP:

a. Make sure that DHCP is enabled on your network:

hostname (config) # show ip dhcp

b. Enable DHCP:

hostname (config) # ipmi lan ipsrc dhcp

6. By default, the username used to log in to the IPMI Web UI is ADMIN. Configure the password:

hostname (config) # ipmi user set password <password>

The password must be a minimum of five characters, and a maximum of 20 characters.


7. Save your changes:

hostname (config) # write memory

To view the IPMI configuration:

1. Enter the CLI enable mode:

hostname > enable

2. Display the configuration. For example:

hostname (config) # show ipmi interface

IPMI LAN Settings
----------------------------------------
Admin Shut Down : no
Shut Down : no
IP Address Source : Static Address
IP Address : 192.168.42.27
Subnet Mask : 0.0.0.0
Default Gateway IP : 0.0.0.0

To revert to the default configuration:

1. Go to CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Revert to the default configuration:

hostname (config) # ipmi lan ipsrc static


3. Save your changes:

hostname (config) # write memory

Note

It is important to use the latest IPMI firmware available for your system. For details, see your System Administration Guide or
Administration Guide.

Configuring IPv6 addresses for the IPMI interface

Important

You can configure IPv6 addresses for the IPMI interface only for the following appliances:

• CM 7500 and CM 9500
• EX 5500 and EX 8500
• NX 3500, NX 4500, and NX 5500

Use the instructions in this section to configure an IPv6 Address for the IPMI interface using the CLI.

Prerequisites

• One end of an Ethernet cable is plugged in to the IPMI port, and the other end of the cable is plugged in to an administrative computer or terminal server
• Upgrade IPMI firmware version to 2.37. For details, see your System Administration Guide.

To configure an IPv6 address for the IPMI interface using the CLI:

1. Log in to the appliance CLI.
2. Go to CLI configuration mode:

hostname > enable
hostname # configure terminal

3. Configure the static IPv6 address for the IPMI interface:

hostname (config) # ipmi lan6 ipaddr <valid IPv6 Address> prefix <1-128>

4. To enable DHCP on your network:

hostname (config) # ipmi lan6 dhcp enable

5. Save your changes:


hostname (config) # write memory

6. Display the configuration. For example:

hostname (config) # show ipmi interface

IPMI LAN Settings
----------------------------------------
Admin Shut Down : no
Shut Down : (n/a)
Set in Progress : Set in Progress
IP Address Source : DHCP Address
IPMI LAN6 Settings
----------------------------------------
Static ipv6 Address : 2015:9:19:ffff::da7/64
Dhcp ipv6 Address : 2015:9:19:ffff::da7/64

8| Administration

Administration
• Working with virtual appliances

Working with virtual appliances


Both physical and virtual appliances depend on the Trellix DTI network (cloud.fireeye.com) for automatic license updates and
DTI services such as threat intelligence and software and security content updates. Virtual appliances also depend on the DTI
network for the token server, which continually renews the lease on its product license, and the entropy server, which generates
randomness for more secure connections.

A virtual appliance has a unique activation code, which serves the following purposes:

• Gives the appliance a unique identity (its appliance ID).
• Activates the product (FIREEYE_APPLIANCE) license.
• Allows access to the license token server.
• Provides access to the DTI network.
• Protects you from fraudulent use of the virtual appliance.
• Allows the virtual appliance to initialize—the appliance remains disabled until you apply the activation code.

The activation code is highly sensitive, because it gives the virtual appliance its identity and access credentials. Trellix takes
measures to prevent fraudulent use of activation codes as described in How It Works.

Understanding virtual appliance licensing

Licenses for virtual appliances are based on a unique appliance ID. Trellix sends you two secure emails. One email contains the
appliance ID, a unique activation code, and a link to download the software image for the virtual appliance. The other email
contains the license keys for the virtual appliance.

The FIREEYE_APPLIANCE (product) license for a virtual appliance must be continually validated by a token server. The token
server uses a time-limited token to activate the product license on the virtual appliance. The token also provides a short-term
lease on the product license. The virtual appliance must continually renew this lease to keep its product license active. If the
product license becomes inactive, malware detection is disabled on the appliance.

Note

The start and stop dates for the product license also govern whether the license remains active.


How it works

After the virtual appliance has been activated, it connects to the token server and requests a license token for its product license.
If the DTI credentials the appliance presents are valid, the token server sends the appliance a token that allows the product
license to be active for the duration of the lease.

The duration of a lease is one hour, so the license token must be renewed every hour. The appliance applies for the lease
renewal with enough lead time to keep the appliance functioning if an event such as a brief network outage occurs. The lead
time is 15 minutes by default and can be changed with the assistance of Trellix Technical Support.

The token server grants grace periods to allow for token server failures and network outages. Initially there is no grace period.
After the virtual appliance has been continually licensed for three hours, the token server grants the appliance six hours of grace
time. If the current token expires and the token renewal fails, the product license will remain active for up to six hours while the
appliance continues to send a renewal request every minute to the token server. The grace period is extended to three days if
Trellix determines that your network is down and unable to contact the DTI network. When connectivity is restored, the appliance
automatically requests a new license token.
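The lease and grace-period behaviour described above, as an added minute-by-minute model (not Trellix code). The timings are the guide's; how the grace grant reaches the appliance (assumed: with its next successful token exchange) and how a renewed lease is chained onto the current one are assumptions of the model, and the outage scenarios are constructed.

```python
from typing import List, Optional, Tuple

# Timings from the guide (all in minutes).
LEASE_MIN = 60                    # a license token lease lasts one hour
LEAD_MIN = 15                     # default renewal lead time before expiry
RETRY_MIN = 1                     # a failed renewal is retried every minute
GRACE_AFTER_MIN = 3 * 60          # grace is granted after 3 h of continuous licensing
GRACE_MIN = 6 * 60                # normal grace period: six hours
EXTENDED_GRACE_MIN = 3 * 24 * 60  # grace once Trellix confirms the network is down


class LicenseTokenClient:
    """Minute-granular model of one virtual appliance's product-license token."""

    def __init__(self, network_down_confirmed: bool = False) -> None:
        self.lease_expires_at: Optional[int] = None  # minute the active token expires
        self.licensed_since: Optional[int] = None    # start of continuous licensing
        self.grace_available = False                 # granted by the token server
        self.grace_expires_at: Optional[int] = None  # set once a lease lapses
        self.last_attempt: Optional[int] = None      # minute of the last token request
        self.network_down_confirmed = network_down_confirmed

    def license_active(self, t: int) -> bool:
        """Malware detection stays enabled while a lease or a grace period is running."""
        if self.lease_expires_at is not None and t < self.lease_expires_at:
            return True
        return self.grace_expires_at is not None and t < self.grace_expires_at

    def _should_request(self, t: int) -> bool:
        if self.lease_expires_at is None:
            return True                                   # unlicensed: keep asking
        if self.lease_expires_at - t > LEAD_MIN:
            return False                                  # well inside the lease
        return self.last_attempt is None or t - self.last_attempt >= RETRY_MIN

    def _on_token_granted(self, t: int) -> None:
        # Assumption: a renewed lease is chained onto the current one, so renewing
        # early (lead time) does not shorten the total licensed time.
        current = self.lease_expires_at
        base = current if current is not None and current > t else t
        self.lease_expires_at = base + LEASE_MIN
        self.grace_expires_at = None
        if self.licensed_since is None:
            self.licensed_since = t
        elif t - self.licensed_since >= GRACE_AFTER_MIN:
            self.grace_available = True   # assumption: the grant arrives with a token

    def _go_unlicensed(self) -> None:
        self.lease_expires_at = None
        self.licensed_since = None
        self.grace_available = False
        self.grace_expires_at = None

    def tick(self, t: int, server_reachable: bool) -> bool:
        """Advance to minute t; return whether the product license is active."""
        if self._should_request(t):
            self.last_attempt = t
            if server_reachable:
                self._on_token_granted(t)
        lapsed = self.lease_expires_at is not None and t >= self.lease_expires_at
        if lapsed and self.grace_expires_at is None:
            if self.grace_available:
                grace = EXTENDED_GRACE_MIN if self.network_down_confirmed else GRACE_MIN
                self.grace_expires_at = self.lease_expires_at + grace
            else:
                self._go_unlicensed()     # no grace yet: detection is disabled
        if self.grace_expires_at is not None and t >= self.grace_expires_at:
            self._go_unlicensed()         # grace exhausted without a new token
        return self.license_active(t)


def simulate(minutes: int, outage: Optional[Tuple[int, int]] = None,
             network_down_confirmed: bool = False) -> List[bool]:
    """Run the model; the token server is unreachable for outage[0] <= t < outage[1]."""
    client = LicenseTokenClient(network_down_confirmed)
    states = []
    for t in range(minutes):
        reachable = not (outage is not None and outage[0] <= t < outage[1])
        states.append(client.tick(t, reachable))
    return states


def first_inactive_minute(states: List[bool]) -> Optional[int]:
    """Minute at which malware detection would first be disabled, or None."""
    for t, active in enumerate(states):
        if not active:
            return t
    return None


if __name__ == "__main__":
    # Constructed scenarios: an outage one hour after first activation (no grace
    # earned yet) and one after the appliance has been licensed long enough for grace.
    print("early outage:", first_inactive_minute(simulate(200, outage=(30, 100))))
    print("later outage:", first_inactive_minute(simulate(800, outage=(240, 800))))
```

The early outage disables detection as soon as the first lease lapses, while an appliance that has earned its grace period stays licensed for six hours of retries (three days if Trellix has confirmed the network outage).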

Trellix takes the following measures to guard against accidental or malicious abuse of the product license.

• Hourly validation. Authentication and authorization take place every hour, because each token request must be
validated against the virtual appliance's DTI credentials.
• Duplicate detection. The token server detects duplicate virtual appliances based on the appliance ID in the activation
code, the universal unique identifier (UUID) of the virtual appliance, and the last license token renewal request that was
presented to the server. A brief period of overlap is allowed to support a legitimate migration of the virtual appliance to
another ESXi server, or a database backup and restore operation.
• Time service. The token server provides a time service to prevent appliance clock manipulation.

SNMP and email event notifications warn you if the product license becomes inactive, if the token server cannot be reached, or if
a duplicate virtual appliance is detected. The identity of the duplicate appliance is kept confidential for security.
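To make the timing described above concrete, the following added example (not Trellix code) models an appliance minute by minute using the figures from this section: a 60-minute lease, a 15-minute renewal lead time, a 1-minute retry interval, and a 6-hour grace budget granted after 3 hours of continuous licensing. Two details the text does not spell out are assumptions: the grace budget is (re)granted on every successful renewal once the three-hour threshold has been met, and grace time does not count toward continuous licensing. The outage windows in the scenarios are constructed.

```python
"""Minute-by-minute model of the license-token lease and grace-period
behaviour described above.  Added illustration, not Trellix code: the timing
constants come from the guide, the rule for refilling the grace budget does
not (see the assumption in step()).
"""
from dataclasses import dataclass

LEASE_MIN = 60             # lease duration
LEAD_TIME_MIN = 15         # renewal lead time, 25 % of the lease
RETRY_MIN = 1              # retry interval after a failed renewal = model tick
GRACE_THRESHOLD_MIN = 180  # continuous licensing needed before grace is granted
GRACE_MIN = 360            # grace budget granted (six hours)


@dataclass
class Appliance:
    lease_remaining: int = 0    # minutes left on the active token's lease
    licensed_minutes: int = 0   # minutes continuously licensed so far
    grace_available: int = 0    # grace budget the token server has granted
    grace_active: bool = False  # True while the grace budget is being consumed
    license_active: bool = False


def step(a: Appliance, server_reachable: bool) -> None:
    """Advance the model by one minute with the given token-server reachability."""
    # A renewal is requested once the lease is inside the lead-time window and,
    # after a failure, retried every minute; this also covers the expired and
    # grace states, where the appliance keeps requesting a new token.
    if a.lease_remaining <= LEAD_TIME_MIN and server_reachable:
        a.lease_remaining = LEASE_MIN
        # Assumption: the six-hour budget is (re)granted on every successful
        # renewal once the appliance has been licensed for three hours.
        if a.licensed_minutes >= GRACE_THRESHOLD_MIN:
            a.grace_available = GRACE_MIN

    if a.lease_remaining > 0:             # normal operation under a valid lease
        a.lease_remaining -= RETRY_MIN
        a.licensed_minutes += RETRY_MIN
        a.grace_active = False
        a.license_active = True
    elif a.grace_available > 0:           # lease expired, grace keeps the license up
        a.grace_available -= RETRY_MIN
        a.grace_active = True
        a.license_active = True
    else:                                 # no lease, no grace: license inactive
        a.grace_active = False
        a.license_active = False
        a.licensed_minutes = 0            # continuity lost, grace must be re-earned


def simulate(outage_start: int, outage_end: int, total_minutes: int) -> dict:
    """Run the model with the token server unreachable for [outage_start, outage_end)."""
    a = Appliance()
    inactive = grace = 0
    first_inactive = None
    for t in range(0, total_minutes, RETRY_MIN):
        step(a, not (outage_start <= t < outage_end))
        if not a.license_active:
            inactive += RETRY_MIN
            if first_inactive is None:
                first_inactive = t
        elif a.grace_active:
            grace += RETRY_MIN
    return {"inactive_minutes": inactive, "grace_minutes": grace,
            "first_inactive_minute": first_inactive}


if __name__ == "__main__":
    # 100-minute outage starting 100 minutes after activation: no grace has
    # been granted yet, so the license drops when the lease runs out.
    print(simulate(100, 200, 600))
    # The same outage after five hours of licensing: grace absorbs it entirely.
    print(simulate(300, 400, 600))
    # An outage longer than the grace budget: the license drops after six hours.
    print(simulate(300, 800, 900))
```

The useful takeaway for capacity planning is the difference between the first two scenarios: a freshly activated appliance tolerates an outage only as long as its remaining lease, while one that has been licensed for over three hours survives up to six hours without the token server. The model does not cover the three-day extension, which depends on a determination made by Trellix rather than on the appliance.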

Prerequisites

• Monitor, Operator, or Admin access to view licensing information

Viewing virtual appliance license status using the CLI

Use the commands in this section to view current token status and configuration information.

To view license token status:

1. Log in to the virtual appliance.

2. Enter enable mode:

hostname > enable

3. View the status:

hostname # show licenses tokens

To view license token configuration:

1. Log in to the virtual appliance.

2. Enter enable mode:

hostname > enable

3. View the configuration:

hostname # show licenses tokens configured

Examples

The following example shows license token configuration information for the vNX-04 virtual sensor.

vNX-04 # show licenses tokens configured

License token configuration:
Query Enabled: yes
Query lead time: 25% (15 min)
Query Retry interval: 1 min

The following example shows the current status of license tokens on the vNX-04 virtual sensor.

vNX-04 # show licenses tokens

Token Summary :
Token Active : yes
Token Required : yes

Token Lease :
Lease Active: yes
Lease Time Remaining : 12 min

Token Grace Period :
Grace Period Active : no
Grace Period Available : yes
Grace Period Remaining : 360 min

Token Server Current Time : 2019/07/25 14:49:21

Token Details :

Next Token :
Sequence Number : 186
Lease Duration : 60 min
Timestamp : 2019/07/25 14:47:21

Active Token :
Sequence Number : 185
Lease Duration : 60 min
Timestamp : 2019/07/25 14:01:21

Previous Token :
Sequence Number : 184
Lease Duration : 60 min
Timestamp : 2019/07/25 13:15:21

Output Fields

The following table describes the show licenses tokens configured command output fields.

Field                  Description
Query Enabled          Whether the virtual appliance is enabled to request license token renewals.
Query Lead time        The percentage of the lease duration before the active lease expires at which the virtual appliance should request license token renewal. This value is 25 percent of the lease duration (15 minutes).
Query Retry interval   How soon the license token renewal is tried again after an unsuccessful attempt. This value is one minute.

The following table describes the show licenses tokens command output fields. The output fields and values depend on the
current license token status. For example, when a token has not been obtained yet, the Next Token field is (not fetched).

Field                       Description
Token Active                Whether the current token is active.
Token Required              Whether a token is required to keep the product license active.
Token Lease
  Lease Active              Whether the lease on the current token is active.
  Lease Time Remaining      Number of minutes before the lease expires.
Token Grace Period
  Grace Period Active       Whether the virtual appliance is currently using grace time because its license token expired.
  Grace Period Available    Whether the appliance has available grace time to use if necessary.
  Grace Period Remaining    The number of minutes remaining in the grace period. The maximum is 360 minutes (six hours).
Token Server Current Time   Current date and time of the token server.
Next Token
  Sequence Number           Number identifying the next token on the token server.
  Lease Duration            Number of minutes the next token will last.
  Timestamp                 Date and time the next token was obtained.
Active Token
  Sequence Number           Number identifying the license token that is currently in use.
  Lease Duration            Number of minutes the lease on the token will last.
  Timestamp                 Date and time the current token was obtained.
Previous Token
  Sequence Number           Number identifying the last token that was used.
  Lease Duration            Number of minutes the lease on the token lasted.
  Timestamp                 Date and time the previous token was obtained.

Viewing system entropy status

Unpredictability (randomness) plays a critical role in securing connections between entities, and entropy is the source of that
randomness. As a rule, the more randomness an entity has available, the more secure its connections are. A lack of entropy can
have a negative impact on both security and performance.

Trellix devices must have adequate entropy to generate keys for secure SSL and SSH communication. Physical Trellix appliances
have a built-in source of high-quality entropy. Virtual appliances do not have a built-in source, so they continually obtain entropy
information from a centralized, upstream DTI entropy server.

Prerequisites

• Monitor, Operator, or Admin access

Viewing system entropy status using the CLI

Use the commands in this section to view the current status of system entropy.

To view the status of system entropy:

1. Log in to the virtual appliance CLI.

2. View the status:

hostname > show system entropy

Example

The following example shows the status of system entropy on a virtual sensor.

vNX-03 > show system entropy

Entropy bootstrap complete: yes
Entropy bits available: 983
Entropy refresh interval: 900
Entropy last fetch status: success
Entropy last fetch success time: 2019/08/23 06:46:47


Output Fields

Field                             Description
Entropy bootstrap complete        Whether the system got sufficient initial entropy to generate keys for secure SSL and SSH communication.
Entropy bits available            The number of random bits that are currently available for applications that need random numbers.
Entropy refresh interval          The interval at which the virtual appliance requests entropy (every 900 seconds, or 15 minutes).
Entropy last fetch status         The status of the last entropy request.
Entropy last fetch success time   The date and time the last entropy request succeeded.

9| Technical Support

Technical Support
For technical support, contact FireEye through the Support portal:

https://www.trellix.com/en-us/support.html

Documentation

Documentation for all FireEye products is available on the FireEye Documentation Portal (login required):

https://docs.fireeye.com/

Trellix | 601 McCarthy Blvd. | Milpitas, CA | 1.408.321.6300 | 1.877.347.3393 | www.fireeye.com/company/contact-us.html

© FireEye Security Holdings US. LLC. All rights reserved. Trellix is a registered trademark of Trellix.
All other brands, products, or service names are or may be trademarks or service marks of their respective owners.



COPYRIGHT
Copyright © 2024 Musarubra US LLC.

Trellix and FireEye are the trademarks or registered trademarks of Musarubra US LLC, FireEye Security Holdings US LLC, and their affiliates in the
US and/or other countries. Other names and brands are the property of these companies or may be claimed as the property of others.
