endpoint_security_(hx)_virtual_server_10_x_deployment_guide_2025-05-12-05-08-54

The Endpoint Security (HX) Virtual Server 10.x Deployment Guide provides comprehensive instructions for planning, deploying, and configuring virtual servers. It covers system requirements, deployment steps for VMware ESXi and Microsoft Hyper-V, and configuration details including license management and server address list setup. The guide is essential for ensuring proper installation and operation of the Endpoint Security server in a virtual environment.


Endpoint Security (HX) Virtual Server 10.x Deployment Guide

Virtual Servers
Contents

Planning (p. 6)
  About the Endpoint Security (HX) server (p. 6)
    Server roles and order (p. 6)
    Appliance addressing (p. 7)
  System requirements (p. 9)
    Supported appliance models (p. 9)
    Virtual cloud server features (p. 11)
    Virtual appliance requirements (p. 11)
    VMware limitations (p. 12)
    Network requirements (p. 12)
    Software requirements (p. 14)
    xAgent and server compatibility (p. 14)
    Licensing requirements (p. 15)
Virtual Server Deployment (p. 18)
  Virtual server overview (p. 18)
  Virtual server deployment steps (p. 19)
  Installing a virtual server using VMware ESXi (p. 22)
  Installing a virtual server using Microsoft Hyper-V (p. 23)
  Initial configuration of virtual servers (p. 24)
    Specifying initial settings using the VMware ESXi Properties screen (p. 26)
    Initial configuration using the VMware ESXi server console (p. 27)
    Specifying initial settings using the Windows Hyper-V set_keys.ps1 PowerShell script (p. 28)
    Initial configuration using the Windows Hyper-V server console (p. 30)
    Configuration wizard steps (p. 31)
Configuration (p. 34)
  The Endpoint Security (HX) server Web UI (p. 34)
  License keys (p. 36)
    About license keys (p. 36)
    Automatic license updates (p. 37)
      Enabling automatic license updates (p. 38)
      Enabling automatic license updates using the CLI (p. 39)
      Forcing license updates (p. 40)
    Manual license installation (p. 41)
      Installing licenses using the Web UI (p. 42)
      Installing licenses using the CLI (p. 43)
      Removing licenses using the Web UI (p. 45)
      Removing licenses using the CLI (p. 45)
    Viewing license notifications using the Web UI (p. 47)
  Validating DTI access (p. 48)
    Validating DTI access using the Web UI (p. 48)
    Validating DTI access using the CLI (p. 48)
  Attaching and detaching DMZ servers (p. 50)
    Server boot order (p. 52)
    Endpoint Security (HX) server cluster IP address change guidelines (p. 52)
  Configuring the server address list (p. 53)
    Adding a server to the server address list (p. 54)
      Adding a server to the server address list using the Web UI (p. 54)
    Removing a server from the server address list (p. 54)
      Removing a server from the server address list using the Web UI (p. 54)
  Setting up provisioning (p. 55)
    Enabling servers for provisioning (p. 55)
    Designating provisioning servers (p. 56)
      Designating the Endpoint Security (HX) server as a provisioning server using the Web UI (p. 56)
      Designating and enabling a DMZ server as a provisioning server (p. 57)
      Designating provisioning servers using a split DNS in the Web UI (p. 58)
    Canceling provisioning servers (p. 59)
      Canceling the primary server as a provisioning server using the Web UI (p. 59)
      Canceling a DMZ server as a provisioning server using the Web UI (p. 59)
Integration (p. 61)
  How Trellix appliance alerts become Endpoint Security (HX) alerts and Central Management System badges (p. 61)
  Integrating Central Management System appliances and Endpoint Security (HX) servers (p. 62)
  Replacing integrated Central Management System appliances and Endpoint Security (HX) servers (p. 66)
  Integrating Network Security appliances and Endpoint Security (HX) servers directly (p. 70)
  SNMP data (p. 71)
    Retrieving SNMP data (p. 71)
      Providing access to SNMP data (p. 72)
      Downloading the MIB (p. 72)
      Retrieving SNMP data using event OIDs (p. 74)
      Sending requests for SNMP information (p. 75)
    Sending traps (p. 75)
  Forwarding CEF logs to Helix and SIEM solutions (p. 77)
    Configuring CEF logging for endpoint events (p. 78)
    SIEM example: Setting up an integration connector with ArcSight (p. 82)
Appendices (p. 86)
  Enabling and disabling Endpoint Security (HX) quiesce mode (p. 86)
    Enabling quiesce mode (p. 86)
    Disabling quiesce mode (p. 87)
    Reviewing quiesce mode status (p. 87)
  Managing Endpoint Security (HX) PKI certificates (p. 88)
    Reviewing certificates and settings (p. 89)
    Exporting certificates (p. 90)
    Importing certificates (p. 90)
    Regenerating certificates (p. 91)
    Setting the PKI certificate prefix (p. 92)
    Setting agent certificate authority duration (p. 92)
    Setting agent certificate length (p. 93)
    Setting agent certificate duration (p. 93)
    Setting certificate authority duration (p. 94)
    Setting certificate length (p. 94)
    Setting certificate duration (p. 95)
    Setting CRL duration (p. 95)
    Importing a CRL (p. 96)
    Regenerating the CRL (p. 96)
    Regenerating the subordinate PKI (p. 97)
    Enabling the provisioning certificate (p. 98)
    Disabling the provisioning certificate (p. 98)


1| Planning

Planning
• About the Endpoint Security (HX) server
• System Requirements

About the Endpoint Security (HX) server


Adaptive security requires monitoring of all threat vectors, including fast, accurate assessments of potential cyber attacks tracked
to endpoint activity. The Trellix Endpoint Security (HX) product allows you to detect, analyze, and respond to targeted cyber
attacks and zero-day exploits on the endpoint.

Note

In this guide, you will see the Endpoint Security (HX) server and DMZ server referred to as an Endpoint Security (HX) appliance
or HXD appliance, respectively. These terms refer to the same products.

Using Endpoint Security (HX) servers, you can continuously monitor endpoints for advanced malware and indicators of
compromise (IOCs) that routinely bypass signature-based and defense-in-depth security systems. The Endpoint Security (HX)
servers and DMZ servers allow you to:

• Search for advanced attackers and advanced persistent threats (APTs)
• Investigate alerts from network devices, automatically creating IOCs and alerting users
• Extend Trellix detection services seamlessly to your endpoints
• Use Agent Anywhere technology to analyze remote endpoints outside the corporate network, regardless of their Internet
connection type
• Acquire files, data, and triage collections from endpoints and analyze these collections
• Confirm whether alerts seen on the network actually compromise endpoints
• Contain endpoints, isolating devices when they become compromised

This chapter covers the following topics:

• Server roles and order
• Appliance addressing

Server roles and order

Endpoint Security (HX) software can be deployed on the following appliance forms:

• on-premises (physical) appliances
• virtual servers (VMware ESXi or Windows Hyper-V)
• cloud servers

6 Endpoint Security (HX) Virtual Server 10.x Deployment Guide



You can optionally install DMZ servers and connect them to a single Endpoint Security (HX) server. DMZ servers are installed
in public or Internet-facing network locations and are used to maintain connectivity with externally connected host endpoints.
Installation and setup steps for DMZ servers are the same as for an Endpoint Security (HX) server. Requests from agents to a
DMZ server are proxied to the Endpoint Security (HX) server.

Note

A single Endpoint Security (HX) ecosystem, which includes the Endpoint Security (HX) server and its attached DMZ servers,
can support up to 100,000 agents.
Your Endpoint Security (HX) (and DMZ) servers must run the same version of Endpoint Security (HX) software. If they use
different versions, communication between them will fail.

In each Endpoint Security (HX) ecosystem, provisioning and primary servers must be identified. Provisioning servers are the
servers to which Trellix xAgent connects to provision and establish their cryptographic agent identity. Trellix xAgents with version
numbers less than 20 can only provision against the primary server. xAgents with version numbers of 20 or later can provision
against multiple servers, including a DMZ server.

Important

You must identify the servers that will be your provisioning servers before you download and deploy the Trellix xAgent
installation software to your host endpoints. When agent installation software is downloaded, the IP addresses or DNS names
of the provisioning Endpoint Security (HX) servers are identified in the agent download package.

The Central Management System platform can be used to upgrade and manage Endpoint Security (HX) (and DMZ) servers.

Appliance addressing

Your enterprise can use IP addresses or domain names (DNS) when configuring hostnames for agent communications with
Endpoint Security (HX) servers.

• Configure a single DNS address that resolves to the Endpoint Security (HX) server and DMZ server (also known as
a split DNS). This option is the most flexible arrangement. It allows you to move and renumber appliances without
reconfiguring agents and eliminates unnecessary agent connection attempts to unreachable appliances. However, this
solution requires a more complex DNS configuration. It may be challenging to execute consistently in large networks. See
also Designating provisioning appliances using a split DNS.
• Configure a unique DNS address for each Endpoint Security (HX) server and DMZ server. This option allows you
to move or renumber appliances without reconfiguring agents. However, this option requires consistent internal DNS
resolution of the appliance name and may cause extra connection attempts by external endpoints to internal appliances
that they cannot reach.
• Configure a unique IP address for each Endpoint Security (HX) server and DMZ server. This option provides the most
reliable connections from endpoints and does not require consistent internal DNS configuration throughout a large
enterprise. However, this option is the least flexible option. If you move or renumber appliances, you may have to
reinstall agents.

Important

You must decide which appliances will be your provisioning appliances before you download the installation software for
your agents. When agent installation software is downloaded, the IP addresses or DNS names of the provisioning Endpoint
Security (HX) servers are identified in the agent download package. See Designating provisioning appliances.



2| System requirements

System requirements
Before you deploy an Endpoint Security (HX) server, make sure the following requirements are met.

Note

This guide does not provide information about appliance throughput, performance, or capacity. For information on this, see
your Trellix representative.

Supported appliance models


You can use the following server appliance models with Endpoint Security (HX) software. The "Maximum Number of Endpoints"
column lists the maximum number of endpoints that can be supported by the server appliance model.

| Model Number | Type | Supported Endpoint Security (HX) Software Versions | Maximum Number of Endpoints |
|---|---|---|---|
| HX 4000, HX 4000D (DMZ) | On-premises (hardware) HX and HXD appliances | 3.2 and later | 100,000 endpoints |
| HX 4400, HX 4400D (DMZ) | On-premises HXD appliance | 3.2 and later | 100,000 endpoints |
| HX 4402 | On-premises HX appliance | 3.2 and later | 100,000 endpoints |
| HX 4500DV (DMZ) | Virtual HXD (DMZ) server | 4.0 and later | 100,000 endpoints |
| HX 4502, HX4502D (DMZ) | On-premises HX server | 4.0 and later | 100,000 endpoints |
| HX 4502V | Virtual or cloud HX server | 4.0 and later | 100,000 endpoints |
| HX 4600, HX 4600D (DMZ) | On-premises HXD appliance | 5.3 and later | 100,000 endpoints |
| HX 2500DV (DMZ) | Virtual DMZ server | 3.5 and later | 15,000 endpoints |
| HX 2502V | Virtual or cloud Endpoint Security server | 3.5 and later | 15,000 endpoints |

Cloud Endpoint Security (HX) server models are initially deployed by Trellix. Thereafter, you are responsible for maintaining them.
Cloud servers can be maintained in the same manner as other Endpoint Security (HX) servers.

Cloud Endpoint Security (HX) servers have better performance than physical, on-premises, Endpoint Security (HX) servers due
to their storage configurations, which are based on SSD volumes that are designed to deliver guaranteed performance. Virtual
Endpoint Security (HX) server performance will vary depending on the hardware resources you have selected for the appliance.

Virtual servers can be either VMware ESXi or Windows Hyper-V servers. Hyper-V is only supported for the HX 2502V, HX 4502V,
2500DV, and 4500DV server models.

Limitations for Hyper-V server support

For virtual Endpoint Security (HX) servers running version 4.0.2 and higher, you must use Hyper-V Server version 2016. If you
are using Endpoint Security (HX) Server version 4.9.0 or higher, you can use Hyper-V Server version 2019. The following Hyper-V
Server workflows are not supported:

• Modified virtual machine (VM) configuration that changes the number of CPUs, amount of memory, number of NICs, or
hard drive size.
• Hyper-V cluster storage mode is not supported for use with virtual Endpoint Security (HX) instances.
• Use of checkpoints
• Replication of the VM
• Dynamic Memory[1]


[1] Trellix recommends that you convert dynamic disks to fixed disks to prevent the host machine from running low on disk space.
If the host machine runs low on disk space, Hyper-V may pause all of the VMs.

Virtual cloud server features

Endpoint Security (HX) virtual cloud appliance models must meet the following specifications when they are deployed for you.

| Model | Type | CPU Cores | Memory | Disk Space | Virtual NICs |
|---|---|---|---|---|---|
| HX 2502DV | DMZ, AWS-EC2 | 4 | 16 GB | 512 GB | 2 vmxnet 3 interfaces |
| HX 2502V | Regular | 4 | 16 GB | 1200 GB | 2 vmxnet 3 interfaces |
| HX 4502DV | DMZ, AWS-EC2 | 8 | 64 GB | 1200 GB | 2 vmxnet 3 interfaces |
| HX 4502V | Regular, AWS-EC2 | 8 | 64 GB | 3600 GB | 2 vmxnet 3 interfaces |
| HX 4600DV | DMZ | 8 | 64 GB | 5000 GB | 2 vmxnet 3 interfaces |
| HX 4600V | Regular | 8 | 64 GB | 5000 GB | 2 vmxnet 3 interfaces |

You can also host an Endpoint Security (HX) instance in your AWS account. For details, see AWS.

Virtual appliance requirements


HX appliances can be deployed on VMware ESXi servers or on Windows Hyper-V servers.

VMware ESXi requirements

To use VMware ESXi for an Endpoint Security (HX) virtual deployment, the following VMware resources are required:

• VMware ESXi host version 6.0 or later. Earlier ESXi versions are not supported.
• VMware vSphere Client
• VMware vCenter Server (recommended). When you use vSphere Client to add your virtual appliances to vCenter Server,
the Deploy OVF Template wizard provides an easy way to enter your activation code. Otherwise, you must type it in the
virtual appliance console, because you cannot paste into this console.
• VMXNET 3 network drivers
• Link aggregation enabled on ESXi host
• Standard virtual switch created for the monitoring ports of the virtual appliances, and attached to a physical network
adapter on the ESXi server.

Windows Hyper-V requirements

To use Windows Hyper-V for Endpoint Security (HX) virtual deployments, the following Windows Hyper-V resources are required:

• Windows Server 2016 Standard or Windows Server 2019 Standard
• VMMS (Virtual Machine Management Service)/Hyper-V Manager version 10.0.14393 or later. Endpoint Security (HX)
server version 4.9 supports Hyper-V Manager 2019 (version 10.0.17763.1).
• Standard virtual switch, connected to an external network and shared by the operating system

VMware limitations
The following VMware features are not supported:

• Virtual SMP
• Update Manager
• Data Protection
• High Availability (HA)
• Storage APIs for Data Protection
• Memory hot add
• Endpoint
• Replication
• Fault Tolerance
• Virtual Volumes
• Offline operational mode

Network requirements
Connectivity with Trellix's Dynamic Threat Intelligence (DTI) network (one-way or two-way sharing) is required.

HX appliances can download software updates (security content and system images) from the Trellix Dynamic Threat Intelligence
(DTI) network. With a two-way content license, the appliance can also upload threat intelligence information to the DTI network.
By default, Central Management System-managed appliances receive software updates from the DTI network through the
Central Management System appliance.


Standalone Endpoint Security (HX) appliances that receive DTI updates

The Central Management System appliance and standalone (not managed by Central Management System) appliances use the
ether1 port to communicate directly with the DTI network. In the default configuration, where you receive updates from the DTI
network (cloud.fireeye.com), allow outbound access to all IP addresses on the following ports:

• DNS (UDP/53)
• HTTPS (TCP/443)
Management interface ether1 requires a static IP address or reserved DHCP address and subnet mask.

Environments that restrict outbound access to certain IP addresses

If your security policy requires that you restrict outbound access to certain IP addresses, you cannot use the DTI network.
Instead, point to staticcloud.fireeye.com for DTI updates, and allow access to the *incapdns.net domain.

To configure and access staticcloud.fireeye.com:

1. Enable CLI configuration mode.

   hostname > enable
   hostname # configure terminal

2. Enter the following command from the appliance CLI:

   hostname (config) # fenet dti source default DTI

3. Save your configuration.

   hostname (config) # write mem

4. Add the following block of IP addresses to the firewall:

   • 199.16.196.0/22

To allow access to *incapdns.net:

1. Add the block of IP addresses found at https://incapsula.zendesk.com/hc/en-us/articles/200627570-Restricting-direct-access-to-your-website-Incapsula-s-IP-addresses- to the firewall.
2. Allow access to the *.incapdns.net domain at the proxy device.

Domain-based proxy ACL rules

If your configuration includes domain-based proxy ACL rules, allow access to *.fireeye.com.


Trellix Endpoint Security (HX) malware definitions

The malware protection provided with Endpoint Security (HX) Series 4.0 and xAgent 26.21 (and later versions) uses malware
definitions to detect and identify files infected by malware. These malware definitions are downloaded from avupdate.fireeye.com
by Trellix's Dynamic Threat Intelligence (DTI) cloud and by the Endpoint Security (HX) server. If your security policy uses a
firewall to restrict access to certain IP and web addresses, you need to configure your firewall rules to allow access to
avupdate.fireeye.com. The IP addresses associated with avupdate.fireeye.com vary based on your environment. The following are
some possible solutions.

• Use DNS names instead of IP addresses in the firewall rules. The firewall rules will be automatically applied to the correct
IP addresses as appropriate for avupdate.fireeye.com.
• Do a DNS reverse lookup to identify the IP addresses used by avupdate.fireeye.com in your environment and then use
those IP addresses in the firewall rules.
• Use a caching proxy server to obtain the malware definition updates from avupdate.fireeye.com. Be sure your firewall
rules allow access to *.fireeye.com.

Note

Trellix Endpoint Security (HX) uses HTTP over port 80 to deliver antivirus (AV) content. This allows you to use a caching proxy
to distribute the contents of your download across your endpoints. The manifest for the content is signed with a 2048-bit RSA
private key to prevent tampering. If the content is altered, validation of the content on the endpoint agent will fail and the
content is discarded.
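The validation flow the Note describes (a signed manifest, with altered content failing validation and being discarded), worked as an added example that is not Trellix or HX code. The manifest layout (a JSON document listing file names and SHA-256 digests), the stdlib-only RSA implementation, the 512-bit key size chosen for speed, and the sample files are all assumptions of this example; the page states only that the real manifest is signed with a 2048-bit RSA key.

```python
"""Added example, not Trellix/HX code: verify a signed content manifest before
accepting an AV-content download. Manifest layout, toy RSA and sample files are
constructed for this illustration; the real HX manifest format is not on this page."""
import base64
import hashlib
import hmac
import json
import random

# ---- toy RSA, stdlib only (use a vetted library such as 'cryptography' in real code) ----

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin test with a fixed witness seed so the example is reproducible."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(0xC0FFEE)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair(bits=512, seed=42):
    """Return ((n, e), (n, d)). A 512-bit modulus keeps the example fast; the page
    states the real manifest key is 2048-bit RSA."""
    rng = random.Random(seed)
    e = 65537
    def prime(k):
        while True:
            c = rng.getrandbits(k) | (1 << (k - 1)) | 1  # k-bit odd candidate
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _canonical(manifest):
    """Stable byte encoding so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # 256 bits, below n

def sign_manifest(manifest, private_key):
    """Publisher side: RSA signature over the SHA-256 of the canonical manifest."""
    n, d = private_key
    sig = pow(_digest_int(_canonical(manifest)), d, n)
    return base64.b64encode(sig.to_bytes((n.bit_length() + 7) // 8, "big")).decode()

def verify_manifest(manifest, sig_b64, public_key):
    """Endpoint side: True only if the signature matches this exact manifest."""
    n, e = public_key
    try:
        sig = int.from_bytes(base64.b64decode(sig_b64, validate=True), "big")
    except ValueError:
        return False
    if not 0 < sig < n:
        return False
    return pow(sig, e, n) == _digest_int(_canonical(manifest))

def validate_content(manifest, sig_b64, files, public_key):
    """Return (accepted, reason). Any failure means the whole download is discarded."""
    if not verify_manifest(manifest, sig_b64, public_key):
        return False, "manifest signature invalid; content discarded"
    for name, expected in manifest["files"].items():
        data = files.get(name)
        if data is None:
            return False, f"missing file {name}; content discarded"
        if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected):
            return False, f"digest mismatch for {name}; content discarded"
    extra = sorted(set(files) - set(manifest["files"]))
    if extra:
        return False, f"files not listed in manifest {extra}; content discarded"
    return True, "ok"

def build_sample_content():
    """Constructed sample: two definition files and the manifest that lists them."""
    files = {"definitions.dat": b"constructed definition blob v1",
             "engine.bin": b"constructed engine blob"}
    manifest = {"version": "2025.05.12-sample",
                "files": {k: hashlib.sha256(v).hexdigest() for k, v in files.items()}}
    return manifest, files

if __name__ == "__main__":
    pub, priv = generate_keypair()
    manifest, files = build_sample_content()
    sig = sign_manifest(manifest, priv)
    print(validate_content(manifest, sig, files, pub))
    files["definitions.dat"] += b" (altered in transit)"
    print(validate_content(manifest, sig, files, pub))
```

The check is deliberately all-or-nothing: a bad signature, a missing or altered file, or a file that is not listed in the manifest each discards the download, which matches the behaviour the Note attributes to the agent. Because the transport is plain HTTP on port 80, this endpoint-side validation (not the caching proxy) is what provides integrity.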

Software requirements

• Endpoint Security (HX) software version supported by the server type. See Supported appliance models.
• Central Management System version 8.0.1 or later.
• Trellix xAgent supported by the Endpoint Security (HX) software version. See Endpoint Security xAgent and server
compatibility.

xAgent and server compatibility


Some Endpoint Security (HX) server features require specific minimum versions of the Trellix xAgent. These minimum versions
are described in the documentation for each feature in the Endpoint Security Agent (HX) Administration Guide and in the Endpoint
Security (HX) Server User Guide.

Agents can provision with on-premises, virtual, or cloud Endpoint Security (HX) servers.

The following compatibility table shows the minimum versions of xAgent required by Endpoint Security (HX) server to obtain full
product functionality. It also identifies, at a high level, the operating system environments supported.


Operating system environments

Endpoint Security (HX) version   xAgent version   Windows   macOS   Linux
10.x.x                           35.x or later    Yes       Yes     Yes

Note

Trellix recommends that you upgrade and deploy your Endpoint Security (HX) server software before you upgrade and deploy
your xAgent software.

Licensing requirements

The following table shows the licenses that can be installed for Endpoint Security (HX) servers. For each license, "Server form
factors" (1) lists the form factors it applies to, and "Required?" (2) states whether it is required on an Endpoint Security (HX)
server and on a DMZ server.

FIREEYE_APPLIANCE
  Description: Required to register your server and use the product features.
  Server form factors (1): All
  Required? (2): Server: Yes. DMZ server: Yes.

FIREEYE_SUPPORT
  Description: Allows your system to receive software image updates.
  Server form factors (1): All
  Required? (2): Server: Yes. DMZ server: Yes.

CONTENT_UPDATES
  Description: Allows your system to access the Dynamic Threat Intelligence (DTI) network.
  Server form factors (1): All
  Required? (2): Server: Yes. DMZ server: No.

HX_ADVANCED
  Description: Provides access to Endpoint Security (HX) exhaustive Enterprise Search requests, data acquisition requests, and
  bulk acquisition endpoint requests via the API. This license is optional. Without it, you have no access to the features listed
  above. Your DMZ servers do not need an HX_ADVANCED license if the Endpoint Security (HX) server associated with the DMZ server
  already has one.
  Server form factors (1): All
  Required? (2): Server: No. DMZ server: No.

MD_ACCESS
  Description: Allows Trellix products to connect to the Managed Defense VPN. Without this license, Managed Defense cannot
  manage the appliance. This license is optional.
  Server form factors (1): All
  Required? (2): Server: No. DMZ server: No.

(1) Server form factors include on-premises, virtual (VMware ESXi and Windows Hyper-V), and cloud Endpoint Security (HX) servers.
(2) Cloud Endpoint Security (HX) servers are DMZ servers.


3| Virtual Server Deployment

Virtual Server Deployment


• Virtual Server Overview
• Virtual Server Deployment Steps
• Installing a Virtual Server using VMware ESXi
• Installing a Virtual Server using Microsoft Hyper-V
• Initial Configuration of Virtual Servers

Virtual server overview


A virtual Endpoint Security (HX) server is a virtual instance of the Endpoint Security (HX) system image.

Caution

VMware ESXi host version 6.0 or later or Windows Hyper-V version 10.0.14393 or later is required. Earlier versions are not
supported, and virtual servers installed using those versions will not function properly. If you are using Endpoint Security (HX)
server version 4.9, then you can use Hyper-V 2019 (version 10.0.17763.1).

Note

This document assumes familiarity with deploying virtual machines and administering VMware ESXi hosts or Windows
Hyper-V hypervisors. This document provides the basic steps for creating and deploying Trellix virtual appliances. For
comprehensive information about deploying virtual machines, see the documentation provided by VMware, Inc. and
Microsoft.

Endpoint Security (HX), cloud Endpoint Security (HX), and virtual Endpoint Security (HX) (models HX4500DV and HX4502)
appliances are rated up to 100,000 agents. Cloud Endpoint Security (HX) servers have better performance than on-premises
Endpoint Security (HX) appliances due to their storage configurations, which are based on SSD volumes that are designed
to deliver guaranteed performance. Virtual Endpoint Security (HX) server performance will vary depending on the hardware
resources you have selected for the server.

For information on deploying a virtual server, see Virtual Server Deployment Steps.

Prerequisites

• Deployment of an Endpoint Security (HX) server using a Windows Hyper-V hypervisor is supported for Endpoint Security
(HX) 4.0.2 and later versions. If you are using Endpoint Security (HX) server version 4.9, then you can use Hyper-V 2019
(version 10.0.17763.1). Deployment of an Endpoint Security (HX) server using a VMware ESXi server is supported for
Endpoint Security (HX) 3.5 and later versions.
• Root user account on a VMware ESXi server or a Windows Hyper-V hypervisor
• Familiarity with deploying virtual machines and administering VMware ESXi hosts or Windows Hyper-V hypervisors
• Requirements in Virtual Server Requirements

Virtual server deployment steps


Deploy a virtual server by completing the following steps. Each task is followed by its instructions.

1. Verify that your environment meets the necessary requirements.
   See System Requirements.

2. Gather license information from Trellix.
   Get license keys from Trellix if the license update service is not enabled. See About License Keys.

3. Gather virtual server information from Trellix.
   Contact Trellix to obtain:
   • The activation code that gives the virtual server a unique identity (its appliance ID), activates the product license,
     provides access to the license token server and to the DTI network, protects the server from fraudulent use, and allows
     the server to initialize.
   • The ZIP file, downloaded from Trellix's Dynamic Threat Intelligence (DTI) network, that contains either a single OVA file
     (for VMware ESXi) or multiple files including a VHDX file (for Microsoft's Hyper-V).

4. Deploy your Endpoint Security (HX) virtual server.
   • Create the virtual server, as described in Installing a Virtual Server using VMware ESXi or Installing a Virtual Server
     using Microsoft Hyper-V.
   • Perform the initial configuration, as described in Performing the Initial Configuration for Virtual Servers.

5. Install the required Trellix licenses.
   Install the SUPPORT and other licenses (if the license update feature is disabled). See License Management.
   The license update feature enables your appliance to automatically download and apply licenses to which you are
   contractually entitled. This feature is enabled with the configuration wizard during the initial configuration and is fully
   functional after the configuration wizard is completed.

6. Configure other system administration features such as AAA, SSL certificates, and SNMP data access.
   See the Trellix System Security Guide and the Endpoint Security (HX) System Administration Guide.

7. Verify that the server is connected to Trellix's Dynamic Threat Intelligence (DTI) cloud.
   See Validating DTI Access. If the validation fails, verify that the DTI configuration is set up correctly. See the Endpoint
   Security (HX) System Administration Guide.

8. Attach your DMZ servers to the virtual Endpoint Security (HX) server.
   See Attaching and Detaching DMZ Servers.
   Note: Your Endpoint Security (HX) and DMZ servers must run the same version of Endpoint Security (HX) software. If they use
   different versions, communication between them will fail.

9. Set up the server address list.
   See Configuring the Server Address List.

10. Identify your provisioning servers.
   Agents earlier than version 20 can only provision against a single primary server. Agents version 20 or later can provision
   against multiple servers. A virtual server can be used as a provisioning server. See Understanding Provisioning.
   Note: You must decide which servers (primary or DMZ) will be your provisioning servers before you download the Trellix
   Endpoint Security (HX) agent installation software to your host endpoints. When agent installation software is downloaded,
   the IP addresses or DNS names of the provisioning servers are identified in the agent download package.

11. Obtain the agent installation package.
   If your Endpoint Security (HX) server is connected to DTI, the most recent Windows, macOS and Linux agent images are
   automatically downloaded to the server after the DTI connection is established. If your primary server is not connected to
   DTI or if you need an older agent image than the ones that have been downloaded, you will need to manually download the
   agent image you need.
   Important: If you obtain your agent image manually, it must be uploaded to the server before it can be deployed to your host
   endpoints. This ensures that the correct agent configuration file and agent certificates are included in the agent
   installation package and ensures that proper agent-server communication is established after the installation package is
   deployed on your endpoints.
   See the appropriate version of the Endpoint Security Agent (HX) Deployment Guide.

12. Install the agent software on your host endpoints.
   See the appropriate version of the Endpoint Security Agent (HX) Deployment Guide.
   A single virtual Endpoint Security (HX) ecosystem, which includes the virtual primary server and any attached DMZ servers,
   can support up to 100,000 agents.

13. Optionally, connect your Endpoint Security (HX) server to the Central Management System appliance or to a Network Security
   appliance.
   After you have deployed your Endpoint Security (HX) server and installed the agent software on your endpoints, you can
   integrate the Endpoint Security (HX) server with Central Management System and Network Security appliances. For more
   information, see Integration on page 1. Additional information for managing your Endpoint Security (HX) server through the
   Central Management System appliance is provided in the Endpoint Security (HX) System Administration Guide.

Installing a virtual server using VMware ESXi


This section describes how to install a virtual server using VMware ESXi. Both Endpoint Security (HX) and DMZ servers can be
virtual servers.

Important

This procedure uses VMware ESXi version 6.0.0 (build 3568940) and vSphere Client version 6.0.0 (build 3562874) on VMware
vCenter Server version 6.0.0 (build 3018524). The navigation instructions and user interface may vary based on your version
of these products.


Note

This procedure covers the required settings for a Trellix virtual server. You can accept the default values for the other settings,
or specify values that are appropriate for your setup.

To install a virtual server using VMware ESXi:

1. Log in to vSphere Client.
2. From the File menu, select Deploy OVF Template to start the wizard.
3. On the Source screen, click Browse and navigate to the OVA file containing the Endpoint Security (HX) or Central
Management System Series system image. Then click Next.
4. On the OVF Template Details screen, review the information. If the information is correct, click Next. Otherwise, click Back
and enter the correct URL or path.
5. On the Name and Location screen, enter a unique name that describes the virtual server.
6. On the Disk Format screen, click Next.
7. On the Network Mapping screen, click Next to accept the default settings.
8. On the Properties screen, you can complete fields to configure initial settings as described in Specifying Initial Settings
Using the VMware ESXi Properties Screen. (If you do not use this screen, you must type the values into the vSphere Client
console manually, because you cannot paste into this console.)
9. On the Ready to Complete screen:
a. Verify the information.
b. (Optional) Select the Power on after deployment checkbox.
c. Click Finish.

The server must be configured to set up its management interface, and to allow access to the network, change the default
administrator password, and so on. For complete information, see Initial Configuration of Virtual Servers.

Installing a virtual server using Microsoft Hyper‑V


This section describes how to install a virtual server. Both Endpoint Security (HX) (primary) servers and DMZ servers can be
virtual servers.

Important

This procedure uses Microsoft Hyper-V version 10.0.17763.1. The navigation instructions and user interface may vary based
on your version of this product.

Note

This procedure covers the required settings for a Trellix virtual server. You can accept the default values for the other settings,
or specify values that are appropriate for your setup.


To install a virtual server using Microsoft's Hyper-V Manager:

1. Download the Endpoint Security (HX) Hyper-V deployment .zip file from Trellix's Dynamic Threat Intelligence (DTI) network
to a Hyper-V server and extract the files within it. These zip files have names in the format image-hx-fireeyehx<nnnn>v,
where <nnnn> is the Endpoint Security (HX) server model number.
After the file is unzipped, verify that it includes the Virtual Hard Disks and Virtual Machines folders. If it does not, contact
Trellix customer support.
2. Log in to Microsoft's Hyper-V Manager on the Hyper-V server. The Hyper-V Manager console is displayed.
3. In the Actions list, select Import Virtual Machine to start the import wizard. On the Before You Begin screen, click Next.
4. On the Locate Folder screen, browse to and select the folder to which you extracted the .zip file in Step 1. You only need to
select the top-level folder. Click Next.
5. On the Select Virtual Machine screen, select the virtual machine model associated with the .zip file. Click Next.
6. On the Choose Import Type screen, select the option Copy the virtual machine (create a new unique ID). Click Next.
7. On the Choose Folder for Virtual Machine Files screen, click Next.
8. On the Locate Virtual Hard Disks screen, select the top-level folder into which you unzipped the Endpoint Security (HX)
Hyper-V deployment file in Step 1. This should be the folder that includes the Virtual Hard Disks folder. Then click Next.
9. On the Choose Folders to Store Virtual Hard Disks screen, select the top-level folder into which you unzipped the Endpoint
Security (HX) Hyper-V deployment file in Step 1. This folder should include the Virtual Hard Disks folder. Click Next.
10. On the Connect Network screen, select the virtual switch to use for your virtual machine. Click Next.
11. On the second Connect Network screen, select a second virtual switch to use for your virtual machine. Click Next.
12. On the Completing Import Wizard screen, verify the information. If you are satisfied, click Finish to import the virtual
machine. If you need to make changes, click Previous.
After the machine is imported, it appears on the Hyper-V Manager console.
13. Rename the virtual machine by double-clicking its name in the Hyper-V Manager console and entering a new name. Click
Enter when done.
14. Verify that the virtual machine settings meet the specifications listed in Windows Hyper-V Requirements. Highlight the row
for the virtual machine in the Hyper-V Manager console, right-click on the row, and select Settings. If the virtual machine
settings do not meet the documented minimum specifications, contact your Trellix Customer Support representative.
15. The new virtual machine is turned off by default after it is imported. To turn it on, highlight the row for the virtual machine
in the Hyper-V Manager console, right-click on the row, and select Start.
16. Connect to the new virtual machine. Highlight its row in the Hyper-V Manager console, right-click on the row, and select
Connect.

The server needs to be configured to set up its management interface, and to allow access to the network, change the default
administrator password, and so on. For complete information, see Initial Configuration of Virtual Servers.

Initial configuration of virtual servers


The management interface is the port through which the virtual server is managed and administered. It is also the port through
which integration of the Central Management System Series appliance and a managed server is performed. With the single-port
address type, the management interface is also the port through which a managed server requests and downloads software
updates from the DTI network.

Initial settings must be configured to set up the management interface of the server, and to allow access to the network, change
the default administrator password, and so on.

Management by VMware vCenter server

If your virtual server is managed by VMware vCenter server, the installation wizard includes a Properties screen that allows you
to enter some initial settings for the server, including your activation code and initial CLI commands to configure the server.
You can also reset the password for the admin user on this screen. If your virtual server does not include a Properties screen
(or you choose not to use it), you can use the configuration wizard in the console of the server to fully configure the server,
including entering the activation code, changing the admin password, and supplying initial startup commands. Whether you use
the Properties screen or not, the configuration wizard must be run to fully set up the server. However, the wizard prompts will
be different if you provide settings on the Properties screen.

Management by Microsoft Hyper-V

If your virtual server is managed by Microsoft Hyper-V, you can use the set_keys.ps1 PowerShell script provided in the Endpoint
Security (HX) Hyper-V deployment .zip file to supply some initial settings for the server, including the activation code, a new
admin password, and initial CLI commands to configure the server. You can then launch the configuration wizard to complete the
setup.

Alternatively, you can skip the set_keys.ps1 PowerShell script and use the configuration wizard in the console of the server
to fully configure the server, including entering the activation code, changing the admin password, and supplying initial startup
commands. However, the wizard prompts will be different if you first provide settings using the set_keys.ps1 PowerShell script.

Note

You cannot paste the virtual server activation code in the configuration wizard prompt in the server console. Instead, the
activation code must be manually entered into the wizard. Trellix recommends that you specify the activation code using the
Properties screen (ESXi appliances) or the set_keys.ps1 PowerShell script (Hyper-V appliances).

This section describes:

• Specifying Initial Settings Using the VMware ESXi Properties Screen
• Initial Configuration Using the VMware ESXi Appliance Console
• Specifying Initial Settings Using the Windows Hyper-V set_keys.ps1 PowerShell Script
• Initial Configuration Using the Windows Hyper-V Server Console
• Configuration Wizard Steps


Specifying initial settings using the VMware ESXi Properties screen

The Properties screen is included in the Deploy OVF Template wizard if you connect to your ESXi host through VMware vCenter
Server. Installing a Virtual Server using VMware ESXi provides information about the wizard screens.

Trellix recommends that you use the Properties screen to do at least the following:

• Enter the activation code for your virtual server. The activation code contains many characters. The vSphere Client
prevents you from pasting the activation code into the vSphere Client console, and it is easy to make a typing error.
• Reset the password for the admin user, if password authentication will be used to log into the CLI or Web UI over the
network. The password must be changed to a password that is at least eight characters long.

You can also use this screen to provide commands for configuration settings that the system will apply during the initial boot.
This can be convenient if you have a large number of virtual servers to deploy, because you can create base sets of commands,
and then customize them for each deployment.

Note

You can use the system virtual bootstrap reset command to reset the Properties screen values after the virtual server is
deployed and running.

The following table describes the fields in the Properties screen.

Activation Code
  The code you received in a secure email from Trellix that gives the virtual server its identity and access credentials.

Initial CLI commands
  A Base64-encoded set of commands that at a minimum allow the server to connect to your network. To use this field, type the
  commands in plain-text format, encode them to Base64, and then paste the encoded string into this field. Consider using this
  field for network connectivity only, because the size of the string could become unwieldy. The string can be a maximum of
  65,535 bytes, and cannot be line-wrapped.

Initial CLI commands URL
  A URL that points to a file on your network (for example, http://acme.com/operations/4500V_config.txt). To use this field,
  create a text file that includes CLI commands that configure additional settings in plain-text format, and store the file on
  an HTTP server in your network. The virtual server needs network connectivity (which the commands in the Initial CLI commands
  field can establish) to access the file referenced in the URL.

Reset admin password
  A password of at least eight characters. The initial admin password must be reset to allow the admin user to log into the CLI
  or Web UI over the network unless both of the following are true:
  • The CLI commands being executed set an SSH authorized key for the admin user, which allows the admin to log in remotely
    without a password.
  • You disable password login using the username admin disable password command.
After you have specified these initial settings on the Properties screen, access the virtual server console and run the
configuration wizard to complete the configuration of the virtual machine. See Initial Configuration Using the VMware ESXi
Appliance Console and Configuration Wizard Steps.
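Preparing the Initial CLI commands value is the one step on this screen that is easy to get wrong, because the field takes a single unwrapped Base64 string of at most 65,535 bytes while common encoders (GNU base64, for instance) wrap output at 76 columns. The helper below is an added example, not Trellix code: it encodes a plain-text command file, checks the result against the two limits stated in the table, undoes any line wrapping, and decodes the value back to confirm the round trip. The sample commands are the CLI lines shown earlier on this page; the network-connectivity commands a real deployment needs are whatever the HX CLI defines for your site, and are an assumption left to the reader.

```python
"""Added example, not Trellix/HX code: build and check the Base64 value for the
'Initial CLI commands' Properties field. Sample commands are reused from this
page; real network-connectivity commands depend on your HX CLI configuration."""
import base64

MAX_FIELD_BYTES = 65_535  # field limit stated in the Properties table

# Constructed sample: CLI lines that appear earlier in this guide.
SAMPLE_COMMANDS = "configure terminal\nfenet dti source default DTI\nwrite mem\n"

def encode_initial_cli_commands(commands):
    """Return a single-line Base64 string for the field.
    Raises ValueError if the encoded value would exceed the field limit."""
    encoded = base64.b64encode(commands.encode("utf-8")).decode("ascii")  # never wraps
    if len(encoded) > MAX_FIELD_BYTES:
        raise ValueError(f"encoded value is {len(encoded)} bytes; limit is {MAX_FIELD_BYTES}")
    return encoded

def normalize_wrapped_base64(value):
    """Remove line breaks and other whitespace that wrapping encoders insert."""
    return "".join(value.split())

def check_field_value(value):
    """Return a list of problems with a value about to be pasted (empty list = OK)."""
    problems = []
    if "\n" in value or "\r" in value:
        problems.append("contains a line break; the field cannot be line-wrapped")
    if len(value.encode("utf-8")) > MAX_FIELD_BYTES:
        problems.append(f"exceeds {MAX_FIELD_BYTES} bytes")
    try:
        base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("not valid Base64")
    return problems

def decode_initial_cli_commands(value):
    """Round-trip check: the plain-text commands the server will see after decoding."""
    return base64.b64decode(value, validate=True).decode("utf-8")

if __name__ == "__main__":
    field = encode_initial_cli_commands(SAMPLE_COMMANDS)
    print(field, check_field_value(field))
    print(decode_initial_cli_commands(field))
```

Run check_field_value on whatever you are about to paste; an empty list means the value is a single unwrapped line, within the size limit, and decodes cleanly. If a value was produced by a wrapping encoder, pass it through normalize_wrapped_base64 first and check again.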

Initial configuration using the VMware ESXi server console

Trellix recommends that you use the Properties screen to provide some initial configuration settings, because you cannot copy
and paste into the vSphere Client console. See Specifying Initial Settings Using the VMware ESXi Properties Screen on page 1.
However, if you do not use this screen, you can still complete the server configuration using the configuration wizard in the ESXi
virtual server console.

If the license update feature is not enabled, Trellix recommends that you accept the evaluation licenses during the initial
configuration, because manual entry of license keys is error prone. After the activation code is entered and the admin user has
access to the Endpoint Security (HX) server Web UI or CLI, you can copy and paste the license keys.

To access the VMware ESXi server console and start the configuration wizard:

1. Log in to vSphere Client.
2. In the left pane, expand the ESXi IP address and then select the virtual server.
3. Click the Console tab.
4. If the console is not running, click the green arrow to launch it.
5. At the login prompt, enter admin.
6. If you did not change the admin password on the Properties screen, enter admin (this is the distributed admin password).
If you changed the admin password on the Properties screen, enter the new admin password.
7. Start the configuration jump-start wizard:

hostname (config) # configuration jump-start

8. Answer the wizard questions as described in Configuration Wizard Steps.

Note

To navigate away from the vSphere Client console and return to the vSphere Client user interface or your local machine, press
Ctrl+Alt.

Specifying initial settings using the Windows Hyper-V set_keys.ps1 PowerShell script

The set_keys.ps1 PowerShell script is included in the Endpoint Security (HX) Hyper-V deployment package you received.

Trellix recommends that you use this PowerShell script to do at least the following:

• Enter the activation code for your virtual server. The activation code contains many characters. You cannot copy and
paste the activation code into the Hyper-V console, and it is easy to make a typing error.
• Reset the password for the admin user, if password authentication will be used to log into the CLI or Web UI over the
network. The password must be changed to a password of at least eight characters.

You can also use this script to provide initial commands for configuration settings that the system will apply during the initial
boot. This can be convenient if you have a large number of virtual servers to deploy, because you can create base sets of
commands and then customize them for each deployment.

To use the set_keys.ps1 PowerShell script:

1. Use Remote Desktop (RDP) to connect to your Hyper-V virtual machine. Make sure you are logged in as an administrator.
2. Change to the directory on your virtual machine where the Endpoint Security (HX) Hyper-V deployment .zip file was
extracted during installation.
3. Open the set_keys.ps1 PowerShell script in the directory using a text editor (such as Notepad).
4. Change appropriate settings in the set_keys.ps1 script, specifying your values in quotation marks for each setting. The
following table describes the settings in the set_keys.ps1 script that you can change. They are all located between the
comments MODIFY THESE AS NEEDED and DON'T MODIFY ANYTHING BELOW in the file. Do not change any other settings in the
PowerShell script.


activation_code
  The code you received in a secure email from Trellix that gives the virtual server its identity and access credentials.

cli_cmds_init
  A set of commands that, at a minimum, allow the server to connect to your network. Type the commands in plain-text format and
  then paste the encoded string into this field. Consider using this field for network connectivity only, because the size of
  the string could become unwieldy. The string can contain multiple lines.

cli_cmds_init_url
  A URL that points to a file on your network (for example, http://acme.com/operations/4500V_config.txt). To use this field,
  create a text file that includes CLI commands that configure additional settings in plain-text format, and store the file on
  an HTTP server in your network. The virtual server needs network connectivity (which the commands in the cli_cmds_init
  setting can establish) to access the file referenced in the URL.

reset_admin_password
  A password of at least eight characters. The initial admin password must be reset to allow the admin user to log into the CLI
  or Web UI over the network unless both of the following are true:
  • The CLI commands being executed set an SSH authorized key for the admin user, which allows the admin to log in remotely
    without a password.
  • You disable password login using the username admin disable password command.

$vmName
  If you changed the name of the virtual machine during installation, specify the correct virtual machine name.

5. Save the file.
6. From the directory on your virtual machine where the Endpoint Security (HX) Hyper-V deployment .zip file was extracted
during installation, enter Windows PowerShell.

<drive>:<path> powershell

7. Run the PowerShell script.

<drive>:<path> .\set_keys.ps1

The script applies the values you specified in Step 4 to your virtual server.
8. After the PowerShell script has run, access the virtual server console and run the configuration wizard to complete the
configuration of the virtual machine. See Initial Configuration Using the Windows Hyper-V Server Console on page 1 and
Configuration Wizard Steps on page 1.

Initial configuration using the Windows Hyper-V server console

Trellix recommends that you use the set_keys.ps1 PowerShell script to provide some initial configuration settings, because
you cannot copy and paste into the server console. See Specifying Initial Settings Using the Windows Hyper-V set_keys.ps1
PowerShell Script on page 1. However, if you do not use this script, the complete configuration can be performed using the
configuration wizard in the Hyper-V virtual server console.

If the license update feature is not enabled, Trellix recommends that you accept the evaluation licenses during the initial
configuration, because manual entry of license keys is error prone. After the activation code is entered and the admin user has
access to the server Web UI or CLI, you can copy and paste the license keys.

To access the Windows Hyper-V Manager console and start the configuration wizard:

1. Log in to the Windows Hyper-V Manager console.
2. Verify your virtual machine is turned on. To turn it on, highlight its row in the Hyper-V Manager console, right-click on the
row and select Start.
3. Connect to the new virtual machine. Highlight its row in the Hyper-V Manager console, right-click on the row and select
Connect.
4. At the login prompt, enter admin.
5. If you did not change the admin password in the set_keys.ps1 PowerShell script, enter admin (this is the distributed admin
password). If you changed the admin password in the set_keys.ps1 PowerShell script, enter the new admin password.
6. Start the configuration jump-start wizard:

hostname (config) # configuration jump-start

7. Answer the wizard questions as described in Configuration Wizard Steps on page 1.

Configuration wizard steps

The following table describes the questions the configuration wizard prompts you to answer. As noted in the table, the wizard
skips some steps based on your answers to previous steps and whether initial settings were specified on the Properties screen
for ESXi virtual servers or in the set_keys.ps1 PowerShell script for Hyper-V virtual servers.

Note

Press Ctrl+C to exit the configuration wizard. After the management interface is configured, an administrator can use the
configuration jump-start CLI command to run the wizard again.

Step: Enter activation code?
Response: Enter the activation code you obtained from Trellix. You will not be prompted for an activation code if you supplied
one on the Properties screen for ESXi virtual servers or in the set_keys.ps1 PowerShell script for Hyper-V virtual servers.

Step: Hostname?
Response: Enter the hostname for the server. You will not be prompted for the server hostname if you supplied one in the
set_keys.ps1 PowerShell script for Hyper-V virtual servers.

Step: Admin password?
Response: Enter a new administrator password. The new password must be from 8–32 characters. You do not need to supply an
updated admin password if you supplied one on the Properties screen for ESXi virtual servers or in the set_keys.ps1 PowerShell
script for Hyper-V virtual servers. NOTE: If you have not changed the admin password, do so now or the administrator will be
unable to log in to the server.

Step: Confirm admin password?
Response: Re-enter the new administrator password, if you supplied one in the previous step.

Step: Enable remote access for ‘admin’ user?
Response: Enter yes to enable the administrator to log in to the server remotely. Enter no to disable remote access.

Step: Use DHCP on ether1 interface?
Response: Enter yes to use Dynamic Host Configuration Protocol (DHCP) to configure the server IP address and other network
parameters. Enter no to manually configure your IP address and network settings. (If you enter yes, the zeroconf and static IP
addressing steps are skipped.)

Step: Use zeroconf on ether1 interface?
Response: Enter yes to use zero-configuration (zeroconf) networking. Enter no to specify a static IP address and network mask.
(If you specify yes, the next step is skipped.) NOTE: Do not use zeroconf on the primary interface.

Step: Primary IPv4 address and masklen?
Response: Enter the IP address for the management interface in A.B.C.D format and enter the network mask, for example:
1.1.1.2/12.

Step: Default gateway?
Response: Enter the gateway IP address for the management interface.

Step: Primary DNS server?
Response: Enter the IP address of the DNS server.

Step: Domain name?
Response: Enter the domain for the management interface; for example: it.acme.com.

Step: Enable fenet service?
Response: Enter yes to enable access to the DTI network. (If you enter no, the next three steps are skipped.)

Step: Enable fenet license update service?
Response: Enter yes to enable the licensing service to automatically download your licenses from the DTI network and install
them. (If licenses are downloaded and installed successfully, the wizard skips the step that prompts for the product license key
and the step that prompts for the security-content updates key.)

Step: Sync appliance time with fenet?
Response: Enter yes to synchronize the server time with the DTI server time. If you enabled the licensing service,
synchronization prevents a feature from being temporarily unlicensed due to a time gap. The wizard makes three attempts to
perform this step before it gives up and moves to the next step.

Step: Update licenses from fenet?
Response: Enter yes to download and install your licenses. The wizard makes three attempts to perform this step before giving
up and moving on to the next step.

Step: Enable NTP?
Response: Enter yes to enable automatic time synchronization with one or more Network Time Protocol (NTP) servers.

Step: Enable IPv6?
Response: Enter no if you want to use IPv4 for your Endpoint Security (HX) virtual server or enter yes to enable IPv6 for your
Endpoint Security (HX) virtual server.

Step: Product license key?
Response: Press Enter to install a 15-day evaluation license.

4| Configuration

Configuration
• The server Web UI
• License management
• Validating DTI access
• Attaching and detaching HXD appliances
• Configuring the server address list
• Understanding provisioning

The Endpoint Security (HX) server Web UI


The Endpoint Security (HX) Web UI uses HTTPS to provide a secure connection for configuring the server. The Web UI functions
you have access to depend on the privileges granted by your role.

You access the Endpoint Security (HX) Web UI by directing a browser to the management port's IP address or hostname using
HTTPS. The IP address and hostname are set during the initial configuration of the server. The hostname must be resolved by a
DNS server if you use it to access the Web UI.

The Endpoint Security (HX) Web UI includes controls for logging in and out using local, appliance-specific credentials.

Browser support

Use one of the following browsers to access the Endpoint Security (HX) Web UI:

• Internet Explorer 11.0 or higher and Microsoft Edge on supported versions of Windows
• Firefox 51 or higher on supported versions of Windows
• Google Chrome 13.0 or higher on supported versions of Windows

Screen resolution requirements

The Endpoint Security (HX) Web UI supports the following screen resolutions:

• 1152 x 864 pixels
• 1280 x 800 pixels
• 1280 x 1024 pixels
• 1360 x 768 pixels
• 1366 x 768 pixels
• 1440 x 900 pixels
• 1600 x 900 pixels
• 1680 x 1050 pixels
• 1920 x 1080 pixels
• 1920 x 1200 pixels

Logging in to the Endpoint Security (HX) Web UI

To log in to the Endpoint Security (HX) Web UI, you need the server IP address or hostname, and you need the username and
password that the server administrator created for you.

Important

There are two versions of IAM. If the URL you use to access the IAM UI ends with fireeye.com, this document pertains to you.
If the URL you use to access the IAM UI ends with trellix.com, see the Trellix IAM Guide for information regarding IAM.

Prerequisites

• Before the default Admin user can log in to the appliance Web UI and create other user accounts, the manufacturing
default password (admin) must be changed to a new password that is 8 to 32 characters long. This step is included in
"Initial Configuration" in the Endpoint Security (HX) System Administration Guide.
• If you are using single sign-on, refer to your welcome email for instructions to log in to your Cloud IAM instance.
To log in to the Endpoint Security (HX) appliance Web UI:

1. Open a Web browser and enter https://<appliance>:3000 in the address line, where appliance is the IP address or
hostname of the appliance. For example, if the configured IP address of the appliance is 10.1.0.1, enter https://10.1.0.1.
2. In the appliance Web UI login page, enter the local username and password for this appliance as provided by your
administrator.

Note

On Endpoint Security (HX) servers with single sign-on enabled, you may be directed to the Cloud IAM login screen. Your
login experience depends on the authentication mode set for the appliance. For more information, see "Single Sign-On
Authentication" in the System Security Guide.

License keys
This section covers the following information:

• About License Keys
• Automatic License Updates
• Manual License Installation
• Viewing License Notifications Using the Web UI

About license keys

License keys are required for system operation. The Endpoint Security (HX) appliance requires three license keys:

FIREEYE_APPLIANCE—Required to register your system and use the product features. The Central Management System license
has either the CMS or CMSHA product type. The CMSHA product type is used in High Availability deployments. Network
Security appliances licensed in Release 7.7.1 or later can run in either the Power or Essentials product edition. Network Security
appliances licensed before Release 7.7.1 run in the classic product edition. The licensed edition is shown in the appliance license
details in the Web UI and CLI. Endpoint Security servers refer to this license as the Endpoint Security (HX) Essentials license.

FIREEYE_SUPPORT—Allows your system to receive software image updates and the latest guest images.

CONTENT_UPDATES—Allows your system to access the Dynamic Threat Intelligence (DTI) network, which provides the latest
intelligence on advanced cyber attacks and malware callback destinations. This enables Trellix products to proactively recognize
new threats and block attacks. There are two versions of the content update license:

• The two-way sharing license provides your appliance with malware intelligence from the DTI network and shares data
about malware analyzed by your appliance.
• The one-way sharing license provides your appliance with malware intelligence, but no information is submitted to the
DTI cloud.

The following licenses are optional:

IPS—Allows your appliance to use Trellix integrated Intrusion Prevention System features.

ATI—Allows your appliance to use Advanced Threat Intelligence features.

HX_ADVANCED—Allows access to Endpoint Security exhaustive Enterprise Search requests, data acquisition requests, and bulk
acquisition endpoint requests via the API. This license is referred to as the Endpoint Security (HX) Power license. HXD (DMZ)
appliances do not need an HX_ADVANCED license if the Endpoint Security (master) server associated with the DMZ server already
has one.

MD_ACCESS—Allows Trellix products to connect to the Managed Defense VPN. Without this license, Managed Defense cannot
manage the appliance.

AV_ENGINE_SOPHOS—Allows your appliance to use the integrated Sophos Engine to scan submitted malware samples. For
details, see AV-Check.

DA_HANCOM—Allows your appliance to perform dynamic analysis of Hancom Office files.

Note

The functionality provided by optional licenses is disabled if the FIREEYE_APPLIANCE license is invalid.

If licenses have expired or will expire within 30 days, warnings are displayed on the Appliance License Settings page. For details,
see Viewing License Notifications Using the Web UI.

Automatic license updates

The license update feature enables the Endpoint Security (HX) appliance with basic network connectivity to automatically
download licenses from the DTI network and install them. This feature provides the following benefits:

• Minimal initial configuration—The license update feature is enabled with the configuration jump-start wizard during the
initial system configuration. This means the feature can be fully functional after the jump-start wizard is completed.
• Simplified license management—There is no need to contact Trellix for license keys when new features are added or
when licenses are renewed, because the new licenses are automatically downloaded and installed.

• Scalability—Organizations, such as those with a large number of appliances, can benefit from all appliances being
updated automatically, instead of entering license keys manually on each appliance, one at a time.

You can enable automatic license updates on the Endpoint Security (HX) appliance using the configuration wizard or the CLI.

How it works

The license update feature, if enabled, downloads and applies licenses to which the customer is contractually entitled. If an
active license for a feature is already installed and the licensing service downloads an active license for the feature, the installed
license is replaced by the downloaded license only if the downloaded license offers more functionality or a later expiry date. This
process is automatic; however, you can also explicitly update licenses.

The license update feature will not:

• Install a downloaded license that would cause a feature to become temporarily unlicensed.
• Install a product (FIREEYE_APPLIANCE) license that changes licensed features. If this is your intention, you must install the
new license manually.

You can synchronize the system time to the DTI server time to prevent a feature from being temporarily unlicensed due to time
differences. This is a one-time synchronization, but it can be repeated.

When an appliance is managed by the Central Management System appliance, the Central Management System appliance acts
as a proxy between the managed appliance and the licensing service. The license update feature must still be enabled on the
managed appliance. In such an integrated environment, the Central Management System appliance acts as the DTI server for
the managed appliances, so the licensing service uses the Central Management System DTI network credentials instead of the
appliance's credentials.

For more information, see "Enabling Automatic License Updates" in the Endpoint Security (HX) System Administration Guide.

Enabling automatic license updates

This section describes two ways to enable automatic license updates on the Endpoint Security (HX) appliance.

Configuration wizard method

The configuration wizard is typically used to initially configure a new system. The wizard steps, which include the following license
activation steps, allow a customer to have a functioning system with only minimal configuration.

• Enable fenet service?
• Enable fenet license update service?
• Sync appliance time with fenet?
• Update licenses from fenet?

For details about the wizard steps, see Configuration Wizard Steps.

CLI method

The following topic describes how to use CLI commands to enable and work with the license update feature:

• Enabling Automatic License Updates Using the CLI

Prerequisites

• An established connection between the appliance and the Internet.
• Operator or Admin access to enable the license update feature and download and install licenses.
• DTI network access to allow the appliance to get updates directly from the DTI network.
• (Optional) Admin access to synchronize the system clock with the DTI server clock.

Enabling automatic license updates using the CLI

When the license update feature is enabled, license updates are automatic. You can also explicitly update licenses.

To verify and enable automatic license updates:

1. Go to CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Verify the license update feature status:

hostname (config) # show fenet license

fenet License Update Service

Licensing service: Administratively enabled
Last time licensing service was contacted: 2014/08/11 10:50:04
Last time licensing service was contacted successfully: 2014/08/11 10:50:04
Last time keys from licensing service were applied: 2014/08/07 17:50:03

3. If the license update feature service is disabled, enable it:

hostname (config) # fenet license update enable

4. Save your changes:

hostname (config) # write memory

Note

See "Synchronizing the System Clock to DTI Server Time Using the CLI" in the Endpoint Security (HX) System Administration
Guide for an option that prevents potential licensing issues if there is a time gap between the two clocks.

To explicitly update licenses:

1. Go to CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Update licenses:

hostname (config) # fenet license update

3. Save your changes:

hostname (config) # write memory

To disable automatic license updates:

1. Go to CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Disable the feature:

hostname (config) # no fenet license update enable

3. Save your changes:

hostname (config) # write memory

Forcing license updates

When you force license updates, the licensing service downloads licenses from the DTI server, removes existing licenses if there
are conflicts, and installs the downloaded licenses in their place. The licenses are installed even if they are less functional or of
a shorter duration than the existing licenses, would change licensed features, or would cause a feature to become temporarily
unlicensed.

Caution

Carefully consider the implications of forcing license updates before you perform this procedure.

To force license updates:

1. Go to CLI configuration mode.

hostname > enable
hostname # configure terminal

2. Download the licenses and replace existing licenses with them if there are conflicts. The system clearly indicates which
licenses were replaced.

hostname (config) # fenet license update force

3. Save your changes.

hostname (config) # write memory

Examples

• The licensing service replaced an existing license with one that it downloaded:
hostname (config) # fenet license update force
Added license(s) from fenet
LK2-CONTENT_UPDATES-33XX-0X0X-0000-X000-X000-X00X-0XXX-J00
Deleted installed license(s) (superceded by license(s) shown above):
LK2-CONTENT_UPDATES-42XX-44XX-H888-X00X-000R-XX22-XYZ-0

• The licensing service installed a license that did not exist on the appliance:
hostname (config) # fenet license update force
Added license(s) from fenet
LK2-FIREEYE-SUPPORT-000X-XX00-0000-X000-X000-X00X-0XXX-X00X
No license(s) deleted

• All licenses were already installed and did not conflict with downloaded licenses:
hostname (config) # fenet license update force
All licenses fetched from fenet have already been installed

Manual license installation

If the license update feature is not enabled, you need to install license keys manually. Licenses need to be installed when an
evaluation license expires or when a license expires or no longer meets your needs. In addition, replacement licenses need to be
installed after a Return Material Authorization (RMA).

You can obtain your license keys from the Assets tab in the Trellix Customer Support Portal or by sending an email that includes
the MAC address of your appliance to [email protected].

There are two ways to manually install licenses, described in the following topics:

• Installing Licenses Using the Web UI
• Installing Licenses Using the CLI

Installing licenses using the Web UI

Use the Appliance License Settings page to install licenses on the Endpoint Security (HX) appliance.

Use the CM License Settings page to install licenses on the Central Management System appliance.

Note

Clicking the Enable VPN link in the Description column for an MD_ACCESS license allows you to connect the appliance to
Managed Defense over the Internet using a secure SSL VPN connection.

Prerequisites

• Admin or Operator access.
• The appliance does not already have the type of license key you are installing.

To install license keys using the Web UI:

1. Log in to the managing Central Management System Web UI.
2. Click the Settings tab.
3. Select Appliance Settings from the Admin menu.
4. Click the Appliance Settings subtab.
5. Use the Appliance drop-down list to select a specific Intelligent Virtual Execution - Server appliance.
6. Click Appliance Licenses on the sidebar.
7. Click CM Licenses on the sidebar.
8. Click Add License. The Add License dialog box opens.
9. Paste the license key you obtained from Trellix in the License Key box.
10. Click Add.
The page refreshes to show the license key in the table. If the key is valid, the Valid column shows a check mark and
additional information is displayed about the license.

Installing licenses using the CLI

Use the CLI commands in this topic to install licenses on the Endpoint Security (HX) appliance.

Prerequisites

• Admin or Operator access

To install licenses:

1. Go to CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Install each license:

hostname (config) # license install <key1> <key2> <key3>

Note

You can enter the license keys sequentially separated by spaces as shown above, or enter license install and then
press Enter to be prompted to enter the license keys one at a time.

3. Verify the licenses:

hostname (config) # show licenses

License 1: LK2-FIREEYE_APPLIANCE-0000-0000-0000-0000-0000-0000-0000-0000-0000
Feature: FIREEYE_APPLIANCE
Description: FireEye Appliance
Valid: yes
Start date: 2016/11/21 (ok)
Tied to Appl ID: 000000000000 (ok)
Product: eMPS (ok)
Type: PROD (ok)
Agreement: EULA (ok)
Active: yes
...

License 2: LK2-CONTENT_UPDATES-0000-0000-0000-0000-0000-0000-0000-0000-0000
Feature: CONTENT_UPDATES
Description: Content updates
Valid: yes
Start date: 2016/11/21 (ok)
End date: 2017/11/21 (ok)
Tied to Appl ID: 000000000000 (ok)
Sharing: all (ok)
Active: yes

License 3: LK2-FIREEYE_SUPPORT-0000-0000-0000-0000-0000-0000-0000-0000-0000
Feature: FIREEYE_SUPPORT
Description: FireEye Support
Valid: yes
Start date: 2016/11/21 (ok)
End date: 2017/11/21 (ok)
Tied to Appl ID: 000000000000 (ok)
Sharing: all (ok)
Active: yes
...

hostname (config) # show licenses

License 1: LK2-FIREEYE_APPLIANCE-<license details>
Feature: FIREEYE_APPLIANCE
Description: FireEye Appliance Type
Valid: yes
Start date: 2016/12/01 (ok)
Tied to appl ID: 8699351EB1D5 (ok)
Product: HX (ok)
Type: PROD (ok)
Tied to model: FireEyeHXVM (ok)
Agreement: EULA (ok)
Appliance role: master
Active: yes

License 2: LK2-CONTENT_UPDATES-<license details>
Feature: CONTENT_UPDATES
Description: Content updates
Valid: yes
Start date: 2016/12/01 (ok)
End date: 2017/12/01 (ok)
Tied to appl ID: 8699351EB1D5 (ok)
Sharing: all (ok)
Active: yes

License 3: LK2-FIREEYE_SUPPORT-<license details>
Feature: FIREEYE_SUPPORT
Description: FireEye support
Valid: yes
Start date: 2016/12/01 (ok)
End date: 2017/12/01 (ok)
Tied to appl ID: 8699351EB1D5 (ok)
Sharing: all (ok)
Active: yes

...

4. Save your changes:

hostname (config) # write memory

Removing licenses using the Web UI

Use the Appliance License Settings page to remove Endpoint Security (HX) licenses.

Use the CMS License Settings page to remove Central Management System licenses.

Prerequisites

• Admin or Operator access

To remove license keys:

1. Log in to the managing Central Management System Web UI.
2. Click the Settings tab.
3. Select Appliance Settings from the Admin menu.
4. Click the Appliance Settings subtab.
5. Use the Appliance drop-down list to select a specific Intelligent Virtual Execution - Server appliance.
6. Click Appliance Licenses on the sidebar.
7. Click CMS Licenses on the sidebar.
8. Click the icon in the Delete column in the row for the license you want to remove.
9. Click Yes in the confirmation message that appears.

Removing licenses using the CLI

Use the CLI commands in this topic to remove licenses.

Prerequisites

• Admin or Operator access

To remove licenses:

1. Go to CLI configuration mode:

hostname > enable
hostname # configure terminal

2. List the installed licenses:

hostname (config) # show licenses

License 1: LK2-FIREEYE_APPLIANCE-0000-0000-0000-0000-0000-0000-0000
Feature: FIREEYE_APPLIANCE
Description: FireEye Appliance
Valid: yes
Start date: 2016/11/01 (ok)
Tied to appl ID: 000000000000 (ok)
Product: MPS (ok)
Type: PROD (ok)
Agreement: EULA (ok)
Op Mode: inline (ok)
Active: yes
...

License 2: LK2-CONTENT_UPDATES-0000-0000-0000-0000-0000-0000-0000
Feature: CONTENT_UPDATES
Description: Content updates
Valid: yes
Start date: 2016/11/01 (ok)
End date: 2017/11/01 (ok)
Tied to appl ID: 000000000000 (ok)
Sharing: all (ok)
Active: yes

License 3: LK2-FIREEYE_SUPPORT-0000-0000-0000-0000-0000-0000-0000
Feature: FIREEYE_SUPPORT
Description: FireEye Support
Valid: yes
Start date: 2016/11/01 (ok)
End date: 2017/11/01 (ok)
Tied to appl ID: 000000000000 (ok)
Sharing: all (ok)
Active: yes

hostname (config) # show licenses

License 1: LK2-FIREEYE_APPLIANCE-<license details>
Feature: FIREEYE_APPLIANCE
Description: FireEye Appliance Type
Valid: yes
Start date: 2016/12/01 (ok)
Tied to appl ID: 8699351EB1D5 (ok)
Product: HX (ok)
Type: PROD (ok)
Tied to model: FireEyeHXVM (ok)
Agreement: EULA (ok)
Appliance role: master
Active: yes

License 2: LK2-MD_ACCESS-<license details>
Feature: MD_ACCESS
Description: Managed Defense VPN Access
Valid: yes
Start date: 2016/12/01 (ok)
End date: 2017/12/01 (ok)
Tied to appl ID: 8699351EB1D5 (ok)
Active: yes

License 3: LK2-CONTENT_UPDATES-<license details>
Feature: CONTENT_UPDATES
Description: Content updates
Valid: yes
Start date: 2016/12/01 (ok)
End date: 2017/12/01 (ok)
Tied to appl ID: 8699351EB1D5 (ok)
Sharing: all (ok)
Active: yes

License 4: LK2-FIREEYE_SUPPORT-<license details>
Feature: FIREEYE_SUPPORT
Description: FireEye support
Valid: yes
Start date: 2016/12/01 (ok)
End date: 2017/12/01 (ok)
Tied to appl ID: 8699351EB1D5 (ok)
Sharing: all (ok)
Active: yes

3. Specify the license ID to remove an individual license. For example, 4 is the license ID for the Support license shown in the
previous example.

hostname (config) # license delete 4

4. Save your changes.

hostname (config) # write memory

Note

The show licenses command output in this procedure shows the basic licenses installed on a Network Security appliance.
The output is similar for Endpoint Security (HX) appliances.

Viewing license notifications using the Web UI

Functionality associated with a license stops when a license expires. For example, when the FIREEYE_APPLIANCE license expires,
the appliance will block access to all pages except the Appliance License Settings page, and CLI commands (except those that
install licenses) are disabled or their execution fails. For example, the report generate command will not create a report.

To prevent a gap in functionality, the Appliance License Settings page (or the CMS License Settings page on the Central
Management System) displays notifications about expired licenses and licenses that will expire within 30 days.

Note

See Automatic License Updates for information about enabling the appliance to automatically download licenses from the
DTI network when it is time to renew them.

Validating DTI access

Before using the features associated with the DTI network, you must establish communication between the appliance and the
DTI network. Use the following procedures to verify this communication.

Prerequisites

• Operator or Admin access
• Access to the DTI network

Validating DTI access using the Web UI

Use the Trellix System Information page (or the Trellix CMS System Information page on the Central Management System) to
validate DTI cloud communication.

To validate DTI access:

1. If the About tab is not visible, select Appliance Settings from the Admin menu.
2. Click the About tab.
3. Click Health Check on the upper left side.
4. Locate the Dynamic Threat Intelligence Cloud (DTI) section.
5. Verify that the DTI Client field is Enabled.

Validating DTI access using the CLI

Use the commands in this topic to verify DTI communication.

To validate DTI access:

1. Go to CLI configuration mode.

hostname > enable
hostname # configure terminal

2. Check the status of the DTI service.

hostname (config) # show fenet status

Dynamic Threat Intelligence Service:

Update source : <online>
Enabled : yes
Download : [email protected]
Upload : [email protected]
Mil : [email protected]

HTTP Proxy:

Address :
Username :
User-agent :

Request Session:

Timeout : 30
Retries : 0
Speed Time : 60
Max Time : 14400
Rate Limit :
Speed Limit : 1

Dynamic Threat Intelligence Lockdown:

Enabled : no
Locked : no
Lock After : 5 failed attempts

UPDATES
Enabled Notify Scheduled Last Updated At
------- ------ -------------- ---------------
Security contents: yes no every 2020/12/03 11:40:00
Stats contents : yes none 2020/12/07 06:13:00

3. Confirm the following information:

• Update source is online.
• DTI service is enabled.
• DTI service username is the name provided with the DTI subscription license.
• DTI service address is one of the following:
  cloud.fireeye.com
  The IP address of the managing Central Management System appliance.

Note

In rare cases, your DTI service address could be a variant of cloud.fireeye.com.

Attaching and detaching DMZ servers

Use the CLI commands in this topic to attach or detach DMZ servers to or from the primary Endpoint Security (HX) server.
Attaching the servers allows them to communicate.

Note

Up to two DMZ servers can be attached to an on-premises Endpoint Security (HX) appliance or virtual Endpoint Security (HX)
server. In cloud environments, only a single DMZ server can be connected to the Endpoint Security (HX) server.
A single Endpoint Security (HX) ecosystem, which includes the Endpoint Security (HX) server and any installed DMZ servers,
can support up to 100,000 agents.

Important

Your servers must run the same version of Endpoint Security (HX) software. If they use different versions, communication
between them will fail.

The Central Management System appliance can be used to upgrade and manage DMZ servers, with the following caveats.

• Indicator updates from the Central Management System appliance or from the DTI (Dynamic Threat Intelligence) Cloud
cannot be sent directly to the DMZ server. Instead, they are acquired from the Central Management System appliance or
the DTI by the primary Endpoint Security (HX) server and transferred to the DMZ server.
• If you have problems connecting your Central Management System appliance to your DMZ server, consider the firewalls
your organization has in place. In some circumstances, the DMZ server is not accessible to the Central Management
System appliance because a firewall is blocking the connection.

Prerequisites

• Admin or fe_services access

Attaching a DMZ server to the primary Endpoint Security (HX) server

Follow the instructions below to attach a DMZ server to the primary Endpoint Security (HX) server.

To attach a DMZ server to the primary Endpoint Security (HX) server:

1. On the DMZ server, enable CLI configuration mode:

hostname > enable
hostname # configure terminal

2. Verify the server's current role:

hostname (config) # show hx ecosystem

The DMZ server displays:

Appliance Role: dmz

3. Generate a passphrase for the DMZ server:

hostname (config) # hx ecosystem dmz attach-initiate

The system displays a passphrase that you must use on the primary Endpoint Security (HX) server by the expiration time
shown.
For example:

Attach passphrase: $J^N%n@rsZ6F

This passphrase will expire at 2014-11-20 21:29:54 UTC.

If you do not use it in that time, you will need to re-initiate the listener.

Note

Reinitiating the listener means repeating this step to generate a new passphrase.

4. On the primary Endpoint Security (HX) server, enable CLI configuration mode:

hostname > enable
hostname # configure terminal

5. Attach the DMZ server to the primary Endpoint Security (HX) server:

hostname (config) # hx ecosystem dmz attach <dmz-hostname-or-IP> passphrase <passphrase>

6. Verify that the DMZ server is attached.

• View ecosystem roles:


hostname (config) # show hx ecosystem

A primary Endpoint Security (HX) server configuration with an attached DMZ server displays:

Appliance Role: master


DMZ Appliance: {<IP address or domain name of DMZ appliance>}

• View the DMZ server attachment in the PKI settings:


hostname (config) # show hx pki

The response includes certification and ping times, which should be the same for both servers.

Detaching a DMZ server from the primary Endpoint Security (HX) server

Follow the instructions below to detach a DMZ server from the primary Endpoint Security (HX) server.

To detach a DMZ server from the primary Endpoint Security (HX) server:

1. On the primary Endpoint Security (HX) server, enable CLI configuration mode:

hostname > enable


hostname # configure terminal

2. Detach the DMZ server:

hostname (config) # no hx ecosystem dmz <dmz-hostname-or-IP>

3. Verify that the DMZ server is no longer attached to the primary Endpoint Security (HX) server.

• View the ecosystem roles:


hostname (config) # show hx ecosystem

The list of current HX ecosystem configuration roles no longer contains the DMZ server that you detached.
• View the PKI settings:
hostname (config) # show hx pki

The response no longer includes the information about the DMZ server that you detached.

Server boot order

Error messages appear and log messages are written if an Endpoint Security (HX) server or DMZ server is started and the
attached server is not started.

If your Endpoint Security (HX) server is attached to a DMZ server, Trellix recommends that they be started (booted) in the
following order:

1. Start the DMZ server first.


2. Start the Endpoint Security (HX) server second.

For best results, the appliances should be rebooted one right after the other.

Endpoint Security (HX) server cluster IP address change guidelines

An Endpoint Security (HX) server cluster is an environment in which an Endpoint Security (HX) server and one or more DMZ
servers are installed.

If you are running an Endpoint Security (HX) cluster environment at your site and you need to change the IP address of the
Endpoint Security (HX) server, follow these guidelines. If you do not follow these guidelines, your agents might not recognize the
IP address of the Endpoint Security (HX) server and will no longer respond to it.

1. Add the new IP address before changing the existing one.


2. Add the new IP address to the Agent Settings page of the Web UI and wait for the agents to download the update from the
Endpoint Security (HX) server. This will ensure that their server address lists are updated.

After you have performed these steps, it is safe to assign the new IP address to your Endpoint Security (HX) server.

Configuring the server address list


The server address list is a list of Endpoint Security (HX) (primary and DMZ) servers installed in your enterprise. If your enterprise
deploys both primary and DMZ servers on the network, you need to consider the deployment topology when you configure
agent communication. For example, if a host endpoint will be used outside the enterprise network and its agent is expected to
communicate with a DMZ server, the DMZ server’s address must be included in the server address list. Trellix recommends that
the first server in the server address list be the most accessible to the largest number of hosts.

• Server address order


Agents attempt to connect to the first Endpoint Security (HX) server listed in the server address list. If the first server is
unavailable, the agent then attempts to reach the second server, and so on.

Note

The address order is set by the order in which you add the servers to the server address list. The first server added is
the first one in the list. The second server added is the second in the list.

• Provisioning server
HX and HXD Series (Endpoint Security (HX)) releases before version 3.0 support the use of a single provisioning
appliance, identified as the primary appliance. HX Series version 3.0 and later support the use of multiple provisioning
appliances for endpoints running Trellix xAgent software version 20 or later and a single provisioning appliance for
endpoints running Trellix xAgent software version 11 or earlier. Trellix xAgents use provisioning servers to connect and
complete their installation by establishing their cryptographic agent identity. Any Endpoint Security (HX) server, including
a DMZ server, can be enabled to do provisioning. Endpoint Security (HX) provisioning servers must be accessible by
agents within your company's network. DMZ provisioning servers must be accessible inside and outside your company's
network.
• Primary server
If the endpoints in your environment have xAgent software versions earlier than version 20 installed, a single Endpoint
Security (HX) server must be designated as the primary appliance. This appliance must be accessible within the network
by all agents when they are initially installed on hosts. The primary server manages the initial provisioning of the agents.
You can use either your internal Endpoint Security (HX) server or a DMZ server as your primary server.

Endpoint Security (HX) server administrators and operators can add or remove servers on the server address list.

• Adding a server to the server address list using the Web UI


• Removing a server from the server address list using the Web UI
Prerequisites

• Admin or Operator access


• The Endpoint Security (HX) server is physically installed on the network for agent access

Adding a server to the server address list

You can add an Endpoint Security (HX) server to the server address list using the Web UI.

• Adding a server to the server address list using the Web UI

Adding a server to the server address list using the Web UI

To add a server to the server address list using the Web UI:

1. Log into the Web UI as an administrator or an operator.


2. Select Policies on the Admin menu.
3. Click Agent Default policy.
The Edit Policy page opens.
4. Select the Server Addresses tab.
5. In the Enter server address of appliance text box on the Server Addresses tab, enter the hostname or the IP address of the
Endpoint Security (HX) server, and click Add.
All available servers appear in the list shown in the Enable Provisioning section of the page.
6. In the Enable Provisioning section, indicate which Endpoint Security (HX) server will be the provisioning server by selecting
the Enable Provisioning checkbox in the row containing the server name or IP address. At least one server must be
designated as a provisioning server. See Designating provisioning servers.
(Optional) If the endpoints in your environment have agent software versions earlier than version 20 installed, select the
Set as primary checkbox in the row containing the server name or IP address if the added server will be doing provisioning.
This specifies the server as the primary server for your network. Primary servers are used to provision agents older than
version 20. Only a single server can be designated as a primary server. See Designating provisioning appliances.
7. Click Save.

Removing a server from the server address list

You can remove an Endpoint Security (HX) server from the server address list using the Web UI.

• Removing a server from the server address list using the Web UI

Removing a server from the server address list using the Web UI

To delete a server from the server address list using the Web UI:

1. Log into the Web UI as an administrator or an operator.


2. Select Policies on the Admin menu, and then select the Server Addresses tab.

3. Select the remove icon next to the IP address or host to delete.


4. Click Save.

Setting up provisioning
Provisioning establishes unique cryptographic identities for the agents installed on your host endpoints. To complete the Trellix
xAgent installation on a host endpoint, the agent connects to a provisioning Endpoint Security (HX) server that then determines
the cryptographic identity for the agent. When provisioning does not occur, the server does not know about and cannot collect
data from the host endpoint on which the agent is installed.

Any Endpoint Security (HX) server, including a DMZ server, can be enabled to do provisioning. Both physical and virtual Endpoint
Security (HX) appliances can be enabled to do provisioning.

If the endpoints in your environment have agent software versions earlier than version 20 installed, they can only provision
against a single Endpoint Security (HX) server, identified as the primary server. By default, the provisioning server is the first
server listed in the agent server address list, which is usually your internal (non-DMZ) server.

If the endpoints in your environment have agent software version 20 or later installed, they can provision against multiple
Endpoint Security (HX) servers. By default, your internal Endpoint Security (HX) server is a provisioning server.

Provisioning Endpoint Security (HX) servers must be accessible by agents within your company's internal network. Provisioning
DMZ servers must be accessible by agents inside and outside your company's network.

Important

You must identify the servers that will be your provisioning servers before you download the Trellix xAgent installation
software to your host endpoints. When agent installation software is downloaded, the IP addresses or DNS names of the
provisioning Endpoint Security (HX) servers are identified in the agent download package.

To set up provisioning:

1. Enable provisioning on the servers you might want to use for provisioning. See Enabling servers for provisioning.
2. Designate which provisioning-enabled server you want to use. See Designating provisioning servers. This must be done
before you download agent software to your host endpoints.
You can cancel a server as a provisioning server. See Canceling provisioning servers.

Prerequisites

• Admin or fe_services access

Enabling servers for provisioning

Before you can designate a server as a provisioning server in your environment, you must enable the server to do provisioning.

Prerequisites

• Admin or Operator access

To enable a server for provisioning:

1. Log in to the Endpoint Security (HX) Server Web UI.


2. From the Admin menu, select Agent Versions.
3. In the upper right corner of the page, select Assign Server Addresses to open the Policies page.
4. From the Policies table, click the Agent Default policy link.
5. Select the Server Addresses tab.
6. From the Enable Provisioning section, locate the server you want to use for provisioning.
7. Select the Enable Provisioning checkbox associated with the server you identified in step 6.
8. Click Save.

Designating provisioning servers

After enabling provisioning on a server, you must designate it to do provisioning.

The provisioning server address can be a split DNS that resolves differently depending on whether an agent is operating inside
or outside your company’s internal network. When the agent is inside the network, the DNS resolves to the primary Endpoint
Security (HX) server; when the agent is outside the network, the DNS resolves to the DMZ server.

This section covers the following topics:

• Designating the server as a provisioning server using the Web UI


• Designating a DMZ server as a provisioning server using the Web UI
• Designating provisioning servers using a split DNS in the Web UI
Prerequisites

• Admin or Operator access

Designating the Endpoint Security (HX) server as a provisioning server using the Web UI

Note

For agents version 20 or later, the primary (non-DMZ) Endpoint Security (HX) server is designated as a provisioning server by
default. It cannot be canceled as a provisioning server.
For agents earlier than version 20, you must manually designate the primary Endpoint Security (HX) server for provisioning.

To designate the primary Endpoint Security (HX) server as a provisioning server using the Web UI:

1. Log in to the Endpoint Security (HX) server Web UI.


2. From the Admin menu, select Agent Versions.
3. In the upper right corner of the page, select Assign Server Addresses to open the Policies page.
4. From the Policies table, click the Agent Default policy link.

5. Select the Server Addresses tab.


6. From the Enable Provisioning section, locate the server that you want to use for provisioning.
7. If endpoints in your environment have agent software versions earlier than version 20 installed, select Set as Primary to
designate the Endpoint Security (HX) server as the primary server.
If endpoints in your environment have agent software version 20 or later installed, select Enable Provisioning to designate
the Endpoint Security (HX) server as a provisioning server. At least one server must be designated as a provisioning server.
If your environment includes endpoints with agent software versions both earlier and later than version 20 installed, select
Set as Primary and Enable Provisioning for the provisioning server. Only one server can be designated the primary server.
8. Click Save.

Designating and enabling a DMZ server as a provisioning server

When you use the Web UI to enable provisioning on your DMZ server, your Endpoint Security (HX) agents receive the new
configuration setting but the provisioning server does not start on your DMZ server. To start the provisioning server on your DMZ
server, you must also enable provisioning on your DMZ server through the CLI or provisioning will fail.

To designate a DMZ server as a provisioning server using the Web UI:

Note

After you use the Web UI to designate the DMZ server as a provisioning server, you must also enable provisioning for the
DMZ server in the CLI.

1. Log in to the Web UI for your DMZ server.


2. From the Admin menu, select Agent Versions.
3. In the upper right corner of the page, select Assign Server Addresses to go to the Policies page.
4. From the Policies table, click the Agent Default policy link.
5. Select the Server Addresses tab.
6. From the Enable Provisioning section, locate the DMZ server that you want to use for provisioning.
7. If the endpoints in your environment have agent software versions earlier than version 20 installed, select Set as Primary
to designate the DMZ server as the provisioning server. This will deselect any other server on the Server Addresses tab as
the primary server.
If the endpoints in your environment have agent software version 20 or later installed, select Enable Provisioning to
designate the DMZ server as a provisioning server.
8. Click Save.

To use the Endpoint Security (HX) server CLI to enable provisioning for a DMZ server:

1. On your Endpoint Security (HX) appliance, enable CLI configuration mode.

hostname > enable
hostname # configure terminal

2. Enable provisioning on your DMZ server:

hostname (config) # hx ecosystem dmz <dmz-ip> provisioning-enabled

where <dmz-ip> is the IP address of the DMZ server for which you are enabling provisioning.
3. Save your changes.

hostname (config) # write memory

4. Verify that the DMZ server is a provisioning appliance.

hostname (config) # show hx ecosystem

The server configuration should show an attached DMZ server with provisioning enabled:

Appliance Role: master

DMZ Appliance: {<IP address> or <domain name of DMZ appliance>}


Provisioning: enabled

Designating provisioning servers using a split DNS in the Web UI

The provisioning server address can be a split DNS that resolves differently depending on whether the host on which the agent is
installed is operating inside or outside your company’s internal network. When the agent is inside the network, the DNS resolves
to the internal Endpoint Security (HX) server; when the agent is outside the network, the DNS resolves to the DMZ server.

Prerequisites

• Admin or fe_services access


• A split DNS set up to resolve to your internal Endpoint Security (HX) server when the agent is inside the network and to
the DMZ server when the agent is outside the network.

To designate the provisioning server using a split DNS name:

1. Using the Web UI, enable both your primary Endpoint Security (HX) server and your DMZ server for provisioning. See
Designating the Endpoint Security server as a provisioning server using the Web UI and Designating and enabling a DMZ
server as a provisioning server.
2. In the Web UI, select Agent Versions on the Admin menu, and then select Assign Server Addresses in the upper right corner
of the page to open the Policies page.
3. From the Policies table, click the Agent Default policy link, and then select the Server Addresses tab.
4. Enter the split DNS name and click Add.
5. If the endpoints in your environment have xAgent software versions earlier than version 20 installed, select Set as Primary
to designate the split DNS name as the primary (provisioning) server. This will deselect any other entry on the Server
Addresses tab as the primary server.
If the endpoints in your environment have xAgent software version 20 or later installed, select Enable Provisioning to
designate the split DNS name as a provisioning server address.
6. Click Save.
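The rules spread over the server address list and provisioning sections above (agents walk the list in the order the servers were added, at least one server must have Enable Provisioning, at most one server can be Set as Primary, a DMZ server that provisions needs both the Web UI checkbox and the CLI provisioning-enabled step, and a split DNS name resolves differently inside and outside the network) are easy to get wrong in combination. The following is an added example, not code from the guide or from the product: it checks a policy against those rules and simulates which server an agent on a given network view would pick. The ServerEntry fields, the resolver "views", and the sample policy with hx.corp.example and 203.0.113.10 are assumptions for illustration; the real settings live in the Agent Default policy.

```python
# Added example (not from this guide or the product): checks an agent server-address
# policy against the rules stated in this chapter and simulates which server an agent
# would pick. The data model below (ServerEntry fields, resolver "views") is an
# assumption for illustration; the real policy lives in the Agent Default policy.
from dataclasses import dataclass


@dataclass
class ServerEntry:
    address: str                            # hostname or IP typed into the Server Addresses tab
    is_dmz: bool
    enable_provisioning: bool = False       # Web UI "Enable Provisioning" checkbox
    set_as_primary: bool = False            # Web UI "Set as Primary" checkbox (one server at most)
    cli_provisioning_enabled: bool = False  # DMZ only: 'hx ecosystem dmz <dmz-ip> provisioning-enabled'


def validate_policy(servers, roaming_hosts, legacy_agents):
    """Return a list of problems; an empty list means the policy is consistent.

    servers        ordered ServerEntry list, in the order the servers were added
                   (agents try them in that order)
    roaming_hosts  True if some endpoints operate outside the enterprise network
    legacy_agents  True if any endpoint runs xAgent earlier than version 20
    """
    problems = []
    if not servers:
        return ["server address list is empty"]
    if not any(s.enable_provisioning for s in servers):
        problems.append("no server has Enable Provisioning set; at least one is required")
    primaries = [s.address for s in servers if s.set_as_primary]
    if len(primaries) > 1:
        problems.append("more than one server is Set as Primary: " + ", ".join(primaries))
    if legacy_agents and not primaries:
        problems.append("agents earlier than version 20 need one server Set as Primary")
    if roaming_hosts and not any(s.is_dmz for s in servers):
        problems.append("roaming hosts expected but no DMZ server is in the list")
    for s in servers:
        if s.is_dmz and s.enable_provisioning and not s.cli_provisioning_enabled:
            problems.append(f"{s.address}: provisioning enabled in the Web UI but not with "
                            "'hx ecosystem dmz <dmz-ip> provisioning-enabled'; provisioning will fail")
    return problems


def pick_server(servers, resolver, reachable):
    """Simulate the agent walking the list: first entry that resolves to a reachable IP.

    resolver   dict hostname -> IP for the network the agent is on right now
               (one dict per split-DNS view); bare IPs resolve to themselves
    reachable  set of IPs the agent can actually connect to
    Returns (address_as_listed, resolved_ip), or None if every server is down.
    """
    for s in servers:
        ip = resolver.get(s.address, s.address)
        if ip in reachable:
            return s.address, ip
    return None


# Constructed sample policy and DNS views (not from a real deployment). The name
# hx.corp.example is a split DNS name: inside it resolves to the internal server,
# outside to the DMZ server, which is also listed by IP as a fallback entry.
SAMPLE_POLICY = [
    ServerEntry("hx.corp.example", is_dmz=False, enable_provisioning=True, set_as_primary=True),
    ServerEntry("203.0.113.10", is_dmz=True, enable_provisioning=True, cli_provisioning_enabled=False),
]
INSIDE_VIEW = {"hx.corp.example": "10.0.0.5"}
OUTSIDE_VIEW = {"hx.corp.example": "203.0.113.10"}


if __name__ == "__main__":
    for p in validate_policy(SAMPLE_POLICY, roaming_hosts=True, legacy_agents=True):
        print("policy problem:", p)
    print("inside :", pick_server(SAMPLE_POLICY, INSIDE_VIEW, {"10.0.0.5", "203.0.113.10"}))
    print("outside:", pick_server(SAMPLE_POLICY, OUTSIDE_VIEW, {"203.0.113.10"}))
```

Run as-is, the sample policy reports exactly one problem, the DMZ server that was ticked in the Web UI but never enabled from the CLI, which is the failure mode described in Designating and enabling a DMZ server as a provisioning server. The pick_server calls show the same first list entry resolving to the internal server inside the network and to the DMZ server outside, and the bare-IP entry taking over only when the name does not resolve.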

Canceling provisioning servers

You can cancel a server as the provisioning server.

Note

You must have at least one provisioning server.

This section covers the following topics:

• Canceling the primary server as a provisioning server using the Web UI


• Canceling a DMZ server as a provisioning server using the Web UI
Prerequisites

• Admin or Operator access

Canceling the primary server as a provisioning server using the Web UI

Note

For agents version 20 or later, the Endpoint Security (HX) server is designated as a provisioning server by default. You cannot
cancel it as a provisioning server.
For agents earlier than version 20, you can cancel the Endpoint Security (HX) server as a provisioning server.

To cancel the Endpoint Security (HX) server as a provisioning server using the Web UI:

1. In the Web UI, select Agent Versions on the Admin menu.


The Agent Versions page appears.
2. Select Assign Server Addresses in the upper right corner of the page.
The Edit Policy page for the Agent Default policy appears.
3. Select the Server Addresses tab.
4. Locate your server in the server list in the Enable Provisioning section of the page.
5. For agents earlier than version 20, locate another server in the list of servers and select Set as Primary to designate it as
the provisioning server. This will cancel the primary Endpoint Security (HX) server as the provisioning server.
You cannot cancel the primary Endpoint Security (HX) server as a provisioning server for version 20 or later agents.
6. Click Save.

Canceling a DMZ server as a provisioning server using the Web UI

To cancel a DMZ server as a provisioning server using the Web UI:

1. In the Web UI, select Agent Versions on the Admin menu.

The Agent Versions page appears.


2. Select Assign Server Addresses.
The Edit Policy page for the Agent Default policy appears.
3. Select the Server Addresses tab.
4. Locate the DMZ server in the Enable Provisioning section of the page.
For agents earlier than version 20, locate another server in the list of servers and select Set as Primary to designate it as
the provisioning server. This will cancel the DMZ server as the provisioning server.
For agents version 20 or later, deselect Enable Provisioning to cancel the DMZ server as a provisioning appliance.
5. Click Save.


5| Integration

Integration
• How appliance alerts become HX alerts and CM badges
• Integrating CM series and HX series appliances
• Integrating other appliances and HX series appliances
• SNMP data
• Integrating HX with SIEMs

How Trellix appliance alerts become Endpoint Security (HX) alerts and
Central Management System badges
The Endpoint Security (HX) server generates endpoint alerts based on indicators of compromise (IOCs). It uses the following
types of IOCs: Mandiant intelligence, Trellix appliance alerts, and custom intelligence. The Central Management System appliance
does not aggregate all of the Endpoint Security (HX) alerts, but only Endpoint Security (HX) alerts that are generated from a Trellix
appliance IOC.

The following steps describe the process by which a Trellix appliance alert becomes an Endpoint Security (HX) alert and a Central
Management System badge:

1. A Trellix appliance triggers an alert for a web infection, malware object, or malware callback.
2. The Trellix appliance reports the alert to the Central Management System appliance.
3. The Central Management System appliance determines if an IOC for the Endpoint Security (HX) server should be created
and, if so, publishes it.
4. The Endpoint Security (HX) server transforms the Central Management System indicator into an Endpoint Security (HX) IOC
and publishes it for the xAgents.
5. The Endpoint Security (HX) agents search their hosts for any indicator of compromise. If a match is found, the agent reports
back to the Endpoint Security (HX) server. The Endpoint Security (HX) server creates an alert, which is aggregated to the
Central Management System appliance if that alert was based upon an IOC from a managed appliance.
6. The Central Management System appliance correlates the Endpoint Security (HX) alert with the managed appliance alerts
and creates badges for the appropriate alerts. Network Security alerts will have an endpoint compromised badge. Email
Security — Server alerts will have a related endpoint badge.

Endpoint Security (HX) and Trellix appliance alert disparity

There is rarely a one-to-one relationship between Endpoint Security (HX) alerts and other Trellix appliance alerts.

Indicators that are passed to the Endpoint Security (HX) server may not produce alerts if the Trellix appliance blocks the malware
download, if the combination of platform and application version do not expose the required vulnerability, or if the endpoint is
no longer present in the network.

Network appliances evaluate possible infections within the network rather than actual infections. If a user accesses an infected
website but the browser and system are not vulnerable to that infection, no infections are downloaded to their endpoint. But
the network appliance still fully evaluates the infected site, running various browsers and versions to do so. It will likely generate
multiple alerts for the infected site even though none of the infections occurred on the actual endpoint host and no Endpoint
Security (HX) alerts have been generated.

Here are some other reasons why Endpoint Security (HX) and the other Trellix appliance alert counts differ:

• Not all Trellix appliance alerts provide the kind of data from which an Endpoint Security (HX) indicator can be created.
• Only alerts originating from Trellix appliance IOCs are aggregated to the Central Management System appliance.
• By default, only alerts that are classified as major severity alerts or higher are sent to the Endpoint Security (HX) server,
resulting in only high-fidelity endpoint alerts.

Network Security and Endpoint Security (HX) alert matches

Network Security malware object and malware callback alerts are translated into Endpoint Security (HX) IOCs. An Endpoint
Security (HX) alert is generated when an IOC condition is detected on an endpoint host. The Central Management System
appliance then aggregates the Endpoint Security (HX) alert and badges the original Network Security alert as endpoint
compromised. It matches the endpoint host IP address with the Network Security alert source IP address and malware artifacts,
confirming that evidence of the malware that triggered the Network Security alert was found on the endpoint host.

Email Security — Server and Endpoint Security (HX) alert matches

Email Security — Server malware object and malware callback alerts are translated into Endpoint Security (HX) IOCs. An Endpoint
Security (HX) alert is generated when an IOC condition is detected on an endpoint host. The Central Management System
appliance then aggregates the Endpoint Security (HX) alert and badges the original Email Security — Server alert as a related
endpoint. It matches endpoint host malware artifacts with the Email Security — Server alert malware artifacts, confirming that
evidence of the malware that triggered the Email Security — Server alert was found on the endpoint host.

Email Security — Server alerts do not contain a source IP address that can be matched directly to the endpoint host IP address.
The Central Management System badge indicates the most probable source of origin of the compromise.

Integrating Central Management System appliances and Endpoint


Security (HX) servers
Trellix recommends that you use a Central Management System appliance to manage your Endpoint Security (HX) server to
ensure that your server receives the highest-fidelity indicators available. Central Management System of an Endpoint Security
(HX) server can be set up using the Central Management System Web UI. See the appendix "Configuring a Managed Appliance" in
the Trellix System Security Guide.

Note

Errors result if you attempt to use the Central Management System CLI to set up management of an Endpoint Security (HX)
server. Use the Web UI only.

If your Endpoint Security (HX) server and other Trellix appliances are managed by a Central Management System appliance,
the Endpoint Security (HX) server automatically receives indicators from the other Trellix appliances. The Central Management
System appliance streamlines management of multiple appliances and enhances detection by correlating indicators. See How
appliance alerts become Endpoint Security alerts and CM badges.

The Central Management System platform can be used to upgrade and manage an Endpoint Security (HX) DMZ server, with the
following caveats.

• Indicator updates from the Central Management System appliance or from the DTI (Dynamic Threat Intelligence) Cloud
to the DMZ server must be configured separately. See Configuring a CM-managed HXD appliance to get updates from
DTI. If these steps are not performed, indicator updates are acquired from the Central Management System appliance
and the DTI by the Endpoint Security (HX) server and transferred to the DMZ server.
• If you have problems connecting your Central Management System appliance to your DMZ server, consider the firewalls
your organization has in place. In some circumstances, the DMZ server is not accessible to the Central Management
System appliance because a firewall is blocking the connection.

Central Management System releases earlier than Release 7.6 do not support integration with Endpoint Security (HX) servers.
Endpoint Security (HX) releases earlier than Release 2.6 do not support integration with Central Management System appliances.
If you are running a Central Management System release earlier than Release 7.6, see Integrating other appliances and HX Series
appliances.

Important

Do not attempt to integrate your Endpoint Security (HX) server with a Central Management System appliance if you have
already integrated with other Trellix appliances as described in Integrating other appliances and HX series appliances. Using
both types of integration will cause errors in the Central Management System integration.

The configuration of your Endpoint Security (HX) server with the Central Management System appliance happens automatically
after they are both installed. Use the instructions in this section to ensure the settings on each appliance are correct.

Caution

When you remove a managed appliance from the Central Management System platform, all data (including alert information)
associated with the appliance is removed. If you add the appliance again later, the data is restored, but all alerts generated by
the appliance are assigned new IDs. Because the alerts have new IDs, Endpoint Security (HX) links for alerts will break if the
alerts were generated by the appliance before it was removed from the Central Management System platform.

To configure Central Management System 7.6 or later and Endpoint Security (HX) server integration:

1. On your Central Management System appliance, enable CLI configuration mode.

hostname > enable
hostname # configure terminal

2. Determine the latest alert ID on the Central Management System appliance.

hostname (config) # show log matching "alert id"

The output from this command lists log file entries that include the CM Series alert ID.

Mar 16 18:02:51 FireEye_CM notifyd[9696]: tid 5175: [notifyd.INFO]: [inform_fireeye_hx] processing alert id=5762 infection-id=2291 infection-type=malware-object began at:2017-03-17 01:02:51, finish at:2017-03-17 01:02:51 time cost:0 micro-seconds sequence-id=140655883976776

3. Review the log file and choose a CM Series alert ID. The Endpoint Security (HX) server will start collecting CM Series IOC data
for this alert ID after the server attaches to the Central Management System appliance.
In Endpoint Security (HX), the CM Series alert ID is called a bookmark.
4. On your Endpoint Security (HX) server, enable CLI configuration mode.

hostname > enable
hostname # configure terminal

5. Set the starting CM Series alert ID for the integration.

hostname (config) # hx server detection inbound bookmark <CM-alert ID>

where <CM-alert ID> is the starting CM Series alert ID you chose earlier in these steps. The default is 0 (zero), which
downloads all of the CM Series alerts to the Endpoint Security (HX) server after the products are integrated.

Caution

FireEye does not recommend selecting a CM Series alert ID of 0 because of the performance impact this may have on
your Endpoint Security (HX) server after the initial integration with the Central Management System appliance.

If you accidentally set the CM Series alert ID to 0 and you want to delete all or many of the IOCs downloaded from
the Central Management System appliance, temporarily change the Endpoint Security (HX) indicator and alert aging
threshold in the Web UI to just a few days. The Endpoint Security (HX) server will automatically delete IOCs that exceed
this threshold. See "Managing Real-Time Indicator Detection" in the Endpoint Security Agent (HX) Administration Guide.
Alternatively, you can manually remove the IOCs from the Endpoint Security (HX) server using the Indicators page in the
Endpoint Security (HX) Web UI.

6. View detection-related settings for the Endpoint Security (HX) server:

hostname (config) # show hx server detection

Sample output from this command is shown below:

HX Server Detection Configuration:
Generated Indicator Aging: enabled
Generated Indicator Aging Period: 14 days
Alert Aging Period: 30 days
False Positive Alert Aging Period: 1 day

64 Endpoint Security (HX) Virtual Server 10.x Deployment Guide


5| Integration

Intel Matching: enabled
Legacy notification listener active: no
Malicious.URL Indicator Generation (legacy): yes
Suspicious (noisy) Indicator Generation (legacy): no
Inbound alert poll interval: 5 minutes
Inbound alert minimum severity: majr
No ignored alert types.
Last bookmark ID: 5762

If the Legacy notification listener active field is set to no, Central Management System integration with the Endpoint
Security (HX) server is operational and no further steps are necessary. This is the default configuration for Endpoint Security
(HX) 2.6 and later appliances.
If the Legacy notification listener active setting is not set to no, proceed with the remaining steps in this procedure.
7. Disable Trellix legacy appliance support:

hostname (config) # no hx server detection legacy enable

Important

Do not attempt to integrate your Endpoint Security (HX) server with a Central Management System appliance if you
have already integrated with other Trellix appliances as described in Integrating other appliances and Endpoint Security
appliances. Using both types of integration will cause errors in the Central Management System integration.

8. Save your changes:

hostname (config) # write mem

9. Log in to the Central Management System Web UI and select CMS Settings.
10. Select Notifications in the left navigation pane.
11. Click the http table heading to access HTTP notification configuration fields. These fields allow you to access the HTTP
connection definitions set up for your FireEye appliance.
12. If an Endpoint Security (HX) server HTTP connection has been defined, disable HTTP notifications to the Endpoint Security
(HX) appliance by clearing the checkbox in the Enabled column of the Endpoint Security (HX) connection definition.

For more information about Central Management System requirements for integration with the Endpoint Security (HX) server,
see the Central Management System Administration Guide.

Configuring a Central Management-managed DMZ server to get updates from DTI

You can configure a Central Management-managed DMZ server to obtain updates from DTI rather than from the Central
Management.

To configure a Central Management-managed DMZ server to get updates from DTI:


1. On the DMZ server, go to CLI configuration mode:

hostname > enable


hostname # configure terminal

2. Override the downloads from the Central Management:

hostname (config) # fenet dti source override enable

3. Apply a custom DTI source:

hostname (config) # fenet dti source default CDN

4. Verify the configuration:

hostname (config) # show fenet dti configuration

5. When the configuration is correct, save your changes:

hostname (config) # write memory

Replacing integrated Central Management System appliances and Endpoint Security (HX) servers

To successfully replace an integrated Central Management System appliance or Endpoint Security (HX) server, you must manually
configure the Endpoint Security (HX) server Bookmark ID. This manual configuration ensures retrieval of relevant IOCs in a timely
manner from the Central Management System appliance.

Overview

When an Endpoint Security (HX) server is managed by a Central Management System appliance, the Central Management System
appliance sends a notification of the latest Alert ID to the Endpoint Security (HX) server. The Endpoint Security (HX) server then
polls the Central Management System appliance for the Alert ID and retrieves Indicators Of Compromise (IOC) details for the
specified alert. The Endpoint Security (HX) server then updates the Bookmark ID to identify the next Alert ID to use when polling
the Central Management System appliance.

A newly manufactured Endpoint Security (HX) server has a Bookmark ID equal to zero. When the Endpoint Security (HX) server is
attached to the Central Management System appliance, the Central Management System appliance will send the latest Alert ID
to the Endpoint Security (HX) server. The Endpoint Security (HX) server will then poll the Central Management System appliance
for all the Alert IDs from zero through to the latest Alert ID. The delta between the Endpoint Security (HX) server Bookmark ID
and the Central Management System appliance latest Alert ID can be in the thousands, resulting in a performance impact on the
Endpoint Security (HX) server as it gathers all the IOCs.


Replacement scenarios

The following scenarios are explained in detail.

1. New Central Management System appliance, New Endpoint Security (HX) server, existing Network Security/Email
Security — Server/File Protect/Malware Analysis with a large history of alerts: In this scenario, a large delta may accrue
for all of the historic and incoming alerts on the Trellix detection devices.
2. New Central Management System appliance, existing Endpoint Security (HX) server, existing Network Security/Email
Security — Server/File Protect/Malware Analysis with a high volume of alerts: In this scenario, a large delta may accrue
while the Central Management System appliance is offline with a large influx of alerts.
3. New Central Management System appliance, existing Endpoint Security (HX) server, existing Network Security/Email
Security — Server/File Protect/Malware Analysis with a low volume of alerts: The Bookmark ID may be greater than the
actual latest Alert ID which can potentially result in missed alert IOCs.
4. Existing Central Management System appliance, New Endpoint Security (HX) server, existing Network Security/Email
Security — Server/File Protect/Malware Analysis with a large history of alerts: A large delta may accrue for all of the
historic and incoming alerts on the Trellix detection devices.

Replacement scenario 1: New Central Management System appliance, New Endpoint Security (HX) server, existing Network Security/Email Security — Server/File Protect/Malware Analysis with a large history of alerts

When a customer installs a new Central Management System appliance (new purchase, model upgrade or RMA) and a new
Endpoint Security (HX) server (new purchase, model upgrade or RMA) in an existing Network Security/Email Security — Server/
File Protect/Malware Analysis environment:

• The Central Management System appliance Alert ID is zero
• The Endpoint Security (HX) server Bookmark ID is zero
• The Network Security/Email Security — Server/File Protect/Malware Analysis latest alert ID is a large number

The Central Management System appliance will aggregate all of the existing alert data and send notifications for all of the Alert
IDs to the managed Endpoint Security (HX) server. The Endpoint Security (HX) server will poll the Central Management System
appliance for all of the alerts between zero and the latest Alert ID. This could result in a large delta and could impact the
performance of the Endpoint Security (HX) server. The process of the Endpoint Security (HX) server Bookmark ID catching up
to the latest Alert ID can take many hours or days depending on the amount of alert data present on the Central Management
System appliance. This can result in a significant delay in the Endpoint Security (HX) server receiving the latest, most relevant
IOCs, causing missed malware detection on the endpoints. To prevent this, advance the Endpoint Security (HX) server Bookmark
ID to a recent Alert ID (see steps below) before attaching the Endpoint Security (HX) server to the Central Management System
appliance.


Replacement scenario 2: New Central Management System appliance, existing Endpoint Security (HX) server, existing Network Security/Email Security — Server/File Protect/Malware Analysis with a high volume of alerts

When a customer installs a new Central Management System appliance (new purchase, model upgrade or RMA) in an
existing Endpoint Security (HX) server and Network Security/Email Security — Server/File Protect/Malware Analysis high volume
environment:

• The Central Management System appliance Alert ID is zero
• The Endpoint Security (HX) server Bookmark ID is a large number
• The Network Security/Email Security — Server/File Protect/Malware Analysis latest alert ID is a larger number

The Central Management System appliance will aggregate all of the existing alert data and send notifications for all of the Alert
IDs to the managed Endpoint Security (HX) server. The Endpoint Security (HX) server will poll the Central Management System
appliance for all of the alerts between the last Bookmark ID and the latest Alert ID. For a high-volume alert environment, this
delta can be large depending upon how long the Central Management System appliance is offline and the rate of alert influx. This
could result in a large delta and could impact the performance of the Endpoint Security (HX) server. The process of the Endpoint
Security (HX) server Bookmark ID catching up to the latest Alert ID can take several hours depending on the amount of alert data.
This can result in a delay in the Endpoint Security (HX) server receiving the latest, most relevant IOCs.

Replacement scenario 3: New Central Management System appliance, existing Endpoint Security (HX) server, existing Network Security/Email Security — Server/File Protect/Malware Analysis with a low volume of alerts

When a customer installs a new Central Management System appliance (new purchase, model upgrade or RMA) in an
existing Endpoint Security (HX) server and Network Security/Email Security — Server/File Protect/Malware Analysis low volume
environment:

• The Central Management System appliance Alert ID is zero
• The Endpoint Security (HX) server Bookmark ID is a larger number
• The Network Security/Email Security — Server/File Protect/Malware Analysis latest alert ID is a large number

The Central Management System appliance will aggregate all of the existing alert data and send notifications for all of the
Alert IDs to the managed Endpoint Security (HX) server. In rare cases, the Endpoint Security (HX) server Bookmark ID could be
greater than the latest Central Management System appliance Alert ID. The Endpoint Security (HX) server will poll the Central
Management System appliance for the larger Bookmark ID and will not receive an IOC from the Central Management System
appliance until the Central Management System appliance Alert ID advances to equal the Bookmark ID. This could result in
missing IOCs from alerts with Alert IDs below the Endpoint Security (HX) server Bookmark ID, as well as missing malware
detection on the endpoints. You can modify the Endpoint Security (HX) server Bookmark ID to equal a recent Alert ID (see steps
below) before attaching the Endpoint Security (HX) server to the Central Management System appliance to prevent this.

Replacement scenario 4: Existing Central Management System appliance, New Endpoint Security (HX) server, existing Network Security/Email Security — Server/File Protect/Malware Analysis with a large history of alerts

When a customer installs a new Endpoint Security (HX) server (new purchase, model upgrade or RMA) in an existing Central
Management System appliance and Network Security/Email Security — Server/File Protect/Malware Analysis environment:


• The Central Management System appliance latest Alert ID is a large number
• The Endpoint Security (HX) server Bookmark ID is zero
• The Network Security/Email Security — Server/File Protect/Malware Analysis latest alert ID is a large number

The Central Management System appliance will send notifications for all of the Alert IDs to the managed Endpoint Security (HX)
server. The Endpoint Security (HX) server will poll the Central Management System appliance for all of the alerts between zero
and the latest Alert ID. This could result in a large delta and could impact the performance of the Endpoint Security (HX) server.
The process of the Endpoint Security (HX) server Bookmark ID catching up to the latest Alert ID can take many hours (or days)
depending on the amount of alert data present on the Central Management System appliance. This can result in a significant
delay in the Endpoint Security (HX) server receiving the latest, most relevant IOCs, causing missed malware detection on the
endpoints. To prevent this, you should advance the Endpoint Security (HX) server Bookmark ID to a recent Alert ID (see steps
below) before attaching the Endpoint Security (HX) server to the Central Management System appliance.

Modifying the Endpoint Security (HX) server Bookmark ID

For Scenarios 1, 3, and 4, the Endpoint Security (HX) server Bookmark ID should be set to a recent Central Management System
appliance Alert ID before adding the Endpoint Security (HX) server to the Central Management System appliance. To determine
the most recent Alert ID on the Central Management System appliance, run the following CLI Command:

• sh log matching \bnotifyd\b.*\bdone_notify_alerts\b

In the example below, the Endpoint Security (HX) server Bookmark ID can be set to '5071' to receive the latest IOC from the
Central Management System appliance. However, depending on the scenario, the Endpoint Security (HX) server could have a
large delta or could be missing out on recent IOCs. To get a better Bookmark ID starting point, log into the Central Management
System appliance UI, navigate to the Alerts/Alerts page, set the inline filter Date Range to 'Past 1 Week' (or any desired
time-frame), and apply the filter. The total number of alerts for this time-frame can be found in the upper left-hand corner
of the alerts display. Subtract this number from the most recent Alert ID and set the Endpoint Security (HX) server Bookmark
ID to this number to gather the past week's IOCs. For instance, if the Central Management System appliance displays 50 alerts
for the selected date range, the Bookmark ID can be set to '5021'. The Endpoint Security (HX) server should be added to the
Central Management System appliance. The Endpoint Security (HX) server will begin to gather the IOCs from the alerts from 5021
through the current Central Management System appliance Alert ID as soon as it receives the first Alert notification of the most
current Alert ID from the Central Management System appliance.

Example

dresden # sh log matching \bnotifyd\b.*\bdone_notify_alerts\b

Jul 11 12:51:51 dresden notifyd[28468]: tid 28468: [notifyd.INFO]: SQL:select * from done_notify_alerts('{5069}')
Jul 11 12:53:21 dresden notifyd[28468]: tid 28468: [notifyd.INFO]: SQL:select * from done_notify_alerts('{5070}')
Jul 11 12:54:22 dresden notifyd[28468]: tid 28468: [notifyd.INFO]: SQL:select * from done_notify_alerts('{5071}')
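The Bookmark ID arithmetic described in "Modifying the Endpoint Security (HX) server Bookmark ID", together with the risk checks implied by the four replacement scenarios, as an added Python example that is not part of the guide. It parses the three notifyd lines from the example above (embedded verbatim), takes the highest Alert ID, subtracts the alert count shown on the CMS Alerts page, and flags the conditions the scenarios warn about. The 1000-alert "large delta" threshold is an assumption; the guide only says the delta can be in the thousands.

```python
import re

# Log lines as returned by the CMS command used in the guide:
#   sh log matching \bnotifyd\b.*\bdone_notify_alerts\b
# These are the three lines from the guide's own example, embedded so the
# script runs offline.
SAMPLE_LOG = """\
Jul 11 12:51:51 dresden notifyd[28468]: tid 28468: [notifyd.INFO]: SQL:select * from done_notify_alerts('{5069}')
Jul 11 12:53:21 dresden notifyd[28468]: tid 28468: [notifyd.INFO]: SQL:select * from done_notify_alerts('{5070}')
Jul 11 12:54:22 dresden notifyd[28468]: tid 28468: [notifyd.INFO]: SQL:select * from done_notify_alerts('{5071}')
"""

# The guide's log filter, extended with a capture group for the Alert ID that
# appears inside done_notify_alerts('{N}').
NOTIFY_RE = re.compile(r"\bnotifyd\b.*\bdone_notify_alerts\('\{(\d+)\}'\)")

# Assumed threshold: the guide only says the delta "can be in the thousands".
LARGE_DELTA = 1000


def latest_alert_id(log_text: str) -> int:
    """Highest Alert ID that notifyd has reported via done_notify_alerts."""
    ids = [int(m.group(1)) for m in NOTIFY_RE.finditer(log_text)]
    if not ids:
        raise ValueError("no done_notify_alerts lines found in the log output")
    return max(ids)


def suggest_bookmark(latest_id: int, alerts_in_window: int) -> int:
    """Bookmark ID = most recent Alert ID minus the alert count shown on the
    CMS Alerts page for the chosen date range (guide: 5071 - 50 = 5021).
    Floored at 0, which is the 'download everything' value."""
    if latest_id < 0 or alerts_in_window < 0:
        raise ValueError("Alert IDs and alert counts are non-negative")
    return max(0, latest_id - alerts_in_window)


def bookmark_risks(bookmark: int, cms_latest_id: int) -> list:
    """Warnings matching the guide's replacement scenarios: 0 means a full
    backfill (performance impact); a bookmark above the CMS Alert ID is
    scenario 3 (no IOCs until the CMS catches up, earlier alerts skipped);
    a very large delta is scenarios 1, 2 and 4 (hours or days of catch-up)."""
    risks = []
    if bookmark == 0:
        risks.append("bookmark 0 downloads every CMS alert; expect a performance impact")
    if bookmark > cms_latest_id:
        risks.append(
            f"bookmark {bookmark} is above the CMS Alert ID {cms_latest_id}: "
            "no IOCs arrive until the CMS reaches it, and alerts below it are never fetched")
    elif cms_latest_id - bookmark > LARGE_DELTA:
        risks.append(
            f"delta of {cms_latest_id - bookmark} alerts to backfill; catch-up may take hours or days")
    return risks


if __name__ == "__main__":
    latest = latest_alert_id(SAMPLE_LOG)
    bookmark = suggest_bookmark(latest, 50)  # 50 alerts in the 'Past 1 Week' view
    print(f"latest Alert ID {latest}, suggested bookmark {bookmark}")
    print(f"hx server detection inbound bookmark {bookmark}")
    for risk in bookmark_risks(bookmark, latest):
        print("WARNING:", risk)
```

Run the script against the saved output of the `sh log matching` command; the printed `hx server detection inbound bookmark` line is the value to enter on the Endpoint Security (HX) server before attaching it to the Central Management System appliance.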


Integrating Network Security appliances and Endpoint Security (HX) servers directly

If your Endpoint Security (HX) server is not managed by a Central Management System appliance, you must configure the
Network Security appliance to communicate with the Endpoint Security (HX) server.

The procedure described in this section is for Endpoint Security (HX) version 2.6 or later servers. If you upgrade to Endpoint
Security (HX) 2.6 or later without upgrading to Central Management System 7.6 or later, you need to perform these steps.

Important

Do not use this procedure if you have already integrated your Endpoint Security (HX) server with a Central Management
System appliance (see Integrating CM appliances and Endpoint Security servers). Using both types of integration will cause
errors in the Central Management System integration.

Alerts can only be sent from Malware Analysis or Email Security — Server appliance to the Endpoint Security (HX) server
through a Central Management System appliance. Attempts to send Malware Analysis or Email Security — Server alerts to
the Endpoint Security (HX) server using the direct connection set up between a Network Security appliance and the server
will fail. Trellix only provides the direct connection between Network Security and Endpoint Security (HX). Use the Central
Management System appliance connection with the Endpoint Security (HX) server for Malware Analysis and Email Security —
Server alerts.

To configure Endpoint Security (HX) integration with Network Security appliances directly when the Endpoint Security (HX) server
is not managed by a Central Management System appliance:

1. On your Endpoint Security (HX) server, enable CLI configuration mode.

hostname > enable


hostname # configure terminal

2. Enable Trellix legacy appliance support for the Endpoint Security (HX) server:

hostname (config) # hx server detection legacy enable

3. Save your changes:

hostname (config) # write mem

4. Log in to the Web UI of the Network Security appliance and then click Settings. (On a Central Management System
appliance, click CMS Settings).
5. Click Notifications in the left navigation pane.
6. Verify that all HTTP event types are selected for the appliance.
7. Click the http table heading to access HTTP notification configuration fields. These fields allow you to define the HTTP
connection with your Endpoint Security (HX) appliance.
8. Type a name for the Network Security appliance's direct connection to the Endpoint Security (HX) appliance in the Name
box and then click Add HTTP Server.


9. Enter the Endpoint Security (HX) URL in the Server Url box:

https://<DNS-name-or-Endpoint-Security-IP>/alerts

For example: https://123.456.78.90/alerts


10. Select the check box in the Enabled column for the Endpoint Security (HX) server connection. This enables HTTP
notifications between the Network Security appliance and the Endpoint Security (HX) server.
11. Leave the Username and Password boxes for the Endpoint Security (HX) server connection empty.
12. Select All Events from the list in the Notifications column for the Endpoint Security (HX) server connection.
13. In the Delivery list for the server connection, select Per Event.
14. Select the SSL Enable box. Do not select the SSL Verify box for the Endpoint Security (HX) server connection.
15. In the Default Provider list, select Generic.
16. In the Message Format list, select JSON Extended.
17. Click Update to save the Endpoint Security (HX) server connection.

SNMP data
Trellix appliances send Simple Network Management Protocol (SNMP) data to convey abnormal conditions to administrative
computers that monitor and control them. The administrative computers are called SNMP managers.

SNMP data includes the following:

• Information that is retrieved (pulled) by the SNMP manager. This information is sent in response to requests the SNMP
manager sends to the appliance. See Retrieving SNMP data.
• Events (known as traps) that are sent (pushed) by the appliance to the SNMP manager. Traps typically report alarm
conditions such as a disk failure or excessive temperature. They are unsolicited; that is, they are not sent in response to
requests from the SNMP manager. See Sending traps.

Retrieving SNMP data

This section describes how to retrieve SNMP information from the Endpoint Security (HX) appliance.

A Management Information Base (MIB) is a text file written in a specific format in which all of the manageable features of a
device are arranged in a tree. Each branch of the tree contains a number and a name, and the complete path from the top of the
tree down to the point of interest forms the Object Identifier, or OID. The OID is a string of values separated by periods, such as
.1.3.6.1.2.1.1.3.0.

You can send requests for data on an object using the OID, but it can be simpler to use the symbolic name for the object
instead. A MIB allows SNMP tools to translate the symbolic names into OIDs before sending the requests to the managed
device. Symbolic names for objects in the Trellix MIB include feSerialNumber.0, feHardwareModel.0, feProductLicenseActive.0,
feFanIsHealthy.1, and so on.


The Trellix MIB, named FE-FIREEYE-MIB, needs to be downloaded from the Endpoint Security (HX) appliance to the SNMP
manager so it can be loaded into an SNMP browser or other tool. A typical SNMP browser can retrieve the values the appliance
supports, and then display them in a hierarchy so you can navigate to the value you need to include in the request.

This section contains the following topics:

• Providing access to SNMP data
• Downloading the MIB
• Retrieving SNMP data using event OIDs
• Sending requests for SNMP information

Providing access to SNMP data

To allow access to SNMP v3 data, configure a username and password.

Prerequisites

• Operator or Admin access


To enable access to SNMP data:

1. Go to CLI configuration mode:

hostname > enable


hostname # configure terminal

2. Verify that SNMP is enabled:

hostname (config) # show snmp

If the output shows SNMP enabled: no, enter the snmp-server enable command.
3. SNMP v3: Specify the SNMP user and password:

hostname (config) # snmp-server user <username> v3 enable


hostname (config) # snmp-server user <username> v3 auth sha <password>

4. Save your changes:

hostname (config) # write memory

Downloading the MIB

You can download the MIB from the command prompt.

This section describes how to download the FE-FIREEYE-MIB to SNMP managers that run on Microsoft Windows, Linux, and Apple
devices. The MIB file is retrieved using a program that connects using port 22, which is normally used for protocols such as SSH,
SCP, and PSCP. Because file-level access is denied by policy, the direct path to the MIB file needs to be specified.


Prerequisites

• Analyst, Operator, or Admin access

Downloading the MIB using the command prompt

To download the Trellix MIB to Windows devices:

1. Download the pscp.exe tool (available from PuTTY download page).


2. Navigate to a command prompt window.
3. Change to the directory in which you downloaded the pscp.exe tool:

cd Downloads

4. Copy the MIB file from the appliance:

pscp.exe -r -scp admin@<applianceIPAddress>:/usr/share/snmp/mibs \Temp\mibs\

5. When prompted for the password, enter admin.


The files are copied to the \Temp\mibs directory on the Windows device.
6. Change to the mibs directory:

cd C:\Temp\mibs

7. Load the MIB into an SNMP browser or tool, or open the MIB file:

vi FE-FIREEYE-MIB.txt

To download the Trellix MIB to Linux devices:

1. Copy the MIB file from the appliance using the OpenSSH client:

scp -r admin@<applianceIPAddress>:/usr/share/snmp/mibs /usr/<userDirectoryName>

2. When prompted for the password, type admin.


The files are copied to the mibs directory that resides in the /usr/<userDirectoryName> directory.
3. Change to the mibs directory:

cd mibs

4. Load the MIB into an SNMP browser or tool, or open the MIB file:

vi FE-FIREEYE-MIB.txt

To download the Trellix MIB to Apple devices:

1. Navigate to the terminal emulator.


2. Copy the MIB files from the appliance:

scp -r admin@<applianceIPAddress>:/usr/share/snmp/mibs ~/

3. When prompted for the password, type admin.


The files are copied to the mibs directory that resides in the user directory.
4. Load the MIB into an SNMP browser or tool, or open the MIB file:

vi FE-FIREEYE-MIB.txt

Retrieving SNMP data using event OIDs

You can retrieve SNMP data using event object IDs (OIDs) after the MIB file has been downloaded.

Prerequisites

• Operator or Admin access
• The MIB file must be downloaded. See Downloading the MIB.

To retrieve SNMP data using event OIDs:

1. Go to CLI configuration mode:

hostname > enable


hostname # configure terminal

2. SNMP is enabled by default. Verify that it is enabled:

hostname (config) # show snmp

If the output shows SNMP enabled: no, enter the snmp-server enable command.
3. Enable the appliance to send notifications to the SNMP manager:

hostname (config) # snmp-server enable notify

4. Specify the IP address of the SNMP manager:

hostname (config) # snmp-server host <IPAddress> traps public

5. Enable SNMP communities:

hostname (config) # snmp-server enable communities

6. Add an SNMP community:

hostname (config) # snmp-server community <community>

where <community> is the string needed by the SNMP server to query the appliance. The default community string is
public.


7. Limit SNMP access to the listen interface called ether1:

hostname (config) # snmp-server listen interface ether1

8. Enable access to the listen interface:

hostname (config) # snmp-server listen enable

9. Save your changes:

hostname (config) # write memory

Sending requests for SNMP information

This topic describes two ways to retrieve SNMP information.

• The snmpget command retrieves the value of a specific object.
• The snmpwalk command walks through the object hierarchy, automatically retrieving the values of objects for the subtree
or node that you specified.

Examples of basic commands that retrieve SNMP data follow. The commands are entered from the SNMP manager application.
The IP address in the commands is the appliance IP address.

SNMP v3 commands:

snmpmgr # snmpget -m +FE-FIREEYE-MIB -v 3 -u myname -a MD5 -A mypassword -l authNoPriv 172.0.0.0 feTemperatureValue.0

snmpmgr # snmpwalk -m +FE-FIREEYE-MIB -v 3 -u myname -a MD5 -A mypassword -l authNoPriv 172.0.0.0 enterprises.25597

SNMP v2c commands:

snmpmgr # snmpget -m +FE-FIREEYE-MIB -v 2c -c public 172.0.0.0 feSupportLicenseActive.0

snmpmgr # snmpwalk -m +FE-FIREEYE-MIB -v 2c -c public 172.0.0.0 fireeye

snmpmgr # snmpwalk -v 2c -c public 172.0.0.0 enterprises.25597

To retrieve license expiration dates formatted in a table, use a command similar to the following (different commands are
required by different SNMP manager applications):

snmpmgr # snmptable -c public -Of -v 2c localhost feLicenseFeatureTable

Check the number of days in the rightmost column. If the value is less than 30, contact your system administrator.

Sending traps


This section describes how to configure basic SNMP support on the Endpoint Security (HX) appliance, enable and configure traps,
and set up trap logging. For detailed information about SNMP commands and options for more advanced configurations, see the
Trellix CLI Command Reference.

Enabling and configuring traps

Various events can trigger the appliance to send traps to the SNMP manager. Most of the events are enabled by default. This
topic describes how to enable the appliance to send traps, configure the IP address of the SNMP manager that receives the traps,
and disable and enable individual events.

Prerequisites

• Operator or Admin access


To enable traps and events:

1. Go to CLI configuration mode:

hostname > enable


hostname # configure terminal

2. SNMP is enabled by default. Verify that it is enabled:

hostname (config) # show snmp

If the output shows SNMP enabled: no, enter the snmp-server enable command.
3. Enable the appliance to send notifications to the SNMP manager:

hostname (config) # snmp-server enable notify

4. Specify the IP address of the SNMP manager:

hostname (config) # snmp-server host <IPAddress> traps public

5. Save your changes.

hostname (config) # write memory

To view the events that can be enabled or are currently enabled:

1. Go to CLI configuration mode:

hostname > enable


hostname # configure terminal

2. View a list of all events that can be enabled:

hostname (config) # snmp-server notify event ?

3. View the events that are currently enabled:


hostname (config) # show snmp events

To disable or enable specific events:

1. Go to CLI configuration mode:

hostname > enable


hostname # configure terminal

2. Disable an event:

hostname (config) # no snmp-server notify event <event>

For example, the following command stops a trap from being sent when the temperature of the appliance is normal:

hostname (config) # no snmp-server notify event normal-temperature

3. Enable an event:

hostname (config) # snmp-server notify event <event>

For example, the following command enables the appliance to send a trap when there is a change in an interface link:

hostname (config) # snmp-server notify event if-link-change

4. Save your changes:

hostname (config) # write memory

Logging trap messages

The snmptrapd service receives and logs trap messages.

To set up trap logging:

1. Log into the SNMP manager application.


2. Enable the snmptrapd service:

snmptrapd

3. Specify the log location:

/var/log/snmptrapd.log

Forwarding CEF logs to Helix and SIEM solutions


You can forward CEF logs from on-premises or virtual Endpoint Security (HX) servers to Helix using a Cloud Collector or
Communications Broker (Comm Broker). This allows you to view, but not manage, on-premises and virtual Endpoint Security (HX)
log data in Helix.

In addition, the Endpoint Security (HX) server can be integrated with a variety of Security Information and Event Management
(SIEM) solutions to exchange requests and information automatically, reducing time spent navigating between product
interfaces. For example, integrating these products helps you perform the following actions.

• You can send common event format (CEF) logs from the Endpoint Security (HX) server to one or more remote SIEMs. This
includes hits (referred to as alerts), containment state events, and triage status. For more information, see Configuring
CEF logging for endpoint events. For information on the data that is logged, see "CEF Logs and Output" in the Endpoint
Security (HX) Server User Guide.

• You can perform two-way communications with SIEM solutions, such as acquiring triage collections.
• With SIEM solutions, you can execute analyst actions initiated in a URL context. Specifically, you can:
Listen for traffic from SIEMs that initiate analyst actions via URL requests.
Parse the arguments in these requests.
Format and execute commands.

The integration between the Endpoint Security (HX) server and most SIEM solutions can be accomplished using an external
integration connector and an API Analyst user account. See "Roles for Local User Accounts" in the System Security Guide. For
an example of setting up an integration connector with a SIEM solution, see SIEM example: Setting up an Endpoint Security
integration connector with ArcSight.

Note

An integration connector can only be used for communications from the SIEM solution to the Endpoint Security (HX) server,
not from the Endpoint Security (HX) server to the SIEM solution.
Similar integration can be accomplished using the Endpoint Security (HX) API.

Configuring CEF logging for endpoint events

Use the CLI commands in this topic to configure logging for CEF-formatted log messages for endpoint events. These CEF log
messages can be sent from the Endpoint Security (HX) appliance to your Helix environment or Security Information and Event
Management (SIEM) solution.

To forward logs to Helix, create a destination for the Cloud Collector or Communications Broker (Comm Broker). The Cloud
Collector or Comm Broker will aggregate and forward Endpoint Security (HX) CEF logs to Helix.

To integrate with a SIEM solution, create a destination for the remote syslog server.

• Viewing the current logging configuration
• Adding a destination
• Removing a destination
• Using TCP for remote logging
• Configuring the port for a remote logging target
• Enabling local CEF logging
• Disabling local CEF logging

78 Endpoint Security (HX) Virtual Server 10.x Deployment Guide

5| Integration

Descriptions of the collected CEF log data can be found in "CEF Logs and Output" in the Endpoint Security (HX) Server User Guide.

Prerequisites

• Admin or fe_services access


• To forward CEF logs to Helix, a Trellix Cloud Collector or Comm Broker must be installed. See the Cloud Collector
Installation Guide or the Unmanaged Communications Broker Installation Guide for details.

Viewing the current logging configuration

To view the current logging configuration:

1. Enable the CLI configuration mode:

hostname > enable


hostname # configure terminal

2. View the configuration:

hostname # show logging

Here is sample output from this command:

Local logging level: notice (OVERRIDES DISABLED)


Override for class cef: none
Remote syslog default level: notice
No remote syslog servers configured.
Receive remote messages via UDP: no
Receive remote messages via TCP: no
Receive remote messages via TLS: no
Log file rotation:
Log rotation size threshold: 256 megabytes
Archived log files to keep: 40
Log format:
Subsecond timestamp field: disabled
Secure channel logs: yes

In this example, CEF logging is actually disabled because the Override for class cef setting is not set to info. All CEF
logging occurs for messages logged at the info system log level. If this level is set to anything other than info, CEF logging
will not occur. See Enabling local CEF logging.

Adding a destination

Define a Cloud Collector or Comm Broker destination to forward CEF log messages to Helix. Define a remote syslog server
destination to integrate Endpoint Security (HX) with your SIEM solution.


To add a destination:

1. Enable the CLI configuration mode:

hostname > enable


hostname # configure terminal

2. Add the destination:

hostname # logging <IP-address> trap none

hostname # logging <IP-address> trap override class cef priority info

where <IP-address> is the IP address of the Cloud Collector, Comm Broker, or remote syslog server destination. The first
command sets the default severity for this destination to none, so nothing but the override is forwarded; the second
forwards the cef class at the info level, the level at which all CEF messages are logged. By default, messages are sent as
syslog over UDP to port 514; see Using TCP for remote logging and Configuring the port for a remote logging target.
3. Save your settings:

hostname # write mem

Removing a destination

To remove a destination:

1. Enable the CLI configuration mode:

hostname > enable


hostname # configure terminal

2. Remove a remote syslog server destination:

hostname # no logging <IP-address>

where <IP-address> is the IP address of the Cloud Collector or the remote syslog server destination.
3. Save your settings:

hostname # write mem

Using TCP for remote logging

To use TCP for remote logging instead of UDP:

1. Enable the CLI configuration mode:

hostname > enable


hostname # configure terminal

2. Request TCP instead of UDP for a remote logging target:

hostname # logging <remote-IP-address> protocol tcp

3. Save your settings:

hostname # write mem


Configuring the port for a remote logging target

To change the port for a remote logging target from port 514:

1. Enable the CLI configuration mode:

hostname > enable


hostname # configure terminal

2. Change the port number:

hostname # logging <remote-IP-address> port <new-port-number>

3. Save your settings:

hostname # write mem

Enabling local CEF logging

To enable local CEF logging:

1. Enable the CLI configuration mode:

hostname > enable


hostname # configure terminal

2. Enable CEF logging:

hostname # logging local override class cef priority info

All CEF logging occurs for messages logged at the info system log level. If you set this to any other system log level, CEF
logging will not occur.
3. Save your settings:

hostname # write mem

Disabling local CEF logging

To disable local CEF logging:

1. Enable the CLI configuration mode:

hostname > enable


hostname # configure terminal

2. Disable CEF logging:

hostname # logging local override class cef priority none

3. Save your settings:


hostname # write mem
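The commands above only tell the appliance where to send CEF records; what reaches the destination is syslog (UDP port 514 by default) carrying one CEF record per message. The following Python, added here as an example and not code from the guide or from Trellix, receives such messages and parses the CEF header and extension, including the escape sequences CEF uses for pipes, equals signs and line breaks. The two sample lines and their extension keys are constructed for illustration; the real HX field list is in "CEF Logs and Output" in the Endpoint Security (HX) Server User Guide.

```python
"""Receive and parse the CEF records an Endpoint Security (HX) server forwards over syslog.

Added example, not code from the deployment guide or from Trellix. The syslog lines in
SAMPLE_LINES are constructed; their extension keys (rt, shost, src, msg, cs1, cs2) are
assumptions for illustration, not the documented HX schema.
"""
import re
import socket

# CEF record: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
# Header fields escape '|' and '\'; extension values escape '=', '\' and line breaks ('\n', '\r').
_HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
_PRI_RE = re.compile(r"^<(\d{1,3})>")
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")  # an extension key: key chars then '=', after whitespace

SAMPLE_LINES = [
    # Constructed alert ("hit"): escaped pipe in the Name field, escaped '=' inside msg.
    "<134>May 12 05:08:54 hx-server hx: CEF:0|FireEye|HX|10.0|alert|Process Injection \\| Credential Theft|8|"
    "rt=1715490534000 shost=wkstn-42 src=10.42.138.20 msg=Detected c\\=1 hit cs1Label=Trigger cs1=indicator",
    # Constructed containment-state event.
    "<134>May 12 05:09:10 hx-server hx: CEF:0|FireEye|HX|10.0|containment|Host Contained|6|"
    "shost=wkstn-42 cs2Label=ContainmentState cs2=contained",
]


def _split_unescaped(text, sep, maxsplit):
    """Split on `sep` unless a backslash precedes it; escape pairs are copied through for later unescaping."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep and len(parts) < maxsplit:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value):
    """Drop the escaping backslash; '\\n' and '\\r' become real line breaks as CEF specifies for extensions."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext):
    """'k1=v1 k2=v2 ...' -> dict. Values may contain spaces, so each one runs up to the next key."""
    keys = list(_KEY_RE.finditer(ext))
    fields = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].rstrip())
    return fields


def parse_cef(record):
    """One CEF record -> dict of the seven header fields plus an 'extension' dict."""
    if not record.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _split_unescaped(record[len("CEF:"):], "|", 7)  # pipes inside the extension are not separators
    if len(parts) != 8:
        raise ValueError("CEF header needs seven '|' separated fields before the extension")
    event = {name: _unescape(val) for name, val in zip(_HEADER_FIELDS, parts[:7])}
    if event["severity"].isdigit():
        event["severity"] = int(event["severity"])  # 0-10; otherwise Low/Medium/High/Very-High
    event["extension"] = parse_extension(parts[7])
    return event


def parse_syslog_cef(line):
    """Skip the syslog envelope (PRI, timestamp, host, tag) and parse the CEF payload; None if there is none."""
    start = line.find("CEF:")
    if start < 0:
        return None
    event = parse_cef(line[start:])
    pri = _PRI_RE.match(line)
    if pri:  # PRI = facility * 8 + severity
        event["syslog_facility"], event["syslog_severity"] = divmod(int(pri.group(1)), 8)
    return event


def listen_udp(bind_addr="0.0.0.0", port=514, max_events=None):
    """Yield parsed events from a UDP syslog socket. UDP/514 is the default the guide describes; port 514
    needs privileges, so use `logging <IP-address> port <new-port-number>` on the HX CLI to move it.
    A `protocol tcp` destination needs a stream reader that splits records on newlines instead."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    seen = 0
    while max_events is None or seen < max_events:
        data, (peer, _) = sock.recvfrom(65535)
        event = parse_syslog_cef(data.decode("utf-8", "replace"))
        if event is not None:
            event["peer"] = peer
            seen += 1
            yield event


if __name__ == "__main__":
    for ev in map(parse_syslog_cef, SAMPLE_LINES):
        print(ev["signature_id"], ev["severity"], ev["extension"].get("shost"), repr(ev["name"]))
```

Run it as a script to parse the samples, or call listen_udp(port=5514) after pointing the appliance at that port to watch live events. If nothing arrives, check show logging for the destination and for the cef override at info before suspecting the network.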

SIEM example: Setting up an integration connector with ArcSight

The SIEM example in this section describes how to integrate the Trellix Endpoint Security (HX)-specific integration connector with
ArcSight's Flex CounterACT SDK (SmartConnector). After this integration has been established, it can be used for communication
from the ArcSight Security Information and Event Management (SIEM) solution to the Endpoint Security (HX) appliance.

Follow the steps below, along with your vendor documentation, to install and configure the integration connector. If you need
help setting up an integration connector with your SIEM, contact Trellix Customer Support.

This guide refers to ArcSight and its ESM manager or console as examples of SIEM integration methods and objectives.
For example, analysts can use the ArcSight ESM console's Integration Command menu or rules to automate the process of
requesting acquisitions for a SIEM event. Your ArcSight vendor can provide information about creating and using ArcSight
integration commands. Trellix Support can provide you with information about using the integration connector with other SIEM
solutions.

Note

Trellix supports the use of the ArcSight Smart Connector type 10.0.5. The ArcSight to Endpoint Security (HX) connector port
must be 3000 (TCP). The Endpoint Security (HX) to ArcSight syslog port is configurable.

Important

Trellix recommends that you use Java 7 or later with ArcSight and that your Java class path is updated to point to this Java
version. If you use an earlier version of Java, SSL errors may occur.

Prerequisites

• Administrative permissions to the machine on which you are installing the integration connector.
• An Endpoint Security (HX) Admin or Operator account.
• An Endpoint Security (HX) API Analyst account you have created specifically for the connector.
• A copy of the integration connector installation package (FireEye\ArcSight\Connector\Install\10.0.5.zip available
on SFDC).
• Either of the following types of certificates:
A self-signed development certificate created using OpenSSL (according to the procedure described in Creating a
self-signed development certificate).
A valid certificate that you have purchased from your chosen provider.


Creating a self-signed development certificate

Follow these steps to create a self-signed development certificate for installing the integration connector.

Note

The certificate must be in .pem format, and it must match the hostname of the Endpoint Security (HX) server.

To create a self-signed development certificate:

1. On a machine on which you have installed OpenSSL, enter the following command:

C:\OpenSSL\bin> openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out cert.pem -days 3000

The -nodes option writes the private key unencrypted, so restrict access to key.pem.

2. At each prompt, enter the appropriate information for your enterprise in the format indicated. For Common Name, enter
the hostname of the Endpoint Security (HX) server; the connector checks that the hostname you configure for it matches
the certificate. For example:

Country Name (2 letter code) [XX]: US
State or Province Name (full name) []: Virginia
Locality Name (e.g., city) [Default City]: Bristol
Organization Name (e.g., company) [Default Company Ltd]: Trellix
Organizational Unit Name (e.g., section) []: IT
Common Name (e.g., your name or your server's hostname) []: dti-hx-dev
Email Address []: [email protected]

OpenSSL generates two files: a self-signed certificate (cert.pem) and its private key (key.pem).
3. Keep both files; you copy them into the connector installation folder in Installing the integration connector.

Installing the integration connector

Follow these steps to install and configure the integration connector.

To install and configure the integration connector:

1. On the machine where you are installing the connector, extract the files from the HX Connector Installer .zip package to a
local folder.
2. Copy the certificate and key files that you generated, or the ones supplied by your chosen provider into the same folder as
the installer files.
3. Rename the certificate file to certname.pem, the name that the cert parameter in fireeye-connector.properties refers to.
4. Log in to the server Web UI as an administrator.
5. On the Admin menu, select Appliance Settings.
6. Select Certificates on the sidebar. The Certificate Management page appears.
7. On the Certificate Management page, install the certificate:

• To install the self-signed certificate that you created in Creating a self-signed development certificate, upload the
Certificate and Private Key.


• To install a certificate provided by your chosen provider, upload the Certificate, Private Key, and CA Certificate.
8. Click Update.
You are logged out of the Endpoint Security (HX) server, and the login screen reloads with the following notice:

The Web Server is currently restarting
Please wait for about 20 seconds and try again
If this condition persists, please contact Trellix Support

9. On the machine where you installed the connector, edit the fireeye-connector.properties file, and enter the appropriate
parameters for the Endpoint Security (HX) target:

Parameter   Value
appliance   HX
hostname    The hostname of the Endpoint Security (HX) server
username    The username of the API Analyst account
password    The password of the API Analyst account
cert        certname.pem

This file holds the API Analyst account's credentials; restrict read access to the account that runs the SmartConnector.

Important

The hostname you enter must match the hostname in the certificate.

If the hostname is not registered in DNS, map it to the server's IP address in the hosts file of the operating system on
the machine where you are installing the connector.

10. Run the ArcSight SmartConnector installation package installer.

Important

Record the full path of the directory and folder that you use for this installation. You will need it later. If your enterprise
will be using more than one ArcSight SmartConnector, make sure to choose a unique folder name.

When the installation is complete, the SmartConnector Configuration Wizard opens.


11. Before you configure the SmartConnector, run the install.bat file located in the HX Connector Installer package. Enter
the full path for the ArcSight SmartConnector installation folder that you recorded in Step 10.


12. Enter 2 when you are asked which Connector type you are installing.
13. If you are using ArcSight ESM 6, export an ArcSight certificate from your ESM server and transfer the certificate to the server
where the ArcSight SmartConnector is installed.
14. If you are using ArcSight ESM 6, import the certificate.
a. In Windows environments, run cmd.exe using an account with read/write access to the directory where you are
installing the certificate.
In Linux environments, open a command terminal using an account with read/write access to the directory where you
are installing the certificate.
b. In the SmartConnector's bin directory, execute the appropriate command:
arcsight.bat agent keytoolgui (Windows)

./arcsight agent keytoolgui (Linux)

c. Open the keystore under jre/lib/security/cacerts.

Note

The default password is changeit.

d. Import the certificate, navigate to the certificate file, and then save the keystore.
15. Return to the ArcSight SmartConnector Configuration Wizard.
16. In the Configuration File box, enter HXFlexConnector, and then click Next.
17. Finish performing the steps in the ArcSight SmartConnector Configuration Wizard, choosing default settings or
customizing for your enterprise's SIEM solution, as appropriate.
If you want the SmartConnector to run as a service, choose the following options:

• Select Yes to start the service automatically when you restart the server on which it is running.
• Enter unique names for Service Internal Name and Service Display Name, if your enterprise will have more than
one SmartConnector on the server where you are installing this Connector.

Tip

If you want to run the SmartConnector service before the server restarts, you must start the service manually.

You can validate the success of the installation by using your SIEM console to view events or perform other actions, such as
requesting a triage collection.


6| Appendices

Appendices
• Enabling and disabling Endpoint Security (HX) quiesce mode
• Managing Endpoint Security (HX) PKI certificates
• Migrating between on-premises HX appliances and cloud Endpoint Security (HX) servers

Enabling and disabling Endpoint Security (HX) quiesce mode


If you need to update an operational Endpoint Security (HX) environment by adding, removing, upgrading or restoring a backup
to an appliance, enable quiesce mode to make sure you do not lose any server-generated tasks.

Enabling quiesce mode causes the Endpoint Security (HX) server to stop generating tasks and aborts any queued tasks that have
not yet completed on the agent, including file, data, and triage acquisitions. It also stops the server from accepting new alerts.
Enabling quiesce mode improves the speed of a server upgrade and is most useful for rollbacks and restoring an appliance from
a backup.

After quiesce mode is enabled, the Endpoint Security (HX) server enters a quiescing state first, during which it aborts tasks and
processes the output of tasks that have already completed. When that processing is finished, the server enters a quiesced state.

Note

After updating the Endpoint Security (HX) environment, remember to disable quiesce mode to ensure that the appliance
resumes generating tasks and accepting new alerts.

Enabling and disabling quiesce mode is performed using CLI commands. By default, quiesce mode is disabled.

• Enabling quiesce mode
• Disabling quiesce mode
• Reviewing quiesce mode status

Prerequisites

• Admin or fe_services access

Enabling quiesce mode

To enable quiesce mode:

1. Enable CLI configuration mode.

hostname > enable


hostname # configure terminal

2. Enable quiesce mode:


hostname (config) # hx server quiesce

3. Save your changes:

hostname (config) # write memory

4. Check the result:


hostname (config) # show hx server general

The following snippet represents the quiesce information from the output of this show command:

Quiesce Mode:
App Proc: enabled
Message Bus: enabled

Important

Remember to disable quiesce mode after you finish maintaining Endpoint Security (HX) appliances to ensure they
resume generating tasks and accepting alerts.

Disabling quiesce mode

To disable quiesce mode:

1. Enable CLI configuration mode.

hostname > enable


hostname # configure terminal

2. Disable quiesce mode:

hostname (config) # no hx server quiesce

3. Save your changes:

hostname (config) # write memory

4. Check the result:


hostname (config) # show hx server general

This is a sample result:

Quiesce Mode:
App Proc: disabled
Message Bus: disabled

Reviewing quiesce mode status


If an Endpoint Security (HX) server is quiesced, a message saying so appears at the top of the Web UI.

You can review the complete quiesce mode status of an Endpoint Security (HX) server or the separate quiesce mode status for
the server application processor and message bus using the CLI.

To review the quiesce mode status of an Endpoint Security (HX) server:

1. Enable CLI configuration mode.

hostname > enable


hostname # configure terminal

2. Review the complete quiesce mode status of the server:


hostname (config) # show hx server general

The following snippet from the output of this command shows that quiesce mode is enabled for both the application
processor and the message bus.

Quiesce Mode:
App Proc: enabled
Message Bus: enabled

3. Review the quiesce mode status of the server application processor:


hostname (config) # show hx app-proc

The following output from this command displays when quiesce mode enabling is in process for the application processor:
HX App Proc Configuration: Quiesce Mode: enabled State: quiescing

The following output from this command displays when the application processor is fully quiesced:
HX App Proc Configuration: Quiesce Mode: enabled State: quiesced

The following output from this command displays when quiesce mode disabling is in process for the application processor:
HX App Proc Configuration: Quiesce Mode: disabled State: quiesced

The following output from this command displays when the application processor is not in quiesce mode:
HX App Proc Configuration: Quiesce Mode: disabled State: running

4. Review the quiesce mode status of the server message bus:


hostname (config) # show hx messagebus

The following sample output from this command shows that quiesce mode is disabled for the appliance message bus:

HX Message Bus Configuration:

Quiesce Mode: disabled
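A pre-maintenance check that turns the status outputs above into a yes/no answer, written here as an added example and not code from the guide or from Trellix. It recognises the four application-processor outputs listed above and treats the server as ready only when the application processor reports enabled/quiesced and the message bus reports quiesce mode enabled; that readiness rule is this example's reading of the guide. The transcripts are constructed from the guide's snippets, and the polling helper takes callables that return the CLI output, for instance from an SSH session you set up yourself.

```python
"""Decide from Endpoint Security (HX) CLI output whether a server is fully quiesced.

Added example, not code from the deployment guide or from Trellix. It parses the output
shapes the guide shows for `show hx app-proc`, `show hx messagebus` and `show hx server
general`; the transcripts below are constructed from those snippets, and the readiness
rule (app proc enabled+quiesced, message bus quiesce mode enabled) is this example's own.
"""
import re
import time

# Constructed transcripts of the three show commands, in the guide's formats.
APP_PROC_QUIESCING = "HX App Proc Configuration: Quiesce Mode: enabled State: quiescing"
APP_PROC_QUIESCED = "HX App Proc Configuration: Quiesce Mode: enabled State: quiesced"
APP_PROC_DISABLING = "HX App Proc Configuration: Quiesce Mode: disabled State: quiesced"
APP_PROC_RUNNING = "HX App Proc Configuration: Quiesce Mode: disabled State: running"
BUS_ENABLED = "HX Message Bus Configuration:\n\nQuiesce Mode: enabled\n"
BUS_DISABLED = "HX Message Bus Configuration:\n\nQuiesce Mode: disabled\n"
SERVER_GENERAL = "Quiesce Mode:\n App Proc: enabled\n Message Bus: enabled\n"  # the relevant snippet only

_APP_PROC_RE = re.compile(r"Quiesce Mode:\s*(enabled|disabled)\s+State:\s*(quiescing|quiesced|running)")
_BUS_RE = re.compile(r"Quiesce Mode:\s*(enabled|disabled)")
_GENERAL_RE = re.compile(r"Quiesce Mode:\s*App Proc:\s*(enabled|disabled)\s*Message Bus:\s*(enabled|disabled)")

# The four (mode, state) pairs the guide lists for the application processor.
_APP_PROC_MEANING = {
    ("enabled", "quiescing"): "quiesce mode is being enabled; tasks are still being aborted and completed output processed",
    ("enabled", "quiesced"): "fully quiesced",
    ("disabled", "quiesced"): "quiesce mode is being disabled",
    ("disabled", "running"): "not in quiesce mode",
}


def parse_app_proc(text):
    """(mode, state) from `show hx app-proc` output; tolerant of the fields being on one line or several."""
    m = _APP_PROC_RE.search(text)
    if not m:
        raise ValueError("unrecognised `show hx app-proc` output")
    return m.group(1), m.group(2)


def parse_messagebus(text):
    """Quiesce mode of the message bus from `show hx messagebus` output."""
    m = _BUS_RE.search(text)
    if not m:
        raise ValueError("unrecognised `show hx messagebus` output")
    return m.group(1)


def parse_server_general(text):
    """{'app_proc': mode, 'message_bus': mode} from the Quiesce Mode block of `show hx server general`."""
    m = _GENERAL_RE.search(text)
    if not m:
        raise ValueError("no Quiesce Mode block in `show hx server general` output")
    return {"app_proc": m.group(1), "message_bus": m.group(2)}


def describe_app_proc(mode, state):
    return _APP_PROC_MEANING.get((mode, state), f"unexpected combination mode={mode} state={state}")


def readiness(app_proc_text, messagebus_text):
    """(ready, reason): ready only when the app proc is enabled+quiesced and the bus has quiesce mode enabled."""
    mode, state = parse_app_proc(app_proc_text)
    if (mode, state) != ("enabled", "quiesced"):
        return False, f"application processor: {describe_app_proc(mode, state)}"
    if parse_messagebus(messagebus_text) != "enabled":
        return False, "message bus: quiesce mode disabled; new alerts may still be accepted"
    return True, "application processor quiesced and message bus quiesce mode enabled"


def wait_until_quiesced(get_app_proc, get_messagebus, interval=10, timeout=600):
    """Poll the two show commands (callables returning their output) until ready or the timeout passes."""
    deadline = time.monotonic() + timeout
    while True:
        ready, reason = readiness(get_app_proc(), get_messagebus())
        if ready or time.monotonic() >= deadline:
            return ready, reason
        time.sleep(interval)


if __name__ == "__main__":
    for sample in (APP_PROC_QUIESCING, APP_PROC_QUIESCED, APP_PROC_DISABLING, APP_PROC_RUNNING):
        print(sample.split("Configuration: ")[1], "->", describe_app_proc(*parse_app_proc(sample)))
    print(readiness(APP_PROC_QUIESCED, BUS_ENABLED))
```

Only proceed with the upgrade, rollback or restore once readiness returns True; a disabled/quiesced result means someone has already started disabling quiesce mode, so re-run hx server quiesce rather than waiting.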

Managing Endpoint Security (HX) PKI certificates


Endpoint Security (HX) public key infrastructure (PKI) certificates are the certificate authorities, certificates, and revocation lists that secure communication between the server and the Trellix xAgent.


You can manage Endpoint Security (HX) PKI certificates using the CLI.

• Reviewing certificates and settings
• Exporting certificates
• Importing certificates
• Regenerating certificates
• Setting the PKI certificate prefix
• Setting agent certificate authority duration
• Setting agent certificate length
• Setting agent certificate duration
• Setting certificate authority duration
• Setting certificate length
• Setting certificate duration
• Setting CRL duration
• Importing a CRL
• Regenerating the CRL
• Regenerating the subordinate PKI
• Enabling the provisioning certificate
• Disabling the provisioning certificate

Prerequisites

• Admin or fe_services access

Reviewing certificates and settings

To review Endpoint Security (HX) certificates and settings:

1. Enable CLI configuration mode.

hostname > enable


hostname # configure terminal

2. Review the certificates and certificate settings:


hostname (config) # show hx pki

The following is sample output from this command:

HX PKI Configuration:

Prefix: <prefix>
Agent CA days: 7300
Agent CA key bits: 2048
Agent cert days: 1825
Server CA days: 7300
Server cert key bits: 2048
Server cert days: 1825


Server CRL days: 30

Provisioning cert use enabled: yes

CA: comms
valid from: <timestamp> to <timestamp>
subject: <subject>
fingerprint: <fingerprint>

CA: distro
valid from: <timestamp> to <timestamp>
subject: <subject>
fingerprint: <fingerprint>

CA: agent
valid from: <timestamp> to <timestamp>
subject: <subject>
fingerprint: <fingerprint>

CRL: comms
issued: <timestamp> and expires on <timestamp>
number: <comms_CRL_number>
fingerprint: <fingerprint>

CRL: distro
issued: <timestamp> and expires on <timestamp>
number: <distro_CRL_number>
fingerprint: <fingerprint>

host: <HX_appliance_hostname>
role: ca
last ping: <timestamp>
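The listing above is what to check before an upgrade or a certificate change. The following Python, added as an example and not code from the guide or from Trellix, parses that layout and reports key sizes below 2048 bits and CAs or CRLs that are expired or close to expiry. The sample listing is constructed from the guide's layout: its subjects, CRL number and timestamps are made up, and the timestamp formats it tries are assumptions the guide does not specify, so adjust _TS_FORMATS to match your appliance.

```python
"""Audit `show hx pki` output: key sizes and days left on each CA and CRL.

Added example, not code from the deployment guide or from Trellix. SAMPLE_SHOW_HX_PKI
follows the guide's `show hx pki` layout, but its subjects, CRL number and timestamps are
constructed and the timestamp formats in _TS_FORMATS are assumptions (the guide shows only
<timestamp> placeholders). The 2048-bit floor and one-year warning are this example's policy.
"""
import re
from datetime import datetime

SAMPLE_SHOW_HX_PKI = """\
HX PKI Configuration:

Prefix: companyname
Agent CA days: 7300
Agent CA key bits: 2048
Agent cert days: 1825
Server CA days: 7300
Server cert key bits: 1024
Server cert days: 1825
Server CRL days: 30

Provisioning cert use enabled: yes

CA: comms
valid from: 2020-05-12 05:08:54 to 2040-05-07 05:08:54
subject: CN=companyname comms CA
fingerprint: <fingerprint>

CA: agent
valid from: 2021-01-15 09:00:00 to 2026-01-15 09:00:00
subject: CN=companyname agent CA
fingerprint: <fingerprint>

CRL: comms
issued: 2025-05-12 05:08:54 and expires on 2025-06-11 05:08:54
number: 17
fingerprint: <fingerprint>

host: hx-server
role: ca
last ping: 2025-05-12 11:59:30
"""
SAMPLE_NOW = datetime(2025, 5, 12, 12, 0, 0)  # constructed reference time for the sample above
_TS_FORMATS = ("%Y-%m-%d %H:%M:%S", "%Y-%m-%dT%H:%M:%S", "%Y/%m/%d %H:%M:%S")  # assumed formats


def parse_timestamp(text):
    for fmt in _TS_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised timestamp {text!r}")


def parse_show_hx_pki(text):
    """Return (settings, entries): top-level 'Label: value' pairs and one dict per CA/CRL block."""
    settings, entries, block = {}, [], None
    for raw in text.splitlines():
        if ":" not in raw:
            continue  # blank lines
        label, value = (part.strip() for part in raw.split(":", 1))
        if label in ("CA", "CRL"):
            block = {"kind": label, "name": value}
            entries.append(block)
        elif block is not None and label == "valid from":
            start, end = value.split(" to ", 1)
            block["not_before"], block["not_after"] = parse_timestamp(start), parse_timestamp(end)
        elif block is not None and label == "issued":
            start, end = value.split(" and expires on ", 1)
            block["issued"], block["not_after"] = parse_timestamp(start), parse_timestamp(end)
        elif block is not None and label in ("subject", "fingerprint", "number"):
            block[label] = value
        else:
            block = None  # settings, host, role and last ping are top-level
            settings[label] = value
    return settings, entries


def audit(text, now, warn_days=365, min_bits=2048):
    """Findings to act on before relying on this PKI or upgrading the server."""
    settings, entries = parse_show_hx_pki(text)
    findings = []
    for label, value in settings.items():
        if label.endswith("key bits") and int(value) < min_bits:
            findings.append(f"{label} is {value}; below the {min_bits}-bit floor")
    for entry in entries:
        left = (entry["not_after"] - now).days
        what = f"{entry['kind']} {entry['name']}"
        if left < 0:
            findings.append(f"{what} expired {-left} days ago")
        elif entry["kind"] == "CA" and left <= warn_days:
            findings.append(f"{what} expires in {left} days; plan renewal well before then")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHOW_HX_PKI, SAMPLE_NOW) or ["no findings"]:
        print(finding)
```

An expired CRL is something the guide says the server corrects itself (see Regenerating the CRL); an expiring CA is not, so treat that finding as a scheduling item, since regenerating the PKI orphans existing agents.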

Exporting certificates

You can export Endpoint Security (HX) public key infrastructure (PKI) certificates to a file. This is recommended before you
upgrade the Endpoint Security (HX) server. The export is what lets a rebuilt server be trusted by existing agents (see
Importing certificates), so protect the file and its passphrase accordingly.

To export Endpoint Security (HX) PKI certificates:

1. Enable CLI configuration mode.

hostname > enable


hostname # configure terminal

2. Export the certificates to the file identified by <fileURL>:

hostname (config) # hx pki export file <fileURL> passphrase <passphrase>

For example:

hostname (config) # hx pki export file scp://user@host/path/to/file passphrase abc123

Importing certificates


You can import Endpoint Security (HX) public key infrastructure (PKI) certificates from a backup file. If there were any problems
upgrading your appliance that required you to reimage it or to fully reinstall the software, import the Endpoint Security (HX)
certificates you exported earlier so you do not have to reinstall all of your agents.

To import Endpoint Security (HX) PKI certificates:

1. Enable CLI configuration mode.

hostname > enable


hostname # configure terminal

2. Import the certificates from the file containing your exported certificates, identified by <fileURL>:

hostname (config) # hx pki import file <fileURL> passphrase <passphrase>

For example:

hostname (config) # hx pki import file scp://user@host/path/to/file passphrase abc123

Caution

Importing certificates automatically detaches any DMZ server from the Endpoint Security (HX) server. You need to
reattach them after the certificates are imported. See the Endpoint Security (HX) Server Deployment Guide.

Regenerating certificates

You can reset the Trellix Endpoint Security (HX) Agent and Endpoint Security (HX) Server public key infrastructure (PKI), including
its certificate authorities (CAs).

Caution

Using this command orphans any existing agents connected to the Endpoint Security (HX) PKI.

Regenerating certificates automatically detaches any DMZ server from the Endpoint Security (HX) server. You need to
reattach them after the certificates are regenerated. See the Endpoint Security (HX) Server Deployment Guide.

To regenerate the PKI and certificate authorities:

1. Enable CLI configuration mode.

hostname > enable


hostname # configure terminal

2. Regenerate the PKI and certificate authorities:


hostname (config) # hx pki regenerate

3. Save your changes:

hostname (config) # write memory

Setting the PKI certificate prefix

You can specify the Endpoint Security (HX) PKI certificate prefix.

To specify the PKI certificate prefix:

1. Enable CLI configuration mode.

hostname > enable


hostname # configure terminal

2. Specify the prefix:

hostname (config) # hx pki subject-prefix <prefix>

where <prefix> is the subject prefix for the Endpoint Security (HX) PKI certificates (shown as Prefix in the show hx pki output).


For example:

hostname (config) # hx pki subject-prefix companyname

3. Save your changes:

hostname (config) # write memory

Setting agent certificate authority duration

To set the duration of the Trellix Endpoint Security (HX) agent certificate authority (CA):

1. Enable CLI configuration mode.

hostname > enable


hostname # configure terminal

2. Specify the CA duration, in days:

hostname (config) # hx pki agent ca-days <days>

where <days> is the number of days that the agent CA remains valid. Valid values range from 0 to 65535 days. The
default is 7300 days.
To set the duration back to the default, use the no form of this command:


hostname (config) # no hx pki agent ca-days

3. Save your changes:

hostname (config) # write memory

Setting agent certificate length

To set the length of Trellix Endpoint Security (HX) agent certificates:

1. Enable CLI configuration mode.

hostname > enable


hostname # configure terminal

2. Specify the certificate length, in bits:

hostname (config) # hx pki agent cert-bits <bits>

where <bits> is the key length of the agent certificates. Valid values range from 1024 to 4096 bits. The default is
2048 bits. Lengths below 2048 bits are accepted but fall short of current guidance; keep the default or larger.
To set the length back to the default, use the no form of this command:

hostname (config) # no hx pki agent cert-bits

3. Save your changes:

hostname (config) # write memory

Setting agent certificate duration

To set the duration of Trellix Endpoint Security (HX) Agent certificates:

1. Enable CLI configuration mode.

hostname > enable


hostname # configure terminal

2. Specify the certificate duration, in days:

hostname (config) # hx pki agent cert-days <days>

where <days> is the number of days that the agent certificate remains valid. Valid values range from 0 to 65535 days.
The default is 1825 days (5 years).
To set the duration back to the default, use the no form of this command:


hostname (config) # no hx pki agent cert-days

3. Save your changes:

hostname (config) # write memory

Setting certificate authority duration

To set the duration of the Endpoint Security (HX) certificate authority (CA):

1. Enable CLI configuration mode.

hostname > enable


hostname # configure terminal

2. Specify the CA duration, in days:

hostname (config) # hx pki server ca-days <days>

where <days> is the number of days that the Endpoint Security (HX) CA remains valid. Valid values range from 0 to 65535
days. The default is 7300 days.
To set the duration back to the default, use the no form of this command:

hostname (config) # no hx pki server ca-days

3. Save your changes:

hostname (config) # write memory

Setting certificate length

To set the length of Endpoint Security (HX) certificates:

1. Enable CLI configuration mode.

hostname > enable


hostname # configure terminal

2. Specify the certificate length, in bits:

hostname (config) # hx pki server cert-bits <bits>

where <bits> is the key length of the Endpoint Security (HX) certificates. Valid values range from 1024 to 4096 bits.
The default is 2048 bits. Lengths below 2048 bits are accepted but fall short of current guidance; keep the default or larger.
To set the length back to the default, use the no form of this command:


hostname (config) # no hx pki server cert-bits

3. Save your changes:

hostname (config) # write memory

Setting certificate duration

To set the duration of Endpoint Security (HX) certificates:

1. Enable CLI configuration mode.

hostname > enable


hostname # configure terminal

2. Specify the certificate duration, in days:

hostname (config) # hx pki server cert-days <days>

where <days> is the number of days that the Endpoint Security (HX) certificate remains valid. Valid values range from 0 to
65535 days. The default is 1825 days (5 years).
To set the duration back to the default, use the no form of this command:

hostname (config) # no hx pki server cert-days

3. Save your changes:

hostname (config) # write memory

Setting CRL duration

The Endpoint Security (HX) certificate revocation list (CRL) expires this many days after it is issued.

To set the duration of Endpoint Security (HX) certificate revocation list (CRL):

1. Enable CLI configuration mode.

hostname > enable


hostname # configure terminal

2. Specify the CRL duration, in days:

hostname (config) # hx pki server crl-days <days>

where <days> is the number of days that the Endpoint Security (HX) CRL remains valid. Valid values range from 0 to
65535 days. The default is 30 days.


To set the duration back to the default, use the no form of this command:

hostname (config) # no hx pki server crl-days

3. Save your changes:

hostname (config) # write memory

Importing a CRL

You can import an Endpoint Security (HX) certificate revocation list (CRL) from a URL.

To import an Endpoint Security (HX) certificate revocation list (CRL):

1. Enable CLI configuration mode.

hostname > enable


hostname # configure terminal

2. Import the CRL:

hostname (config) # hx pki server crl-upload distro <url>

where <url> is the URL from which the CRL is retrieved.
For example:

hostname (config) # hx pki server crl-upload distro https://10.42.138.20

3. Save your changes:

hostname (config) # write memory

Regenerating the CRL

You can reset the Endpoint Security (HX) communications server certificate revocation list (CRL).

Caution

An invalid CRL should correct itself automatically within 30 minutes of the date or time discrepancy. This command forces the
correction to occur immediately.


Important

Using this command detaches any DMZ server from the Endpoint Security (HX) server. You need to reattach them after
running this command.

To regenerate the Endpoint Security (HX) CRL:

1. Enable CLI configuration mode.

hostname > enable


hostname # configure terminal

2. Regenerate the CRL:

hostname (config) # hx pki regenerate crl

3. Save your changes:

hostname (config) # write memory

Regenerating the subordinate PKI

You can reset the Endpoint Security (HX) communications server subordinate public key infrastructure (PKI). Do this to resolve a
date or configuration discrepancy that causes the subordinate PKI to become invalid.

Caution

Using this command invalidates any existing agent tasks.

Using this command detaches any DMZ server from the Endpoint Security (HX) server. You need to reattach them after
running this command.

To regenerate the Endpoint Security (HX) subordinate PKI:

1. Enable CLI configuration mode.

hostname > enable


hostname # configure terminal

2. Regenerate the subordinate PKI:

hostname (config) # hx pki regenerate subordinate

3. Save your changes:

hostname (config) # write memory


Enabling the provisioning certificate

To enable the use of a provisioning certificate:

1. Enable CLI configuration mode.

hostname > enable


hostname # configure terminal

2. Enable the use of a provisioning certificate:

hostname (config) # hx pki provisioning enabled

3. Save your changes:

hostname (config) # write memory

Disabling the provisioning certificate

To disable the use of a provisioning certificate:

1. Enable CLI configuration mode.

hostname > enable


hostname # configure terminal

2. Disable the use of a provisioning certificate:

hostname (config) # no hx pki provisioning enabled

3. Save your changes:

hostname (config) # write memory



COPYRIGHT
Copyright © 2025 Musarubra US LLC.

Trellix and FireEye are the trademarks or registered trademarks of Musarubra US LLC, FireEye Security Holdings US LLC, and their affiliates in the
US and /or other countries. Other names and brands are the property of these companies or may be claimed as the property of others.
