FireMon - User Guide - Getting Started Guide 9.12

The document outlines the copyright and licensing information for FireMon's products, emphasizing the restrictions on reproduction and distribution. It provides a comprehensive guide to the Security Intelligence Platform (SIP), detailing its components, installation requirements, and deployment scenarios. Additionally, it includes first-use guidelines to help users set up and configure the system effectively.

Copyright Notice

Copyright 2004 - 2023 FireMon, LLC. All rights reserved. This product and related documentation are
protected by copyright and distributed under licensing restricting their use, copying, distribution,
and decompilation. No part of this product or related documentation may be reproduced in any
form or by any means without the written authorization of FireMon, LLC. All right, title, and interest
in the product shall remain with FireMon and its licensors.

This product and related documentation are provided under a license agreement containing
restrictions on use and disclosure and are protected by intellectual property laws.

This product and documentation may provide access to or information on content, products, and
services from third parties. FireMon, LLC is not responsible for and expressly disclaims all warranties
of any kind with respect to third-party content, products, and services. FireMon, LLC will not be
responsible for any loss, costs, or damages incurred due to your access to or use of third-party
content, products, or services.

The information in this document is subject to change without notice and is not warranted to be
error-free. If you find any errors, please report them to us in writing.

FireMon is a registered trademark of FireMon, LLC. All other products or company names
mentioned herein are trademarks or registered trademarks of their respective owners.

A copy of FireMon's End User License Agreement can be found on the User Center.
Contents

Copyright Notice
Contents
First Use Guidelines
About SIP
  What is the Security Intelligence Platform?
    SIP Components
  About FMOS Generation III
    What is FMOS?
    Why FMOS?
Requirements
  Supported Platforms
    FireMon (FM) Appliance
    Non-FM Appliance
    Virtual Machine
    Cloud-based
  System Requirements
    Machine Specifications
      Full Install
      DC Only Install
    FM Appliance Specs
    Network Topology
      Database Server (DB)
      Application Server (AS)
      Data Collector (DC)
  SIP Ecosystem
    SIP Roles
    Deployment Scenarios
      Single-Server
      Partially Distributed
      Fully Distributed
      Multiple-Database Mode
    Role Hierarchy
    Planning the Ecosystem
    Which Ecosystem Deployment is Right for Your Organization?
FMOS Installation
  Download the FireMon Operating System
    Build Variants
    Distribution Formats
    Download the Installation Files
  Install FMOS
    Ecosystem Setup
    Initial Configuration
    Initial Configuration Wizard
      Host and Network Configuration
      Network Configuration
      Network Time
      Organization
      User
      Notifications
      Email Notifications
      SMTP Settings
      Deployment Environment
    FMOS Initial Configuration Wizard
      Required Information
      Recommended Information
  Installation for Cloud Deployments
    Initial Setup for Cloud Deployments
      FMOS Admin User
      Machine Configuration
      Organization Information
      Initial Deployment Process
    Amazon Web Services
      AMI
        Step 1: Launch the AMI
          To launch from AWS Marketplace
          To launch from the EC2 Dashboard
        Step 2: FMOS Initial Setup Authentication for AMI
          Initial User Account
          Setup UI Administration
        Step 3: FMOS Initial Setup Completion for AMI
      CFT
        Launch the CloudFormation Template
          To launch from CloudFormation
    Microsoft Azure
      Step 1: Launch Azure Marketplace VMI
        To launch from Azure Marketplace
      Step 2: FMOS Initial Setup Authentication for Azure
        Initial User Account
        Setup UI Administration
      Step 3: FMOS Initial Setup Completion for Azure
  Access SIP
    MAC Address to Access SIP
    Launch the Security Intelligence Platform
    Access SIP Applications
Licensing
  About Licenses
    Example of license use
    Permission Requirements
  Generate a New License
  Upload a Product License
  Assign a License
    License Security Manager
    License Policy Optimizer or Policy Planner
    License to use Policy Automation
  License Errors
Users
  FMOS Users
    About FMOS Users
      Unprivileged Users
      Privileged Users
      FireMon Administrators
      Backup Operator
    Create an FMOS User
  SIP Users and User Groups
    Default User Account
    User Accounts
      Permission Requirements
      Open the Users Page
      Users List
      Show / Hide Users
      Grant Permissions to Users
      Create a New User
    User Groups
      All Users
      Administrators
      Security Manager Users
      Permission Requirements
      Open the User Groups Page
      User Groups List
      Create a User Group
    About Permissions
      Permissions Conflicts
      Assign Permissions
      * For MSSP Deployments
  Authentication
    FMOS Authentication
    External Authentication
    Authentication versus Authorization
      Authorization
      Authentication
    SIP Authentication Servers
      Open the Authentication Servers Page
Devices
  Supported Devices
  Levels of Device Support
  Adding Devices
    General Properties
    Device Settings
    Policy Automation
    Log Monitoring
    Change Monitoring
    Scheduled Retrieval
    Advanced
    Share This Device
    Enforcement Window
    Supplemental Routes
    Device Pack Information
  Before Adding Devices
  Adding Device Groups and Management Stations
  Import Devices
  Device Worksheet
Additional Configurations
  FMOS Control Panel
    About FMOS Control Panel
      Default or Customized Value
      Reset to Default Value
      Advanced Configuration Variables
    Access the FMOS Control Panel
    Set Update Channel
  Certificates
    Certificate Signing Request
      Create CSR using OpenSSL
      Create CSR using FMOS CLI
    Certificates for Multiple FQDNs
  SMTP
  Syslog Usage
    Settings in Control Panel
    Settings in Administration Application
  Verify Retrieval and Normalization
    Retrievals
    Normalization
  Map Zones and Network Segments
    In the Administration Application
    In Security Manager
  Backup Data
    Automatic Backup
    Manual Backup
    Schedule an Automatic Backup
Next Steps
  Resources
    RSS Feed
    Release Updates


Getting Started v9.12

First Use Guidelines


Welcome to FireMon's Security Intelligence Platform. If this is your first time installing the product,
below is a guideline to help you get the product fully functional so that you can start exploring its
primary features and begin monitoring your network.

1. Install and Configure FMOS


2. Add at least two FMOS admin users
3. Access SIP
4. License SIP
5. Add SIP users and user groups (including LDAP users)
6. Add management stations and devices
7. FMOS Control Panel*
8. Set the update channel*
9. Certificates*
10. SMTP*
11. Syslog usage*
12. Verify retrieval, normalization and change detection*
13. Map zones and network segments*

This guide combines topics from the FMOS User's Guide and the Administration User's Guide. It is
only a guide to help you get started; it does not go into detail beyond what is needed to get SIP
functioning. Each SIP application has a detailed user's guide available for download on the User
Center with more in-depth topics and advanced procedures.

* These topics are only mentioned in this guide, with direction to where more detail is covered in
the respective user's guide.

10 | First Use Guidelines


About SIP

What is the Security Intelligence Platform?


The Security Intelligence Platform (SIP), the industry-leading firewall and network device policy
management solution, allows you to continuously analyze, visualize, and improve your existing
network security infrastructure and firewall management. SIP is designed as a single sign-on point
to access all licensed SIP modules. All SIP modules interact with firewalls using machine-to-machine
communication.

Administration is used to perform system, user, and device-related administrative tasks for all
modules.

Security Manager gives you an in-depth look at your entire firewall network.

Policy Planner is an add-on module* used to manage changes to the firewall, from the initial access
request to solution design, through implementation and verification.

Policy Optimizer is an add-on module* used to create compliance controls within Security Manager
to ensure that all rules are reviewed periodically to confirm that they are still relevant and
required.

Global Policy Controller is an add-on module* used as an asset-centric, implementation-independent
firewall policy management solution that allows you to maintain a single, secure global policy.

Risk Analyzer is an add-on module* used to measure the risk to your network assets based on
simulated network attacks that uncover host vulnerabilities. At this time, Risk Analyzer is part of
the Administration and Security Manager applications; it is not a separate module but still requires
a separate license.

* Each add-on module requires its own license.

SIP Components

Application Server (AS): Servers with this role run the SecMgr and Workflow services and expose
their HTTP APIs to network consumers. These servers also expose the web-based user interface
applications. An ecosystem must have at least one server with this role.

Certificate Authority (CA): FMOS uses TLS and IPsec to enable secure communication between SIP
components, including the PostgreSQL database, the Elasticsearch index, SecMgr, the Data
Collector, etc. These protocols use X.509 certificates to authenticate the communicating parties to
one another. FMOS manages an X.509 Certificate Authority to issue and validate these certificates.
Exactly one machine in the FMOS ecosystem must have this role. Under normal circumstances, the
first machine created in the ecosystem will hold the CA role.

Database (DB): Servers with this role run the PostgreSQL database management engine, which
houses the data used by FireMon Security Manager. Additionally, these servers store data, such as
normalized configuration, in files on the filesystem, which can be shared with other servers in the
ecosystem. An ecosystem can have exactly one server with this role.

Data Collector (DC): Servers with this role are responsible for communicating with devices managed
by Security Manager, for example to retrieve configuration and process log messages. An
ecosystem must have at least one server with this role.

Enterprise Search (ES): Servers with this role run Elasticsearch to provide high-performance search
capability for FireMon Security Manager. There must be at least one machine with this role in the
ecosystem. It is typically held by the same servers that hold the database server role.

Graphical User Interface (GUI): Interactive environment for viewing device data stored in the
database. The GUI runs in a web browser and must have connectivity to the application server.

About FMOS Generation III


What is FMOS?
The FireMon Operating System (FMOS) is a managed operating system. It is designed exclusively to
support the FireMon Security Intelligence Platform software suite. It provides all of the necessary
utilities to deploy, configure, use, and troubleshoot the Security Intelligence Platform (SIP) and its
related modules in a wide array of scenarios and environments.

Why FMOS?
To ensure all FireMon customers have a consistent experience when using FireMon software, FMOS
does not allow any users, including users with the FMOS Administrator privilege, to make direct
changes to any operating system or application configuration. FMOS provides an extensive set of
configuration options itself, which can be used to customize the FireMon software, the operating
system, and third-party software included in FMOS. The FireMon development team has evaluated
these configuration options and tests them for compatibility in a range of scenarios to identify and
eliminate issues and potential issues.

FMOS manages configuration files, kernel parameters, security options, user accounts, and more.
In addition to ensuring a consistent user experience and helping administrators avoid
misconfiguration, this approach has powerful security benefits. Limiting users’ access to prescribed
operations shrinks the attack surface area of the system dramatically.

Operating system security updates are provided by FireMon as part of our regular software
releases. With each release, the operating system package set is fully tested for compatibility with
our products – quality assurance that an administrator running SIP software on a different Linux
platform would have to do on their own.

As the FireMon Security Intelligence Platform module suite grows and evolves, so does FMOS. Each
release of FMOS includes additional functionality to simplify deployments, increase security, or
solve problems.

Requirements

Supported Platforms
Regardless of platform type, system resources must be available at least at the minimum
requirements documented in this guide, sized for the number of devices and the load observed on
the system in your specific deployment environment. From a driver perspective, FMOS supports the
same hardware as CentOS 8.

FireMon provides FMOS distribution options and deployment instructions for the platforms listed
below. For other systems, the standard deployment steps for that platform should be performed by
the personnel responsible for it. FireMon Support supports FMOS itself on the listed platforms, but
not the operation, configuration, or troubleshooting of the underlying platform unless it is an FM
appliance.

FMOS can be deployed on the following platforms:

FireMon (FM) Appliance

An FM appliance installation consists of:
- An FM appliance (at least one for a single deployment, more for distributed deployments).
- Security Intelligence Platform components: application server, database, one or more data
  collectors, and a license for SIP.

Your FM appliance meets the system recommendation to run SIP efficiently.

Non-FM Appliance
An installation consists of:
- A physical or virtual machine in your environment (at least one for a single deployment, more for
  distributed deployments).
- Security Intelligence Platform components: application server, database, one or more data
  collectors, and a license for SIP.

If you are installing FMOS on a non-FM appliance machine, your hardware must meet or exceed
the system recommendations.

Virtual Machine
Virtual platforms that have been tested and are supported:

- VMware
- Linux Kernel Virtual Machine (KVM)

An installation consists of:

- A virtual machine in your environment (at least one for a single deployment, more for distributed
  deployments).
- Security Intelligence Platform components: application server, database, one or more data
  collectors, and a license for SIP.

A virtual machine must meet or exceed the system recommendations.

Cloud-based
Cloud-based platforms that have been tested and are supported:

- Amazon Web Services (AWS)
- Microsoft Azure


System Requirements
Machine Specifications

Recommended system requirements are based on FireMon best practices. Failing to meet these
recommendations can lead to performance issues.

Note: We recommend accessing SIP using one of the following supported browsers: Mozilla Firefox,
Google Chrome, Microsoft Edge, or Apple Safari, with a minimum screen resolution of 1280 x 800.

When first installing FMOS, the initial configuration wizard checks the local system to ensure it
meets the recommended system requirements. These requirements provide a baseline for all
deployments. When planning the deployment, consider the following guidelines:
- Servers with the database (DB) role require very large amounts of RAM, especially when
  generating reports or running assessments.
- Servers with the application server (AS) role use a large amount of RAM and CPU time, and
  demand increases as the number of users grows.
- Servers with the data collector (DC) role use large amounts of RAM and CPU time, and demand
  increases as the number of monitored devices grows.

These are the recommended system requirements, based on FM appliance system specifications. If
you are using your own machine hardware, it is recommended that it be equivalent to an FM
appliance.

Full Install

Machines running the full or cloud variant of FMOS must have at least these specifications:

- CPU: 32 cores, 3.2 GHz
- RAM: 96 GB DDR4-2666 with ECC
- Storage: 1200 GB (SAS, 15K RPM HDD or SSD, RAID 10)

DC Only Install

Machines running the dconly variant of FMOS must have at least these specifications:

- CPU: 24 cores, 3.4 GHz
- RAM: 64 GB DDR4-2666 with ECC
- Storage: 240 GB (SATA or SAS, 15K RPM or SSD, RAID 1)


FM Appliance Specs

These are the FM appliances that the machine specifications are based on. FireMon offers three
purpose-built Dell machines to run FireMon SIP solutions in your enterprise or MSSP environment.
Whether you're monitoring 100 devices or 15,000, on one continent or around the world, we offer
an FM appliance with the power and storage capacity to deliver FireMon's high-performance, highly
scalable firewall management and risk analysis solutions.

FM-720ES*
- Processor: 2x Intel Xeon Gold 6134 (3.2 GHz)
- Memory: 12x 8 GB 2666 MT/s Dual Rank DDR4 RDIMM (96 GB)
- Storage: 4x 600 GB 15K RPM 12 Gbit/s 2.5" SAS HDD

FM-715DC*
- Processor: 2x Intel Xeon Gold 6128 (3.4 GHz)
- Memory: 8x 8 GB 2666 MT/s Dual Rank DDR4 RDIMM (64 GB)
- Storage: 2x 240 GB 6 Gbit/s 2.5" SATA SSD

FM-1110ES*
- Processor: 2x Intel Xeon Gold 6140 (2.3 GHz)
- Memory: 8x 16 GB 2666 MT/s Dual Rank DDR4 RDIMM (128 GB)
- Storage: 16x 300 GB 15K RPM 12 Gbit/s 2.5" SAS HDD

* All models include iDRAC8 Enterprise.

Network Topology
When deploying multiple servers, consider the following guidelines for best overall performance:
- All servers holding the application server role must be on the same network segment.
- If the application server and database roles are held by separate servers, those servers should be
  on the same network segment, with a very high bandwidth connection between them.
- Servers holding the data collector role should be located logically near the devices they monitor.
- Application servers must be able to resolve the database server by fully qualified domain name
  (FQDN).
- Data collector servers must be able to resolve application servers by FQDN.
- A default gateway must be configured on all servers.

Servers holding each role must be reachable on the following protocols and ports. Open only what
is listed for the roles a machine actually holds; nothing else needs to be reachable from the
network.

Database Server (DB)
- ICMP/ICMPv6
- IP protocol 50 (ESP)
- TCP port 5432 (PostgreSQL)
- TCP port 55555 (FMOS Control Panel)*
- UDP port 500 (ISAKMP)
- UDP port 4500 (IPsec NAT-T)

Application Server (AS)
- ICMP/ICMPv6
- IGMP
- IP protocol 50 (ESP)
- TCP port 443 (HTTPS)
- TCP port 61617 (ActiveMQ)
- UDP port 500 (ISAKMP)
- UDP port 4500 (IPsec NAT-T)
- Multicast UDP port 6155 (ActiveMQ cluster member discovery)

Data Collector (DC)
- ICMP/ICMPv6
- UDP port 514 (Syslog) (as needed)
- TCP port 1470 (Syslog) (as needed)
- TCP port 5150 (DC cluster) (as needed)

*Note: TCP port 55555 is required on the DB machine to reach the FMOS Control Panel UI, but is
optional on AS and DC machines. If you do not want to open port 55555, you can use the FMOS CLI
commands on the DB machine instead.


SIP Ecosystem
SIP Roles
To facilitate the distributed capabilities of the SIP software suite, FMOS provides tools for deploying
multiple servers that communicate with one another. Each server can hold one or more roles, which
define its responsibilities and the components of SIP that it runs.

- Application Server (AS): Servers with this role run the SecMgr and Workflow services and
  expose their HTTP APIs to network consumers. These servers also expose the web-based
  user interface applications. An ecosystem must have at least one server with this role.

- Certificate Authority (CA): FMOS uses TLS and IPsec to enable secure communication
  between SIP components, including the PostgreSQL database, the Elasticsearch index,
  SecMgr, the Data Collector, etc. These protocols use X.509 certificates to authenticate the
  communicating parties to one another. FMOS manages an X.509 Certificate Authority to issue
  and validate these certificates. Exactly one machine in the FMOS ecosystem must have this
  role. Under normal circumstances, the first machine created in the ecosystem will hold the CA
  role.

- Database Server (DB): Servers with this role run the PostgreSQL database management
  engine, which houses the data used by FireMon Security Manager. Additionally, these servers
  store data, such as normalized configuration, in files on the filesystem, which can be shared
  with other servers in the ecosystem. An ecosystem can have exactly one server with this role.

- Data Collector (DC): Servers with this role are responsible for communicating with devices
  managed by Security Manager, for example to retrieve configuration and process log
  messages. An ecosystem must have at least one server with this role.

- Enterprise Search (ES): Servers with this role run Elasticsearch to provide high-performance
  search capability for FireMon Security Manager. There must be at least one machine with this
  role in the ecosystem. It is typically held by the same servers that hold the Database Server
  (DB) role.

A server may hold a combination of roles as well. It is very common for a single server to hold all
of the roles. In medium-sized environments, it is likely that there will be one server that holds the
AS and DB roles, and one or more separate servers with the DC role. Very large environments may
have one server with the DB role, and many servers with each of the other roles.

Deployment Scenarios
FMOS supports several deployment scenarios, each with specific strengths. The size of the
deployment will mostly depend on which features (modules) of SIP will be used, how many devices
it will monitor, and many other factors. No specific recommendation can be made here as to which
scenario is correct for any particular case. In general, however, the larger deployment scenarios tend
to perform better than the smaller ones.

Single-Server

In a single-server deployment (also called an all-in-one or AIO deployment), a single machine holds all
of the SIP roles. This is very easy to set up, and requires very little maintenance. It also performs
extremely poorly in almost all cases, so its use should be limited to demonstration or evaluation
purposes only.

Partially Distributed

A partially distributed deployment is one where one machine holds the AS, CA, DB, and ES roles,
with one or more separate machines holding the DC role. This type of deployment is useful in small
environments where the machine serving the HTTP API and Web UI is not able to directly
communicate with the devices Security Manager monitors. Like the single-server deployment,
performance in this type of scenario is generally poor, so its use is discouraged.

Fully Distributed

In a fully distributed deployment, the AS and DC roles are held by machines separate from the
database machine. Such a deployment requires at least three machines: one holding CA, DB, and
ES; one AS; and one DC. This type of deployment takes advantage of the horizontal scalability built
into each component of SIP: the performance of a component increases with the number of
machines holding that role in the ecosystem.

Note: This type of deployment, while more difficult to deploy, is strongly encouraged for all use cases.

In a fully distributed ecosystem, FMOS requires a shared filesystem for AS machines to store non-
relational data (such as normalized configuration files, etc.). In single-database mode, the machine
holding the DB role shares its local filesystem with the AS machines using NFS. In multi-database
mode, the DB machines form a clustered filesystem that replicates its contents to each DB
machine. The AS machines access this cluster using NFS.

Multiple-Database Mode

By default, FMOS only allows a single machine in the ecosystem to hold the DB and ES roles. To
facilitate rapid disaster recovery scenarios, FMOS can be configured for multi-database mode. In this
mode, additional machines can hold these roles in a standby capacity. The original database
machine operates as a primary server, replicating its changes to the standby machines. In the event
of a failure, one of the standby machines can be promoted to become the primary.

Role Hierarchy
Machines in an FMOS ecosystem are organized hierarchically. The relationship between machines
is described as superior or subordinate. In a typical ecosystem, the machine that holds the DB role
is the superior of all of the machines with the AS role. Thus, the AS machines are subordinates of
the DB machine. Similarly, machines that hold the DC role are subordinates of a machine with the
AS role.

The figure below shows the relationship between roles in a fully distributed ecosystem. The arrows
point to the superior server of each role.

Planning the Ecosystem

It is important when implementing a multi-server ecosystem to plan how many servers will be
required and which roles each server will hold. Having this information available ahead of time will
ease the deployment process significantly. The following questions can help identify exactly which
steps need to be performed in order to correctly deploy the ecosystem:

- Will the server holding the DB role be separate from the server holding the AS role?
- How many servers will hold the AS role?
- Will the servers holding the DC role be separate from the servers holding the AS role?

It is a good idea to list each server that will exist within the ecosystem, which roles it will hold, as
well as its host name and network settings before beginning.
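The role rules from SIP Roles and Multiple-Database Mode, the minimum machine specifications from System Requirements, and the per-role port lists from Network Topology can all be checked against the server list above before the first fmos ecosystem run. The following Python script is an added example and is not FireMon code or part of this guide: it validates a planned server list against those rules, derives the allow-list each machine pair needs from the role hierarchy, and diffs a proposed firewall rule set against it so that both missing and superfluous openings show up. It assumes that a subordinate role opens connections to its superior (DC to AS, AS to DB, taken from the Role Hierarchy section), that the dconly variant holds only the DC role, and that TCP 55555 and HTTPS 443 are reached from administrator workstations; the server names, the sample plan and the proposed rule set are constructed for illustration.

```python
"""Plan checker for a multi-server FMOS ecosystem (added example, not FireMon code).

ASSUMPTION: a subordinate role opens connections to its superior (DC -> AS,
AS -> DB), taken from the Role Hierarchy section. Confirm this against the
FMOS User Guide before turning the output into firewall rules.
"""
from dataclasses import dataclass

# Minimum (CPU cores, RAM GB, storage GB) per build variant, from System Requirements.
MIN_SPEC = {"full": (32, 96, 1200), "cloud": (32, 96, 1200), "dconly": (24, 64, 240)}

# Traffic each role must accept, from Network Topology. Third field = who connects:
# "sub" subordinate role, "peer" same role, "admin" browser, "device" monitored
# devices, "any" any host. Port None = protocol without ports (ESP/ICMP/IGMP).
ROLE_PORTS = {
    "DB": [("icmp", None, "any"), ("esp", None, "sub"), ("tcp", 5432, "sub"),
           ("tcp", 55555, "admin"), ("udp", 500, "sub"), ("udp", 4500, "sub")],
    "AS": [("icmp", None, "any"), ("igmp", None, "peer"), ("esp", None, "sub"),
           ("tcp", 443, "sub"), ("tcp", 443, "admin"), ("tcp", 61617, "sub"),
           ("udp", 500, "sub"), ("udp", 4500, "sub"), ("udp", 6155, "peer")],
    "DC": [("icmp", None, "any"), ("udp", 514, "device"), ("tcp", 1470, "device"),
           ("tcp", 5150, "peer")],
}
SUPERIOR = {"DC": "AS", "AS": "DB"}  # assumed connection direction (see docstring)
EXTERNAL = {"admin": "admin-workstations", "device": "monitored-devices", "any": "any"}


@dataclass(frozen=True)
class Server:
    name: str
    roles: frozenset  # subset of {"AS", "CA", "DB", "DC", "ES"}
    variant: str      # "full", "cloud" or "dconly"
    cores: int
    ram_gb: int
    storage_gb: int


def check_plan(servers, multi_db=False):
    """Return the rule violations in a plan; an empty list means it passes."""
    problems = []
    count = {r: sum(1 for s in servers if r in s.roles) for r in ("AS", "CA", "DB", "DC", "ES")}
    if count["CA"] != 1:
        problems.append(f"exactly one CA role is required, found {count['CA']}")
    for role in ("AS", "DC", "ES"):
        if count[role] < 1:
            problems.append(f"at least one {role} role is required")
    if not multi_db and (count["DB"] != 1 or count["ES"] != 1):
        problems.append("single-database mode allows exactly one DB and one ES role")
    for s in servers:
        if s.variant == "dconly" and s.roles != frozenset({"DC"}):  # assumption
            problems.append(f"{s.name}: the dconly variant can hold only the DC role")
        cores, ram, disk = MIN_SPEC[s.variant]
        if s.cores < cores or s.ram_gb < ram or s.storage_gb < disk:
            problems.append(f"{s.name}: below the {s.variant} minimum of "
                            f"{cores} cores / {ram} GB RAM / {disk} GB storage")
    return problems


def _key(flow):
    return (flow[1], flow[0], flow[2], flow[3] or 0)


def required_flows(servers):
    """Derive (source, destination, protocol, port) entries the plan needs.

    Sources are server names for machine-to-machine traffic and EXTERNAL labels
    for hosts outside the ecosystem.
    """
    flows = set()
    for dst in servers:
        for role, entries in ROLE_PORTS.items():
            if role not in dst.roles:
                continue
            for proto, port, who in entries:
                if who == "sub":
                    srcs = [s.name for s in servers if s is not dst
                            and any(SUPERIOR.get(r) == role for r in s.roles)]
                elif who == "peer":
                    srcs = [s.name for s in servers if s is not dst and role in s.roles]
                else:
                    srcs = [EXTERNAL[who]]
                flows.update((src, dst.name, proto, port) for src in srcs)
    return sorted(flows, key=_key)


def audit_rules(proposed, servers):
    """Diff a proposed allow-list against the plan, returning (missing, extra).

    Missing entries will break the ecosystem; extra entries open something no
    role needs and should be removed (least privilege).
    """
    need, have = set(required_flows(servers)), set(proposed)
    return sorted(need - have, key=_key), sorted(have - need, key=_key)


# Constructed sample: a fully distributed ecosystem sized like the FM appliances.
SAMPLE = [
    Server("db1", frozenset({"CA", "DB", "ES"}), "full", 32, 96, 1200),
    Server("as1", frozenset({"AS"}), "full", 32, 96, 1200),
    Server("dc1", frozenset({"DC"}), "dconly", 24, 64, 240),
]
# A bad plan: an undersized dconly box that also tries to hold the AS role.
BAD = SAMPLE + [Server("dc2", frozenset({"DC", "AS"}), "dconly", 8, 16, 240)]
# A proposed allow-list that forgot IPsec NAT-T and opened the Control Panel on a DC.
PROPOSED = [f for f in required_flows(SAMPLE) if f != ("as1", "db1", "udp", 4500)]
PROPOSED.append(("admin-workstations", "dc1", "tcp", 55555))

if __name__ == "__main__":
    for label, plan in (("good plan:", SAMPLE), ("bad plan:", BAD)):
        print(label, check_plan(plan) or "OK")
    for src, dst, proto, port in required_flows(SAMPLE):
        print(f"allow {src} -> {dst} {proto}{'/' + str(port) if port else ''}")
    print("audit (missing, extra):", audit_rules(PROPOSED, SAMPLE))
```

Running the script prints the problems found in each plan, the derived allow-list, and the audit result; feed audit_rules your own rule set to catch a forgotten UDP 4500 between AS and DB or a Control Panel port exposed on a collector that never needs it. Passing multi_db=True relaxes the single-DB check for the standby machines described under Multiple-Database Mode.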

Which Ecosystem Deployment is Right for Your Organization?

These are only visual representations of potential deployment options. Your environment is unique.

FMOS Installation
For more information and additional installation topics, see the FMOS User Guide.


Download the FireMon Operating System


Note: These procedures only apply to non-FireMon machines. FM appliances ship with FMOS already
installed.

Build Variants
Every FMOS version is produced in multiple variants. Each variant is designed to serve a specific
purpose. When installing FMOS on a new machine, be sure to select the proper variant:
- Cloud: This variant is intended for cloud deployments, such as Microsoft Azure or Amazon Web
  Services. It contains all of the Security Intelligence Platform application components and all
  supporting software.
- DC Only: This variant contains only the Data Collector application component of the Security
  Intelligence Platform.
- Full: This is the default variant. It contains all of the Security Intelligence Platform application
  components, including the Security Manager server, the data collector, and all supporting
  software such as PostgreSQL and Elasticsearch.

Distribution Formats
Each FMOS build variant is distributed in multiple formats. The various formats are designed to
support different deployment environments or scenarios:
- FMOS Distribution Archive (.tar.gpg) [all variants]: This format is used by all FMOS variants for
  updating an existing installation of FMOS to a new version. When updating, be sure to use the
  Distribution Archive for the same variant that is already installed.
- Virtual Machine Template (.ova) [full, dconly]: This format is used to deploy a new virtual
  machine, for example using VMware vSphere, Microsoft Hyper-V, or Oracle VirtualBox.
  - The VM Template downloads with a limited disk size of 250 GB. Before performing the FMOS
    installation, either resize the disk to the recommended size (500 GB) or add a second
    250 GB disk.
- Virtual Disk Image (.qcow2) [full, dconly]: This format is used to deploy a new virtual machine,
  for example using Linux KVM (with libvirt/QEMU) or OpenStack.
  - The Virtual Disk Image downloads with a limited disk size of 250 GB. Before performing the
    FMOS installation, either resize the disk to the recommended size (500 GB) or add a second
    250 GB disk.
- Physical Hardware Installer (.iso) [full, dconly]: This format is used to install FMOS on a
  physical machine.
- Azure Virtual Disk Image (.vhd.zip) [cloud]: This format is used to create a new Virtual Machine
  Image in Microsoft Azure.
- AWS Virtual Disk Image (.vmdk) [cloud]: This format is used to create a new Amazon Machine
  Image in Amazon Web Services.

Download the Installation Files

1. Go to the FireMon User Center (https://usercenter.firemon.com) and log in. Your User Center
   user name and password were emailed to your organization.
2. Click Downloads.
3. In the SIP Software section, click the "Click here to select the correct download" link to go to
   the Artifact Selection page.
4. In the Install Selection section, select your deployment type:
   - Cloud: for AWS and Azure installations
   - DC Only: for data collector only installations
   - Full: for full distribution installations
5. In the Distribution Selection section, select the distribution type based on how your ecosystem
   is deployed:
   - Cloud: AWS, AWS (Update Only), Azure, Azure (Update Only)
   - DC Only: Physical Hardware, Update Only, Virtual Disk Image, VM Template
   - Full: Physical Hardware, Update Only, Virtual Disk Image, VM Template
6. In the Select File section, verify that the install and distribution types are correct and then click
   Select File to go to the file download page.
7. Click Download.
8. After downloading the FMOS file, decide whether you will install on compatible hardware or on a
   virtual machine.


Install FMOS
Ecosystem Setup
The FMOS Ecosystem Setup process is done using the fmos ecosystem command. Future
versions of FMOS may support performing the ecosystem setup process from the FMOS Control
Panel browser-based graphical user interfaces, but current versions require using the FMOS
command line (e.g. over SSH).

Initial Configuration
Before deploying a multi-server ecosystem, each machine that will be a member of the ecosystem
needs to finish initial configuration. This is when basic options such as hostname, network
configuration, organization identification, etc. are provided for the machine. As part of this process,
the machine is prepared to join the ecosystem by choosing one of the available deployment
options.

Initial configuration of an FMOS machine is done in one of two ways, depending on where the
machine is hosted: a physical or virtual machine, or a cloud deployment.

When deploying a multi-server ecosystem, choose New Deployment only for the first machine (the database server, which will hold the CA, DB, and ES roles). For all other machines, including standby database machines (if any), choose Existing Deployment.

Initial Configuration Wizard


For FM appliances and other physical hardware servers, as well as on-premises virtual machines, the FMOS Initial Configuration Wizard is used. This wizard is a text-based user interface that is displayed on the machine's graphical console or monitor, and uses the keyboard for input and navigation.

After FMOS has been successfully installed on the system, the FireMon FMOS Initial Configuration Wizard will start automatically on the first boot. This wizard will guide you through setting the required configuration options in order to use the system.


The FMOS Initial Configuration Wizard has the following deployment options:

- Single-Server Deployment: This server is the only server in the deployment. It will perform all of the functions of SIP without communicating with other servers.

- Existing Deployment: This server will be a part of a SIP deployment that already exists in the organization. This option is used for all machines in a multi-server ecosystem except the primary database machine. The specific functions this server will perform will be configured later.

- New Deployment: This is the first server in a new multi-server SIP deployment. It will provide the database and application server, unless Database Only is selected.

Be sure to select New Deployment for only the first server in a new ecosystem, and select Existing Deployment for all other servers.

The configuration wizard is organized into several “pages” which contain groups of related
configuration options that can be set.


Host and Network Configuration

This page prompts for basic required information for configuring the machine and connecting it to
the network.

The host name is the single-label name of the server. It can contain only letters, numerals, and
hyphens. It is not typically case-sensitive, but the entered value will be used as-is. The host name
should not be longer than 15 characters.

The domain name is the name of the DNS domain to which the server belongs. In many cases, this
will match the DNS name of an Active Directory domain or Kerberos realm.

Together, the host name and domain name, when combined with a “dot” (.) character, form the
host’s fully-qualified domain name (FQDN). It is extremely important that the FQDN resolve
correctly using DNS, and that the listed address matches the primary IP address of the server. The
FQDN is used for certificate verification, cluster communication, and several other important
network functions.

Network Configuration

All of the network interfaces detected by the system are listed under Network Adapters on the host configuration page. By default, the first detected network adapter is enabled, while all others are disabled. To enable or disable a network adapter, position the cursor in the check box to the left of the adapter name and select the space bar or enter key on the keyboard.

Enabled network adapters are automatically configured for DHCP address assignment. To change
this, position the cursor on the Configure button to the right of the network adapter name and
select the space bar or enter key on the keyboard. The network adapter configuration page will be
displayed.

To change the configuration mode for the selected network adapter, position the cursor on the
radio button to the left of the desired configuration mode and select the space bar or enter key on
the keyboard. If the Manual configuration mode is selected, the fields below such as IP Address and
Subnet Mask become available. Enter the appropriate information in these fields. To save the
changes and return to the host configuration page, position the cursor on the Ok button and select
the space bar or enter key on the keyboard. The Cancel button will return to the host configuration
page without saving any changes.

Although the Default Gateway and DNS Server fields appear on the network adapter configuration
page for every network adapter, these are system-wide configuration settings, and can only have a
single value. As such, changing the value on one adapter configuration page will change it for all
adapters as well.


Network Time

The operation of SIP is very dependent on accurate time information, so it is highly recommended to configure FMOS to synchronize its system clock with a network time source using NTP. FMOS supports receiving time server information from the DHCP server (if you configured at least one network adapter for automatic configuration, and your network's DHCP server provides this information) or specifying the time servers to use manually.

DHCP configuration of NTP sources is enabled by default. To manually enter one or more NTP servers, position the cursor on the Use specific time servers radio button and select the space bar or enter key on the keyboard. The Time Servers field will be automatically populated with the recommended time servers. To specify different servers, position the cursor in the field and select the backspace or delete keys on the keyboard. You can enter more than one server by separating their host names or IP addresses with a space.

Organization

FMOS requires identification information about the organization where the machine is deployed.
This information is used to generate X.509 certificates, and helps FireMon support correlate
diagnostic information when troubleshooting multiple machines.

- Name: The name of the company or organization

- Unit/Department: (Optional) The name of the department, team, unit, etc.

- City: (Optional) The city/locality of the organization or where the machine is deployed

- State/Province: (Optional) The state or province of the organization or where the machine is deployed

- Country: (Optional) The country of the organization or where the machine is deployed

User

At least one user must be created in order to access the FMOS system normally. Enter the desired
username for the user, and optionally the user’s full name.

Choose a strong password of at least eight (8) characters, containing at least one lowercase letter,
one uppercase letter, one number, and one other symbol (such as !, @, etc.). Repeat the
password to confirm you typed it correctly.

Additional users can be created from the operating system command line after initial configuration
is complete.


Notifications

Email Notifications

SMTP Settings

Several components of SIP and FMOS itself can send notification messages by email. FMOS
supports several configuration modes for sending these messages:

- Delivery Method: Configures how email messages will be delivered to recipients:

  - Send email directly: Email messages will be delivered directly to the mail server responsible for the recipient email addresses, found by looking up the MX records in DNS
  - Send email through an SMTP relay: All email messages will be sent to a relay server or "smart host" for delivery
  - Do not send any email: All email messages will be discarded and never delivered

- Relay Host: If the Send email through an SMTP relay delivery method is selected, this value indicates the host name or IP address of the relay server through which all messages will be sent

- Port: The TCP port on which to connect to the SMTP server on the remote host

- Security: Selects the security capability to use when communicating with the SMTP relay server; has no effect on direct email delivery

  Only explicit in-band TLS (STARTTLS) is currently supported. The legacy method of wrapping the entire SMTP communication in an SSL session, known as "SMTPS", is not available.

- Authentication: Selects the authentication method to use when communicating with the SMTP relay server; has no effect on direct email delivery

  Only the "plain" authentication mechanism is currently supported. Since this method sends the username and password in clear text, it should only be used when STARTTLS security is enabled.

- Username/Password: The credentials to use when authentication is required for communicating with the SMTP relay server; has no effect on direct email delivery
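The check an administrator would run against a relay before choosing STARTTLS security with plain authentication, written for this guide as an added example (not FireMon code): it reads the EHLO extensions the relay advertises before and after STARTTLS and reports whether the combination FMOS supports is usable. The relay names and EHLO replies in the block are constructed; the live probe uses Python's standard smtplib.

```python
import smtplib
import ssl
from typing import Optional


def parse_ehlo(reply: bytes) -> dict[str, str]:
    """Turn an EHLO reply as smtplib returns it into {EXTENSION: parameters}.

    smtplib strips the '250-' prefixes, so the reply looks like
    b'mail.example.com\nSIZE 35882577\nSTARTTLS\nAUTH PLAIN LOGIN'; the first
    line is the relay's greeting, the remaining lines are extensions.
    """
    extensions: dict[str, str] = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        name, _, params = line.strip().partition(" ")
        if name:
            extensions[name.upper()] = params.upper()
    return extensions


def assess_relay(before_tls: dict[str, str],
                 after_tls: Optional[dict[str, str]]) -> list[str]:
    """Report why the relay cannot be used with STARTTLS security and plain authentication.

    FMOS supports only explicit in-band TLS (STARTTLS) and only the plain mechanism,
    and plain authentication should only be enabled once STARTTLS is in place. Many
    relays advertise AUTH only after STARTTLS, so the post-TLS extensions are the ones
    that matter. An empty list means the relay supports the combination.
    """
    problems = []
    if "STARTTLS" not in before_tls:
        problems.append("relay does not advertise STARTTLS; FMOS only supports explicit "
                        "in-band TLS, so plain authentication would send credentials "
                        "in clear text")
        return problems
    mechanisms = (after_tls or {}).get("AUTH", "").split()
    if "PLAIN" not in mechanisms:
        problems.append("relay does not offer AUTH PLAIN after STARTTLS; FMOS only "
                        "supports the plain mechanism")
    return problems


def probe_relay(host: str, port: int = 587, timeout: float = 10.0) -> list[str]:
    """Connect to a relay, negotiate STARTTLS if offered, and assess what it advertises.

    Uses a default TLS context, so the relay's certificate must be valid for `host`.
    Only EHLO and STARTTLS are sent: no message is submitted and no credentials are used.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, reply = smtp.ehlo()
        before = parse_ehlo(reply)
        after = None
        if "STARTTLS" in before:
            smtp.starttls(context=ssl.create_default_context())
            _, reply = smtp.ehlo()  # the extension list can change once TLS is up
            after = parse_ehlo(reply)
    return assess_relay(before, after)


# Constructed EHLO replies (no real relay involved) showing the two common outcomes.
GOOD_RELAY_BEFORE = b"mail.example.com\nSIZE 35882577\nSTARTTLS\n8BITMIME"
GOOD_RELAY_AFTER = b"mail.example.com\nSIZE 35882577\nAUTH PLAIN LOGIN\n8BITMIME"
NO_TLS_RELAY = b"legacy.example.com\nSIZE 10240000\nAUTH PLAIN LOGIN"

if __name__ == "__main__":
    print(assess_relay(parse_ehlo(GOOD_RELAY_BEFORE), parse_ehlo(GOOD_RELAY_AFTER)))  # []
    print(assess_relay(parse_ehlo(NO_TLS_RELAY), None))  # one problem: no STARTTLS
```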

Deployment Environment

FMOS supports several “ecosystem” configurations, consisting of one or more servers performing
different functions. It is extremely important to select the correct deployment option for the
system, as making changes later can be difficult. Be sure to plan ahead and decide how many
servers will be needed and the roles each one will hold.


- Single-Server Deployment: This server is the only server in the organization. It will perform all of the functions of SIP without communicating with other servers.

- Existing Deployment: This server will be a part of a SIP deployment that already exists in the organization. The specific functions this server will perform will be configured later.

- New Deployment: This is the first server in a new multi-server SIP deployment. It will provide the database and application server, unless Database Only is selected.

Be sure to select New Deployment for only the first server in a new ecosystem, and select Existing Deployment for all other servers.


FMOS Initial Configuration Wizard


After FMOS has been successfully installed, the FireMon FMOS Initial Configuration Wizard will start
automatically on the first boot. This wizard will guide you through setting the required
configuration options in order to use the system. This wizard collects values from the administrator
and generates an initial configuration file, which is then used by Ansible to deploy the system as it
is booting.

Before you begin, please make sure that you can provide the required information.

Required Information
- The host name of the device, including domain name
- The interfaces that should be active
- The static IP address and netmask for the primary network interface
- The desired password for the FireMon administrator role

Recommended Information
- Default gateway IP address
- DNS server IP address
- NTP server IP address (strongly recommended to ensure date/time accuracy and communication continuity among Security Manager components and devices)
- SMTP server address and the email address of a user who should receive server alerts

Note: If not configured during initial installation, these settings can be configured using the FMOS
Control Panel after installation.

To run the initial configuration wizard, complete the following steps.

1. At Welcome to FMOS, press Enter.

2. Review FireMon's Copyright Notice, End User License Agreement, and Open Source Licenses. Press the right arrow to select I Agree and then press Enter.

3. In the FireMon FMOS Configuration Wizard, complete the following steps, and then select OK and press Enter.

a. For Host Name, enter a host name. For example, sm9test. The host name is the single-label name of the server. It can contain only letters, numerals, and hyphens. It is not typically case-sensitive, but the entered value will be used as-is. The host name should not be longer than 15 characters.


b. For Domain Name, enter your domain. The domain name is the name of the DNS
domain to which the server belongs. In many cases, this will match the DNS name of an
Active Directory domain.

Note: Together, the host name and domain name, when combined with a “dot” (.)
character, form the host’s fully-qualified domain name (FQDN). It is extremely
important that the FQDN resolve correctly using DNS, and that the listed address
matches the primary IP address of the server. The FQDN is used for certificate
verification, cluster communication, and several other important network functions.

c. For Network Adapters, select Configure to set network adapter settings.

d. Select a Network Time option. Use Time Server Provided by DHCP is recommended.

   - If you selected Use Specific Time Servers, they will be listed in the Time Servers field.

e. Select OK and press Enter.


4. Enter organization identification information, and then select OK and press Enter.

5. Create a local administrative user for normal access to the system, and select OK and press Enter.

Note: Use your command line interface (CLI) user name. For the password, choose a strong password of at least eight characters, containing at least one lowercase letter, one uppercase letter, one number, and one symbol.

6. Optional. To configure how the server will send email messages, complete the following:

   - In Alert Recipient, enter one or more recipient addresses, separated by spaces.
   - Select a Delivery method.
   - Set any Relay Host information.
   - Select OK and press Enter.

7. In the server deployment page, select a server deployment option, and select OK and press Enter.

a. Single-Server Deployment: will configure the machine as a single-server (or all-in-one) deployment.


Note: You should select Single-Server Deployment even if you have additional data collectors to add. Please refer to the Configure a Single Server with Multiple Data Collectors topic in the FMOS User's Guide.

b. Existing Deployment: will not add roles to the machine. This option is used for machines in a multi-server deployment, except the primary database machine, or if you already have a Security Manager deployment in your system and plan on using this installation as an additional data collector or application server. This selection is common for MSSPs that have multiple application server deployments.

c. New Deployment: will configure the machine for a distributed deployment, with the CA, DB, ES and AS roles. This is the first server in a new multi-server deployment of Security Manager. It will provide the database and application server, unless Database Only is selected.

Note: Be sure to select New Deployment for ONLY the first server in a new deployment, and select Existing Deployment for all other servers.

d. New Deployment (Database Only): will configure the machine for a fully distributed deployment, with the CA, DB and ES roles.

The system configuration confirmation screen opens.

8. Review the settings, scroll to the bottom of the screen to select Finish and press Enter.

Note: To continue configuring a distributed deployment, please refer to the Configure a Distributed
Deployment topic.

Note: To continue configuring a High Availability distributed deployment, please refer to the Configure
an HA Deployment topic.
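A pre-flight check for the values the wizard asks for, written for this guide as an added example (not FireMon code): it applies the host-name rules stated above, confirms that the resulting FQDN resolves in DNS to the server's primary IP address (the requirement behind certificate verification and cluster communication), and checks a candidate password against the stated policy. The resolver is injectable so the check can run against a constructed lookup table; the host name sm9test comes from the guide, while the domain example.com and the 192.0.2.x addresses are constructed sample values.

```python
import re
import socket

# Rules stated by the wizard: a single-label host name of letters, numerals and hyphens,
# no longer than 15 characters.
HOST_NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")
HOST_NAME_MAX_LEN = 15


def check_host_name(host: str) -> list[str]:
    """Return the rule violations for a proposed host name (an empty list means OK)."""
    problems = []
    if not HOST_NAME_RE.fullmatch(host):
        problems.append("host name may contain only letters, numerals and hyphens")
    if len(host) > HOST_NAME_MAX_LEN:
        problems.append(f"host name is longer than {HOST_NAME_MAX_LEN} characters")
    return problems


def fqdn(host: str, domain: str) -> str:
    """Host name and domain name joined with a dot form the FQDN used for certificates."""
    return f"{host}.{domain}"


def static_resolver(table: dict[str, str]):
    """Build a resolver backed by a fixed name->address table (for offline checks).

    The returned function raises socket.gaierror for unknown names, like live DNS does.
    """
    def resolve(name: str) -> str:
        try:
            return table[name]
        except KeyError:
            raise socket.gaierror(f"{name}: Name or service not known") from None
    return resolve


def check_fqdn_resolves(host: str, domain: str, primary_ip: str,
                        resolve=socket.gethostbyname) -> list[str]:
    """Confirm the FQDN resolves and that the answer is the server's primary IP address.

    Pass resolve=static_resolver({...}) to check against a table instead of live DNS.
    """
    name = fqdn(host, domain)
    try:
        answer = resolve(name)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return [f"{name} does not resolve: {exc}"]
    if answer != primary_ip:
        return [f"{name} resolves to {answer}, not the primary IP {primary_ip}"]
    return []


def check_password(password: str) -> list[str]:
    """Apply the wizard's stated policy: 8+ characters with lower, upper, digit and symbol."""
    rules = [
        (len(password) >= 8, "at least eight characters"),
        (any(c.islower() for c in password), "at least one lowercase letter"),
        (any(c.isupper() for c in password), "at least one uppercase letter"),
        (any(c.isdigit() for c in password), "at least one number"),
        (any(not c.isalnum() for c in password), "at least one symbol such as ! or @"),
    ]
    return [f"password needs {desc}" for ok, desc in rules if not ok]


def preflight(host: str, domain: str, primary_ip: str, password: str,
              resolve=socket.gethostbyname) -> list[str]:
    """Run every check and return all problems found; an empty list means the values are usable."""
    problems = check_host_name(host)
    if not problems:
        problems += check_fqdn_resolves(host, domain, primary_ip, resolve)
    problems += check_password(password)
    return problems


if __name__ == "__main__":
    # Constructed sample: the guide's example host name sm9test in a made-up domain,
    # resolved through a static table rather than live DNS.
    table = {"sm9test.example.com": "192.0.2.10"}
    for problem in preflight("sm9test", "example.com", "192.0.2.10",
                             "Fm0s-Setup!", static_resolver(table)):
        print("PROBLEM:", problem)
```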


Installation for Cloud Deployments

Initial Setup for Cloud Deployments


The initial setup process for FMOS appliances deployed in cloud environments differs from the process for FMOS appliances deployed in traditional data centers. Because cloud environments do not typically provide a mechanism for accessing the graphical console of an FMOS appliance, the FMOS Initial Configuration Wizard is not available. Instead, FMOS provides a web-based alternative, the FMOS Setup UI.

The FMOS Setup UI is hosted by the FMOS Control Panel server, and as such is available over TLS on
TCP port 55555.

Note: The FMOS Control Panel always uses a self-signed certificate initially, so browsers will present a
security warning. This cannot be avoided, because the appliance has not yet been configured and so
does not have a host name or access to a trusted certificate authority.

FMOS Admin User

FMOS requires at least one user that will be able to administer the system. Enter the appropriate
values for each field to create the first user. This user will automatically be granted the FMOS
Administrator privilege.

- Username: The user name for the new user; must be at least 3 characters

- Full Name: (Optional) The full name of the user

- Password: A password for the new user; must comply with the default FMOS password policy

- Confirm Password: Re-enter the password to ensure it was typed correctly

Machine Configuration

SIP can operate in a self-contained environment on a single server, or as part of a multiple-server ecosystem. Select one of the values to specify how the server will be deployed.

The FMOS Setup UI has the following deployment options:

- Single-Server Deployment: This server is the only server in the deployment. It will perform all of the functions of SIP without communicating with other servers.


- Existing Deployment: This server will be a part of a SIP deployment that already exists in the organization. This option is used for all machines in a multi-server ecosystem except the primary database machine. The specific functions this server will perform will be configured later.

- New Deployment: This is the first server in a new multi-server SIP deployment. It will provide the database and application server, unless Database Only is selected.

Organization Information

FMOS requires identification information about the organization where the machine is deployed.
This information is used to generate X.509 certificates, and helps FireMon support correlate
diagnostic information when troubleshooting multiple machines.

- Name: The name of the company or organization

- Unit/Department: (Optional) The name of the department, team, unit, etc.

- City: (Optional) The city/locality of the organization or where the machine is deployed

- State/Province: (Optional) The state or province of the organization or where the machine is deployed

- Country: (Optional) The country of the organization or where the machine is deployed

Initial Deployment Process

After submitting the required information in the FMOS Setup UI, FMOS will begin the initial deployment process. The status of the deployment can be viewed by using the FMOS Health system. Health check results are available from a terminal session with the fmos health command, or from the FMOS Server Control Panel.

Caution! During initial deployment, the FMOS Control Panel server certificate will be replaced. Browsers will typically warn users when a server's certificate has changed, so accessing the FMOS Control Panel after using the FMOS Setup UI may generate such a warning.


Amazon Web Services

This is a bring your own license (BYOL) AMI; you must already have a SIP license to activate the subscription.

FMOS can run as an Elastic Compute Cloud (EC2) Instance in Amazon Web Services (AWS). FireMon has removed the need to manually set up the AMI by providing it as a download from the AWS Marketplace. There is also an AWS CloudFormation Template available for use.

Available in the AWS Marketplace:

AMI

CloudFormation Template

AMI

Step 1: Launch the AMI

This is a bring your own license (BYOL) AMI; you must already have a SIP license to activate the subscription.

To launch from AWS Marketplace

1. Log in to the AWS Marketplace.

2. Search for FireMon and select the FireMon Security Intelligence Platform entry.
3. Click Continue to Subscribe.
4. Click Accept Terms after reviewing FireMon's EULA, and then click Continue to Configuration.

Note: You can continue to launch or you can come back later to complete, starting from the To launch from the EC2 Dashboard section.

5. For Configure this software, verify the deployment:

   - Delivery Method is set to the AMI version
   - Software Version is set to the latest release
   - Region can be set to your preferred location or leave the default region
6. Click Continue to Launch.
7. For Launch this software, in Configuration Details, click Usage Instructions to view important setting information.
8. For Choose Action, select Launch through EC2, and then click Launch.
9. Select Launch from EC2 Dashboard, and then click Launch to open the AMI configuration settings.
10. Choose Instance Type: Select an Instance Type from the list of available types.

Recommended: A General or Memory Optimized type with 64 GB of memory or more.

11. Configure Instance: Accept default settings or select data to meet your requirements.
12. Add Storage: Click Add New Volume and in the Size field enter at least 600.

Do not change the Root Volume Type. Be sure to click Add New Volume; this step must be done to prevent instance launch failure.

13. Add Tags: Enter a Key and Value (a tag) for the instance.
14. Configure Security Group: The required types, protocols, and ports needed for FMOS are set.
   - HTTPS / TCP / 55555 to access the FMOS Control Panel server for initial setup
   - HTTPS / TCP / 443 to access web-based applications
   - SSH / TCP / 22 for admin access
15. Click Review and Launch.
16. Review: Review that all information entered is correct and click Launch.
17. The Select an existing key pair or create a new key pair dialog box opens. These keys are needed for authentication.
18. Select the acknowledgment that you have access to the selected key pair.
19. Click Launch Instance.
20. After the instance launches successfully, you can open a new browser tab to begin the FMOS initial setup process.
21. Continue to Step 2: FMOS Initial Setup Authentication for AWS.

To launch from the EC2 Dashboard

If you did not launch the AMI at the time of subscribing, you can come back to continue to launch using
the EC2 Dashboard.

1. In the EC2 Dashboard toolbar, click Services.

2. Click AWS Marketplace Subscriptions.
3. Find FireMon Security Intelligence Platform, and click Launch new instance.
4. For Configure this software, verify the deployment:
   - Delivery Method is set to the AMI version
   - Software Version is set to the latest release
   - Region can be set to your preferred location or leave the default region
5. Click Continue to launch through EC2.
6. Continue from Step 10 above.

Step 2: FMOS Initial Setup Authentication for AMI

The FMOS Initial Setup is responsible for collecting critical information about the system that is
required in order to perform the initial deployment. Among the values it collects are the credentials
for the first FMOS administrative user. This user is authorized to log in to the FMOS CLI using SSH,
run the fmos command, and use the FMOS Control Panel. Because the AWS Marketplace security
policy requires that the user must first enter a randomized password or the instance ID, the FMOS
Initial Setup will prompt for this value before allowing you to continue.

Initial User Account

When FMOS boots for the first time in a cloud environment, it will automatically create the initial
administrative user account. This must be done before you can complete the FMOS Initial Setup
process. The process for creating the user at first boot will be:

- The system will create a new Linux user account. The username will be fmosadmin.
- The system will assign the FMOS Administrator privilege to the account.
- The system will set the password for the new account. The password is the EC2 instance ID, which is available through the instance metadata service.

Setup UI Administration

Because the administrator must be prompted for the instance ID before being allowed to change
the password for the initial FMOS administrator account, the FMOS Initial Setup must be protected
with authentication. This will ensure that the user provides proper credentials before being allowed
to perform the Initial FMOS Setup process and thereby changing the initial account password. The
authentication procedure will be:

1. Open a web browser and navigate to the hostname or IP address of the AWS instance running SIP. For example, https://<hostname_or_IPaddress>:55555/setup, replacing <hostname_or_IPaddress> with the hostname or IP address of the instance to configure.

2. The UI will display an Authentication dialog box before opening the FMOS Initial Setup form.

   a. Username is fmosadmin.
   b. Password is the EC2 instance ID.
   c. Click Submit.

3. Following successful authentication, the UI will hide the Authentication dialog box and display the FMOS Initial Setup form.

4. Continue to Step 3: FMOS Initial Setup Completion for AWS.

Step 3: FMOS Initial Setup Completion for AMI

After the FMOS initial setup authentication completes, you will continue to enter information in the
required fields to finish setup of an AWS cloud deployment.

FMOS Administrative User

1. The user name is read-only and cannot be changed, but you can update the password.
   - Username: This is fmosadmin and cannot be changed
   - Full Name (optional): The full name of the FMOS admin user
   - Password: You can change from the EC2 Instance ID to a new password of your choice
   - Confirm Password: Retype the new password

Organization Information


2. Enter your organization's information.

   - Name: The name of your company or organization. The name cannot contain non-English characters, such as ã, ė, õ, ñ
   - Unit/Department (optional): The name of the department, team, unit, etc.
   - City (optional): The location of the organization or where the machine is deployed
   - State/Province (optional): The state or province of the organization or where the machine is deployed
   - Country (optional): The country of the organization or where the machine is deployed

Machine Configuration

3. Enter the FQDN.

4. Select the type of deployment this will be.
   - Single-Server Deployment: This server is the only server in the deployment. It will perform all the functions of SIP without communicating with other servers
   - Existing Deployment: This server will be part of a deployment that already exists in the organization. The specific functions this server will perform will be configured later
   - New Deployment: This is the first server in a new multi-server deployment. It will hold the Database and Enterprise Search roles
5. Click Submit.
6. Click the FMOS Control Panel link in the deployment progress message to continue configuration, and log in using your CLI credentials.

During initial deployment, the FMOS Control Panel server certificate will be replaced. Browsers will typically warn users when a server's certificate has changed, so accessing the FMOS Control Panel after using the FMOS Setup UI may generate such a warning. It is safe to proceed.

7. After the deployment process completes, you can log in to Security Intelligence Platform to continue setting up your network, such as adding users and devices.
   a. Open another browser tab.
   b. Enter the IP address of your SIP instance (https://<hostname_or_IPaddress>).
   c. Enter your username and password:
      - Username is firemon (case-sensitive)
      - Password is the MAC address of the instance with colons removed and lowercase letters used. For example, a MAC address of 00:05:95:A1:2B:CC would be 000595a12bcc. This is a one-time password to use at first installation and will need to be reset after initial login.
      - Click Log In


Note: Refer to the Administration User's Guide (available in the User Center) for information about
device properties and monitoring, and other administrative tasks.

CFT

Launch the CloudFormation Template

FMOS can run as a CloudFormation Template in Amazon Web Services (AWS).

To launch from CloudFormation

1. In the CloudFormation Dashboard, click Create Stack (With New Resources).
2. Select Upload a template file and choose a valid *.yaml/*.json file.
3. Click Next.
4. Enter a Stack Name.
5. Enter data in all required fields in Parameters.
   - VPC ID
   - Subnet ID
   - Instance Type
   - KeyPair Name
   - Volume Size
   - FMOS username
6. In Machine Configuration, specify Ecosystem.
7. Add an Organization Name.
8. Click Next.
9. Review: Review all sections entered and then click Next.
10. A new stack with the above Stack Name is created with a status of CREATE_COMPLETE.
11. Go to the EC2 Dashboard. A new instance is created.
12. After the deployment process completes, you can log in to Security Intelligence Platform to continue setting up your network, such as adding users and devices.
   a. Open another browser tab.
   b. Enter the IP address or DNS name of your AWS instance. For example, https://<hostname_or_IPaddress>
   c. Enter your username and password:
      - Username is firemon (case-sensitive)
      - Password is the MAC address for the instance with colons removed and lowercase letters. For example, a MAC address of 00:05:95:A1:2B:CC would be 000595a12bcc. This is a one-time password to use at first installation and will need to be reset after initial login.
      - Click Log In.

Note: Refer to the Administration User's Guide (available in the User Center) for information about
device properties and monitoring, and other administrative tasks.


Microsoft Azure
FMOS can run as a virtual machine on the Microsoft Azure cloud platform. FireMon has removed the need to manually set up the VMI by providing it as a download from the Azure Marketplace.

Step 1: Launch Azure Marketplace VMI

This is a bring your own license (BYOL) VMI; you must already have a SIP license to activate the subscription.

To launch from Azure Marketplace

1. Log in to the Azure Marketplace.

2. Search for FireMon and select the FireMon Security Intelligence Platform for Azure entry.

3. Click Get it Now.

4. Click Continue to accept the terms of use and to create this app in Azure.
5. Once the subscription has processed, select

Step 2: FMOS Initial Setup Authentication for Azure

The FMOS Initial Setup is responsible for collecting critical information about the system that is
required in order to perform the initial deployment. Among the values it collects are the credentials
for the first FMOS administrative user. This user is authorized to log in to the FMOS CLI using SSH,
run the fmos command, and use the FMOS Control Panel.

Initial User Account

When FMOS boots for the first time in a cloud environment, it will automatically create the initial
administrative user account. This must be done before you can complete the FMOS Initial Setup
process. The process for creating the user at first boot will be:

- The system will copy the OVF metadata from the virtual removable disc to persistent storage.
- The system will create a new Linux user account. The username is as specified by the user during VM creation, which is provided in the OVF metadata.
- The system will assign the FMOS Administrator privilege to the account.
- The system will set the password for the account. The password is as specified by the user during VM creation, which is provided in the OVF metadata; if the user specified an SSH key instead of a password, the password is the first 12 characters of the base64-encoded SHA256 fingerprint of the SSH public key.
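The derivation in the last bullet, as an added example that is not FireMon code: it reads an OpenSSH public key line, computes the SHA-256 fingerprint of the key blob, and takes the first 12 characters of its base64 form. It assumes the fingerprint is the one ssh-keygen -lf prints (base64 of the SHA-256 digest of the raw key blob, without the SHA256: prefix or = padding); that assumption is this example's, not a statement from the guide. The key in the block is a constructed 32-byte blob, not a real key.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_public_key: bytes) -> bytes:
    """Build the OpenSSH key blob for an ssh-ed25519 key from its 32 raw bytes.

    Used here only to construct a sample key; the bytes need not be a valid curve
    point, because the fingerprint is a hash of the encoded blob, not a key operation.
    """
    if len(raw_public_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_public_key)


def parse_openssh_public_key(line: str) -> bytes:
    """Return the raw key blob from a public key line ('ssh-ed25519 AAAA... comment')."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob_b64 = parts[0], parts[1]
    blob = base64.b64decode(blob_b64, validate=True)
    # The blob starts with its own copy of the key type; make sure the two agree.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key type in blob does not match the leading key type")
    return blob


def sha256_fingerprint(blob: bytes) -> str:
    """SHA-256 fingerprint in the form ssh-keygen -lf prints, minus the 'SHA256:' prefix.

    Assumption of this example: ssh-keygen strips the trailing '=' padding, so the
    value is a 43-character base64 string.
    """
    digest = hashlib.sha256(blob).digest()
    return base64.b64encode(digest).decode("ascii").rstrip("=")


def initial_setup_password(pubkey_line: str) -> str:
    """First 12 characters of the base64 SHA-256 fingerprint of the public key.

    The value depends only on public key material, which is why the Setup UI goes on
    to collect the credentials that replace it.
    """
    return sha256_fingerprint(parse_openssh_public_key(pubkey_line))[:12]


# Constructed sample key: 32 arbitrary bytes wrapped as an ssh-ed25519 public key line.
SAMPLE_RAW_KEY = bytes(range(32))
SAMPLE_PUBKEY_LINE = ("ssh-ed25519 "
                      + base64.b64encode(make_ed25519_blob(SAMPLE_RAW_KEY)).decode("ascii")
                      + " azure-vm-admin")

if __name__ == "__main__":
    # Compare with: ssh-keygen -lf <pubkey-file>, which prints 'SHA256:<fingerprint>'.
    print("fingerprint:", sha256_fingerprint(parse_openssh_public_key(SAMPLE_PUBKEY_LINE)))
    print("initial setup password:", initial_setup_password(SAMPLE_PUBKEY_LINE))
```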

Setup UI Administration

Because the administrator must be prompted for the instance ID before being allowed to change
the password for the initial FMOS administrator account, the FMOS Initial Setup must be protected
with authentication. This will ensure that the user provides proper credentials before being allowed
to perform the FMOS Initial Setup process and thereby changing the initial account password. The
authentication procedure will be:

1. Open a web browser and navigate to the host name or IP address of the Azure VM running SIP. For
example, https://<hostname_or_IPaddress>:55555/setup, replacing <hostname_or_IPaddress>
with the host name or IP address of the instance to configure.

2. The UI will display an Authentication dialog box before opening the FMOS Initial Setup form.

a. Username is the username for the created VM.


b. Password is the password for the created VM.
c. Click Submit.

3. Following successful authentication, the UI will hide the authentication dialog box and display
the FMOS Initial Setup form.

Step 3: FMOS Initial Setup Completion for Azure

After the FMOS initial setup authentication completes, you will continue to enter information in the
required fields to finish setup of an Azure cloud deployment.

FMOS Administrative User

1. Enter FMOS Administrator User information.


• Username — The username used for the created VM
• Full Name (optional) — The full name of the user
• Password — The password used for the created VM
• Confirm Password — Re-enter the password to ensure it was typed correctly

Organization Information

2. Enter your organization's information.


• Name — The name of the company or organization
• Unit/Department (optional) — The name of the department, team, unit, etc.
• City (optional) — The location of the organization or where the machine is deployed
• State/Province (optional) — The state or province of the organization or where the machine
  is deployed
• Country (optional) — The country of the organization or where the machine is deployed
3. Enter the FQDN.
4. Select the type of deployment this will be.
• Single-Server Deployment — This server is the only server in the deployment. It will perform
  all of the functions of SIP without communicating with other servers
• Existing Deployment — This server will be part of a deployment that already exists in the
  organization. The specific functions this server will perform will be configured later
• New Deployment — This is the first server in a new multi-server deployment. It will hold the
  Database and Enterprise Search roles
5. Click Submit.
6. Click the FMOS Control Panel link in the deployment progress message to continue configuration,
and log in using your CLI credentials.

During initial deployment, the FMOS Control Panel server certificate will be replaced.
Browsers will typically warn users when a server’s certificate has changed, so accessing the
FMOS Control Panel after using the FMOS Setup UI may generate such a warning. It is safe to
proceed.

7. After the deployment process completes, you can log in to Security Intelligence Platform to con-
tinue setting up your network, such as adding users and devices.
a. Open another browser tab.
b. Enter the IP address of your Azure instance.
c. Enter your user name and password:
   • Username is the username provided from the created VM
   • Password is the MAC address for the created VM with colons removed and lowercase
     letters. For example, a MAC address of 00:05:95:A1:2B:CC would be 000595a12bcc. This is
     a one-time password to use at first installation and will need to be reset after initial login.
   • Click Log In

Note: Refer to the Administration User's Guide (available in the User Center) for information about
device properties and monitoring, and other administrative tasks.


Access SIP
Note: We recommend accessing SIP using one of the following supported browsers: Mozilla Firefox,
Google Chrome, Internet Explorer 11, Microsoft Edge, and Apple Safari with a minimum screen
resolution of 1280 x 800.

MAC Address to Access SIP


The MAC address of the application server used to access SIP will be used as the password for the
initial SIP sign on. This is a one-time password to use at first installation and will need to be reset
after initial sign on.

• For a VM installation, use the MAC address of the VM used to access SIP
• For a multi application server deployment, use the MAC address of the first application
  server installed

The password is the MAC address of the server with colons removed and lowercase letters used.
For example, a MAC address of 00:05:95:A1:2B:CC would be 000595a12bcc.

Launch the Security Intelligence Platform


To launch SIP and begin managing your network security, complete the following steps.

1. Open a web browser.


2. In the Address bar, enter your FMOS / SIP IP address.

The Security Intelligence Platform Log In screen opens.

Access SIP Applications


To access SIP applications, complete the following steps.

1. In the Security Intelligence Platform dialog box, enter the following information:
   • Username — firemon (case-sensitive)
   • Password — the MAC address of the server with colons removed and lowercase letters
     used. For example, a MAC address of 00:05:95:A1:2B:CC would be 000595a12bcc. This is
     a one-time password to use at first installation and will need to be reset after initial sign on.
2. Click Log In.


Licensing
For more information and additional licensing topics, see the Access: License chapter in the
Administration User's Guide.


About Licenses
For Security Manager to retrieve configurations from your network and security devices, and for
access to add-on modules such as Policy Planner or Policy Optimizer, a valid license must be stored
in the database. For an MSSP, only one license is required regardless of the number of domains in
SIP.

Your product license also specifies how many and which types of devices can be added. Once you
have added the total number of devices for that device type, Security Manager or the selected bro
will not monitor any additional devices of that type. You can, however, change which devices you
want to monitor within each device type. For a list of device types in your SIP license, in the
Administration module, click Access > License.

All of the devices that you want to monitor, excluding clusters, must be licensed. (Check Point
Cluster Members must be licensed.)

You received your first Security Manager product license file when you purchased SIP or requested
your evaluation.

Note: If you have added new devices on your network that you want to monitor with Security Manager,
you must upload a new product license. Except for the devices mentioned earlier, Security Manager will
not monitor devices that are not part of the SIP product license. Please contact the Sales Team at
[email protected] to request a new SIP product license.

Example of license use


Assume that your Security Manager license allows you to monitor the following device types: one
Security Device Manager (SDM) and three firewalls. You add a Juniper NSM, which is an "SDM"
device type. At this point, the total number of SDMs allowed by your license has been met. Then
you add three Juniper NetScreen devices, which are "firewall" device types. At this point, the total
number of firewalls allowed by your license has been met. If you create a fourth NetScreen firewall
in Security Manager, it will not be monitored until you unlicense one of the three firewalls, or until
you generate and upload a new license to accommodate the fourth firewall.

Permission Requirements
A user will need to be a member of a user group with the following minimum permissions granted:

• Administration: Server Licenses
• Module: Administration


Generate a New License


You must generate a new license in the following situations:
• You changed the IP Address of your application server.
• You want to monitor a device that is not already licensed.
• You want to use an add-on module, such as Policy Planner or Policy Optimizer, but have not
  purchased a license for it.
• You added new customers to your product license in an MSSP deployment.

You can generate a license in the User Center. You must have a User Center account with
Administrator permissions and a valid software subscription.

To generate a new product license, complete the following steps.

1. Log in to https://usercenter.firemon.com.
2. Click Licenses.
3. Click Download in the Production License or Eval License (for evaluation users only) section.
4. Upload the new license in the Administration module.

Note: If you do not have Administrator permissions or a valid software subscription, or if you want to add
a new device or module to your SIP license, please contact FireMon Sales at [email protected] to
purchase a new license.

Upload a Product License


A product license must be uploaded in the following scenarios:
l You have just purchased the Security Intelligence Platform.
l You have purchased a new license from Sales for additional devices or add-on modules.
l You have changed your application server’s IP address.
l You added new customers to your product license in an MSSP deployment.

Prerequisite: You must first generate a license in the User Center.

You will be prompted to upload a product license when your evaluation period expires (evaluation
users only) and when your Security Manager license expires.

1. Open the Administration module.


2. On the toolbar, click Access > License.


3. Click Upload.
4. In the Upload License dialog box, click Choose File to browse for and select the .lic file to upload,
and then click Open.
5. Click Upload.

Assign a License
In most cases, your SIP product license will correctly select and display the devices that should be
licensed for monitoring. In some cases, you will need to manually assign a new device to the
product license. It is assumed that you have already added the device.

Note: If a device is managed by a management station, the management station must be added first
and it will auto discover child devices and assign licenses.

License Security Manager


Note: The following procedure assumes that you have not exceeded the maximum allowable devices
for the type of device that you want to license. You must first remove a device of the same type from the
product license, or request a new license.

To assign a license to a device, complete the following steps.

1. On the toolbar, click Device > Devices or Management Stations.


2. From the devices list, find the device you would like to license.
3. Select the Security Manager check box. As soon as you do, Security Manager will begin to
monitor data.
4. You can perform a manual configuration retrieval.

License Policy Optimizer or Policy Planner


Prerequisite: An active Policy Optimizer or Policy Planner license is required before assigning
to a device.

To assign a license for Policy Optimizer or Policy Planner to a device, complete the following steps.


1. On the toolbar, click Device > Devices or Management Stations.


2. From the devices list, find the device that you would like to use with Policy Optimizer or Policy
Planner.
3. Select the Policy Optimizer or Policy Planner check box.

Note: Any controls set to send failed rules to Policy Optimizer will begin to do so.

License to use Policy Automation


Prerequisite: An active Policy Planner license is required before assigning to a device. Read
more about Policy Automation.

To assign a license for Policy Automation to a device, complete the following steps.

1. On the toolbar, click Devices > Management Stations or Devices.


2. From the list, find the device you would like to use for Policy Automation.
3. Select the Automation check box.

License Errors
The system will return license error messages in the following scenarios:
• Attempt to upload an expired license.
• Attempt to upload a corrupt license.
• Attempt to upload a license for a SIP version that you have not installed.
• Attempt to upload a license for an application server that is not identified in the license.
• Attempt to add a device in Security Manager that is not identified in the license.
• If your SIP product license does not meet any of these criteria but you have received an error
  message, please contact our Support team for assistance.

In cases where the error message indicates that you are trying to add a device that is not licensed,
please review the list of licensed devices. If you have multiple devices that you are not monitoring
with Security Manager, these devices may have accidentally been selected as licensed devices.


Users

FMOS Users
For more information and additional FMOS user topics, see the FMOS User's Guide.

About FMOS Users

Note: This topic only pertains to FMOS. Users of SIP (Security Manager and other applications) are
discussed in the Administration User's Guide.

When you first run the FMOS Initial Configuration Wizard you will create an account granting both
FireMon Administrator and System Administrator privileges.
• FireMon Administrator is used to access the FMOS CLI.
• System Administrator is used to access the Security Intelligence Platform (SIP). This account is
  managed in the Administration application, not in FMOS.

FMOS uses the related practices of the Principle of Least Privilege and Privilege Separation.
Together, these practices help mitigate security risks and trace the origins of attacks that may
occur.

The Principle of Least Privilege states that users and programs should never be given the capability
to perform any task outside what is strictly necessary to perform their primary functions. For
example, a program responsible for receiving email messages should not have the ability to reboot
the computer.

Privilege Separation is a practice whereby users can operate in one of two roles:
• Unprivileged — users in this role perform tasks such as web browsing and document editing which
  do not require any control over the system beyond accepting keyboard and mouse input.
• Privileged — users in this role perform tasks such as installing new software or making
  configuration changes that affect multiple users.

Unprivileged Users
FMOS runs its services under unprivileged user accounts. All users on an FMOS system
are unprivileged users by default. These users have limited access to system resources and almost
no control over system functions. Most daemon processes run as unprivileged users to reduce the
risk that they may leak sensitive information to unauthorized users or make changes to themselves
or the system.


The FMOS operating system includes the following unprivileged service accounts:

• fmjas: FireMon Security Manager Server
• fmnd: FireMon Normalized Worker
• fmdc: FireMon Data Collector
• httpd: Apache HTTPD
• postgres: PostgreSQL Database Server

Note: FMOS manages its unprivileged users; you cannot modify them. These unprivileged
users have no password. They cannot be used to log in to the system, and are strictly used for
process separation.

Privileged Users
FMOS has two privileged user accounts.

FireMon Administrators
• Users that are authorized to configure and control FireMon Security Manager services are known as
  FireMon Administrators. These users are allowed to run the FMOS commands.
• Users who are members of the fmadmin group hold the FireMon Administrator role.

Note: The user created by the FMOS Initial Configuration Wizard automatically holds the FireMon
Administrator role, as well as System Administrator.

Backup Operator
• Users who are responsible for managing and maintaining FMOS backups are known as Backup
  Operators. These users are allowed to edit the contents of the backup storage directory located in
  /var/lib/backup/firemon.
• Users who are members of the fmbackup group hold the Backup Operator role.

Note: By default, no users hold the Backup Operator role.

Create an FMOS User

Note: This procedure only creates an FMOS user. To create a SIP user, you'll need to log in to the
Administration application.

Recommendation: It is recommended that you create an additional admin user account in case
the password for the initial admin user account is lost.


FMOS includes a utility for managing users and privileges called fmos user. Using this tool, users
with the FireMon Administrator role can create and delete users as well as grant and revoke
privileges.

To create a new user, use the fmos user create command. The program will prompt for some
basic information about the user, including user name, full name, and password. In addition, it will
ask which roles the user should hold.

fmos user create
Username: fmosuser
Full Name: FMOS User
Select privileges:
FireMon Administrator? [y/N]
Backup Operator? [y/N]
Password:
Confirm Password:
Successfully created user 'fmosuser'

Note: You must replace the example Username and Full Name with one that meets your user
name requirements.

Note: A FireMon Administrator does not need to be a Backup Operator, nor does a Backup
Operator need to be a FireMon Administrator. The roles can be separate or combined.

Note: If you have enabled password complexity, you must enter a strong 8-character password that
must contain one lowercase letter, one uppercase letter, one number, and one other symbol
character. Using a character delimiter, such as \ or . or , can result in the password not saving
correctly.

Answers to each prompt can also be provided using command-line arguments:

fmos user create fmosuser -n 'FMOS User' -p fmadmin


SIP Users and User Groups


For more information and additional users and user groups topics, see the Access chapter of the
Administration User's Guide.

Default User Account


SIP installs with one user account preconfigured.
• firemon

This preconfigured account has full write permissions, which allows access to all system,
administration, module, device group, and workflow functions.

Note: This preconfigured user account does not provide command line interface (CLI) access for
machine or server management, only access to SIP modules.

For security purposes, we recommend that you change the password for this account.

However, we do not recommend that you disable this account or remove it from the All Users
group.

Caution! If you choose to disable this account, you must first add the account to another user
group with "Write Users" and "Write User Groups" permissions. If you are logged in with this
FireMon user account and you disable it, you will immediately lose authorization to further
modify the account unless you have manually added the account to another user group with
"Write Users" and "Write User Groups" permissions.


User Accounts
Every person who logs into SIP is referred to as a User.
• User accounts are managed in the Administration module.
• Users can be authenticated using a third-party authentication server such as LDAP or RADIUS.
  Depending on how that authentication is configured, these users may not exist as individual
  accounts in the Administration module.
• All users belong to the All Users user group.
• To access features and functionality in Security Manager or its add-on modules, users must be
  assigned to at least one user group.
• A user can belong to multiple groups.
• In an MSSP deployment, users can belong to the enterprise (main) domain or to a customer
  domain. Users cannot be mapped to multiple domains, but if this is needed then the user should be
  added to a user group in the enterprise domain and then granted permissions to other domains.
• A user account cannot be deleted, only disabled.

Permission Requirements
A user will need to be a member of a user group with the following minimum permissions granted:

• Administration
  ◦ User Groups
  ◦ Users
• Module: Administration

Open the Users Page


To open the Users page, on the toolbar, click Access > Users.

Users List

The following table defines the values in the Users table. The order listed is ascending by
Username, but can be sorted by any column.

Users List

Value           Description
Username        The displayed name of the user in the system.
First Name      User's first name.
Last Name       User's last name.
Email Address   Email address to be used for the user.
Account         Is the account Unlocked or Locked?
Status          Is the account Enabled or Disabled?
                Action menu with options for tasks to complete at the user level.

Show / Hide Users


Use the toggle key to show or hide disabled users.

Grant Permissions to Users


Permissions are assigned to User Groups. To provide permissions to data and functionality in SIP,
begin by adding a user. Then, assign that user to a User Group.

Note: Since every user is assigned to the All Users group, FireMon recommends not setting any
permissions for this group.

Create a New User

To create a new user account, complete the following steps.

1. On the toolbar, click Access > Users.


2. Click Create.
3. On the Create User page, complete the User Properties section:
   • Username — make it unique and with no spaces
   • Email address — such as [email protected]
   • First Name
   • Last Name
   • Status: Select the Enabled check box.
   • Authentication Type: Select from the list.
   • Password — although there are no password requirements, it is recommended to enter a
     strong 6 to 8-character password using a combination of upper and lowercase letters,
     numbers, and symbols


4. In the Assignment section, add the user to one or more groups.


   • Select a group from the All User Groups section, click Add to move it to the Selected User
     Groups section.
5. Click Save.

Note: If you create a user with an existing user name, you'll receive an error message: Failed while
saving user. [User with username 'name of user' already exists]


User Groups
A user group is a collection of users with the same permissions. Users are authorized to access
specific modules and functionality within those modules, and even particular groups of devices,
according to their membership in a user group.

In an MSSP deployment, user groups can belong to the Enterprise domain and to customer
domains.

There is only one default user group - All Users.

Note: You cannot delete the All Users, Administrators and Security Manager Users groups.

All Users
• All users automatically become members of the All Users group when they are added to the domain.
• No permissions are granted to the All Users group. If you grant permissions to this user group, the
  permissions will be granted to all users.

Note: Since every user is assigned to the All Users group, FireMon recommends not assigning any
permissions to this group.

Administrators
• Read / Write permissions have been granted to the Administrators group for administrators of the
  Security Intelligence Platform to perform operational and administrative tasks.

Security Manager Users


• Read-only permissions have been granted to the Security Manager Users group.

Note: All permissions are assigned at the user group level.

Permission Requirements
A user will need to be a member of a user group with the following minimum permissions granted:

• Administration
  ◦ User Groups
  ◦ Users
• Module: select at least one module that the user will have access to

Open the User Groups Page


To open the User Groups page, on the toolbar, click Access > User Groups.


User Groups List

The following table defines the values in the User Groups table. The order listed is ascending by
User Group name, but can also be sorted by Description.

User Groups List

Value         Description
User Group    The name of the user group.
Users         The number of users assigned to the group.
Description   A description of the group.
              Action menu with options for tasks to complete at the user group level.

Create a User Group

To create a new user group, complete the following steps.

1. On the toolbar, click Access > User Groups.


2. Click Create, then select Create.
3. In the User Group Properties section, complete the following:
a. Name—type the name of the user group as it should appear in the User Groups list. There is
a limit of 255 characters. There are no restrictions on the type of characters entered. The
name must be unique, not used by another group.
b. Description—type a brief description of the group. This text will appear only in the user
group's properties.
4. In the Assignment section, search/filter for users in All Users field. Click on a user's name, and
then click the Add button to move the user to the Selected Users.
5. In the User Group Permissions section, set Read and Write permissions for each section's
access areas as it pertains to the group's purpose and needed permissions.
   • For an MSSP, you can enter the Domain for the user group to be assigned to.
6. If you are using an authentication server, the Authentication Server Mapping section is
populated after creation and save of an authentication server. All available authentication servers will
be listed here. You must map a user group to an authentication server.
7. Click Save.


About Permissions

Permissions are access rights to SIP features and device data, domains, product modules, as well as
to Policy Planner and Policy Optimizer workflow states.

All permissions are granted at the user group level.

Permissions to modules or functions within each category can be granted or revoked by selecting or
clearing check boxes, respectively. As you set permissions, the system will automatically select
additional permissions that are dependent on the one you selected. You will see an indicator icon
and can hover over it to read the reason for the automatic selection.
For example, selecting a Write permission will automatically select the Read permission.

What a user has access to is determined by the granted permissions. All areas of the user interface
(UI) will be viewable but not accessible based on the assigned permissions.

Permissions to grant are Read and Write.

Read means a user can only view information.

Write means a user can view and make changes to information.

Note: Selecting write will automatically select read.

Note: Since every user is assigned to the All Users group, FireMon recommends not
assigning any permissions to this group.

SIP permissions are organized into the following categories:

System is used to grant permissions that are not specific to any of the other
permissions categories.
• Domains is used to grant permissions to view and modify domain-specific settings
  and data for MSSP deployments. This is set at the Enterprise level.
• Plugins is used to grant access to view or add device packs, report packs, and
  workflow packs.

Administration is used to grant permissions to perform a variety of administrative
tasks. Included in this section are the following:
• Event Log is used to grant access to view events that appear in the Event Log.
• Data Collectors is used to grant permission to manage data collectors.
• Server Licenses is used to grant permission to manage server licenses.
• Assessments and Controls is used to grant permissions related to creating and
  assigning assessments and controls. It is also used for the ability to whitelist a rule.


• Authentication Servers is used to grant permission to manage authentication
  servers.
• Central Syslog Servers is used to grant permission to manage central syslog
  servers.
• Reports is used to grant permission to schedule (in Administration) and run (in
  Security Manager) reports.
• User Groups is used to grant permission to manage user groups.
• Users is used to grant permission to manage users.
• Workflows is used to grant permission to manage workflows and workflow packs.
• Configuration is used to grant permission to manage match patterns for central
  syslog configuration and collection configurations.
• System Users is for users who have access to a data collector CLI. This user role /
  permission is set within FMOS. This selection is not visible to users not assigned this
  role.
• Risk Data is only needed for Risk Analyzer use (Risk Analyzer requires a separate
  license)
• Rule Documentation is used to grant permission to modify a rule or change a
  documentation field in the database.
• Administer Workflows is used to grant permission to manage ticket access so that
  users can only see tickets that have been assigned to them.
• Change Windows is used to grant permissions to allow the ability to view and edit
  change windows.

FireMon Objects is used to grant permissions related to service and service groups,
zones, and network segments. Network Segments is also used for Network Tap
Groups.

Modules is used to grant permissions to access SIP modules.

Note: Selecting Read for a module actually means you grant permission to access
the module, and is not meant as view-only.

Note: A separate license is required for each module to gain access.

Device Group is used to grant permissions to view (Read), modify (Write), or Risk
(used for licensed Risk Analyzer) for device groups in domains.

Workflows is role-based permissions that enable users in this group to perform
actions on Policy Planner and Policy Optimizer tickets that apply to selected devices.
The workflow actions that can be performed are determined by the workflow
permission; the firewalls that the user will have access to view in Policy Planner and
Policy Optimizer are determined by device group (or all devices) for which the user has
workflow permissions.

Note: An exception to the Read / Write permission options are the following three
workflow permissions. Selecting Read actually means you grant permission to use the
function, and is not meant as view-only.

• View Packet indicates that users are able to view packets for a specific workflow. This
  makes no distinction between which packets a user can or cannot view; it only dictates at the
  workflow level whether packets for that workflow can be viewed.
• View Secure is a placeholder permission that is not currently used for anything. It is
  intended to be for fields which contain sensitive data.
• Create Packet indicates that users are able to create packets for a specific workflow.

Global Policy Controller is used to grant permissions to perform tasks within the
module.

Permissions Conflicts

Due to the extensive and granular permissions assignments offered, and the ability to place users in
multiple user groups, it is possible that users can be assigned conflicting permissions. In cases
where the permissions between those groups conflict, the users will be given the most permissive
access.

Assign Permissions

You can easily assign or remove permissions to user groups.

Caution! Please note the user group to which your account is assigned before making any
changes to the user group. Clearing certain permissions from your user group, such as the ability
to modify users and user groups, may immediately revoke your authority to make further
changes.

Note: Since every user is assigned to the All Users group, FireMon recommends not assigning any
permissions to this group.

To assign permissions to a user group, complete the following steps.

1. On the toolbar, click Access > User Groups.


2. Select a user group from the list.


3. Expand the User Group Permissions section.*


4. Click a category permission tab.
5. Select the Read or Write check box for each permission.

Note: Selecting Write automatically selects Read. Additional permissions may be selected
automatically based on your original selection, because some permissions depend on others.

6. Click Save.

* For MSSP Deployments

You must first select the domain for the user group before assigning permissions.


Authentication
For more information and additional authentication topics, see the Authentication Servers chapter in the
FMOS User's Guide and the Authentication Servers section of the Access chapter in the Administration
User's Guide.

FMOS Authentication

For more information and additional authentication topics, see the Authentication Servers chapter in the
FMOS User's Guide

External Authentication
FMOS supports authenticating users against several common types of external authentication
servers, including Kerberos and LDAP. As with other features of FMOS, external authentication is
configured by setting the appropriate configuration variables. Ideally, enabling external
authentication is as simple as setting the appropriate type_authn or type_authz variables to true, but
most environments will require additional configuration.

This topic attempts to describe how to best configure FMOS to use one or more external
authentication mechanisms to delegate user credential management to a remote service.

Many authentication settings can be set from the FMOS Control Panel.

Authentication versus Authorization


The Linux log in process consists of two phases: identity mapping (which FMOS refers to as
"Authorization": resolving a user name to its UID and group memberships) and password verification
(referred to as "Authentication").

Authentication is handled by PAM and authorization by the Name Service Switch (NSS). By default,
both phases use local UNIX authentication, with users, groups, and password hashes kept in the local
files /etc/passwd, /etc/group, and /etc/shadow. FMOS requires that local UNIX authentication remain
in use for at least one account, so that an administrator can still log in if every external
authentication provider fails.

FMOS provides several options for both phases, and supports practically any combination of them:

Authorization
l Local UNIX authentication
l LDAP


Authentication
l Local UNIX authentication
l LDAP
l Kerberos

Not all external authentication mechanisms provide identity mapping (UID lookup and group
membership resolution) capabilities, so they must be used in tandem with ones that do. For
example, it is common to use LDAP for authorization and Kerberos for authentication. Alternatively,
identity mapping can be handled by local UNIX authentication in all cases, even if it is not used for
password verification.

Note: When using an external authentication method, FMOS does not enforce any password policy
(such as length and complexity requirements, expiration, etc.), but relies on the external authentication
server to provide this feature. Additionally, FMOS does not support changing of external passwords.
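As an added example (not FMOS tooling or configuration shipped by FireMon), the following POSIX shell script reads the two files that implement the phases described above, nsswitch.conf for identity mapping and a PAM auth stack for password verification, and checks the break-glass property the text requires: that a local account still resolves and still authenticates when every external provider is unreachable. The sample configuration files are constructed for this example, and the file names and module list are assumptions, not the layout of a real FMOS host.

```shell
#!/bin/sh
# Added example, not part of FMOS: inspect the NSS (identity mapping) and PAM
# (password verification) configuration and confirm a local fallback exists.
# Sample files below are constructed for the example.

# nss_sources FILE DB: print the NSS sources for database DB, e.g. "files ldap",
# skipping action tokens such as [NOTFOUND=return] and trailing comments.
nss_sources() {
  awk -v db="$2:" '$1 == db {
      out = ""
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^#/) break
        if ($i !~ /^\[/) out = out (out == "" ? "" : " ") $i
      }
      print out; exit
    }' "$1"
}

# pam_auth_stack FILE: print "control module" for each auth line, in stack order.
# Bracketed controls like [success=1 default=ignore] are kept together.
pam_auth_stack() {
  awk '$1 == "auth" {
      ctl = $2; i = 3
      while (ctl ~ /^\[/ && ctl !~ /\]$/ && i <= NF) { ctl = ctl " " $i; i++ }
      for (; i <= NF; i++) if ($i ~ /^pam_.*\.so$/) { print ctl, $i; break }
    }' "$1"
}

# local_fallback NSSWITCH PAMFILE: print "ok" if a local account can still be
# resolved (NSS) and its password verified (PAM) with all external providers
# down; otherwise print the reason and return 1.
local_fallback() {
  nss=$1; pam=$2
  for db in passwd group; do
    case " $(nss_sources "$nss" "$db") " in
      *" files "*) ;;
      *) echo "fail: nsswitch.conf $db has no 'files' source; local accounts cannot be resolved"; return 1 ;;
    esac
  done
  stack=$(pam_auth_stack "$pam")
  echo "$stack" | grep -q ' pam_unix\.so$' || {
    echo "fail: PAM auth stack has no pam_unix.so; local passwords cannot be verified"; return 1; }
  # An external module marked required/requisite fails the whole stack when its
  # server is down, even if pam_unix succeeds afterwards: a lockout waiting to happen.
  bad=$(echo "$stack" | awk '($1 == "required" || $1 == "requisite") && $2 ~ /^pam_(krb5|ldap|sss)\.so$/ { print $2 }')
  [ -z "$bad" ] || { echo "fail: external module marked required/requisite: $bad"; return 1; }
  echo ok
}

# write_samples DIR: constructed nsswitch.conf and two PAM auth stacks.
write_samples() {
  cat > "$1/nsswitch.conf" <<'EOF'
# constructed sample: identity mapping from local files first, then LDAP
passwd:  files ldap
group:   files ldap
shadow:  files
hosts:   files dns
EOF
  cat > "$1/auth.good" <<'EOF'
# constructed sample: Kerberos first, local password as the fallback
auth  sufficient  pam_krb5.so
auth  sufficient  pam_unix.so try_first_pass
auth  required    pam_deny.so
EOF
  cat > "$1/auth.bad" <<'EOF'
# constructed sample: Kerberos is mandatory, so a KDC outage locks everyone out
auth  required    pam_krb5.so
auth  [success=1 default=ignore]  pam_unix.so try_first_pass
auth  required    pam_deny.so
EOF
}

demo() {
  d=$(mktemp -d); write_samples "$d"
  echo "authorization (NSS) passwd sources: $(nss_sources "$d/nsswitch.conf" passwd)"
  echo "authentication (PAM) stack:"; pam_auth_stack "$d/auth.good"
  echo "good stack: $(local_fallback "$d/nsswitch.conf" "$d/auth.good")"
  echo "bad stack:  $(local_fallback "$d/nsswitch.conf" "$d/auth.bad")"
}
demo
```

Run it against a real host by pointing local_fallback at /etc/nsswitch.conf and the PAM service file the login path uses (for example /etc/pam.d/sshd or the common auth include it pulls in). A "fail" result means the single local administrator account the text insists on would not get you in during a directory or KDC outage.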


SIP Authentication Servers

For more information and additional authentication server topics, see the Authentication Servers section
of the Access chapter in the Administration User's Guide.

In the most basic terms, the LDAP, RADIUS, Active Directory, and SAML authentication server
options let SIP delegate the verification of user credentials to an external identity store rather
than to accounts defined in SIP itself, so that one set of credentials serves multiple systems or
applications (with SAML, this is true single sign-on). Authentication involves verifying the identity
of a user, process, or device, often as a prerequisite to allowing access to resources in an
information system. The authenticator is the means used to confirm that identity; LDAP and RADIUS
each verify the supplied password by a different mechanism (LDAP binds to the directory as the user,
RADIUS sends an Access-Request that the RADIUS server accepts or rejects).

SIP has four authentication server types: LDAP, RADIUS, Active Directory, and SAML.
l Lightweight Directory Access Protocol (LDAP) is a cross-platform, open industry standard
application protocol used by multiple vendors for accessing and maintaining distributed directory
information services over an Internet protocol (IP) network. You can set up LDAP with or without
TLS (labeled SSL in the product). Without it, the bind credentials cross the network in clear text,
so use the secured option wherever the directory supports it.
l Remote Authentication Dial-In User Service (RADIUS) is a client-server protocol that runs in the
application layer using UDP port 1812 as transport. Security Manager requires a server name and IP
address to authenticate; if a DNS name is provided, the system uses the DNS name rather than the
IP address.

RADIUS Protocols: the following five RADIUS authentication protocols are supported for use with
Security Manager: CHAP, EAP-MD5, MS-CHAPv1, MS-CHAPv2, and PAP. None of the five protects the
password against an attacker who can capture the RADIUS exchange (PAP relies only on the shared
secret, the others on MD5- or DES-based challenge/response), so keep the RADIUS server on a
trusted management network and use a long, random shared secret.
l Active Directory is Microsoft's directory service, providing authentication, directory, policy,
and other services in a Windows environment. Active Directory makes it easier for administrators
to manage and deploy network changes and policies to all devices connected to the domain. LDAP is
one of the protocols you can use to communicate with Active Directory.
l Security Assertion Markup Language (SAML) is an XML-based open-standard data format for
exchanging authentication and authorization data between parties, in particular, between an identity
provider and a service provider.

Open the Authentication Servers Page

To open the Authentication Servers page, open the Administration application and on the toolbar,
click Access > Authentication Servers.


Devices
Because device setup varies widely by vendor, the topics for adding each specific management station
and device are in the Device chapter of the Administration User's Guide.

Supported Devices
Networks are made up of numerous device types from different manufacturers. The following table
lists the devices that Security Manager can retrieve data from. Configuration retrieval is the first
level of support for every supported device. For the highest level of support offered for each device,
refer to Levels of Device Support.

Management Stations
Manufacturer | Device | Version
Barracuda | Control Center | 7.2.4
Check Point | R80 CMA / SmartCenter™ | R80.10 - R80.40
Check Point | R80 MDS | R80.10 - R80.40
Check Point | R81 CMA / SmartCenter™ | R81 - R81.10
Check Point | R81 MDS | R81 - R81.10
Cisco | ACI | 4.1
Cisco | Security Manager CSM | 4.3 - 4.19+
Cisco | Firepower Management Center (FMC) | 6.1 - 6.6
Cisco | ISE | 2.2+
Cisco | Meraki | cloud based, no version
Cisco | Viptela vManage |
CloudGenix | ION | cloud based, no version
Forcepoint | Stonesoft Management Center | 5.6 - 5.10, 6.0 - 6.7+
Fortinet | FortiManager / ADOM | 4.3.6, 5.0+, 6.0 - 6.4
Google | Google Cloud Platform | 1.22.13+
HPE | Aruba EdgeConnect SD-WAN | 9.1.x
Juniper Networks | Network and Security Manager (NSM) with managed NetScreen ScreenOS | 2009+
Juniper Networks | Space | 19.1R1, 20.1R1
Microsoft | Azure Manager | cloud based, no version
Palo Alto | Panorama | 8.1.x, 9.0.x, 9.1.x, 10.0.x, 10.1.x
VMware | NSX-V Manager | vSphere 6.5, NSX 6.2.4 - 6.4, Log Insight 4.0.0 - 4.5
Zscaler | ZIA | Advanced Cloud

Log Server
Manufacturer | Device | Version
Check Point | Check Point Log Server | NG FP3, R77.x, R80.10+

Firewalls
Manufacturer | Device | Version
AhnLab | TrusGuard Series | 2.1+
Amazon Web Services | AWS Account | cloud based, no version
Barracuda | NGFW | 7.2.4, 8
Check Point | R80 Edge | R80.10 - R80.40
Check Point | R80 Firewall | R80.10 - R80.40
Check Point | R81 Edge | R81
Check Point | R81 Firewall | R81
Cisco | ACI | 4.1
Cisco | ASA/ASA Context | 7.x, 8.x, 9.x
Cisco | FWSM/FWSM Context | 3.0+
Cisco | Firepower | 6.1 - 6.7.x
Cisco | Meraki | cloud based, no version
Cisco | Viptela Tenant |
CloudGenix | ION | cloud based, no version
Forcepoint | Enterprise | 8.0+
Forcepoint | Sidewinder | 7.0+
Forcepoint | Stonesoft | 5.6 - 5.10, 6.0 - 6.7+
Fortinet | FortiGate Firewall | FortiOS 4.0+ - 6.4.x
Fortinet | FortiGate ADOM | FortiOS 4.0+ - 6.4.x
Google | VPC Network | 1.22.13+
Hillstone Networks | Firewall | 4.0+
Huawei | Eudemon Series | 3.3, 5.3+
Huawei | NGFW Series | 5.0
Juniper Networks | ScreenOS | ScreenOS 5.0+
Juniper Networks | ScreenOS VSYS | ScreenOS 5.0+
Juniper Networks | SRX LSYS | Junos 9.6R1.13+
Juniper Networks | QFX | Junos 12.x - 15.x+
Juniper Networks | VSRX | 19.1R1, 20.1R1
Microsoft | Azure Subscription | cloud based, no version
Microsoft | Azure Firewall | cloud based, no version
Palo Alto Networks | Firewall | 4.0.x, 4.1.2-4.1.10, 5.0-7.1.x, 8.0.x+, 9.0.x, 10.1.x
Palo Alto Networks | VSYS | 4.0.x, 4.1.2-4.1.10, 5.0-7.1.x, 8.0.x, 9.0.x, 10.1.x
Riverbed | SteelHead | 9.1.0
SECUI | MF2 | 2.0
SECUI | NXG Series | 2000
SonicWALL | SonicWALL 5.8 | 5.8
SonicWALL | SonicWALL 5.9+ | 5.9+, 6.x+
SonicWALL | SonicWALL 6.5.1+ | 6.5.1+
Sophos | Sophos XG | 7.x, 8.x
Stormshield | Stormshield Network Security | 3.2.1+
TopSec | Firewall | 3.3+
VMware | Distributed Firewall | 6.2, 6.3.1
VMware | Edge Firewall | 6.2, 6.3.1
VMware | NSX-T | 3.1+
WatchGuard | Firebox | 11.11.2
Zscaler | Cloud | cloud based, no version

Traffic Manager
Manufacturer | Device | Version
A10 | ADC Load Balancer | 4.14, 5.2.x
Blue Coat | ProxySG | 5.2, 6.5, 6.6
Citrix | Netscaler VPX | 12.0.53.13.nc+
F5 | BIG-IP | 10.x, 11.x - 15.x

Router/Switch
Manufacturer | Device | Version
Arista | VeOS | 4.22
Cisco | IOS® / IOS® XE | 11.x+
Cisco | IOS® XR | 5.3.3+
Cisco | IOS® ZFW ZoneBased-FW | 12.4(6)T
Cisco | Nexus | 4.1 - 7.2
Extreme Networks | X Series | EXOS 22.6.1.4
HPE | ArubaOS-CX | 9.2+
Juniper Networks | EX Series | 12.x - 15.x+
Juniper Networks | M Series | Junos 11.1R4+

Levels of Device Support

SIP offers five levels of device support. Each level adds features and functionality in Security
Manager, Policy Planner and Global Policy Controller on top of the levels below it, so a device listed
at Level 3 also has Level 1 and Level 2 support. Refer to the tables below for the level of support
offered for your devices.

Level 1: Text-based configuration retrieval is the foundational functionality of Security
Manager. Raw retrieval for scheduled change detection, comparisons, and change
notification features are all built on text-based configuration retrieval.

Level 2: Normalized configuration retrieval. Features that require Level 2 support
include configuration comparisons in a normalized display, the display of the device in
the network map, database queries, and most reports. Real-time change detection, using
Syslog or (for Check Point devices) CPMI/API polling, also requires Level 2.

Level 3: Usage analysis is offered for object and rule usage (both reports and
GUI displays), and Traffic Flow Analysis.

Level 4: Behavior analysis is offered for risk analysis, access path analysis (APA), and
enhanced rule recommendation features in Security Manager and Policy Planner.

Level 5 / Automation: Ability to take a planned rule and stage it on a device from
inside the Policy Planner module. This feature includes the capability to create new
rules and place existing objects inside of them. Changes are staged through
management stations where applicable, except with ASA, where automation is performed directly
against ASA web services.

Management Station Level of Support is determined by the managed device's level of support.
Manufacturer | Device
Amazon | AWS Account
Barracuda | Control Center
Check Point | R80 CMA / SmartCenter™
Check Point | R80 and R81 MDS
Cisco | ACI
Cisco | Security Manager CSM
Cisco | Firepower Management Center (FMC)
Cisco | ISE
Cisco | Meraki
Cisco | Viptela vManage
Forcepoint | Stonesoft Management Center
Fortinet | FortiManager
Google | Google Cloud Platform
HPE / Aruba | EdgeConnect SD WAN
Juniper Networks | Network and Security Manager (NSM) with managed NetScreen ScreenOS
Juniper Networks | Space
Microsoft | Azure Manager
Palo Alto | Panorama
VMware | NSX-V Manager
Zscaler | ZIA

Log Server Levels of Support
Manufacturer | Device | Comment
Check Point | Check Point Log Server | The data collector (DC) connects to the Log Server over TCP/18184 to receive usage logs.

Firewall Levels of Support
Manufacturer | Device | Levels (cumulative) | Comment
AhnLab | TrusGuard Series | 1-3 |
Amazon | VPC | 1-3 |
Barracuda | NGFW | 1-2 |
Check Point | R80 and R81 Edge | 1-5 |
Check Point | R80 and R81 Firewall | 1-5 |
Cisco | ACI | 1-2 |
Cisco | ASA/FWSM | 1-5 |
Cisco | ASA/FWSM Context | 1-5 |
Cisco | Firepower | 1-5 |
Cisco | Firepower FDM | 1-2 |
Cisco | Meraki | 1-4 |
Cisco | Viptela Tenant | 1-2 |
CloudGenix | ION | 1-3 |
Forcepoint | Enterprise Firewall | 1-3 |
Forcepoint | Sidewinder | 1-3 |
Forcepoint | Stonesoft | 1-4 |
Fortinet | FortiGate Firewall | 1-5 |
Fortinet | FortiGate ADOM | 1-5 |
Google | VPC Network | 1-2 |
Hillstone Networks | Firewall | 1-3 |
Huawei | Eudemon Series | 1-3 |
Huawei | NGFW Series | 1-3 |
Juniper Networks | ScreenOS | 1-4 |
Juniper Networks | ScreenOS VSYS | 1-4 |
Juniper Networks | SRX | 1-5 | Automation for SRX not managed by NSM
Juniper Networks | SRX LSYS | 1-4 |
Juniper Networks | QFX | 1-2 |
Juniper Networks | VSRX | 1-2 |
Linux | IPtables | 1-2 |
Linux | NFtables | 1-3 |
Microsoft | Azure | 1-4 | Usage by hit count
Microsoft | Azure Firewall | 1-2 |
Palo Alto Networks | PA Firewall | 1-5 |
Palo Alto Networks | VSYS | 1-5 |
Riverbed | SteelHead | 1 |
SECUI | MF2 | 1-3 |
SECUI | NXG Series | 1-3 |
SonicWALL | SonicWALL 6.5.1+ | 1-3 | There is a known bug that FireMon is working with the vendor to fix: duplicate UUIDs may be seen on rules, which can cause incorrect usage for rules.
SonicWALL | SonicWALL 5.9+ | 1-2 | No UUID in this version to track usage for Level 3 support. Usage requires SonicWALL firmware 6.2.7.0-11+.
SonicWALL | SonicWALL 5.8 | 1-2 | No UUID in this version to track usage for Level 3 support.
Sophos | Sophos XG | 1-2 |
Stormshield | Stormshield Network Security | 1-3 |
TopSec | Firewall | 1-3 |
VMware | NSX-T | 1-3 |
VMware | NSX-V Distributed Firewall | 1-5 (Level 2*) | * Real-time change detection is not currently supported for VMware NSX devices.
VMware | NSX-V Edge Firewall | 1-3 (Level 2*) | * Real-time change detection is not currently supported for VMware NSX devices.
WatchGuard | Firebox | 1-3 |
Zscaler | Cloud | 1-3 |

Traffic Manager Levels of Support
Manufacturer | Device | Levels (cumulative) | Comment
A10 | ADC Load Balancer | 1-2 |
Blue Coat | ProxySG | 1-3 | Usage by hit count
Citrix | Netscaler VPX | 1-4 | Usage by syslog
F5 | BIG-IP | 1-5 | Policy Planner automation for F5 AFM

Router/Switch Levels of Support
Manufacturer | Device | Levels (cumulative) | Comment
Arista | VeOS | 1-2 |
Cisco | IOS® / IOS® XE | 1-5 | Minimum version required for hit counters: IOS 12.4(22)T, IOS XE Release 3.6S
Cisco | IOS® XR | 1-5 |
Cisco | IOS® ZFW ZoneBased-FW | 1-4 |
Cisco | Nexus | 1-3 |
Extreme Networks | X Series | 1-2 |
HPE | ArubaOS-CX | 1-2 |
Juniper Networks | EX Series | 1-4 |
Juniper Networks | M Series | 1-5 |

Adding Devices
The user adding devices must be a member of a user group that has permissions granted to
access the Administration module.

All devices are added to SIP following a similar procedure that is completed in Administration. Each
device has its own specific data requirements. These procedures require a few configuration
changes to the monitored devices. Please make sure that you have the necessary permissions to
update the device.

If you are installing multiple devices, using a management station to detect all supported devices
can save you time. SIP detects all of the associated firewalls, management servers and log servers,
and adds them for you at one time. The management station must be installed before the
supported devices.

Our products (all SIP modules) interact with firewalls using machine to machine communication.

Please make sure that you have uploaded a current Security Manager product license that includes
the device that you want to monitor. You will not be able to monitor any new device that is not
included in your Security Manager product license. Check Point clusters do not have to be licensed
in Security Manager.

In most cases, Security Manager requires use of an administrator account to collect data from your
devices. Security Manager does not use this account or any other access method to make changes
to any monitored device. The exception is a Check Point device, where Security Manager requests
one-time use of a read-write account to automatically create an OPSEC application object in the
Check Point database.

Below is a general overview of the various sections and boxes on the Create Device page. Some
boxes are populated with recommended settings for the specific device.

Note: When adding a device, as you progress through each section entering data specific to your
device and network, you may not need to complete all boxes in the section.

Note: Required sections are marked with a red alert icon. Required data is marked with a red *
asterisk.

The first step is to select the device manufacturer (vendor) and then the specific device you want to
add from the Devices page, and then the Create Device page opens.


General Properties

In the General Properties section you'll enter data specific to the device such as name, IP address
and data collector. By default, automatically retrieving a device configuration is enabled.

Caution! To prevent errors in device group-level device maps and incorrect reporting data,
all devices added in Administration must have unique IP addresses. If devices with duplicate
IP addresses must be added within a domain, it is strongly recommended that those devices
be separated into discrete device groups, where no duplicate IP addresses are included in the
same device group. Devices with duplicate IP addresses will cause errors in the All Devices
device map, and may cause incorrect data in reports, even if they are in discrete device
groups.

External ID can be used as a unique identifier, defined by you, for a specific network device when
the device identifier differs from what is displayed in Security Manager. Its primary use case is a
one-time password (OTP) for the data collector to retrieve configurations.
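The following shell script is an added example, not FireMon tooling: it runs a pre-flight check over a completed Device Worksheet saved as CSV before the devices are entered in Administration, flagging the duplicate-IP situations the Caution above describes and catching malformed addresses while they are still cheap to fix. The CSV layout, column names and device rows are constructed for the example and are assumptions about how a team might record the worksheet.

```shell
#!/bin/sh
# Added example, not FireMon tooling: pre-flight a Device Worksheet (CSV) for
# the duplicate management IP conditions the Caution describes.
# Columns assumed: name,management_ip,data_collector_group,device_group

# write_sample_worksheet FILE: constructed rows, including two problems.
write_sample_worksheet() {
  cat > "$1" <<'EOF'
name,management_ip,data_collector_group,device_group
dc-edge-fw-1,192.0.2.10,DC-East,Datacenter
dc-edge-fw-2,192.0.2.11,DC-East,Datacenter
branch-fw-1,10.0.0.1,Branch,Branch-East
branch-fw-2,10.0.0.1,Branch,Branch-West
branch-fw-3,10.0.0.1,Branch,Branch-East
lab-fw,10.0.0.300,Lab,Lab
EOF
}

# invalid_ips FILE: "name ip" for rows whose IP is not a dotted quad of 0-255 octets.
invalid_ips() {
  awk -F, 'NR > 1 {
      n = split($2, o, ".")
      ok = (n == 4)
      for (i = 1; ok && i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
      if (!ok) print $1, $2
    }' "$1"
}

# duplicate_ips FILE: management IPs used by more than one device (any group).
duplicate_ips() {
  awk -F, 'NR > 1 { seen[$2]++ } END { for (ip in seen) if (seen[ip] > 1) print ip }' "$1" | sort
}

# same_group_duplicates FILE: "ip group" where one IP appears twice inside a
# single device group, the case the product documents as a map error.
same_group_duplicates() {
  awk -F, 'NR > 1 { seen[$2 "," $4]++ }
           END { for (k in seen) if (seen[k] > 1) { split(k, p, ","); print p[1], p[2] } }' "$1" | sort
}

# preflight FILE: print findings; return 1 when the worksheet must not be entered as-is.
preflight() {
  f=$1; rc=0
  bad=$(invalid_ips "$f")
  [ -z "$bad" ] || { echo "FAIL invalid management IP:"; echo "$bad" | sed 's/^/  /'; rc=1; }
  dups=$(same_group_duplicates "$f")
  [ -z "$dups" ] || {
    echo "FAIL duplicate IP inside one device group (breaks the group device map):"
    echo "$dups" | sed 's/^/  /'; rc=1; }
  # Duplicates split across groups are allowed but still affect the All Devices
  # map and reports, so surface them as warnings.
  for ip in $(duplicate_ips "$f"); do
    echo "WARN $ip is used by more than one device; All Devices map and reports may be affected"
  done
  [ $rc -eq 0 ] && echo "ok: worksheet can be entered"
  return $rc
}

w=$(mktemp)
write_sample_worksheet "$w"
preflight "$w"
echo "exit status: $?"
```

On the constructed sheet, branch-fw-1 and branch-fw-3 share 10.0.0.1 inside Branch-East (a FAIL), branch-fw-2 reuses it in another group (a WARN), and lab-fw has an octet out of range. Fix the FAIL lines, or move the offending device to its own device group, before adding the devices.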

Device Settings

In the Device Settings section you'll see the modules that the device is licensed for.

You'll also enter user credentials and verify retrieval points.

Protocol: the communication protocol used between Security Manager and the
monitored device.

Note: SSH is the only supported retrieval method. Telnet is no longer supported as a
retrieval method due to potential security risks.

Port: the device endpoint on which Security Manager uses the specified protocol to
retrieve device data.

Please refer to the Communication Protocols table for a complete list of ports and protocols used
for communication between supported devices.

Policy Automation

The section is used to configure automation for supported devices. If you use Policy Planner, you
are able to take a planned rule and stage it on a device from inside the Policy Planner module. This
feature includes the capability to create new rules and place existing objects inside of them. If you
use Global Policy Controller (GPC), you are also able to take advantage of automation for supported
devices.

A Policy Planner or GPC license is required for each management station and device utilizing policy
automation.


Log Monitoring

By default, log monitoring is enabled and used for Rule Usage Analysis.

For some devices, you'll select whether to track usage using hit counters or syslog.

l Syslog Traffic Log Expression: the regular expression that allows the data collector to
collect traffic logs for usage analysis. This information rarely, if ever, should be changed.

l Log Update Interval: this number (in minutes) determines how often usage data is sent to
the application server. The default value is 10.

l Log Record Cache Timeout: this number (in minutes) determines how often the data
collector cache will be processed and the processed records will be erased. The default value
is 5.

When a log message is sent to the data collector, the data collector matches the log against a
firewall policy. But in some cases, like if the data collector doesn’t yet have the normalized file from
the application server, the policy will not be available yet, so the data collector caches parsed
messages. The log record cache timeout keeps track of when to next process the cache.

Change Monitoring

By default, change monitoring and scheduled retrieval are enabled.

When both change monitoring and scheduled retrieval are enabled, each feature works
independently. Security Manager will retrieve a configuration at the scheduled interval even if a
changed configuration was just detected and retrieved. But, the newly retrieved configuration will
be stored only if it differs from the previous one.

l Enable Change Monitoring: enables Security Manager to monitor the device for change.
Configurations will be retrieved automatically when changes to them are detected. It is
recommended that you leave this feature enabled. This feature should be disabled only if
you are unable to configure syslog to send messages to the Data Collector, or if your syslog
server sends so many messages that automatic retrieval proves unwieldy. In these cases, you
can schedule configuration retrieval instead.

l Alternate Syslog Source IP: if the IP address from which Syslog messages are
sent is different from that of the source interface (in your device administration tool),
you must enter the alternate IP address in Security Manager. If the IP address is the same, no
changes are necessary.

Select the Perform Change Verification check box to allow the Data Collector to verify there are
actual changes prior to posting a revision to Security Manager. This makes more efficient use of
disk space by not posting revisions that did not change from the last normalized revision.


Scheduled Retrieval

Enable Scheduled Retrieval: enables Security Manager to retrieve the current configuration at the
scheduled interval that you specify. If no changes have been made since the previously retrieved
configuration, Security Manager discards the newly retrieved configuration. If the configuration
differs from the previously retrieved configuration, Security Manager stores the new configuration
and displays it on the All Revisions page (Security Manager > Device > Change > Revisions).

Note: SSH is the only supported retrieval method. Telnet is no longer supported as a
retrieval method due to potential security risks.

l Check for Change Interval: is where you set the time (in minutes) between checks.
The default is 1440 (every 24 hours). You can change the check interval to best fit your
requirements. The minimum interval is 1 hour (60 minutes).

In most cases, it is recommended that you enable this feature as a backup retrieval
mechanism in addition to device monitoring (above). This backup method ensures that
we will retrieve configurations in the event of a system outage or interruption.
However, in some cases, such as if you are unable to configure Syslog to send
messages to the Data Collector, you may need to use scheduled retrieval as your sole
configuration retrieval mechanism.

l Check for Change Start Time: to schedule the first retrieval for a specific time, select the
Starting at check box and select a time. The first retrieval will run at the time you enter. All
subsequent retrievals will occur at the interval you entered above, based on the time that the
first retrieval occurred. If you do not select a Change Start Time, the first scheduled retrieval
will occur immediately after you save the settings. Subsequent retrievals will occur at the
interval you entered.

Advanced

This section varies by vendor as to the additional setting options that can be configured.

Share This Device

When using an MSSP, you can share a device with other domains. You must be at the Enterprise
level in order to share a device.

Enforcement Window

An enforcement window is the period during which changes may be pushed to managed devices; it
ensures that the defined connectivity remains intact. Policy Planner and Global Policy Controller
(GPC) consider enforcement windows when performing automation changes and will only push changes
to devices that have an active enforcement window.


A device must be supported at Level 4 (behavior analysis) & Level 5 (automation) and licensed for
Policy Planner or GPC to use an Enforcement Window. This option will not be available for
unlicensed devices.

Supplemental Routes

A supplemental route supplements the routing tables retrieved from devices to fill in missing
network data not supplied during normalization. Supplemental routes are not applied to synthetic
routers or management stations.

Supplemental routes cannot be added until after a retrieval normalizes successfully. You can
perform a manual retrieval before adding.

Device Pack Information

This section details the configurations set within the provided device pack.

Before Adding Devices


Note: If a device is to be managed by a management station, you must first add the management
station in the Administration module.

Please take a moment to complete the following steps:

1. Locate your Security Manager product license.

Copy the Security Manager product license file to the computer that you will use to log in to
SIP.

2. Gather required information.


n Mail server or syslog server settings. SIP sends notifications using your mail server or syslog
server. You must first create the central syslog server.
3. Complete the Device Worksheet.

Please take a moment to print and complete the Device Worksheet. The information that you
provide will quicken the setup process.

Refer to the Communication Protocols table for a complete list of ports and protocols used
for communication between the data collector and supported devices.

Step 1: Configure the Device

The first step is to configure the device that you want to monitor so that it can communicate with
SIP. The procedures listed are completed on the device, usually at the command line interface (CLI)
or through an administration tool, such as a web user interface (web UI).


Once the device properties are saved, the name of your monitored devices will be viewable on the
Devices dashboard.

Step 2: Add the Device in the Administration Module

The second step is to add a representation of the device. This is completed in the Devices section of
Administration.

In an MSSP deployment, a device shared across multiple customer domains must be added in each
domain.

Step 3: Verify Communication

The last step is to verify that SIP can communicate with the device, by either automatically or
manually retrieving a configuration.

The Devices page displays a health status for each monitored device.

Adding Device Groups and Management Stations


If you would like to add a device group or management station, please refer to the Device:
Management Stations or Device: Device Groups chapters in the Administration User's Guide.

Import Devices
If you would like to import device configurations, please refer to the Devices: Import Devices chapter
in the Administration User's Guide.


Device Worksheet
Use this sheet to help you gather information about the devices that you want to add to SIP. You
will enter this information during the device setup process. Complete one copy of the block below
for each device (the printed worksheet provides four copies).

Value | Your Data
Device Name (as it should appear in SIP) |
Description |
Management IP Address |
Data Collector Group to assign the device to |
Device Credentials: User Name/Password |

Additional Configurations
This section mentions the various settings that can be configured to improve system performance
and functionality.

FMOS Control Panel


Additional topics about the FMOS Control Panel are found in the FMOS User's Guide in the FMOS
Control Panel chapter.

About FMOS Control Panel


The FMOS Control Panel application is used to manage configuration changes (yml files) on any
FireMon server.

All FMOS configuration is currently held in /etc/firemon/config.yml, which is edited with the command
fmos config --edit. Control Panel was built to reduce the need to access the file system to make
configuration changes, with the goal of being usable by administrators with little or no Linux or
system administration experience. It is a simple interface for making configuration changes without
editing YAML settings by hand.

Information icons are available for each entry field to provide more information about the type of
data that can be entered into the field.

Default or Customized Value


You can easily identify if a field is using a default or customized value by looking at the Status key. A
field that has been customized will be highlighted and the Status key switched to the enabled
position (solid blue toggle). The default value is seen below the field box.

Reset to Default Value


To reset a customized field to its default value, click the Status key to switch back to the disabled
position.


Advanced Configuration Variables


Several system configuration variables have been marked as 'advanced' and are no longer visible or
modifiable. If there are no 'basic' settings available for configuration, you will see a "No
configuration settings available." on the page. Modifying advanced settings requires Support
Services.

Access the FMOS Control Panel


The FMOS Control Panel is reached from a web browser over HTTPS, using the IP address of the server
you want to manage. The application listens on port 55555; this port is fixed and cannot be changed.

In the web browser, enter the following:

https://FMOSIPaddress:55555

The application authenticates against the FMOS administrative user account. Typically, this is the
user account that you created during the initial FMOS installation wizard. You cannot log in to
this application with a SIP user account created in the Administration application. If you have
configured an authentication server for FMOS logins, it works for Control Panel as well.

Note: The user must be a member of the FMOS admin group.



Set Update Channel


Additional topics about updating FMOS are found in the FMOS User's Guide in the Backups and
Updates chapter.

After FMOS installation completes, you must set the update channel in the FMOS Control Panel.

Updates to FireMon software are packaged as a single unit and delivered together as an FMOS
system update. These updates are applied using FMOS tools, which manage the process of
verifying the update source, installing the new software, updating configuration files, and migrating
data.
l Product Update releases replace an installed version of a product with a new version of the same
product (example: v9.1 to v9.2).
l Bug Fix releases occur between product version releases and are used to address resolved and
known issues (example: 9.1.4, 9.1.5, 9.2.1).

To set the FMOS update channel, complete the following steps.

1. Log in to the Control Panel.


2. On the toolbar, click OS > Operating System.
3. Enable the FMOS Update Channel field.
4. Select one of the following update channels:
l Latest: the default channel. The system will be kept up-to-date with the most recent version
of FMOS released and available on the User Center.
l Stable: this channel only includes fixes for critical bugs and security vulnerabilities, without
introducing new features.

5. When finished, click Stage Changes and then click Apply Configuration.

Certificates
Additional topics about certificates are found in the FMOS User's Guide in the Certificates chapter.
Certificate Signing Request
To eliminate browser certificate warnings and let clients verify the identity of the FMOS server, you
will create a certificate signing request (CSR) and have it signed by a certificate authority (CA).

This process creates two files: the CSR (the .csr file), which carries the identity of the FMOS server
together with its public key and is the only file you submit to the CA, and the server's private key
(the .key file), which must stay on the FMOS server and is never sent to the CA. The CA signs the CSR
to produce a certificate that binds the server's identity to its public key; because only the FMOS
server holds the matching private key, no other device can use that certificate to pose as the server.

You can create the CSR and key pair for your server one of two ways: use OpenSSL or an FMOS CLI
command.

Create CSR using OpenSSL

To use OpenSSL, run a command similar to the following to create the private key and the CSR:

openssl req -new -newkey rsa:2048 -nodes -out fmosServerIdentity.csr -keyout fmosServerPublicKey.key

Note: The file names <fmosServerIdentity> and <fmosServerPublicKey> can be set to your company's
approved file naming convention. Despite the example name, the file written by -keyout is the private
key; restrict its permissions and do not submit it to the CA.

Create CSR using FMOS CLI

To use the FMOS CLI, complete the following steps.

1. Log in to the FMOS server with an SSH client, and have an SCP/SFTP client available to copy files
to and from the server (unless you're comfortable using Linux commands for that).

2. Run the command:

fmos pki gen-csr fmosServerIdentity.csr --new-key fmosServerPublicKey.key

Note: The file names <fmosServerIdentity> and <fmosServerPublicKey> can be set to your company's
approved file naming convention. Despite the example name, the .key file holds the private key.

Or you can use alternative names to access the system using the same certificate by adding
subject alternative names (SANs) to the CSR. To do so, run the command:

fmos pki gen-csr fmos_identity.csr -K fmos-public.key -n host1.domain.com -n host2.domain.com -n 10.10.1.1

Note: Where <-n> introduces an individual SAN entry: <host1.domain.com> is the first SAN entry,
<host2.domain.com> is the second, and so on. Multiple SAN entries are permitted, to suit your
organization's needs. Include every host name and IP address that clients will use to reach the
server; a name that is missing from the certificate will still produce a browser warning.

3. When you run the fmos pki command, you will be prompted to enter a passphrase. You can
leave this blank by pressing Enter to continue without a passphrase, or you can set one.

Note: A passphrase protects the private key file, not the CSR, so the CA does not need it. If you set
one, keep it available; it will be required whenever the private key is used.

4. Submit the CSR to your company's certificate authority to have it signed, following your
company's procedure for presenting a CSR. Keep the private key on the FMOS server; the CA does
not need it, and a key that has left the server can no longer be considered private.

5. When you make the request to have the CSR signed, ensure that the complete certificate
chain is there as all certificates from the Root CA to the server CSR need to be included in the
export process.

Note: For multiple intermediary certificates it is recommended to combine these into one file.
A .pem file typically works best for this task. Choose Base64 encoding.

A certificate authority signs the certificate with its own private key; the CA's certificate (which
carries the matching public key) was in turn signed by an authority above it. This is called a
certificate chain, at the top of which is the Root Authority. Root authorities can directly sign
identity certificates, however most organizations use intermediate authorities to sign most
certificates (so that the root key can be kept offline and secured). All certificates from the root
through the intermediates must be present on a server in order for its newly signed certificate to
validate.

6. Once you have the certificates, move them to the FMOS server using WinSCP or another file
transfer tool, then switch back to the FMOS CLI and perform the following tasks in order.

7. Import the root certificate using the command:

fmos pki import-ca root.cer

Note: Replace <root.cer> with the actual file name.

8. Import the device certificate and key (optionally, include intermediate certificates with these
commands):

fmos pki import-server-cert device.cer keyname.key

fmos pki import-server-cert device.cer keyname.key --chain intermediate.cer

Note: Replace <device.cer> and <keyname.key> with the actual file names.

9. Optionally, you can import the same signed certificate used for the application server for the
FMOS Control Panel (https://fmosServerIP:55555) using this command:

fmos pki import-cpl-cert device.cer

10. Reboot the server you are installing the certificates on. A reboot is required.
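The CSR, signing and chain steps above, rehearsed end to end in a throwaway lab. This is an added example built on plain openssl; it is not FireMon's tooling and not code from this guide, and it never touches an FMOS server. The CA subjects, fmos.example.com, fmos-alt.example.com and 10.10.1.1 are assumptions for the lab. It generates a private key and a SAN-bearing CSR, signs only the CSR with an intermediate CA that is itself signed by a root, combines the intermediates into one Base64 .pem, and shows that the server certificate verifies only when the complete chain is present, which is the state the import commands above must leave FMOS in.

```shell
#!/bin/sh
# Added example, not part of the FireMon guide: a throwaway PKI lab built with
# openssl to rehearse the CSR/chain procedure. All names are lab assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate the server's PRIVATE key ($base.key) and a CSR ($base.csr) listing
# every name clients will use. SAN args are openssl-style: DNS:name or IP:addr.
gen_csr() {
  base=$1; cn=$2; shift 2
  sans=$(printf '%s,' "$@"); sans=${sans%,}
  cat > "$WORK/$base.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
subjectAltName = $sans
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$base.cnf" \
    -keyout "$WORK/$base.key" -out "$WORK/$base.csr" 2>/dev/null
}

# Print the SAN list inside a CSR: check this before submitting it to the CA.
csr_sans() {
  openssl req -in "$WORK/$1.csr" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Stand up a root CA and an intermediate CA signed by it (the lab stand-in for
# your company's CA hierarchy). The root key would normally stay offline.
make_lab_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Lab Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -keyout "$WORK/root.key" -out "$WORK/root.cer" 2>/dev/null
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = Lab Intermediate CA\n' \
    > "$WORK/inter.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/inter.cnf" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.cer" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.cnf" -extensions ca_ext \
    -out "$WORK/inter.cer" 2>/dev/null
}

# The CA signs only the CSR; the server's private key is never used here. The
# SAN section from the CSR's config is copied into the issued certificate, and
# every intermediate is concatenated into one Base64 .pem for the chain.
sign_server_csr() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/inter.cer" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$1.cnf" -extensions ext \
    -out "$WORK/$1.cer" 2>/dev/null
  cat "$WORK/inter.cer" > "$WORK/chain.pem"
}

# Verification with root and intermediates present: what a correct import gives.
verify_chain() {
  openssl verify -CAfile "$WORK/root.cer" -untrusted "$WORK/chain.pem" "$WORK/$1.cer" >/dev/null
}

# Same check with the intermediate missing: the failure you get if only the
# root certificate was imported alongside the server certificate.
verify_root_only() {
  openssl verify -CAfile "$WORK/root.cer" "$WORK/$1.cer" >/dev/null 2>&1
}

run_lab() {
  make_lab_ca
  gen_csr server fmos.example.com DNS:fmos.example.com DNS:fmos-alt.example.com IP:10.10.1.1
  sign_server_csr server
  echo "SANs in CSR: $(csr_sans server)"
  if verify_chain server; then echo "full chain: OK"; fi
  if verify_root_only server; then echo "root only: unexpectedly OK"; else echo "root only: FAILS (intermediate missing)"; fi
}

run_lab
```

Run it as a script; it prints the SANs it found in the CSR and the outcome of both verifications. In the real procedure, substitute your own names, submit only the .csr to your CA, and the combined intermediate file plays the role of the file passed to --chain when importing on FMOS.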

Certificates for Multiple FQDNs


For distributed environments (multiple FMOS servers), please ensure that the root certificate is
present on both the application server, and any existing data collectors. Any data collectors you add
in the future will already contain this information as part of the ecosystem join process.

Place the root certificate file on each data collector with WinSCP and then run the command:

fmos pki import-ca <cert name>
SMTP
The FMOS User's Guide has more information about this topic in the Configuration Commands and
FMOS Control Panel chapters.

SMTP settings can be configured in the FMOS CLI or using the Control Panel. The Control Panel
provides information icons for each entry field to provide more detail about the type of data that
can be entered into the field.

Syslog Usage
Settings in Control Panel

The FMOS User's Guide has more information about this topic in the FMOS Control Panel chapter.

In the Control Panel you can add a remote syslog configuration.

l This setting forwards FMOS events over syslog to an external receiver that you configure.

l External receivers can listen on port 514 or 6514, over either UDP or TCP; 6514 is the port
registered for syslog over TLS, so match the transport and encryption your receiver expects.

Settings in Administration Application

The Administration User's Guide has more information about this topic in the System: Central Syslog
Servers and the Device: Devices chapters.

In the Administration application you can add a central syslog server and enable syslog-based usage
tracking for devices.

l Setting up a central syslog server and server configurations are found in System menu

l Enabling log monitoring using syslog is done at the device level. A device must have level 3
support to track usage


Verify Retrieval and Normalization


Retrievals

The Administration User's Guide has more information about retrievals in the Devices: Firewall
Retrievals section of the Device chapter.

The process of collecting configurations is called a retrieval. Configurations can be retrieved
manually, automatically when a change is detected, or according to a schedule.

There are three types of retrievals.


l Manual Retrieval—a user with SIP Administration permissions queued a retrieval on demand.
Manual retrieval will show the user who initiated the retrieval. It won't show a device-end user
name.
l Scheduled Retrieval—the data collector reached out to the device to check for change on a sched-
uled basis. Scheduled retrieval will show "DC_Automated" as the user.
l Automatic (change-based) Retrieval—the data collector received a change syslog message, matched
it to the device it belongs to, and initiated a retrieval. This is the only retrieval type that can
display the user who pushed the change: the message received usually contains the change user
(for example, "Commit job succeeded for user xxxx"), in which case that user is displayed as the
person who made the change. In some cases the change user is cached from an earlier syslog event
that was processed.
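A toy model of the change-based attribution described in the last bullet, as an added example that is not part of the guide or of FireMon's collector code. The log lines are constructed for the demo (a source IP followed by the message text), the device names, IPs and message formats are assumptions, and the collector logic is simplified: map the source to a monitored device, decide whether the message is a change event, take the user from the message when it names one, otherwise fall back to a user cached from an earlier event on that same device, and queue a retrieval.

```shell
#!/bin/sh
# Added example, not FireMon code: a toy collector that turns change syslog
# messages into retrievals and attributes each one to a user. Log format, device
# names, IPs and message texts are constructed for the demo.

# Constructed sample: "<source-ip> <message>", one event per line.
SAMPLE_LOG='10.0.0.5 Commit job succeeded for user alice
10.0.0.5 Configuration committed
10.0.0.9 Configuration committed
10.0.0.9 config save by bob
192.168.1.1 link down on eth0
10.0.0.7 Commit job succeeded for user carol'

# Map a source IP to a monitored device; fail for anything not under management.
device_for() {
  case "$1" in
    10.0.0.5) echo "pa-edge-01" ;;
    10.0.0.9) echo "srx-core-01" ;;
    *) return 1 ;;
  esac
}

# Is this message a configuration change we should react to?
is_change() {
  case "$1" in
    "Commit job succeeded"*|"config save by"*|"Configuration committed"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Pull the user out of a message that names one; print nothing otherwise.
change_user() {
  case "$1" in
    "Commit job succeeded for user "*) echo "${1#"Commit job succeeded for user "}" ;;
    "config save by "*) echo "${1#"config save by "}" ;;
  esac
}

# Walk the log, emitting one RETRIEVE line per change event on a monitored device.
# The user comes from the message, else from the most recent user seen for the
# same device, else "unknown" (never a stale user from a different device).
process_syslog() {
  cache=""    # "device=user;" entries remembered from earlier events
  printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    src=${line%% *}
    msg=${line#* }
    dev=$(device_for "$src") || continue   # unmanaged source: drop it
    is_change "$msg" || continue           # not a change event: ignore
    user=$(change_user "$msg")
    if [ -n "$user" ]; then
      cache="${cache}${dev}=${user};"
    else
      user=$(printf '%s' "$cache" | tr ';' '\n' | grep "^${dev}=" | tail -n 1 | cut -d= -f2)
      [ -n "$user" ] || user="unknown"
    fi
    echo "RETRIEVE $dev user=$user trigger=\"$msg\""
  done
}

process_syslog
```

Running it prints one RETRIEVE line per change event from a monitored device. The third line shows the case the text hints at: a change event whose message carries no user and for which nothing has been cached yet is attributed to "unknown" rather than borrowing a user from another device.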

After you add a new device there is nothing more for you to do: automatic retrieval is enabled by
default, so Security Manager will attempt to retrieve the device configuration on its own.

You can check the results of a retrieval on the Devices and Management Stations pages in the
Administration application. These pages display a health status for each monitored device.

The Administration User's Guide has more information about device health in the Devices: Device
Management Topics section of the Device chapter.

Normalization

The Administration User's Guide has more information about normalization in the Normalization Status
section of the Device chapter.

To open the normalization status page, open the Administration application, on the toolbar, click
Device > Normalization Status.


Map Zones and Network Segments


In the Administration Application
FireMon objects (Services, Service Groups, Compliance Zones, Network Segments) are used in
compliance auditing (reports) and the network map.
l Services are the ports and protocols used in network communication
l Service Groups are a collection of similar services grouped together to configure security policies
l Compliance Zones are labels given to one interface or multiple interfaces that designates it as a
security area within a network
l Network Segments are a logical grouping of interfaces, routes and addresses as part of a zone
used to create a network map

Compliance zones, services, and service groups must be configured in order to use the Allowed
Services and Service Risk Analysis controls. These audit controls check whether a service is allowed
from one network zone to another.

Setting up the network map is accomplished in the Administration application.

Refer to the FireMon Objects and Compliance chapters in the Administration User's Guide.

In Security Manager
The network and device map is viewable in the Security Manager application.

Refer to the Topology chapter in the Security Manager User's Guide.


Backup Data
Additional topics about performing backups are found in the FMOS User's Guide in the Backups and
Updates chapter.

All of the SIP application data such as your device configurations and user profiles are stored in the
database. To ensure that you can access recent data in the unlikely event of a corruption or system
failure, SIP performs an automatic daily backup.

The average size of a backup of a fresh install (no devices) is about 200 MB; each device, report
and configuration increases this size. The retention policy set in the FMOS Control Panel (the
interface on port 55555) determines how often the system is backed up and how many backups are
retained.

Prior to installing an FMOS update, performing a backup is required.

Prerequisite: A Backup Operator must be assigned as an FMOS privileged user before a backup
can be performed.

Note: Only full backups are performed, not incremental backups.

Automatic Backup
When a backup is run, the file that is created is saved to /var/lib/backup/firemon/ by default. The
file will be named HOSTNAME_DATE.backup, and will be readable only by the group fmbackup.

The backup file that is created will contain the FMOS system configuration, PostgreSQL database
dump, and the file system archive.

If a server is configured to be a database, automatic backups are enabled by default; otherwise
automatic backups are disabled. The default auto backup configuration does a backup daily at 23:48
UTC.

Read Schedule an Automatic Backup.

Manual Backup
You can perform a backup at any time using the fmos backup command. The backup will be saved
with the default location and name unless otherwise specified.

Note: You must also include a new file name when you specify a location for the backup to be saved.

To perform a manual backup, complete the following steps.

1. Access the database server CLI.


2. At the command prompt, type: fmos backup <location>


By default, the backup is stored in the following location: /var/lib/backup/firemon

3. You can use SFTP to move the backup "off box" to be stored on another server.

Schedule an Automatic Backup

To set an automatic backup, complete the following steps.

1. Log in to the FMOS Control Panel.


2. On the toolbar, click OS > Backup.
3. Enable backup fields to change default settings.

4. When finished, click Stage Changes and then click Apply Configuration.


Next Steps
Now that your FireMon Security Intelligence Platform product is fully functional you can start
exploring its many features.

Resources
Each SIP application has a detailed user's guide available for download from the User Center on the
Support > Documentation page.

Access to video tutorials and Knowledge Base articles are also accessible on the User Center.

RSS Feed
To stay up-to-date on current releases, consider adding the Security Intelligence Platform v9 RSS
feed to your RSS reader. Simply log into the User Center to get the link. Note that this link will be
visible only if you have a current support subscription.

Release Updates
Additional topics about updating FMOS are found in the FMOS User's Guide in the Backups and
Updates chapter. When it's time to update FMOS, instructions are also included in the version release
notes that are available on the User Center.

