The following topics show the command line supported by the ThreatSTOP Centralized Manager.

Overview

ThreatSTOP’s Centralized Manager (TSCM) is a Linux-based virtual machine that powers the integration between ThreatSTOP’s Threat Intelligence Platform and the following device families:

  • A10 Thunder
  • Cisco ASA
  • Cisco ISR
  • Cisco Firepower
  • Fortinet Fortigate
  • Palo Alto Networks PA Series
  • Infoblox NIOS

The TSCM provide a command line tool to link a device entry in the ThreatSTOP portal and the actual device. Its purpose is to retrieve policy updates and update the device’s ACLs with the latest data, and to forward logs to the ThreatSTOP portal for reporting on network connections that were blocked by that policy.

Network configuration

The TSCM is available as a Ubuntu-based virtual machine (A10, ASA, ISR, Firewpower, Fortigate, PAN-OS). Red Hat images (RHEL 7 and CentOS 7) are also available for the A10 ADC and TPS integration.

The TSCM image is configured to use DHCP during its initial boot. It can be reconfigured to use a static IP v4 configuration using the tsadmin network command.

The command will first ask to choose between DHCP and static settings. In either configuration, the TSCM will keep its current IP address until it is rebooted, which allows validataing the new connectivity settings before making them permanent.

Using DHCP, the command will display the new IP address after it’s successfully retrieved.

$ tsadmin network
Use DHCP[y/n]: y
Applying DHCP settings...
	*** Verify IP settings ***
	Interface Address Method: DHCP
Apply settings[y/n]: y
[Backing up current configuration]
using DHCP template
applying permanent config to /etc/network/interfaces
[ ok ] Restarting networking (via systemctl): networking.service.
The IP address: 172.16.1.138 will disappear on next reboot
Your current IP: 172.16.1.138
Success: Network setup complete.

Using a static network configuration, the command will prompt for the IP address, netmask, gateway and DNS server(s).

Use DHCP[y/n]: n
IP Address: 172.16.2.100
Adding: IP Address '172.16.2.100'
Subnet Mask (Valid formats: 255.255.240.0 or /24): /24
	Appears to be a valid network: IPv4Network('172.16.2.0/24')
Default Route Address: 172.16.2.1
Adding: Default Route Address '172.16.2.1'
[Adding DNS Server]
Adding: DNS Server Address '172.16.2.2'
Add Another DNS Server[y/n]: n
	*** Verify IP settings ***
	Address: IPv4Address('172.16.2.100')
	Netmask: IPv4Address('255.255.255.0')
	Netmask Bits: /24
	v4_or_v6: 4
	Default Route: IPv4Address('172.16.2.1')
	DNS Servers: [IPv4Address('172.16.2.2')]
	Current IP: IPv4Address('172.16.1.138')
Apply settings[y/n]: y
Please test network connectivity
Try running: ping 172.16.2.100
Can you communicate with the new address?[y/n]: y
[Backing up current configuration]
using STATIC template
applying permanent config to /etc/network/interfaces
[ ok ] Restarting networking (via systemctl): networking.service.
The IP address: 172.21.70.138 will disappear on next reboot
Success: Network setup complete.
  • If the TSCM isn’t reachable on the new IP address as expected, the command can be run again.
  • If you are unsure about the current IP address of the TSCM, you can check its IP on the video console provided by your Hypervisor. You can also login into the console to change the network configuration with the tsadmin network command.

TSCM Credentials

  • The default password for the threatstop account is threatstop.
  • The TSCM operations (tsadmin command) can only be run using this account.
  • The password can be changed using the tsadmin account command.
$ tsadmin passwod
[INFO ] : Changing account password
	Ctrl + C to cancel
Changing password for threatstop.
(current) UNIX password: **********
Enter new UNIX password: **********
Retype new UNIX password: **********
passwd: password updated successfully

System maintenance

In addition to the ThreatSTOP software pre-packaged on the virtual machine, please note that the OS has been configured to run syslog-ng instead of the standard syslog daemon (rsyslogd).

Use of the ThreatSTOP TSCM VM should require little to no management with the exception of package updates using apt (Ubuntu) and yum (Red Hat).

You can change these settings without impacting the TSCM application:

  • change the network configuration to use a static IP address, routes and/or DNS servers.
  • change credentials for the threatstop account

Please note that we recommend not installing additional applications on the virtual machine, but common applications (e.g. backup solutions) should not impact the TSCM functionality.

Upgrading base-files on Ubuntu

The TSCM modifies the /etc/issue file on Ubuntu. When the Ubuntu package is updated, its installation will warn about a conflict. It is safe to choose the update or keep option, and the file will be replaced during the next boot.

CLI reference

All TSCM operations are performed by running the tsadmin command as the threatstop user. The following tables show the available operations and their options.

Operation Description  
add Link a new device entry. This will enable TSCM functionality for a new device  
remove Unlink a device. Policy updates and log forward will be terminated.  
configure Update the device configuration  
update Force an update of the policy on the device  
list Show the list of devices currently linked  
show Show the configuration of one of the devices currently linked  
logs Force a log upload  
version Display the TSCM version.
Add –all to show all ThreatSTOP packages (option added in TSCM v1.42).
 

tsadmin add

Devices using TSCM with Web Automation integration (Web based)

  • Syntax: tsadmin add –type auto –device_id=<tdid> –auto_key=<product_key>
    • Will proceed with the automatic configuration of a new device.
    • tdid (required): Device ID retrieved from the ThreatSTOP Portal
    • product_key (required): Product Key retrieved from the ThreatSTOP Portal

Devices using TSCM integration (CLI based)

  • Syntax: tsadmin add –type <device type> <device nickname> [–advanced]
    • Will proceed with the manual configuration of a new device. You will be prompted for the settings.
    • Arguments
      • device type (required): one of a10, asa, isr, fortinet, pan
      • device nickname (required): will be used to identify the device on the TSCM
      • –advanced (optional): prompt for advanced network settings and device configuration
    • Example
      threatstop@tsclient:~$ tsadmin add --type asa my_asa
      Configuring Cisco ASA device.
      Enter the device ID (tdid):
      

tsadmin remove

  • Syntax: tsadmin remove <device nickname>
    • Will remove the device entry from the TSCM, thus disabling policy updates and log forwarding
    • You can re-run tsadmin add to re-add the device
    • Arguments
      • device nickname (required). Can be retrieved using tsadmin list.

tsadmin configure

  • Syntax: tsadmin configure <device nickname>
    • Will reconfigure an existing device entry.
    • Existing settings will be presents as default.
    • Arguments
      • device nickname (required). Can be retrieved using tsadmin list.
    • Example
      threatstop@tsclient:~$ tsadmin  configure my_asa
      Configuring Cisco ASA device.
      Enter the device ID (tdid):  [default tdid_12345678]
      

tsadmin update

  • Syntax: tsadmin update <device nickname>
    • Will retrieve the policy from ThreatSTOP’s Policy servers and update ACLs on the device.
    • This command is performed automatically every hour using cron
    • Arguments
      • device nickname (required). Can be retrieved using tsadmin list.
        threatstop@tsclient:~$ tsadmin update my_asa
        [INFO ] : CONFILE = /opt/threatstop/etc/devices/my_asa.conf
        [INFO ] : Previous configuration found ... Loading config data...
        [INFO ] : Locking current execution instance
        [INFO ] : Starting /opt/threatstop/bin/ts-asa v3.35 on Fri May 25 23:40:39 2018
        [INFO ] : Verifying mandatory parameters state
        [INFO ] : Building allow/deny lists
        ....
        

tsadmin list

  • Syntax: tsadmin list
    • Show the list and basic settings of devices currently configured
    • Arguments
      • none
    • Example
      threatstop@tsclient:~$ tsadmin list
      | Device name | Type | Device ID     | Management IP | Log upload ID | Log uploads |
      | my_asa      | asa  | tdid_12345678 | 172.21.50.3   | tdid_12345678 | enabled     |
      

tsadmin show

  • Syntax: tsadmin show <device nickname>
    • Show the current settings of an existing device entry.
    • Arguments
      • device nickname (required). Can be retrieved using tsadmin list.
    • Example
      threatstop@tsclient:~$ tsadmin show my_asa
      Setting name                             Value
      ---------------------------------------- ---------------------------
      Device Name                              my_asa
      Device Type                              Cisco ASA
      Automatic Configuration                  disabled
      Automatic Updates                        enabled
      Device Auto-configuration Key
      Block List                               basic.threatstop.local
      Allow List                               dns.threatstop.local
      Log association (External IP address)
      Log association (Device ID)              tdid_12345678
      DNS Server(s) for Updates                ts-dns.threatstop.com
      DNS port for Updates                     53
      Device Management IP Address             172.21.50.3
      All Syslog IP Addresses                  172.21.50.3
      Log Size for Uploads                     100
      Log Uploads                              enabled
      List Updates                             enabled
      Username                                 admin
      Syslog Forward                           disabled
      additional IP(s)
      object_group_block                       threatstop-block
      object_group_allow                       threatstop-allow
      custom_username_prompt                   not customized
      custom_password_prompt                   not customized
      maxpolicysize                            30000
      

tsadmin logs

  • Syntax: tsadmin logs
    • Will perform a log upload
    • Requires log files to be present; the command will exit if no log files are available.
    • If multiple devices are configured, logs will be rotated and uploaded for each one.
    • Arguments
      • none
    • Example
      threatstop@tsclient:~$ tsadmin logs
      [INFO ] : Starting log upload client
      [INFO ] : [Uploader] Loading device configuration
      [INFO ] : Processing logs for device [devicename]
      [INFO ] : Starting ThreatSTOP logupload operation v2.00 at 24/05/2018 19:34:05
      [INFO ] : Verifying log file [/var/log/threatstop/devices/my_asa/syslog.1] stats
      [INFO ] : Processing [/var/log/threatstop/devices/devicename/syslog.1] log file
      [INFO ] : Start sending data
      [INFO ] : Preparing connection data
      [INFO ] : Connecting to https://logs.threatstop.com:443/logupload.pl
      [INFO ] : Upload was successful [200 OK]
      [INFO ] : Completed processing for device [my_asa]
      [INFO ] : Finish ThreatSTOP logupload operation at 24/05/2018 19:34:10 after 00:00:05
      [INFO ] : Log upload client exited
      

tsadmin version

  • Syntax: tsadmin version
    • Display the version of the TSCM package
    • Arguments
      • none
    • Example
      threatstop@tsclient:~$ tsadmin version
      1.36