Overview
ThreatSTOP’s Centralized Manager (TSCM) is a Linux-based virtual machine that powers the integration between ThreatSTOP’s Threat Intelligence Platform and the following device families:
- A10 Thunder
- Cisco ASA
- Cisco ISR
- Cisco Firepower
- Fortinet Fortigate
- Palo Alto Networks PA Series
- Infoblox NIOS
The TSCM provides a command line tool (tsadmin) that links a device entry in the ThreatSTOP portal to the actual device. Once linked, the TSCM retrieves policy updates and pushes them into the device's ACLs, and forwards the device's logs to the ThreatSTOP portal for reporting on the network connections blocked by that policy.
Network configuration
The TSCM is available as an Ubuntu-based virtual machine (A10, ASA, ISR, Firepower, Fortigate, PAN-OS). Red Hat images (RHEL 7 and CentOS 7) are also available for the A10 ADC and TPS integrations.
The TSCM image is configured to use DHCP on its initial boot. It can be reconfigured to use a static IPv4 configuration with the tsadmin network command.
The command first asks whether to use DHCP or static settings. In either case, the TSCM keeps its current IP address until it is rebooted, so the new connectivity settings can be validated before they become permanent.
With DHCP, the command displays the new IP address once it has been retrieved.
$ tsadmin network
Use DHCP[y/n]: y
Applying DHCP settings...
*** Verify IP settings ***
Interface Address Method: DHCP
Apply settings[y/n]: y
[Backing up current configuration]
using DHCP template
applying permanent config to /etc/network/interfaces
[ ok ] Restarting networking (via systemctl): networking.service.
The IP address: 172.16.1.138 will disappear on next reboot
Your current IP: 172.16.1.138
Success: Network setup complete.
Using a static network configuration, the command will prompt for the IP address, netmask, gateway and DNS server(s).
Use DHCP[y/n]: n
IP Address: 172.16.2.100
Adding: IP Address '172.16.2.100'
Subnet Mask (Valid formats: 255.255.240.0 or /24): /24
Appears to be a valid network: IPv4Network('172.16.2.0/24')
Default Route Address: 172.16.2.1
Adding: Default Route Address '172.16.2.1'
[Adding DNS Server]
Adding: DNS Server Address '172.16.2.2'
Add Another DNS Server[y/n]: n
*** Verify IP settings ***
Address: IPv4Address('172.16.2.100')
Netmask: IPv4Address('255.255.255.0')
Netmask Bits: /24
v4_or_v6: 4
Default Route: IPv4Address('172.16.2.1')
DNS Servers: [IPv4Address('172.16.2.2')]
Current IP: IPv4Address('172.16.1.138')
Apply settings[y/n]: y
Please test network connectivity
Try running: ping 172.16.2.100
Can you communicate with the new address?[y/n]: y
[Backing up current configuration]
using STATIC template
applying permanent config to /etc/network/interfaces
[ ok ] Restarting networking (via systemctl): networking.service.
The IP address: 172.16.1.138 will disappear on next reboot
Success: Network setup complete.
- If the TSCM isn't reachable on the new IP address as expected, the command can simply be run again.
- If you are unsure about the current IP address of the TSCM, you can read it from the video console provided by your hypervisor. You can also log in on that console and change the network configuration with the tsadmin network command.
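The following preflight script is an added example, not part of the TSCM image or of the tsadmin tool. Before the static-configuration prompts above are answered, it checks that the address and the gateway actually lie in the subnet that will be entered (a mismatch there is the usual reason the new address is unreachable); after tsadmin network reports success and before the reboot that drops the old address, it exercises the path the TSCM depends on: ICMP to the DNS server, a lookup of ts-dns.threatstop.com through that server, and a TLS connection to logs.threatstop.com on port 443 (both hostnames appear in the tsadmin show and tsadmin logs output further down this page). The subnet argument must be in prefix form (172.16.2.0/24, not 255.255.255.0); the lookup uses host from the dnsutils package, which is an assumption about what is installed on the image.

```shell
#!/bin/sh
# Added example (not ThreatSTOP code): sanity checks around "tsadmin network".
# Usage: sh tscm-preflight.sh <ip> <subnet/prefix> <gateway> <dns-server>
#   e.g. sh tscm-preflight.sh 172.16.2.100 172.16.2.0/24 172.16.2.1 172.16.2.2

# Dotted-quad IPv4 address -> 32-bit integer, using only POSIX sh arithmetic.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when address $1 lies inside network $2 (written a.b.c.d/n).
in_subnet() {
    net=${2%/*}; bits=${2#*/}
    # 4294967295 is 0xFFFFFFFF; shifting it left by (32-n) and masking back gives the netmask.
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Offline checks on the values that will be typed at the tsadmin network prompts.
# tsadmin validates the network itself; that the gateway belongs to it is checked here.
preflight_static() {
    ip=$1; cidr=$2; gw=$3
    in_subnet "$ip" "$cidr" || { echo "address $ip is outside $cidr"; return 1; }
    in_subnet "$gw" "$cidr" || { echo "gateway $gw is outside $cidr"; return 1; }
    [ "$ip" != "$gw" ] || { echo "address and gateway are the same host"; return 1; }
    echo "static settings look consistent"
}

# Live checks, run after "Success: Network setup complete." and before the reboot
# that drops the old address. They need ICMP, DNS and TCP/443 egress from the new address.
# (host comes from the dnsutils package; this is an assumption about the image.)
egress_check() {
    dns=$1
    ping -c 1 -W 2 "$dns" >/dev/null 2>&1 || echo "WARN: DNS server $dns does not answer ping"
    host ts-dns.threatstop.com "$dns" >/dev/null 2>&1 \
        && echo "ok: ts-dns.threatstop.com resolves via $dns" \
        || echo "FAIL: cannot resolve ts-dns.threatstop.com via $dns"
    curl -sS --connect-timeout 5 -o /dev/null https://logs.threatstop.com/ \
        && echo "ok: TLS connection to logs.threatstop.com:443" \
        || echo "FAIL: no TLS connection to logs.threatstop.com:443"
}

# Only run when the four arguments are given; otherwise the functions are just defined.
if [ $# -eq 4 ]; then
    preflight_static "$1" "$2" "$3" && egress_check "$4"
fi
```

The offline part is deliberately strict: a gateway outside the entered subnet is exactly the configuration that tsadmin network will accept and that then leaves the TSCM unreachable after the reboot, which is why it is rejected before anything is typed into the tool. The live part reports rather than aborts, since ICMP may be filtered on the DNS server while DNS and HTTPS still work.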
TSCM Credentials
- The default password for the threatstop account is threatstop. Because this default is public, change it on first login, before the VM is reachable from anything other than the hypervisor console.
- TSCM operations (the tsadmin command) can only be run from this account.
- The password is changed with the tsadmin password command:
$ tsadmin password
[INFO ] : Changing account password
Ctrl + C to cancel
Changing password for threatstop.
(current) UNIX password: **********
Enter new UNIX password: **********
Retype new UNIX password: **********
passwd: password updated successfully
System maintenance
In addition to the ThreatSTOP software pre-packaged on the virtual machine, note that the OS has been configured to run syslog-ng instead of the standard syslog daemon (rsyslogd); leave it in place, since device log collection relies on it.
The TSCM VM should need little to no management beyond OS package updates with apt (Ubuntu) or yum (Red Hat).
You can change these settings without impacting the TSCM application:
- change the network configuration to use a static IP address, routes and/or DNS servers.
- change credentials for the threatstop account
We recommend not installing additional applications on the virtual machine, although common agents (e.g. backup solutions) should not affect TSCM functionality.
Upgrading base-files on Ubuntu
The TSCM modifies the /etc/issue file on Ubuntu. When the base-files package is upgraded, dpkg will warn about a conflict on this file. Either choice (install the package maintainer's version or keep the current one) is safe: the file is regenerated during the next boot.
CLI reference
All TSCM operations are performed by running the tsadmin command as the threatstop user. The following table lists the available operations; each one is detailed below.
Operation | Description
---|---
network | Configure the TSCM's own IP settings (DHCP or static); see Network configuration above
password | Change the password of the threatstop account; see TSCM Credentials above
add | Link a new device entry. This enables TSCM functionality for the new device
remove | Unlink a device. Policy updates and log forwarding will stop
configure | Update the device configuration
update | Force an update of the policy on the device
list | Show the list of devices currently linked
show | Show the configuration of one of the devices currently linked
logs | Force a log upload
version | Display the TSCM version. Add --all to show all ThreatSTOP packages (option added in TSCM v1.42)
tsadmin add
Devices using TSCM with Web Automation integration (Web based)
- Syntax: tsadmin add --type auto --device_id=<tdid> --auto_key=<product_key>
- Will proceed with the automatic configuration of a new device.
- Arguments
- tdid (required): Device ID retrieved from the ThreatSTOP Portal
- product_key (required): Product Key retrieved from the ThreatSTOP Portal
Devices using TSCM integration (CLI based)
- Syntax: tsadmin add --type <device type> <device nickname> [--advanced]
- Will proceed with the manual configuration of a new device. You will be prompted for the settings.
- Arguments
- device type (required): one of a10, asa, isr, fortinet, pan
- device nickname (required): will be used to identify the device on the TSCM
- --advanced (optional): prompt for advanced network settings and device configuration
- Example
threatstop@tsclient:~$ tsadmin add --type asa my_asa
Configuring Cisco ASA device.
Enter the device ID (tdid):
tsadmin remove
- Syntax: tsadmin remove <device nickname>
- Will remove the device entry from the TSCM, thus disabling policy updates and log forwarding
- You can re-run tsadmin add to re-add the device
- Arguments
- device nickname (required). Can be retrieved using tsadmin list.
tsadmin configure
- Syntax: tsadmin configure <device nickname>
- Will reconfigure an existing device entry.
- Existing settings are presented as the defaults at each prompt.
- Arguments
- device nickname (required). Can be retrieved using tsadmin list.
- Example
threatstop@tsclient:~$ tsadmin configure my_asa
Configuring Cisco ASA device.
Enter the device ID (tdid): [default tdid_12345678]
tsadmin update
- Syntax: tsadmin update <device nickname>
- Will retrieve the policy from ThreatSTOP’s Policy servers and update ACLs on the device.
- The TSCM runs this command automatically every hour from cron.
- Arguments
- device nickname (required). Can be retrieved using tsadmin list.
- Example
threatstop@tsclient:~$ tsadmin update my_asa
[INFO ] : CONFILE = /opt/threatstop/etc/devices/my_asa.conf
[INFO ] : Previous configuration found ... Loading config data...
[INFO ] : Locking current execution instance
[INFO ] : Starting /opt/threatstop/bin/ts-asa v3.35 on Fri May 25 23:40:39 2018
[INFO ] : Verifying mandatory parameters state
[INFO ] : Building allow/deny lists ....
tsadmin list
- Syntax: tsadmin list
- Show the list and basic settings of devices currently configured
- Arguments
- none
- Example
threatstop@tsclient:~$ tsadmin list
| Device name | Type | Device ID | Management IP | Log upload ID | Log uploads |
| my_asa | asa | tdid_12345678 | 172.21.50.3 | tdid_12345678 | enabled |
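tsadmin update acts on one nickname at a time and the hourly cron run gives no feedback when an update fails, so an operator who changes a policy in the portal and wants every linked device refreshed, with failures surfacing in syslog, needs a small wrapper. The script below is an added example, not part of the TSCM package: it takes the nicknames from the tsadmin list table shown above, runs tsadmin update for each, keeps each run's output for troubleshooting and reports through logger. It assumes that tsadmin list prints the pipe-separated table as shown (a "Device name" header row, then one row per device), that tsadmin update exits non-zero on failure, and that nicknames contain no whitespace; all three are assumptions about the tool rather than documented behaviour.

```shell
#!/bin/sh
# Added example (not ThreatSTOP code): run "tsadmin update" for every linked
# device and report failures to syslog, for an on-demand run or an ops cron job.
# Assumes "tsadmin list" prints the pipe-separated table shown on this page
# and that tsadmin exits non-zero when an update fails.
LOGDIR=${LOGDIR:-/tmp/tsadmin-cron}

# Read "tsadmin list" output on stdin and print one device nickname per line.
# The "Device name" header row and any dashed separator row are skipped.
list_devices() {
    awk -F'|' 'NF > 2 {
        name = $2
        gsub(/^ +| +$/, "", name)
        if (name != "" && name != "Device name" && name !~ /^-+$/) print name
    }'
}

# Update one device, keeping its output for troubleshooting; returns tsadmin's status.
update_device() {
    dev=$1
    mkdir -p "$LOGDIR"
    rc=0
    tsadmin update "$dev" >"$LOGDIR/update-$dev.log" 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then
        logger -t tsadmin-cron "policy update ok: $dev"
    else
        logger -t tsadmin-cron -p user.err \
            "policy update FAILED rc=$rc: $dev (see $LOGDIR/update-$dev.log)"
    fi
    return "$rc"
}

# Update every linked device. The exit status is the number of failures
# (0 means all devices updated; more than 255 failures would wrap, which is academic here).
update_all() {
    failed=0
    for dev in $(tsadmin list | list_devices); do
        update_device "$dev" || failed=$((failed + 1))
    done
    return "$failed"
}

# Only run the live part on a TSCM; elsewhere the functions are just defined.
if command -v tsadmin >/dev/null 2>&1; then
    update_all
fi
```

This is not a replacement for the hourly cron job the image already runs; it is the manual "refresh everything and tell me what broke" step, and the per-device log under $LOGDIR is what you attach to a support ticket when a device stops taking policy.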
tsadmin show
- Syntax: tsadmin show <device nickname>
- Show the current settings of an existing device entry.
- Arguments
- device nickname (required). Can be retrieved using tsadmin list.
- Example
threatstop@tsclient:~$ tsadmin show my_asa
Setting name                             Value
---------------------------------------- ---------------------------
Device Name                              my_asa
Device Type                              Cisco ASA
Automatic Configuration                  disabled
Automatic Updates                        enabled
Device Auto-configuration Key
Block List                               basic.threatstop.local
Allow List                               dns.threatstop.local
Log association (External IP address)
Log association (Device ID)              tdid_12345678
DNS Server(s) for Updates                ts-dns.threatstop.com
DNS port for Updates                     53
Device Management IP Address             172.21.50.3
All Syslog IP Addresses                  172.21.50.3
Log Size for Uploads                     100
Log Uploads                              enabled
List Updates                             enabled
Username                                 admin
Syslog Forward                           disabled
additional IP(s)
object_group_block                       threatstop-block
object_group_allow                       threatstop-allow
custom_username_prompt                   not customized
custom_password_prompt                   not customized
maxpolicysize                            30000
tsadmin logs
- Syntax: tsadmin logs
- Will perform a log upload
- Requires log files to be present; the command will exit if no log files are available.
- If multiple devices are configured, logs will be rotated and uploaded for each one.
- Arguments
- none
- Example
threatstop@tsclient:~$ tsadmin logs
[INFO ] : Starting log upload client
[INFO ] : [Uploader] Loading device configuration
[INFO ] : Processing logs for device [devicename]
[INFO ] : Starting ThreatSTOP logupload operation v2.00 at 24/05/2018 19:34:05
[INFO ] : Verifying log file [/var/log/threatstop/devices/my_asa/syslog.1] stats
[INFO ] : Processing [/var/log/threatstop/devices/devicename/syslog.1] log file
[INFO ] : Start sending data
[INFO ] : Preparing connection data
[INFO ] : Connecting to https://logs.threatstop.com:443/logupload.pl
[INFO ] : Upload was successful [200 OK]
[INFO ] : Completed processing for device [my_asa]
[INFO ] : Finish ThreatSTOP logupload operation at 24/05/2018 19:34:10 after 00:00:05
[INFO ] : Log upload client exited
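Reporting in the portal silently goes stale when uploads stop reaching logs.threatstop.com, so the upload output above is worth checking by machine rather than by eye. The function below is an added example, not ThreatSTOP code: it turns a tsadmin logs run into a per-device verdict by keying on two messages that appear in the example output, "Processing logs for device [name]" and "Upload was successful [200 OK]", and treats a device section without the success line as failed. The wording of a failed upload is not documented on this page, so nothing is parsed from it; the sample lines in the test are constructed from the example above.

```shell
#!/bin/sh
# Added example (not ThreatSTOP code): judge a "tsadmin logs" run from its output
# so a cron job can alert when uploads stop reaching logs.threatstop.com.

# Read tsadmin logs output on stdin; print "<device> ok" or "<device> FAILED"
# per device, and exit 1 if any device failed or no device section was seen.
check_log_upload() {
    awk '
        function finish() {
            devices++
            if (ok) print dev " ok"
            else { print dev " FAILED"; failed = 1 }
        }
        BEGIN { failed = 0; devices = 0; dev = "" }
        # A new device section starts; close the previous one first.
        /Processing logs for device \[/ {
            if (dev != "") finish()
            dev = $0
            sub(/.*device \[/, "", dev)
            sub(/].*/, "", dev)
            ok = 0
        }
        # The only success signal this page documents.
        /Upload was successful \[200 OK]/ { ok = 1 }
        END {
            if (dev != "") finish()
            if (devices == 0) { print "no device processed"; failed = 1 }
            exit failed
        }
    '
}

# Only run the live part on a TSCM; elsewhere the function is just defined.
if command -v tsadmin >/dev/null 2>&1; then
    tsadmin logs 2>&1 | check_log_upload \
        || logger -t tsadmin-cron -p user.err "ThreatSTOP log upload failed; run tsadmin logs by hand"
fi
```

Because tsadmin logs exits early when no log files are present, a device that has been idle produces "no device processed" and a non-zero status; decide per deployment whether that is an alert (the device should always be logging) or noise (a lab box), rather than suppressing it in the checker.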
tsadmin version
- Syntax: tsadmin version
- Display the version of the TSCM package
- Arguments
- none
- Example
threatstop@tsclient:~$ tsadmin version
1.36