You will first need to have a working TSCM virtual machine:
- In vSphere, import the OVA file by clicking File and selecting Deploy OVF Template…
- Enter the location of the .ova file or click on Browse… and locate the file on your computer. Then click Next.
- Review the details of the deployment, make note of the Size on disk values. Click Next.
- Provide a name for the VM, this can be left as-is or may be updated to fall into an existing naming schema. Click Next.
- Select the resource pool into which your device should be deployed, and click Next.
- Select the destination storage destination for the Virtual Machine, and click Next.
- Select the Provisioning required by your deployment and available disk space.
- Verify the network used in the OVF template, and click Next.
- Review your deployment selections and click Finish, if they appear correct.
- Power on the VM Console and login using the following login information:
- Username: threatstop
- Password: threatstop
Command line switches for the tsadmin tool are documented here .
Logging Setup (TSCM)
threatstop@tsclient:~$ tsadmin add –type logger
The TSCM setup itself is extremely straight forward, only requiring six entries, and most of those are defaults. The required data is:
- Device name: This is the nickname of the device provided to the ThreatSTOP portal.
- Log upload IP address: The external IP address of your network. If you are uncertain of what address to use please visit https://www.threatstop.com/cgi-bin/validip.pl this will show the address to provide.
- All possible syslog source IP(s): This utility sets up one logging device, but can receive logs from multiple NIOS devices. Enter the IP addresses of the NIOS devices from which the logger will receive logs.
- Log rotate size, in Kb: Logs can be cached by NIOS devices until they reach a certain size and then batch uploaded to the logging device.
- Send logs to ThreatSTOP?: If the logging device should send the received logs to ThreatSTOP set this to Y.
To setup logging for TSCM with a new NIOS device
- Login to your TSCM device.
- At the command prompt enter the following command:
tsadmin add --type logger <device name>
This will add a NIOS logging device, and provide the following setup questions.
- Press ENTER to accept the default (Y) for the Configuring ‘ThreatSTOP Log Relay Device’ prompt.
- Enter the external IP address that will be providing Log data to ThreatSTOP at the Log upload IP address prompt.
- Enter the device IP adresses for any NIOS devices at the Please enter all possible syslog source IP(s): prompt.
- Enter the Log rotation size, in Kb to enable rotation. Most users keep this set this to around 100 Kb.
- For Send logs to ThreatSTOP? press ENTER to accept the default.
- This will complete your setup and begin sending your logs to ThreatSTOP.
If for any reason you need to reconfigure the NIOS logging device enter this command, and you will be able to update the device settings:
tsadmin configure <device name>
Adding an RPZ Zone for ThreatSTOP DNS Firewall
- Navigate to Data Management –> DNS –> Response Policy Zones
- Click on the Add icon at the top right of the table. This will open a wizard dialog to add the RPZ feed.
- Select the Add Response Policy Zone Feed option and click Next button
- Enter in the name of the RPZ zone and click Next button.
Zone name: [retrieve from the device settings on the portal]
- Add the Grid Secondary name server
- Select the down arrow next to the Add icon button and select Grid Secondary.
- Click on the Select button below Add Grid Secondary then click Add button.
- Add the External Primary name server
- Name: should match the RPZ feed
- Setup TSIG by selecting Use TSIG checkbox. Retrieve the key name and secrete from your device settings on the ThreatSTOP Portal. Select hmac-md5 for the algorithm.
TSIG Key name: [retrieve from the device settings on the portal] TSIG Key secret: [retrieve from the device settings on the portal] External Primary Name Server name: ts-rpz.threatstop.com External Primary Name Server IPv4 address: [Zone masters retrieved from device settings]
- Click Add button to insert external DNS server into table.
- Click Next button to go to next wizard screen.
- Click Next button without making any changes to Extensible Attributes.
- Click Next button to accept Schedule Change - Now option.
- Click Save & Close button to submit changes.
Log Export (NIOS)
These steps will help you to configure your NIOS device to report RPZ events to ThreatSTOP, and relay them through the TSCM vm.
- Enabling Logging for RPZ
** Assuming you have setup the DNS service and are using RPZ domains, you need to verify that the RPZ events are being captured as logged events. Navigate to Data Management –> DNS –> Members -> Grid DNS Properties –> Edit. Once the Grid DNS Properties window is open, select the Logging tab.
- Change the Logging Facility to LOCAL7 unless another facility is required for logging.
- Select the categories desired, but at a minimum, ensure that rpz and security checkboxes are selected.
- Click the Save & Close button when finished to apply the changes. A restart of the DNS service will probably be required.
- Add an External Syslog server
- Open the Grid Properties, Select Grid –> Grid Manager –> Members –> Grid Properties –> Edit. Once the Grid Properties Editor window is open select the Monitoring tab.
- Select the Log to External Syslog Servers checkbox if not already selected.
- Click on the Add Server icon at the top right of the External Syslog Servers table. This will display a form to the a syslog server.
- Complete the Add External Syslog Server form
- Add the IP Address of the syslog server
- Change the Transport to your preferred method.
- Select the Interface that NIOS server will us to send syslog packets.
- Change the Node ID to Host Name.
- Change Logging Category to Send selected categories and select DNS RPZ and DNS Security categories only.
- Click the Add button to insert the new syslog server into the table.
- Click the Save & Close button to complete the setup of the external syslog server. A service restart may be required.
Testing the Connection
After device setup has been completed, a test will need to be run to verify the firewall is behaving as intended. To perform this test:
- Open a console on the TSCM and enter “tail -f /var/log/threatstop/devices/<device name>/syslog”
- From a device behind the firewall that is not the TSCM, attempt to connect to bad.threatstop.com with a web browser.
- If the connection is blocked, you will see a connection blocked error message in the web browser, and the log being tailed will update.
- If the connection is not blocked you will see the ThreatSTOP logo appear, and the configuration settings will need to be double checked.
- If the command runs successfully update the device’s configuration as detailed in TSCM Configuration to begin sending logs back to ThreatSTOP for enhanced security.