Overview

ThreatSTOP’s ThreatSTOP Centralized Manager (TSCM) software allows for the rapid deployment of ThreatSTOP across multiple devices and types of devices in a production environment. Installation and configuration are also simpler than with the single-device scripts.

Who should use this manual?

This manual is intended to be a step-by-step guide for System Administrators of intermediate to advanced skill levels. It assumes a certain level of familiarity with setting up Linux based Virtual Machines (VMs), and importing saved Virtual Machine Images (OVA files) into a VM host.

The following instructions cover the setup of the TSCM from the Command Line Interface (CLI). Automating these setups is possible with a simple shell script; however, the instructions only cover the prompted (interactive) device installation at this time.

tsadmin

The command used to set up and control the TSCM is tsadmin. During configuration, tsadmin associates module files that contain configuration data relevant to your available hardware. These files allow tsadmin to communicate with your devices and expedite setting up ThreatSTOP on your network.

Network Connectivity

To function properly, the TSCM virtual machine must have access to the following:

  • DNS over TCP
    • Hostname: dns.threatstop.com
    • IP range: 192.124.129.0/24
    • Outbound TCP port 53
    • Outbound TCP port 5353 can be used if TCP port 53 is not reachable.
  • HTTPS
    • Hostnames: rest.threatstop.com and logs.threatstop.com
    • IP range: 204.68.99.208/28
    • Outbound TCP port 443
  • Device access: Fortinet and Cisco devices
    • SSH (TCP port 22) from the TSCM to the device (policy configuration)
    • Syslog (UDP port 514) from the device to the TSCM (log export)
  • Device access: PanOS devices
    • HTTPS (TCP port 443) from the TSCM to the device (firewall configuration)
    • HTTP (TCP port 80) from the device to the TSCM (policy retrieval)
    • Syslog (UDP port 514) from the device to the TSCM (log export)
  • Device access: Infoblox devices
    • Syslog (UDP port 514) from the device to the TSCM (log export)

Syslog over UDP 514 and the PanOS policy retrieval over HTTP are unauthenticated and unencrypted, so keep the device-to-TSCM paths on a trusted management network and restrict the TSCM's inbound ports 514 and 80 to the addresses of the devices it manages.
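The checks implied by the list above can be scripted. The following is an added example written for this page, not a ThreatSTOP tool: it probes each documented host and port with a TCP connect (trying the 5353 fallback when 53 fails), confirms that the hostnames resolve to addresses inside the documented ranges so that an egress ACL written from the list will not silently drop traffic, and warns if nothing is listening on UDP 514 for device syslog. Hostnames, ports and ranges are taken from the list; the use of bash's /dev/tcp, the 5-second timeout and the output format are assumptions.

```bash
#!/usr/bin/env bash
# tscm-netcheck.sh: verify the network paths the TSCM needs. Added example, not
# ThreatSTOP's own tooling. Hosts, ports and ranges come from the list above; the
# probe timeout and the /dev/tcp technique are this script's assumptions.

# Attempt a TCP handshake to host:port; succeed only if it completes within
# $3 seconds (default 5). Needs bash (for /dev/tcp) and coreutils' timeout.
tcp_probe() {
  local host=$1 port=$2 secs=${3:-5}
  timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Dotted-quad IPv4 -> integer, for mask arithmetic.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if IPv4 address $1 lies inside CIDR block $2 (e.g. 192.124.129.0/24).
in_cidr() {
  local ip=$1 net=${2%/*} bits=${2#*/} mask
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# IPv4 addresses a hostname resolves to, one per line, via the appliance's own resolver.
resolve_v4() {
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Check that every address $1 resolves to is inside documented range $2.
# Returns 1 if the name does not resolve or any address falls outside the range.
addresses_in_range() {
  local host=$1 cidr=$2 ips ip
  ips=$(resolve_v4 "$host")
  [ -n "$ips" ] || { echo "FAIL $host does not resolve"; return 1; }
  for ip in $ips; do
    if in_cidr "$ip" "$cidr"; then
      echo "OK   $host -> $ip is within $cidr"
    else
      echo "WARN $host -> $ip is outside $cidr; an egress ACL built from the list would drop it"
      return 1
    fi
  done
}

# Run every check from the list; print one line per check, exit non-zero on any failure.
tscm_netcheck() {
  local rc=0 h
  if tcp_probe dns.threatstop.com 53; then
    echo "OK   DNS over TCP 53   dns.threatstop.com"
  elif tcp_probe dns.threatstop.com 5353; then
    echo "OK   DNS over TCP 5353 dns.threatstop.com (53 unreachable; fallback port in use)"
  else
    echo "FAIL DNS over TCP      dns.threatstop.com (neither 53 nor 5353 reachable)"; rc=1
  fi
  addresses_in_range dns.threatstop.com 192.124.129.0/24 || rc=1
  for h in rest.threatstop.com logs.threatstop.com; do
    if tcp_probe "$h" 443; then echo "OK   HTTPS 443 $h"; else echo "FAIL HTTPS 443 $h"; rc=1; fi
    addresses_in_range "$h" 204.68.99.208/28 || rc=1
  done
  # Inbound: managed devices send syslog to UDP 514 on this VM.
  if ss -lun 2>/dev/null | grep -q ':514 '; then
    echo "OK   syslog listener on UDP 514"
  else
    echo "WARN nothing listening on UDP 514 (expected once a device has been added)"
  fi
  return "$rc"
}

# Live checks run only when invoked as: bash tscm-netcheck.sh check
if [ "${1:-}" = "check" ]; then
  tscm_netcheck
fi
```

Run it on the TSCM itself after the static address is configured, since the resolver and egress path it exercises are the appliance's own; a WARN from addresses_in_range means the published addresses have moved and any address-based egress rule needs updating.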

VM Installation

TSCM OVA Distributions

TSCM is available as Ubuntu 16.04-based OVA and VHD images.

Format                 Link
Ubuntu 16.04 LTS OVA   ftp.threatstop.com/pub/TSCM.ova
Ubuntu 16.04 LTS VHD   ftp.threatstop.com/pub/TSCM-HyperV.zip

After downloading the OVA for your chosen distribution, the file can be imported into VMware. Once the VM import has completed you will need to configure the new VM as laid out in Adjusting the Appliance to Your Network Environment. Deployment into a Microsoft Hyper-V based environment is also available through our Support team (support@threatstop.com) but is not covered here.

Beginning Deployment

  • In vSphere, import the OVA file by clicking File and selecting Deploy OVF Template…
  • Enter the location of the .ova file or click on Browse… and locate the file on your computer. Then click Next.
  • Review the details of the deployment, make note of the Size on disk values. Click Next.
  • Provide a name for the VM, this can be left as-is or may be updated to fall into an existing naming schema. Click Next.
  • Select the resource pool into which your device should be deployed, and click Next.
  • Select the destination storage for the Virtual Machine, and click Next.
  • Select the Provisioning required by your deployment and available disk space.
  • Verify the network used in the OVF template, and click Next.
  • Review your deployment selections and click Finish, if they appear correct.

Adjusting the Appliance to Your Network Environment

Power on the VM, open its console and log in using the following credentials:

  • Username: threatstop
  • Password: threatstop

These are the well-known default credentials shipped with the image; change the password immediately with passwd. After powering up the system, the VM will need to be configured to access the network with a static IP address. The procedure varies by the distribution being deployed. To do this:

CentOS 7.3

  • At the command prompt enter:
    sudo vi /etc/sysconfig/network-scripts/ifcfg-ens160
    
  • Locate the line:
    BOOTPROTO="dhcp"
    

    This will need to be modified to BOOTPROTO="none".

  • The following information will also need to be added to the end of the file (substitute the values for your network):
    IPADDR="192.168.1.7"
    NETMASK="255.255.255.0"
    GATEWAY="192.168.1.99"
    DNS1="192.168.1.99"
    DNS2="8.8.8.8"
    
  • After these settings are changed, save the file and restart networking with the command:
    sudo systemctl restart NetworkManager
    
  • Once this is performed the system should be upgraded to the current version of CentOS using the following command. Please be aware that this upgrade process can take more than 25 minutes depending on the speed of your Internet connection.
    sudo yum update
    

RHEL 7.3

  • At the command prompt enter:
    sudo vi /etc/sysconfig/network-scripts/ifcfg-ens192
    
  • Locate the line:
    BOOTPROTO="dhcp"
    

    This will need to be modified to BOOTPROTO="none".

  • The following information will also need to be added to the end of the file (substitute the values for your network):
    IPADDR="192.168.1.7"
    NETMASK="255.255.255.0"
    GATEWAY="192.168.1.99"
    DNS1="192.168.1.99"
    DNS2="8.8.8.8"
    
  • After these settings are changed, save the file and restart networking with the command:
    sudo systemctl restart NetworkManager
    
  • Once this is performed the system should be upgraded to the current version of RHEL using the following command. Please be aware that this upgrade process can take more than 25 minutes depending on the speed of your Internet connection.
    sudo yum update
    

Ubuntu

  • At the command prompt enter:
    sudo vi /etc/network/interfaces
    

    Locate the line iface eth0 inet dhcp in the file (see figure 1); you will need to change this to iface eth0 inet static. If the image names the interface differently (for example ens160), check the name with ip link and use it in place of eth0 throughout.

    # The primary network interface
    auto eth0
    iface eth0 inet dhcp

    # address 192.168.1.7
    # netmask 255.255.255.0
    # gateway 192.168.1.99

    #dns-nameservers 192.168.1.99 8.8.8.8
    
  • Uncomment and adjust the address, netmask, gateway, and dns-nameservers values to match your network.
    # The primary network interface
    auto eth0
    iface eth0 inet static
        address 192.168.1.7
        netmask 255.255.255.0
        gateway 192.168.1.99
        dns-nameservers 192.168.1.99 8.8.8.8
    
  • This should be followed by restarting the network using the command:
    sudo /etc/init.d/networking restart
    
  • Once this is performed the system should be upgraded to the current version of Ubuntu using the following commands. Please be aware that this upgrade process can take more than 25 minutes depending on the speed of your Internet connection.
    sudo apt-get update
    sudo apt-get dist-upgrade
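The edits in the three procedures above can be applied with a script. The one below is an added example written for this page, not ThreatSTOP's own tooling. It performs exactly the changes described (BOOTPROTO switched to none plus the five static settings for CentOS/RHEL; the dhcp stanza replaced by a static one for Ubuntu) and adds two safeguards the text does not mention: it refuses to write a gateway that is outside the address's subnet, which would leave the appliance reachable only from the VM console, and it refuses to edit a file that already carries a static address. The .bak backup name and the indentation of the static options are this script's own choices.

```bash
#!/usr/bin/env bash
# tscm-static-ip.sh: apply the static-address edits from this section to an
# existing ifcfg (CentOS/RHEL) or /etc/network/interfaces (Ubuntu) file.
# Added example, not ThreatSTOP tooling; the subnet check, the idempotency
# check and the .bak backup are this script's additions.

# Dotted-quad IPv4 -> integer, for netmask arithmetic.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 and gateway $2 share the subnet defined by netmask $3.
same_subnet() {
  local addr=$1 gw=$2 mask=$3 m
  m=$(ip_to_int "$mask")
  [ $(( $(ip_to_int "$addr") & m )) -eq $(( $(ip_to_int "$gw") & m )) ]
}

# CentOS/RHEL: set BOOTPROTO="none" and append the static settings.
# Usage: set_static_ifcfg /etc/sysconfig/network-scripts/ifcfg-ens160 ADDR MASK GW DNS1 DNS2
set_static_ifcfg() {
  local f=$1 addr=$2 mask=$3 gw=$4 dns1=$5 dns2=$6
  same_subnet "$addr" "$gw" "$mask" || { echo "gateway $gw is not in $addr/$mask" >&2; return 1; }
  grep -q '^IPADDR=' "$f" && { echo "$f already has a static address; not changing it" >&2; return 1; }
  cp -p "$f" "$f.bak"
  sed -i 's/^BOOTPROTO=.*/BOOTPROTO="none"/' "$f"
  printf 'IPADDR="%s"\nNETMASK="%s"\nGATEWAY="%s"\nDNS1="%s"\nDNS2="%s"\n' \
    "$addr" "$mask" "$gw" "$dns1" "$dns2" >> "$f"
}

# Ubuntu (ifupdown): turn the dhcp stanza for IFACE into a static one.
# Usage: set_static_interfaces /etc/network/interfaces eth0 ADDR MASK GW DNS1 DNS2
set_static_interfaces() {
  local f=$1 iface=$2 addr=$3 mask=$4 gw=$5 dns1=$6 dns2=$7
  same_subnet "$addr" "$gw" "$mask" || { echo "gateway $gw is not in $addr/$mask" >&2; return 1; }
  grep -q "^iface $iface inet dhcp" "$f" || { echo "no dhcp stanza for $iface in $f" >&2; return 1; }
  cp -p "$f" "$f.bak"
  # Replace the dhcp line with the static stanza; options must sit directly under it.
  sed -i "s/^iface $iface inet dhcp\$/iface $iface inet static\n    address $addr\n    netmask $mask\n    gateway $gw\n    dns-nameservers $dns1 $dns2/" "$f"
  # Remove the commented placeholders the image ships with so they are not duplicated.
  sed -i '/^# *\(address\|netmask\|gateway\|dns-nameservers\) /d' "$f"
}

# Example invocation (the page's sample values; run as root, then restart networking):
#   set_static_ifcfg /etc/sysconfig/network-scripts/ifcfg-ens160 192.168.1.7 255.255.255.0 192.168.1.99 192.168.1.99 8.8.8.8
#   set_static_interfaces /etc/network/interfaces eth0 192.168.1.7 255.255.255.0 192.168.1.99 192.168.1.99 8.8.8.8
```

Restart networking with the distribution's command from the procedure above after the script has run; if the VM then loses connectivity, the original file is next to it as <file>.bak.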
    

Devices Supported by the TSCM

At this point you will need to follow the directions for adding your supported device to the TSCM. At this time we support the following devices:

Testing the Connection

After device setup has been completed, a test will need to be run to verify the firewall is behaving as intended. To perform this test:

  • Open a console on the TSCM and enter
    tail -f /var/log/threatstop/devices/<device name>/syslog
    
  • From a device behind the firewall that is not the TSCM, attempt to connect to http://bad.threatstop.com with a web browser.
    • If the connection is blocked, you will see a connection blocked error message in the web browser, and the log being tailed will update.
    • If the connection is not blocked you will see the ThreatSTOP logo appear, and the configuration settings will need to be double checked.
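The browser test above can be scripted so it is repeatable after every policy change. The following is an added example, not part of the page or of ThreatSTOP's tooling: the request half runs on a host behind the firewall, the log-count half on the TSCM. The test URL and log path are the page's; the curl exit-code mapping (6 = name resolution failed, 7/28/56 = connection refused, timed out or reset) and the 10-second timeout are assumptions. Note that a 200 response is the failure case here: it means the request was not blocked.

```bash
#!/usr/bin/env bash
# tscm-blocktest.sh: scripted form of the bad.threatstop.com test. Added example,
# not a ThreatSTOP tool. The exit-code mapping and timeout are assumptions.

# Map a curl exit status (and the HTTP code it reported) to what the policy did.
# 0 + 200: the page (ThreatSTOP logo) came back, so the request was NOT blocked.
# 6: name resolution failed, consistent with a DNS-layer block (e.g. Infoblox).
# 7/28/56: refused, timed out or reset, consistent with a firewall-layer block.
classify_result() {
  local curl_rc=$1 http_code=$2
  case "$curl_rc" in
    0)
      if [ "$http_code" = "200" ]; then echo NOT_BLOCKED; else echo "UNEXPECTED_HTTP_$http_code"; fi ;;
    6)        echo BLOCKED_DNS ;;
    7|28|56)  echo BLOCKED_NET ;;
    *)        echo "ERROR_CURL_$curl_rc" ;;
  esac
}

# Run from a host behind the firewall (not the TSCM). Prints the classification.
run_block_test() {
  local url=${1:-http://bad.threatstop.com/} rc=0 code
  code=$(curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$url" 2>/dev/null) || rc=$?
  classify_result "$rc" "$code"
}

# Run on the TSCM: current line count of a device's syslog file.
log_lines() { wc -l < "$1" | tr -d ' '; }

# Return 0 if the log has grown past the count captured before the request.
log_grew() { [ "$(log_lines "$1")" -gt "$2" ]; }

# Poll log $1 for up to $2 seconds, waiting for it to exceed $3 lines.
wait_for_log() {
  local f=$1 secs=$2 before=$3 i=0
  while [ "$i" -lt "$secs" ]; do
    log_grew "$f" "$before" && return 0
    sleep 1; i=$((i + 1))
  done
  return 1
}

# Usage:
#   TSCM:   before=$(bash tscm-blocktest.sh count /var/log/threatstop/devices/<device name>/syslog)
#   client: bash tscm-blocktest.sh request            # expect BLOCKED_NET or BLOCKED_DNS
#   TSCM:   bash tscm-blocktest.sh wait /var/log/threatstop/devices/<device name>/syslog 15 "$before"
case "${1:-}" in
  request) run_block_test "${2:-}" ;;
  count)   log_lines "$2" ;;
  wait)    wait_for_log "$2" "${3:-15}" "$4" ;;
esac
```

NOT_BLOCKED from the client, or a wait that times out on the TSCM while the client reports a block, both mean the device configuration needs to be rechecked; only a block on the client together with log growth on the TSCM confirms that policy enforcement and log export are both working.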

If the test shows the connection being blocked, update the device’s configuration as detailed in TSCM Configuration to begin sending logs back to ThreatSTOP for enhanced security.

TSCM Configuration

After the initial setup, reconfiguring the device (for example to enable sending logs to ThreatSTOP for processing) uses the following instructions:

  • At the command prompt, enter: tsadmin configure <device name> and press ENTER.
  • Accept the established defaults; these come from the settings provided during the initial device setup. If a parameter needs to be changed, you may do so when its prompt appears.
  • If setup completed correctly in the previous steps, enter Y at the Submit logs to ThreatSTOP prompt to enable log submission.
  • The username and password are stored securely and will not need to be added a second time.
  • If one appears, enter the password at the Enable Password prompt.
  • For the block list grouping name (Object, Address, or Zone), enter the name under which you want the block list to appear in the managed device's control panel.
  • For the allow list grouping name (Object, Address, or Zone), enter the name under which you want the allow list to appear in the managed device's control panel.
  • For the Max entries or Number of Dynamic Lists prompts accept the defaults or enter the values determined to be required for your network.
  • To verify your settings enter tsadmin show and review the output.

Reconfiguration of the device is not applied immediately. tsadmin update is scheduled in cron (/etc/cron.d/multidevice-core) and will apply the change to the device when the job next runs. To apply it sooner, run tsadmin update manually.

Notes and Limitations

Attempting to run multiple instances of tsadmin at the same time will not work: tsadmin holds a lock, and only the first user to start it will be allowed to commit changes.

It is possible to adjust resources on the VM, but the number of CPUs cannot be changed; doing so will cause the VM to fail to start.