Copyright © 2017. Trend Micro Incorporated. All rights ... · targeted attack detection TippingPoint ATP for Networks detection engines deliver expanded APT and targeted attack detection

Trend Micro Incorporated reserves the right to make changes to this document and tothe product described herein without notice. Before installing and using the product,review the readme files, release notes, and/or the latest version of the applicabledocumentation, which are available from the Trend Micro website at:

http://docs.trendmicro.com

Trend Micro, the Trend Micro t-ball logo, Deep Discovery, TippingPoint, and ControlManager are trademarks or registered trademarks of Trend Micro Incorporated. Allother product or company names may be trademarks or registered trademarks of theirowners.

Copyright © 2017. Trend Micro Incorporated. All rights reserved.

Document Part No.: APEM37844/170502

Release Date: May 2017

Protected by U.S. Patent No.: Patents pending.

http://docs.trendmicro.com/en-us/home.aspx/

This documentation introduces the main features of the product and/or providesinstallation instructions for a production environment. Read through the documentationbefore installing or using the product.

Detailed information about how to use specific features within the product may beavailable at the Trend Micro Online Help Center and/or the Trend Micro KnowledgeBase.

Trend Micro always seeks to improve its documentation. If you have questions,comments, or suggestions about this or any Trend Micro document, please contact us [email protected].

Evaluate this documentation on the following site:

http://www.trendmicro.com/download/documentation/rating.asp

mailto:%[email protected]


i

Table of Contents

Chapter 1: IntroductionAbout TippingPoint ATP for Networks ..................................................... 1-2

What's New ..................................................................................................... 1-2

Features and Benefits ..................................................................................... 1-3Threat Management Capabilities ......................................................... 1-4APT Attack Sequence ............................................................................ 1-5Host Severity ........................................................................................... 1-6Advanced Threat Scan Engine ............................................................. 1-9Virtual Analyzer ...................................................................................... 1-9

Chapter 2: About Your SystemPackage Contents ............................................................................................ 2-2

The TippingPoint Advanced Threat Protection for Networks Appliance ............................................................................................................................ 2-3

Front Panel .............................................................................................. 2-3Back Panel ................................................................................................ 2-6NIC Indicators ........................................................................................ 2-9Power Indicators ................................................................................... 2-14

Setting Up the Hardware ............................................................................. 2-15

Ports Used by the Appliance ...................................................................... 2-17

Product Specifications ................................................................................. 2-21Product Specifications - 510/1100 Appliance ................................. 2-21Product Specifications - 4100 Appliance .......................................... 2-22

Chapter 3: DeploymentDeployment Overview ................................................................................... 3-2

Deployment Planning .................................................................................... 3-2Single Port Monitoring .......................................................................... 3-3

Trend Micro TippingPoint Advanced Threat Protection for Networks Installation and DeploymentGuide

ii

Multiple Port Monitoring ...................................................................... 3-5Network Tap Monitoring ...................................................................... 3-5Redundant Networks ............................................................................. 3-7VLAN-based Port Monitoring ............................................................. 3-7Remote Port or VLAN Mirroring ....................................................... 3-8Proxy Monitoring ................................................................................... 3-9Mirroring Trunk Links ........................................................................ 3-10

Installation Requirements ............................................................................ 3-10System Requirements ........................................................................... 3-11

Chapter 4: InstallationConfiguring Options ...................................................................................... 4-2

Setting Security Options for Internet Explorer ................................. 4-2Setting JavaScript Options for Chrome .............................................. 4-3Setting JavaScript Options for Firefox ................................................ 4-3Setting JavaScript Options for Internet Explorer .............................. 4-4Setting Options for Virtual Appliance in ESXi 5.x, or 6.x .............. 4-4

TippingPoint Advanced Threat Protection for Networks Installation .. 4-5Installing TippingPoint Advanced Threat Protection for Networks ona Hardware Appliance ............................................................................ 4-6Installing TippingPoint Advanced Threat Protection for Networks ona Virtual Appliance ............................................................................... 4-13

Restoring to Factory Mode ......................................................................... 4-19

Chapter 5: PreconfigurationPreconfiguration Console .............................................................................. 5-2

Preconfiguration Console Access ........................................................ 5-2

Preconfiguration Console Main Menu ........................................................ 5-6Viewing Appliance Information and Status ....................................... 5-7Modifying Device Settings .................................................................... 5-9Modifying Interface Settings ............................................................... 5-11

Chapter 6: System TasksSystem Tasks Overview ................................................................................. 6-2

Importing the Configuration File ........................................................ 6-2

Table of Contents

iii

Exporting the Configuration File ........................................................ 6-5Importing an HTTPS Certificate ......................................................... 6-7Performing a Diagnostic Test ............................................................... 6-9Performing a Ping Test ........................................................................ 6-10Restarting TippingPoint Advanced Threat Protection for Networks .................................................................................................................. 6-11Changing the Root Password ............................................................. 6-13Logging Off .......................................................................................... 6-14

Chapter 7: Create a New Virtual ApplianceCreating a Virtual Machine in VMware ESXi ............................................ 7-2

Configuring the VMware ESXi Server Network ............................... 7-3Enabling Promiscuous Mode in VMware ESXi ................................ 7-9

Installing TippingPoint Advanced Threat Protection for Networks inVMware ESXi ............................................................................................... 7-12

Enabling Hardware-assisted Virtualization in VMware ESXi ....... 7-25

Chapter 8: TroubleshootFrequently Asked Questions (FAQs) ........................................................... 8-2

FAQs - Appliance Rescue ..................................................................... 8-2FAQs - Configuration ............................................................................ 8-3FAQs - Detections ................................................................................. 8-3FAQs - Installation ................................................................................. 8-3FAQs - Upgrade ..................................................................................... 8-4FAQs - Virtual Analyzer Image ............................................................ 8-4

Troubleshooting .............................................................................................. 8-4Slow Management Console Response ................................................. 8-5Detections ................................................................................................ 8-6"Database is Corrupt" Alert Displays ............................................... 8-11Virtual Analyzer .................................................................................... 8-11Virtual Analyzer Images ...................................................................... 8-13Cannot Connect to Network Services .............................................. 8-19Diagnostics ............................................................................................ 8-19


iv

Chapter 9: Technical SupportTroubleshooting Resources ........................................................................... 9-2

Using the Support Portal ....................................................................... 9-2Threat Encyclopedia .............................................................................. 9-2

Contacting Trend Micro TippingPoint Support ........................................ 9-3

Sending Suspicious Content to Trend Micro ............................................. 9-4Email Reputation Services .................................................................... 9-4File Reputation Services ........................................................................ 9-4Web Reputation Services ....................................................................... 9-4

Other Resources ............................................................................................. 9-5Download Center ................................................................................... 9-5Documentation Feedback ..................................................................... 9-5

AppendicesAppendix A: Get Started

Management Console .................................................................................... A-2

Get Started Tasks ........................................................................................... A-9

IndexIndex .............................................................................................................. IN-1

v

Preface

PrefaceThis Guide introduces Trend Micro™ TippingPoint™ Advanced Threat Protection forNetworks 3.8 SP5.

Learn more about the following topics:

• Documentation on page vi

• Audience on page vii

• Document Conventions on page vii


vi

DocumentationThe documentation set for TippingPoint Advanced Threat Protection for Networksincludes the following:

Table 1. Product Documentation

Document Description

Administrator's Guide The Administrator's Guide contains detailed instructions onhow to configure and manage TippingPoint ATP forNetworks, and explanations on TippingPoint ATP forNetworks concepts and features.

Installation andDeployment Guide

The Installation and Deployment Guide containsinformation about requirements and procedures forplanning deployment, installing TippingPoint ATP forNetworks, and using the Preconfiguration Console to setinitial configurations and perform system tasks.

Syslog Content MappingGuide

The Syslog Content Mapping Guide provides informationabout log management standards and syntaxes forimplementing syslog events in TippingPoint ATP forNetworks.

Quick Start Card The Quick Start Card provides user-friendly instructions onconnecting TippingPoint ATP for Networks to your networkand on performing the initial configuration.

Readme The Readme contains late-breaking product informationthat is not found in the online or printed documentation.Topics include a description of new features, known issues,and product release history.

Online Help Web-based documentation that is accessible from theTippingPoint ATP for Networks management console.

The Online Help contains explanations of TippingPoint ATPfor Networks components and features, as well asprocedures needed to configure TippingPoint ATP forNetworks.

Preface

vii

Document Description

Support Portal The Support Portal is an online database of problem-solving and troubleshooting information. It provides thelatest information about known product issues. To accessthe Support Portal, go to the following website:

http://esupport.trendmicro.com

View and download product documentation from the Trend Micro Online Help Center:

http://docs.trendmicro.com/en-us/home.aspx

AudienceThe TippingPoint Advanced Threat Protection for Networks documentation is writtenfor IT administrators and security analysts. The documentation assumes that the readerhas an in-depth knowledge of networking and information security, including thefollowing topics:

• Network topologies

• Database management

• Antivirus and content security protection

The documentation does not assume the reader has any knowledge of sandboxenvironments or threat event correlation.

Document ConventionsThe documentation uses the following conventions:


http://docs.trendmicro.com/en-us/home.aspx


viii

Table 2. Document Conventions

Convention Description

UPPER CASE Acronyms, abbreviations, and names of certaincommands and keys on the keyboard

Bold Menus and menu commands, command buttons, tabs,and options

Italics References to other documents

Monospace Sample command lines, program code, web URLs, filenames, and program output

Navigation > Path The navigation path to reach a particular screen

For example, File > Save means, click File and then clickSave on the interface

Note Configuration notes

Tip Recommendations or suggestions

Important Information regarding required or default configurationsettings and product limitations

WARNING! Critical actions and configuration options

1-1

Chapter 1

IntroductionLearn about product features, capabilities, and security technology in the followingtopics:

• About TippingPoint ATP for Networks on page 1-2

• Features and Benefits on page 1-3

• Threat Management Capabilities on page 1-4

• APT Attack Sequence on page 1-5

• Host Severity on page 1-6

• Advanced Threat Scan Engine on page 1-9

• Virtual Analyzer on page 1-9


1-2

About TippingPoint ATP for NetworksTippingPoint ATP for Networks is a third-generation threat management solutiondesigned and architected to deliver breakthrough targeted attack and advanced threatvisibility, insight, and control. TippingPoint ATP for Networks provides ITadministrators with critical security information, alerts, and reports.

Trend Micro developed TippingPoint ATP for Networks to meet the requirements ofG1000 organizations and government around the world. TippingPoint Advanced ThreatProtection for Networks integrates global intelligence and scanning technology to catchtraditional signature-based threats and more sophisticated threats requiring heuristicanalysis.

TippingPoint ATP for Networks deploys in offline monitoring mode. It monitorsnetwork traffic by connecting to the mirror port on a switch for minimal to no networkinterruption.

What's NewThis version of TippingPoint Advanced Threat Protection for Networks offers a rangeof product enhancements that improve usability and detection information.

Table 1-1. TippingPoint Advanced Threat Protection for Networks 3.8 SP5 NewFeatures

Key Feature Description

Refreshed Dashboardwidgets

TippingPoint Advanced Threat Protection for Networksprovides an improved dashboard experience that utilizesmodern technologies and graphics without Flash.

Palo Alto Panorama andvirtual system integration

TippingPoint Advanced Threat Protection for Networksimproves its third-party integration options with Palo AltoPanorama and Palo Alto virtual system support.

Introduction

1-3

Key Feature Description

Enhanced VirtualAnalyzer

Virtual Analyzer includes the following enhancements:

• Proxy configuration for internal Virtual Analyzer

• New supported file types (Microsoft Publisher 2016,Microsoft Windows Command Script file, MicrosoftWindows Batch file, and Scalable Vector Graphics)

• Support Microsoft Office 2016 application for Office fileanalysis in sandbox images

• Support for analysis of embedded URLs in PDFs

• Deployment of sandbox images running Windows 10(versions 1507 and 1511), Windows Server 2012, andWindows Server 2012 R2 operating systems

• Integration of the following ActiveUpdate components:

• Network Content Inspection Engine (Linux, Usermode, 64-bit)

• Network Content Inspection Pattern

• Virtual Analyzer Configuration Pattern

• Deep Discovery Trusted Certificate Authorities

Smart filter import andexport

TippingPoint Advanced Threat Protection for Networks addsthe ability to share customized investigations through theimport and export of smart filters.

Features and BenefitsTippingPoint Advanced Threat Protection for Networks offers sophisticated detectioncapabilities using multiple advanced detection engines to present detailed informationabout custom and signature-based threats passing through various network protocols.TippingPoint Advanced Threat Protection for Networks detects targeted attacks andadvanced threats, and helps remediate targeted attacks with automated processes.

TippingPoint Advanced Threat Protection for Networks includes the following features:


1-4

• Threat Management Capabilities on page 1-4

• APT Attack Sequence on page 1-5

• Host Severity on page 1-6

• Advanced Threat Scan Engine on page 1-9


Threat Management CapabilitiesTippingPoint ATP for Networks detects and identifies evasive threats in real-time, andprovides in-depth analysis and actionable intelligence needed to discover, prevent, andcontain attacks against corporate data.

Table 1-2. Threat Management Capabilities

Capability Description

Expanded APT andtargeted attack detection

TippingPoint ATP for Networks detection engines deliverexpanded APT and targeted attack detection includingcustom sandbox analysis. New discovery and correlationrules detect malicious content, communication, andbehavior across every stage of an attack sequence.

Visibility, analysis, andaction

Using an intuitive multi-level format, the TippingPoint ATPfor Networks management console provides real-timethreat visibility and analysis. This allows securityprofessionals to focus on the real risks, perform forensicanalysis, and rapidly implement containment andremediation procedures.

High capacity platforms TippingPoint ATP for Networks features a high-performancearchitecture that meets the demanding and diversecapacity requirements of large organizations.

TippingPoint ATP for Networks features are useful for acompany of any size, and are vital to larger organizationsneeding to reduce the risk of targeted attacks.

Introduction

1-5

APT Attack Sequence

Targeted attacks and advanced persistent threats (APTs) are organized, focused effortsthat are custom-created to penetrate enterprises and government agencies for access tointernal systems, data, and other assets. Each attack is customized to its target, butfollows a consistent life cyle to infiltrate and operate inside an organization.

In targeted attacks, the APT life cyle follows a continuous process of six key phases.

Table 1-3. APT Attack Sequence

Phase Description

IntelligenceGathering

Identify and research target individuals using public sources (forexample, social media websites) and prepare a customizedattack

Point of Entry An initial compromise typically from zero-day malware deliveredvia social engineering (email/IM or drive-by download)

A backdoor is created and the network can now be infiltrated.Alternatively, a website exploitation or direct network hack may beemployed.

Command & Control(C&C)Communication

Communications used throughout an attack to instruct and controlthe malware used

C&C communication allows the attacker to exploit compromisedmachines, move laterally within the network, and exfiltrate data.

Lateral Movement An attack that compromises additional machines

Once inside the network, an attacker can harvest credentials,escalate privilege levels, and maintain persistent control beyondthe initial target.

Asset/DataDiscovery

Several techniques (for example, port scanning) used to identifynoteworthy servers and services that house data of interest

Data Exfiltration Unauthorized data transmission to external locations

Once sensitive information is gathered, the data is funneled to aninternal staging server where it is chunked, compressed, andoften encrypted for transmission to external locations under anattacker’s control.


1-6

TippingPoint Advanced Threat Protection for Networks is purpose-built for detectingAPT and targeted attacks. It identifies malicious content, communications, and behaviorthat may indicate advanced malware or attacker activity across every stage of the attacksequence.

Host SeverityIn TippingPoint Advanced Threat Protection for Networks, host severity is the impacton a host as determined from aggregated detections by Trend Micro products andservices.

Investigating beyond event security, the host severity numerical scale exposes the mostvulnerable hosts and allows you to prioritize and quickly respond.

Host severity is based on the aggregation and correlation of the severity of the eventsthat affect a host. If several events affect a host and have no detected connection, thehost severity will be based on the highest event severity of those events. However, if theevents have a detected correlation, the host severity level will increase accordingly.

For example: Of five events affecting a host, the highest risk level is moderate. If theevents have no correlation, the host severity level will be based on the moderate risklevel of that event. However, if the events are correlated, then the host severity level willincrease based on the detected correlation.

The host severity scale consolidates threat information from multiple detectiontechnologies and simplifies the interpretation of overall severity. You can prioritize yourresponses based on this information and your related threat response policies.

Introduction

1-7

Table 1-4. Host Severity Scale

Category Level Description

Critical

Host exhibits behavior thatdefinitely indicates host iscompromised

10 Host shows evidence of compromise includingbut not limited to the following:

• Data exfiltration

• Multiple compromised hosts/servers

9 Host exhibits an indication of compromisefrom APTs including but not limited to thefollowing:

• Connection to an IP address associatedwith a known APT

• Access to a URL associated with aknown APT

• A downloaded file associated with aknown APT

• Evidence of lateral movement

8 Host may exhibit the following:

• A high severity network event

• Connection to a C&C Server detected byWeb Reputation Services

• A downloaded file rated as high risk byVirtual Analyzer


1-8


Major

Host is targeted by a knownmalicious behavior or attackand exhibits behavior thatlikely indicates host iscompromised


• Inbound malware downloads; noevidence of user infection

• An inbound Exploit detection


• Connection to a dangerous site detectedby Web Reputation Services


• A downloaded medium- or low-riskpotentially malicious file with no evidenceof user infection


• A medium severity network event

• A downloaded file rated as medium riskby Virtual Analyzer

Minor

Host exhibits anomalous orsuspicious behavior thatmay be benign or indicate athreat


• Repeated unsuccessful logon attempts orabnormal patterns of usage

• A downloaded or propagated packedexecutable or suspicious file

• Evidence of running IRC, TOR, oroutbound tunneling software


• A low severity network event

• Evidence of receiving an email messagethat contains a dangerous URL

• A downloaded file rated as low risk byVirtual Analyzer

Introduction

1-9


Trivial

Host exhibits normalbehavior that may bebenign or indicate a threatin future identification ofmalicious activities


• An informational severity network event

• Connection to a site rated as untested orto a new domain detected by WebReputation Services

• Evidence of a running disruptiveapplication such as P2P

Advanced Threat Scan Engine

Advanced Threat Scan Engine uses a combination of signature file-based scanning andheuristic rule-based scanning to detect and document exploits and other threats used intargeted attacks.

Major features include the following:

• Detection of zero-day threats

• Detection of embedded exploit code

• Detection rules for known vulnerabilities

• Enhanced parsers for handling file deformities

Virtual Analyzer

Virtual Analyzer is a secure virtual environment that manages and analyzes objectssubmitted by integrated products, administrators, and investigators. Custom sandboximages enable observation of files, URLs, registry entries, API calls, and other objects inenvironments that match your system configuration.

Virtual Analyzer performs static and dynamic analysis to identify an object's notablecharacteristics in the following categories:

• Anti-security and self-preservation


1-10

• Autostart or other system configuration

• Deception and social engineering

• File drop, download, sharing, or replication

• Hijack, redirection, or data theft

• Malformed, defective, or with known malware traits

• Process, service, or memory object change

• Rootkit, cloaking

• Suspicious network or messaging activity

During analysis, Virtual Analyzer rates the characteristics in context and then assigns arisk level to the object based on the accumulated ratings. Virtual Analyzer also generatesanalysis reports, suspicious object lists, PCAP files, and OpenIOC and STIX files thatcan be used in investigations.

2-1

Chapter 2

About Your SystemLearn about the TippingPoint Advanced Threat Protection for Networks appliance inthe following topics:

• Package Contents on page 2-2

• The TippingPoint Advanced Threat Protection for Networks Appliance on page 2-3

• Setting Up the Hardware on page 2-15

• Ports Used by the Appliance on page 2-17

• Product Specifications on page 2-21


2-2

Package ContentsExamine the TippingPoint Advanced Threat Protection for Networks appliance packagecontents and hardware to correctly configure the appliance in your network.

The following illustration shows the items that are included in the TippingPointAdvanced Threat Protection for Networks appliance package.

Figure 2-1. Package Contents

Table 2-1. TippingPoint Advanced Threat Protection for Networks PackageContents

# Name Description

1 Slide and rail sets (2) Secure the appliance (fixed mount) or use to secure andallow the appliance to slide in and out of a four-post rack(sliding mount).

NoteThe rail is assembled with the slide when thepackage is shipped. Remove the rail from the slidebefore mounting the appliance.

About Your System

2-3

# Name Description

2 Trend Micro InstallationDVD for TippingPointAdvanced ThreatProtection for Networks(1)

TippingPoint ATP forNetworks Quick StartCard

The Installation DVD contains installers and the PDFdocumentation set, including the following:

• Trend Micro TippingPoint Advanced ThreatProtection for Networks Administrator's Guide

• Trend Micro TippingPoint Advanced ThreatProtection for Networks Installation and DeploymentGuide

The Quick Start Card provides user-friendly instructionson connecting TippingPoint ATP for Networks to yournetwork and on performing the initial configuration.

3 Power cords (2) Supply power to the appliance (length is 79 in/200 cm)

4 TippingPoint AdvancedThreat Protection forNetworks (1)

The appliance

The TippingPoint Advanced Threat Protectionfor Networks Appliance

Front Panel


2-4

Front Panel - 510/1100 Appliance

Figure 2-2. TippingPoint Advanced Threat Protection for Networks 510/1100 FrontPanel

Table 2-2. 510/1100 Front Panel Features

# Feature Description

1 Power-on indicator

Power button

• Lights when the system power is on

• Controls the power supply output to theappliance

2 Appliance ID button Not supported by TippingPoint Advanced ThreatProtection for Networks

3 Video connector Connects a VGA display to the appliance

4 LCD menu buttons Enable control panel LCD menu navigation

5 LCD panel Displays system ID, status information, and systemerror messages

6 USB management port USB 2.0-compliant

7 Optical drive DVD +/- RW drive

8 Hard drives (2) 3.5-inch, hot-swappable

9 USB 2.0 connector • Connects USB devices (for example, keyboardor mouse) to the appliance

• USB 2.0-compliant

About Your System

2-5

Front Panel - 4100 Appliance

Figure 2-3. TippingPoint Advanced Threat Protection for Networks 4100 Front Panel

Table 2-3. 4100 Front Panel Features


1 Power-on indicator

Power button

• Lights when the system power is on

• Controls the power supply output to theappliance

2 Appliance ID button /appliance statusindicator

Not supported by TippingPoint Advanced ThreatProtection for Networks


4 LCD menu buttons Enable control panel LCD menu navigation

5 LCD panel Displays system ID, status information, and systemerror messages

6 Hard drives (4) 2.5-inch, hot-swappable hard drive

7 USB management port • Connects to a management network forcommunication and interaction with otherproducts and services

• USB 2.0-compliant.


2-6




9 Optical drive DVD +/- RW drive

Back Panel

Back Panel - 510/1100 Appliance

Figure 2-4. TippingPoint Advanced Threat Protection for Networks 510/1100 BackPanel

Table 2-4. 510/1100 Back Panel Features




11 RS-232 serial connector Connects to the serial port of a computer with anRS-232 type connection to perform preconfiguration

12 Management port Connects to a management network forcommunication and interaction with other productsand services

About Your System

2-7


13 iDRAC port Connects to a dedicated management port on theiDRAC card

14 Data port 1 Integrated 10/100/1000 Mbps NIC connector





19 Power supplyconnectors (2)

Two 750-watt hot-plug power supply units:

• Main power supply

• Backup power supply

Note"Hot-plug" refers to the ability to replace thepower supply while the appliance is running.TippingPoint Advanced Threat Protection forNetworks automatically and safely recognizesthe change without operational interruption orrisk.

Use the power cord included in the package (fordetails, see Package Contents on page 2-2).







2-8

Back Panel - 4100 Appliance

Figure 2-5. TippingPoint Advanced Threat Protection for Networks 4100 Back Panel

Table 2-5. 4100 Back Panel Features


10 USB 3.0 connectors (2) • Connects USB devices (for example, keyboardor mouse) to the appliance


11 RS-232 serial connector Connects to the serial port of a computer with anRS-232 type connection to perform preconfiguration

12 Management port Connects to a management network forcommunication and interaction with other productsand services

13 iDRAC port Connects to a dedicated management port on aniDRAC card






19 Data port 6 10 Gbps NIC connector

About Your System

2-9





23 Power supplyconnectors (2)

Two 750-watt hot-plug power supply units:

• Main power supply

• Backup power supply

Note"Hot-plug" refers to the ability to replace thepower supply while the appliance is running.TippingPoint Advanced Threat Protection forNetworks automatically and safely recognizesthe change without operational interruption orrisk.

Use the power cord included in the package (fordetails, see Package Contents on page 2-2).




NIC Indicators

NIC Indicators - 510/1100

TippingPoint Advanced Threat Protection for Networks has five user-configurablecopper-based Ethernet NIC ports. All accept integrated 10/100/1000 Mbps connectors.

Each port has an indicator showing the current state of the port.


2-10

Table 2-6. NIC Indicator Key: TippingPoint Advanced Threat Protection forNetworks 510/1100

Indicator Description

1 Connection status: Port connected/not connected to a valid network

Data activity status: Network data transmission/reception

2 Data transmission speed

Table 2-7. NIC Indicators: TippingPoint Advanced Threat Protection for Networks510/1100

Indicator Indicator Pattern Condition

1 Off No NIC network connection

Green on NIC connection to a valid network

Green flashing Network data is being sent or received

2 Yellow 10 Mbps

Yellow 100 Mbps

Green 1000 Mbps

Orange flashing Identity

Use the Identify Adapter button in IntelPROSet to control blinking. For moreinformation, see Intel PROSet Help.

Table 2-8. NIC Ports and Indicators: TippingPoint Advanced Threat Protection forNetworks 510/1100

Data Port Port Style

Data port 1

About Your System

2-11

Data Port Port Style

Data port 2

Data port 3

Data port 4

Data port 5

NIC Indicators - 4100

The TippingPoint Advanced Threat Protection for Networks 4100 appliance providesthe following nine user-configurable, copper-based Ethernet ports:

• Integrated 10/100/100 Mbps (5)

• 10 Gbps (4)

NIC Indicators - 4100 1 Gbps


Table 2-9. Indicator Key: TippingPoint Advanced Threat Protection for Networks4100 1 Gbps



Data activity status: Network data is being sent or received

2 Data transmission speed


2-12

Table 2-10. NIC Indicators: TippingPoint Advanced Threat Protection for Networks4100 1 Gbps


1 Off No NIC network connection

Green on NIC connection to a valid network

Green flashing Network data transmission/reception

2 Yellow 10 Mbps

Yellow 100 Mbps

Green 1000 Mbps

Orange flashing Identity

Use the Identify Adapter button in IntelPROSet to control blinking. For moreinformation, see Intel PROSet Help.

Table 2-11. NIC Ports and Indicators: TippingPoint Advanced Threat Protection forNetworks 4100 1 Gbps

Data Port Speed Port Style

Data port 1 10/100/1000 Mbps

Data port 2

Data port 3

Data port 4

Data port 5

10/100/1000 Mbps

About Your System

2-13

NIC Indicators - 4100 10 Gbps


Table 2-12. NIC Indicator Key: TippingPoint Advanced Threat Protection forNetworks 4100 10 Gbps



2 Data activity status: Network data is being sent or received

Table 2-13. NIC Indicators: TippingPoint Advanced Threat Protection for Networks4100 10 Gbps


1 On NIC connection to a valid network

2 Green flashing Network data transmission/reception

Both 1 and 2 Off No NIC network connection

Table 2-14. NIC Ports and Indicators: TippingPoint Advanced Threat Protection forNetworks 4100 10 Gbps


Data port 6 10 Gbps

Data port 7 10 Gbps


2-14


Data port 8

Data port 9

10 Gbps

Power Indicators

Figure 2-6. Power Supply Status Indicators

1: Power supply status indicator/handle

Table 2-15. Power Supply Status Indicators

Indicator Pattern Condition

Not lit Power is not connected

Green A valid power source is connected to the power supply andthe power supply is operational

About Your System

2-15

Indicator Pattern Condition

Flashing green When hot-adding a power supply, indicates the power supplyis mismatched with the other power supply (in terms ofefficiency, feature set, health status, and supported voltage)

Replace the power supply that has the flashing indicator witha power supply that matches the capacity of the otherinstalled power supply.

Flashing amber Indicates a problem with the power supply

ImportantWhen correcting a power supply mismatch, replaceonly the power supply with the flashing indicator.Swapping the opposite power supply to make amatched pair can result in an error condition and anunexpected system shutdown.

To change from a high output configuration to a lowoutput configuration or vice versa, first power down thesystem.

AC power supplies support both 220 V and 110 V inputvoltages. When two identical power supplies receivedifferent input voltages, they may output differentwattages and trigger a mismatch.

If two power supplies are used, they must be of thesame type and have the same maximum output power.

Setting Up the Hardware

Procedure

1. Mount the appliance in a standard 19-inch 4-post rack, or on a free-standing object,such as a sturdy desktop.


2-16

NoteWhen mounting the appliance, leave at least two inches of clearance on all sides forproper ventilation and cooling.

2. Connect the appliance to a power source.

TippingPoint Advanced Threat Protection for Networks has two power supplyunits. One unit acts as the main power supply and the other as a backup.

3. Connect the monitor to the VGA port at the back panel.

See Back Panel on page 2-6 for a diagram.

4. Connect the keyboard and mouse to the USB ports on the back panel.

5. Connect the management port to your network.

6. Power on the appliance.

The power button is found on the front panel of the appliance, behind the bezel.See Front Panel on page 2-3 for a diagram.

A screen similar to the following appears:

Figure 2-7. Power-on self-test (POST)

About Your System

2-17

What to do next

If applicable, perform initial preconfiguration using the Preconfiguration Console. Fordetails, see Preconfiguration on page 5-1.

Ports Used by the ApplianceThe following table shows the ports that are used with TippingPoint Advanced ThreatProtection for Networks and why they are used.

Table 2-16. Ports used by TippingPoint Advanced Threat Protection for Networks

Port Protocol Function Purpose

22 TCP Listening andoutbound

TippingPoint Advanced Threat Protectionfor Networks uses this port to:

• Connect to the preconfigurationconsole

• Send logs and data to the ThreatManagement Services Portal ifTippingPoint ATP for Networks isregistered over SSH

25 TCP Outbound TippingPoint ATP for Networks sendsnotifications and scheduled reports throughSMTP.

53 TCP/UDP Outbound TippingPoint ATP for Networks uses thisport for DNS resolution.

67 UDP Outbound TippingPoint ATP for Networks sendsrequests to the DHCP server if IPaddresses are assigned dynamically.

68 UDP Listening TippingPoint ATP for Networks receivesresponses from the DHCP server.


2-18



TippingPoint ATP for Networks connects toother computers and integrated TrendMicro products and hosted servicesthrough this port.

• Update components by connecting tothe ActiveUpdate server

• Verify the TippingPoint ATP forNetworks product license throughCustomer Licensing Portal

• Query Community File ReputationServices through Smart ProtectionServer

• Query Web Reputation Servicesthrough the Smart Protection Network

• Connect to the Community FileReputation service for file prevalencewhen analyzing file samples

• Communicate with Trend MicroControl Manager if TippingPoint ATPfor Networks is registered over HTTP

123 UDP Listening andoutbound

TippingPoint ATP for Networks connects tothe NTP server to synchronize time.

137 UDP Outbound TippingPoint ATP for Networks usesNetBIOS to resolve IP addresses to hostnames.

161 UDP Listening andoutbound

TippingPoint ATP for Networks uses thisport for SNMP agent listening and protocoltranslation.

162 UDP Outbound TippingPoint ATP for Networks uses thisport to send SNMP trap notifications.

About Your System

2-19



TippingPoint Advanced Threat Protectionfor Networks uses this port to:

• Access the management console witha computer through HTTPS

• Register to the mitigation server

• Send logs and data to the ThreatManagement Services Portal ifTippingPoint ATP for Networks isusing SSL encryption

• Connect to Trend Micro ThreatConnect

• Communicate with Trend MicroControl Manager

NoteThis is the default port.Configure this port through themanagement console.

• Communicate with Deep DiscoveryDirector

• Scan APK files and send detectioninformation to the Mobile AppReputation Service

• Query Mobile App Reputation Servicethrough Smart Protection Server

• Query the Web Reputation Servicesblocking reason

• Verify the safety of files through theCertified Safe Software Service

• Share anonymous threat informationwith the Smart Protection Network

• Send files to Deep Discovery Analyzerfor sandbox analysis


2-20


514 UDP Outbound TippingPoint ATP for Networks sends logsto a syslog server over UDP.

NoteThe port must match the syslogserver.

601 TCP Outbound TippingPoint ATP for Networks sends logsto a syslog server over TCP.


4343 TCP Outbound Communicate with Smart Protection Server

5274 TCP Outbound Query Web Reputation Services throughSmart Protection Server

8514 UDP Outbound TippingPoint ATP for Networks sendssyslog information to Deep DiscoveryAdvisor if TippingPoint ATP for Networks isintegrated with Deep Discovery Advisor.

NoteThis is the default port. It can beconfigured through the managementconsole, and it must match thesyslog settings on Deep DiscoveryAdvisor.

About Your System

2-21


6514 TCP Outbound TippingPoint ATP for Networks sends logsto a syslog server over TCP with SSLencryption.


Product SpecificationsStandard TippingPoint Advanced Threat Protection for Networks appliances have thefollowing specifications.

Contact Trend Micro if the appliance you are using does not meet these hardwarespecifications.

Note

Hardware vendors and specifications may vary for customers in China, Japan, and otherregions.

Product Specifications - 510/1100 Appliance

Table 2-17. TippingPoint Advanced Threat Protection for Networks 510/1100

Feature Specifications

Rack size 1U 19-inch standard rack

Availability Raid 1 configuration

Storage size 2 x 1 TB 3.5-inch SATA


2-22


Connectivity • Management: 1 x 1 GB/100/10Base copper

• Data: 5 x 1 GB/100/10Base copper

Dimensions (WxDxH) 43.4 cm (17.09 in) x 64.2 cm (25.28 in) x 4.28 cm (1.69 in)

Maximum weight 19.9 kg (43.87 lb)

Operating temperature 10°C to 35°C at 10% to 80% relative humidity (RH)

Power 550W , 100-240 VAC 50/60 HZ

Product Specifications - 4100 ApplianceTable 2-18. TippingPoint Advanced Threat Protection for Networks 4100 Appliance


Rack size 2U 19-inch standard rack

Availability Raid 10 configuration

Storage size 4 x 1 TB 3.5-inch SAS

Connectivity • Management: 1 x 1 GB/100/10Base copper

• Data:

4 x 10 GB SPF+ Direct Attach copper

5 x 1 GB/100/10Base copper

Dimensions (WxDxH) 43.4 cm (17.09 in) x 75.58 cm (29.75 in) x 8.73 cm (3.44 in)

Maximum weight 31.5 kg (69.3 lb)

Operating temperature 10°C to 35°C at 10% to 80% relative humidity (RH)

Power 750W , 100-240 VAC 50/60 HZ

3-1

Chapter 3

DeploymentLearn tips, suggestions, and requirements for installing TippingPoint Advanced ThreatProtection for Networks in the following sections:

• Deployment Overview on page 3-2

• Deployment Planning on page 3-2

• Installation Requirements on page 3-10


3-2

Deployment Overview

Procedure

1. Plan the deployment.

See Deployment Planning on page 3-2.

2. Review the installation requirements.

See Installation Requirements on page 3-10.

3. Review the system requirements.

See System Requirements on page 3-11.

4. Install TippingPoint Advanced Threat Protection for Networks.

See Installation on page 4-1.

5. Preconfigure TippingPoint Advanced Threat Protection for Networks.

See Preconfiguration on page 5-1.

Deployment PlanningPlan how to best deploy TippingPoint Advanced Threat Protection for Networks bydoing the following:

• Determine the segments of your network that need protection.

• Plan for network traffic, considering the location of appliances critical to youroperations such as email, web, and application servers.

• Determine both the number of appliances needed to meet your security needs andtheir locations on the network

• Conduct a pilot deployment on a test segment of your network.

• Redefine your deployment strategy based on the results of the pilot deployment.

Deployment

3-3

• Use the following examples to plan a customized TippingPoint Advanced ThreatProtection for Networks deployment.

Single Port MonitoringThe TippingPoint Advanced Threat Protection for Networks data port connects to themirror port of the core switch, which mirrors the traffic through the port to the firewall.

(Optional) Configure the mirror port to mirror inbound/outbound traffic from single ormultiple source ports.

NoteMirrored traffic should not exceed the capacity of the network interface card.


3-4

Figure 3-1. Single Port Monitoring

Deployment

3-5

Multiple Port MonitoringTippingPoint ATP for Networks can monitor different network segments usingdifferent data ports. TippingPoint ATP for Networks data ports are connected to themirror ports of access or distribution switches.

Figure 3-2. Multiple Port Monitoring

Network Tap MonitoringNetwork taps monitor the data flowing across the network from interconnectedswitches, routers, and clients. Multiple TippingPoint ATP for Networks appliances canbe connected to a network tap.


3-6

NoteIf using network taps, make sure that they copy DHCP traffic to TippingPoint AdvancedThreat Protection for Networks instead of filtering DHCP traffic.

Figure 3-3. Network Tap Monitoring - Single TippingPoint ATP for Networks

Deployment

3-7

Redundant Networks

Many enterprise environments use redundant networks to provide high availability.When available, an asymmetric route connects TippingPoint ATP for Networks toredundant switches.

Figure 3-4. Redundant Network Monitoring

VLAN-based Port Monitoring

VLAN-based port mirroring allows users to choose to monitor traffic on all portsbelonging to a particular VLAN. In this scenario, connect TippingPoint ATP forNetworks to a switch if the mirror configuration is VLAN-based.


3-8

Remote Port or VLAN Mirroring

Use remote mirroring in the following conditions:

• Monitoring switches

• Local switches do not have enough physical ports

• Port speed on local switches do not match (GB versus MB)

Figure 3-5. Remote Port or VLAN Mirroring

Note

In this diagram, the dotted line displays the remote mirror, and the solid line displays thedirect mirror.

Deployment

3-9

Proxy MonitoringWhen configuring TippingPoint Advanced Threat Protection for Networks in proxyenvironments outside the proxy server, enable XFF on the proxy server.

To avoid false alarms when configuring TippingPoint Advanced Threat Protection forNetworks in proxy environments inside or outside the proxy server, add HTTP Proxy asa registered service on TippingPoint Advanced Threat Protection for Networks.

Figure 3-6. Proxy Monitoring


3-10

Mirroring Trunk LinksWhen multiple VLANs encapsulate the same physical link, mirror the source port froma trunk link. Make sure that the switch mirrors the correct VLAN tag to TippingPointATP for Networks for both directions.

Figure 3-7. Mirroring Trunk Links

Installation RequirementsEnsure the following before installing TippingPoint Advanced Threat Protection forNetworks.

Requirement Description

Match port speeds The destination port speed should be the same as the source portspeed to ensure equal port mirroring. If the destination port isunable to handle the faster speed of the source port, thedestination port may drop some data.

Deployment

3-11


Configure VirtualAnalyzer data ports

When enabling an internal Virtual Analyzer, select one of thefollowing network options and make sure the data ports areconfigured as follows:

• No Network

Virtual Analyzer does not exchange data with the Internet.

• Custom Network

Virtual Analyzer uses an additional specified data port toexchange data with the Internet.

• Management Network

Virtual Analyzer uses a management port to exchange datawith the Internet.

For details, see Internal Virtual Analyzer in the TippingPointAdvanced Threat Protection for Networks Administrator's Guide.

Monitor all data TippingPoint Advanced Threat Protection for Networks monitorsall inbound and outbound network traffic.

NoteFor better performance when installing TippingPointAdvanced Threat Protection for Networks, Trend Microrecommends using a plug-in NIC rather than an onboardNIC as a data port.

NoteTo ensure TippingPoint ATP for Networks captures trafficfrom both directions, configure the mirror port, and makesure that traffic in both directions is mirrored to the port.

System RequirementsTippingPoint Advanced Threat Protection for Networks requires the following:


3-12

Table 3-1. System Requirements

Resource Requirement

Hardware hostappliance

Trend Micro provides the TippingPoint Advanced Threat Protectionfor Networks appliance hardware. No other hardware is supported.

VMware ESXivirtual hostappliance

TippingPoint Advanced Threat Protection for Networks supportsinstallation on a VMware ESXi 5.x or 6.x virtual appliance. TrendMicro recommends the following minimum specifications:

• Virtual disk: 100 GB

• Virtual CPU cores: 5

• Virtual memory: 8 GB

• Virtual NICs: 2

NoteTrend Micro recommends using the VMXNET 3 networkadapter on ESXi 5.5 or later.

CentOS KVMvirtual hostappliance

TippingPoint Advanced Threat Protection for Networks supportsinstallation on a CentOS KVM 7.0 or later virtual appliance. TrendMicro recommends the following minimum specifications:

• Virtual disk: 100 GB

• Virtual CPU cores: 6

• Virtual memory: 8 GB

• Virtual NICs: 2

NoteTrend Micro recommends using the VirtIO or E1000network adapters.

Deployment

3-13


PreconfigurationConsole

The TippingPoint Advanced Threat Protection for NetworksPreconfiguration Console is a terminal communications programused to configure the network and system settings that are requiredto access the TippingPoint Advanced Threat Protection forNetworks management console.

For details, see Preconfiguration Console on page 5-2

Access to the Preconfiguration Console requires the following:

• VGA connections:

• Monitor with a VGA port

• USB keyboard

• VGA cable

• Serial connections:

• Computer with a serial port

• RS-232 serial cable

• Serial communication application (HyperTerminal)

Managementconsole

TippingPoint Advanced Threat Protection for Networks provides abuilt-in online management console for viewing system status,configuring and viewing threat detections and logs, running reports,administering TippingPoint Advanced Threat Protection forNetworks, updating components, and obtaining help.

For details, see Management Console in the TippingPointAdvanced Threat Protection for Networks Administrator's Guide.

The TippingPoint Advanced Threat Protection for Networksmanagement console supports the following web browsers:

• Google™ Chrome™

• Microsoft™ Internet Explorer™ 11.0

• Mozilla™ FireFox™

• Microsoft™ Edge

Recommended resolution rate: 1280x800


3-14


Operating systeminstallation media(disk or diskimage) for VirtualAnalyzer images

Windows operating systems and other Microsoft products areavailable separately from Microsoft and Microsoft channel partners.

ImportantTrend Micro does not provide any Microsoft Windowsoperating systems or Microsoft Office products required forinstallation on Virtual Analyzer images or sandbox instancesyou create in TippingPoint Advanced Threat Protection forNetworks. You must provide the operating system andMicrosoft Office installation media and appropriate licensingrights necessary for you to create any sandboxes.

4-1

Chapter 4

InstallationLearn the steps for installing TippingPoint Advanced Threat Protection for Networks asa hardware or virtual appliance in the following sections:

• Configuring Options on page 4-2

• TippingPoint Advanced Threat Protection for Networks Installation on page 4-5


4-2

Configuring OptionsSet the following options to enable TippingPoint Advanced Threat Protection forNetworks management console navigation.

• Setting Security Options for Internet Explorer on page 4-2

• Setting JavaScript Options for Chrome on page 4-3

• Setting JavaScript Options for Firefox on page 4-3

• Setting JavaScript Options for Internet Explorer on page 4-4

• Setting Options for Virtual Appliance in ESXi 5.x, or 6.x on page 4-4

Setting Security Options for Internet Explorer

NoteFor all Internet Explorer versions, make sure that the following options are enabled.

Procedure

1. On the browser, go to the Tools > Internet Options > Security tab.

2. Select the Internet zone and click Custom level....

3. Enable Allow META REFRESH found under Miscellaneous settings.

4. Repeat steps 1-3 for Local intranet and Trusted sites zones.

5. Verify that browser zoom is set to 100%.

Installation

4-3

Setting JavaScript Options for Chrome

Procedure

1. On the browser, go to Settings.

2. Click Show advanced settings....

3. Under Privacy, click Content settings....

4. Under JavaScript, click Allow all sites to run JavaScript (recommended).

5. Click Done.

Setting JavaScript Options for Firefox

Procedure

1. For Firefox versions lower than 23, do the following.

a. On the browser, go to the Options > Content tab.

b. Verify that Enable JavaScript is selected.

c. Click OK.

2. For Firefox version 23 or higher, do the following.

a. In the address bar, type about:config and press ENTER.

b. Click I'll be careful, I promise!.

c. Verify that the Value of Preference Name javascript.enabled is set to true.


4-4

Setting JavaScript Options for Internet Explorer

Procedure

1. On the browser, go to the Tools > Internet Options > Security tab.

2. Select the Internet zone and click Custom level....

3. Under Scripting, enable Active scripting.

4. Click OK.

Setting Options for Virtual Appliance in ESXi 5.x, or 6.x

Procedure

1. On the vSphere Client > Inventory screen, right-click the appliance name andselect Edit Settings....

The settings screen appears.

2. On the Settings screen, click the Options tab and select VMware Tools.

3. Disable the Synchronize guest time with host option.

Installation

4-5

Figure 4-1. Virtual Appliance Options

TippingPoint Advanced Threat Protection forNetworks Installation

TippingPoint Advanced Threat Protection for Networks is available as a hardware orvirtual appliance.


4-6

Hardware appliance • Trend Micro provides a bare metal server with TippingPointAdvanced Threat Protection for Networks pre-installed.

• Trend Micro provides TippingPoint Advanced ThreatProtection for Networks packaged as an ISO file on aninstallation DVD.

Install the TippingPoint Advanced Threat Protection forNetworks software on a bare metal server that meets therequirements listed in Installation Requirements on page3-10.

Virtual appliance Install the TippingPoint Advanced Threat Protection for Networkssoftware as a virtual appliance on a bare metal server that meetsthe requirements listed in Installation Requirements on page 3-10.

Connect the virtual CD/DVD drive to the installation DVD or theISO file.

Installing TippingPoint Advanced Threat Protection forNetworks on a Hardware Appliance

WARNING!Back up any pre-existing data on the target hard disk before installing TippingPointAdvanced Threat Protection for Networks. The installation process formats andrepartitions the hard disk and removes all existing data.

Procedure

1. Using a VGA cable, connect the monitor VGA port to the TippingPoint AdvancedThreat Protection for Networks appliance VGA port.

2. Insert the TippingPoint Advanced Threat Protection for Networks installationDVD into the CD/DVD drive.

3. Power on the appliance.

Installation

4-7

The BIOS screen appears.

Figure 4-2. BIOS

4. Press F11.

The Boot Manager screen appears.


4-8

Figure 4-3. Boot Manager

5. Select BIOS Boot Menu and press ENTER.

The BIOS Boot Manager screen appears.

Figure 4-4. BIOS Boot Manager Menu

Installation

4-9

Note

When installing TippingPoint Advanced Threat Protection for Networks through aserial connection, press ESC and simultaneously press SHIFT and 1 to enter theBIOS Boot Manager.

6. Select TSSTcorp DVD-ROM SN-108BB and press ENTER.

The Installation DVD screen appears.

Figure 4-5. TippingPoint Advanced Threat Protection for Networks InstallationDVD

7. Press ENTER.

• When installing TippingPoint Advanced Threat Protection for Networksthrough a serial connection, type serial and press ENTER.

The System Information screen appears.


4-10

Figure 4-6. System Information

8. Perform the following tasks:

a. (Optional) To show system information, type 0 and press ENTER.

b. (Optional) Perform a system requirements check.

• To skip the system requirements check, type 2 and press ENTER.

• By default, the installer checks system requirements before installingTippingPoint Advanced Threat Protection for Networks to confirm thatthe appliance has the necessary resources to run the product.

• Skip the system requirements check to test the product in a controlledenvironment before installing it on the network.

c. Start the installation.

To start installing TippingPoint Advanced Threat Protection for Networks,type 1 and press ENTER.

d. Obtain installation logs.

To obtain installation logs (used for troubleshooting installation problems),type 3 and press ENTER.

Installation

4-11

The Management Port Selection screen appears.

Figure 4-7. Management Port Selection

Note

TippingPoint Advanced Threat Protection for Networks automatically detects theactive link cards (indicated by Link is UP) available for use as a management port.


a. Verify that the network port status and the actual port status match.

If a status conflict exists, select Re-detect and press ENTER.

b. Select an active link card.

To determine which active link card is connected to the management domain,perform the steps listed on the Management Port Selection screen.

c. Select an active link card and press ENTER.


4-12

Installation continues and completes.

Figure 4-8. Export Installation Logs

10. Note

If you enabled installation log export on the System Information screen, a list ofstorage devices is displayed on the Export Installation Logs screen.

To save the exported installation logs, perform the following tasks:

a. Select a storage device and press ENTER.

b. When the installation log file name appears, press ENTER.

Trend Micro recommends saving exported installation logs to sda11.

Note

Record the file name for future reference.

The file name is in the following format:

install.log.YYYY-MM-DD-hh-mm-ss

Installation

4-13

c. If the preferred device is not listed, verify that it is connected to the applianceby doing the following:

i. Go to Re-detect.

ii. Press ENTER to refresh the list.

The system automatically restarts and the Preconfiguration Console appears. Ifused, the installation DVD ejects from the CD/DVD drive.

11. (Optional) Remove the DVD to prevent reinstallation.


For details, see Preconfiguration Console on page 5-2.

NotePreconfiguration tasks are identical for both hardware and virtual appliances.

Installing TippingPoint Advanced Threat Protection forNetworks on a Virtual Appliance

WARNING!Back up any existing data on the target hard disk before installing TippingPoint AdvancedThreat Protection for Networks. The installation process formats and repartitions the harddisk and removes all existing data.

ImportantYou must separately license VMware ESXi and such use is subject to the terms andconditions of the VMware license agreement for that product.

Procedure

1. Create a CentOS KVM or VMware ESXi virtual appliance.

For details, see Create a New Virtual Appliance on page 7-1.


4-14

When installing TippingPoint Advanced Threat Protection for Networks on aVMware ESXi server, disable the snapshot feature for the virtual appliance topreserve hard disk space.

2. Start the virtual machine.


a. Insert the TippingPoint Advanced Threat Protection for Networks installationDVD into the physical CD/DVD drive of the hypervisor server.

b. Connect the virtual CD/DVD drive of the virtual appliance to the physicalCD/DVD drive of the hypervisor server.

c. Connect the virtual CD/DVD drive of the virtual appliance to the ISO file.

4. Restart the virtual appliance.

• On the VMware vSphere Client, go to Inventory > Virtual Machine >Guest > Send and press CTRL+ALT+DEL.

• On the CentOS KVM server, use an available management tool. For details,see http://www.linux-kvm.org/page/Management_Tools.

http://www.linux-kvm.org/page/Management_Tools

Installation

4-15

The Installation DVD screen appears.

Figure 4-9. TippingPoint Advanced Threat Protection for Networks InstallationDVD

5. Press ENTER. When installing TippingPoint Advanced Threat Protection forNetworks through a serial connection, type serial and press ENTER.

The System Information screen appears.


4-16

Figure 4-10. System Information


a. (Optional) To show system information, type 0 and press ENTER.

b. (Optional) Perform a system requirements check.

To skip the system requirements check, type 2 and press ENTER.

By default, the installer performs a system requirements check beforeinstalling TippingPoint Advanced Threat Protection for Networks to confirmthat the appliance has the necessary resources to run the product.

Skip the system requirements check to test the product in a controlledenvironment before installing it on the network.

c. Start the installation.

To start installing TippingPoint Advanced Threat Protection for Networks,type 1 and press ENTER.

Installation

4-17

d. Obtain installation logs.

To obtain installation logs (used for troubleshooting installation problems),type 3 and press ENTER.

The Management Port Selection screen appears.

Figure 4-11. Management Port Selection

Note

TippingPoint Advanced Threat Protection for Networks automatically detects theactive link cards (indicated by Link is UP) available for use as a management port.


a. Verify that the network port status and the actual port status match.

If a status conflict exists, select Re-detect and press ENTER.

b. To determine which active link card is connected to the management domain,perform the steps listed on the Management Port Selection screen.

c. Select an active link card and press ENTER.

Installation continues and completes.


4-18

Figure 4-12. Export Installation Logs

8. Note

If you enabled installation log export on the System Information screen, a list ofstorage devices is displayed on the Export Installation Logs screen.

To save the exported installation logs, perform the following tasks:

a. Select a storage device and press ENTER.

b. When the installation log file name appears, press ENTER.

Tip

Trend Micro recommends saving exported installation logs to sda11.

Note

Record the file name for future reference.

The file name is in the following format:

install.log.YYYY-MM-DD-hh-mm-ss

Installation

4-19

c. If the preferred device is not listed, verify that it is connected to the applianceby doing the following:

i. Navigate to Re-detect.

ii. Press ENTER to refresh the list.

The system automatically restarts and the Preconfiguration Console appears. Ifused, the installation DVD ejects from the CD/DVD drive.

9. (Optional) Remove the DVD to prevent reinstallation.


For details, see Preconfiguration Console on page 5-2.

Note

Preconfiguration tasks are identical for both hardware and virtual appliances.

Restoring to Factory ModeReset TippingPoint Advanced Threat Protection for Networks by restoring the defaultsettings that shipped with the product.

Procedure

1. Power on TippingPoint Advanced Threat Protection for Networks with a monitorconnected to a VGA port.

When TippingPoint Advanced Threat Protection for Networks is starting andbefore the Preconfiguration Console opens, the Press ESC key to enter themenu prompt appears. If no action is performed, the system will automaticallyboot within 10 seconds.

2. Press the ESC key to enter the boot system options menu.

3. Using the arrow key, select Restore to factory mode and press ENTER.


4-20

TippingPoint Advanced Threat Protection for Networks restarts and thePreconfiguration Console opens.

5-1

Chapter 5

PreconfigurationLearn how to use the Preconfiguration Console to configure initial TippingPointAdvanced Threat Protection for Networks settings in the following sections:

• Preconfiguration Console Access on page 5-2

• Preconfiguration Console Main Menu on page 5-6


5-2

Preconfiguration ConsoleThe TippingPoint Advanced Threat Protection for Networks Preconfiguration Consoleis a terminal communications program used to configure the network and systemsettings that are required to access the TippingPoint Advanced Threat Protection forNetworks management console.

The Preconfiguration Console also supports recovery operations if the managementconsole is not available.

Use the Preconfiguration Console to do the following:

• Configure initial settings (product IP address and host name)

• Import/export appliance configurations

• Import HTTPS certificates

• Perform a diagnostic test

• Ping the network to verify configuration

• Restart the appliance

• View system logs

• Change the root password

NoteTo enter data when using HyperTerminal, disable the scroll lock function on yourkeyboard.

Preconfiguration Console AccessThe TippingPoint Advanced Threat Protection for Networks Preconfiguration Consoleis accessible from a hardware or virtual appliance.

Access the Preconfiguration Console as follows:

• Accessing the Preconfiguration Console with a VGA Port on page 5-3

Preconfiguration

5-3

TipTrend Micro recommends accessing the Preconfiguration Console using a monitorwith a VGA port.

• Accessing the Preconfiguration Console with a Serial Port on page 5-4

Accessing the Preconfiguration Console with a VGA Port

Procedure

1. Using a VGA cable, connect the monitor VGA port to the appliance VGA port.

2. When the Preconfiguration Console screen opens, type the default passwordadmin and press ENTER twice.



5-4

Figure 5-1. Log On

Accessing the Preconfiguration Console with a Serial Port

Procedure

1. Using an RS-232 serial cable, connect the serial port of the TippingPoint AdvancedThreat Protection for Networks appliance to the serial port on a computer.

2. On the computer, open a serial communication application (HyperTerminal).

3. Type the following values if you are accessing the Preconfiguration Console for thefirst time:

• Bits per second: 115200

• Data bits: 8

• Parity: None

• Stop bits: 1

• Flow control: None

Preconfiguration

5-5


4. When the Preconfiguration Console screen appears, type the default passwordadmin and press ENTER twice.

Figure 5-2. Log on


5-6

Preconfiguration Console Main Menu

Figure 5-3. Preconfiguration Console Main Menu

The Preconfiguration Console main menu displays the following menu items:

Table 5-1. Main Menu Items

Item Description

1) Device Information andStatus

View information about TippingPoint Advanced ThreatProtection for Networks and monitor memory usage.

2) Device Settings Modify the TippingPoint Advanced Threat Protection forNetworks IP address, subnet mask, network defaultgateway address, and DNS servers.

3) Interface Settings View the network speed and duplex mode for themanagement port, automatically detected by TippingPointATP for Networks.

Preconfiguration

5-7

Item Description

4) System Tasks Configure the following:

• Perform a diagnostic test, or restart the product.

• Import or export the configuration file and import theHTTPS certificate.

• Ping a server in the same subnet.

5) Change Password Change the root password.

6) Log Off with Saving Log off from the Preconfiguration Console after savingchanges.

7) Log Off without Saving Log off from the Preconfiguration Console without savingchanges.

To access a menu item, type the number for the menu item and then press ENTER.

Viewing Appliance Information and Status

Use the Device Information & Status screen to view the product name, version, andmemory usage.

Note

View memory usage information on the TippingPoint ATP for Networks managementconsole. Go to Dashboard > System Status.

For details, see System Status in the TippingPoint Advanced Threat Protection for NetworksAdministrator's Guide.

Procedure

1. Log on to the Preconfiguration Console.

The Main Menu appears.

2. Type 1 to select Device Information & Status and press ENTER.


5-8


The Device Information and Status screen appears.

Figure 5-4. Device Information and Status

3. Press ENTER to return to the main menu.

Preconfiguration

5-9

Modifying Device Settings

Figure 5-5. Device Settings

Use the Device Settings screen to configure the management IP address settings.

Note

These tasks can also be performed on the management console.

Procedure



2. To select Device Settings, type 2 and press ENTER.


5-10

NoteTo enter data when using a serial communication application (for example,HyperTerminal), disable the scroll lock function on your keyboard.

The Device Settings screen appears.

3. In the Type field, use the space bar to select one of the following properties:

• dynamic

• static

4. Configure the following IPv4 address settings:

a. In the IP address field, type an IPv4 address.

Type a Subnet mask.

b. Type a Gateway IP address.

c. Type a Primary and Secondary DNS server IP address.

5. (Optional) Configure the following IPv6 address settings:

a. In the Enable field, select yes.

b. In the IP address field, type an IPv6 address.

Type a Subnet prefix.

c. Type a Gateway IP address.

d. Type a DNS server IP address.

6. (Optional) Type a VLAN ID.

NoteThe VLAN ID is used when a trunk connection is required between theTippingPoint ATP for Networks management port and a switch. The VLAN ID isused as a VLAN tag in 802.1Q Ethernet frame.

7. Go to Return to main menu and press ENTER.

Preconfiguration

5-11

8. To save the settings, type 6 and press ENTER.

Modifying Interface Settings

Figure 5-6. Interface Settings

By default, TippingPoint Advanced Threat Protection for Networks automaticallydetects the network speed and duplex mode for the management port. These settingsmay be manually configured.

TipTo maximize throughput, Trend Micro recommends full-duplex mode. Half-duplex isacceptable, but network throughput may be limited by transmission delays.

NoteTippingPoint Advanced Threat Protection for Networks data ports can be managed fromthe management console. Go to Administration > System Settings > Network. Fordetails, see Network in the TippingPoint Advanced Threat Protection for Networks Administrator'sGuide.


5-12

Procedure



2. Type 3 to select Interface Settings and press ENTER.


The Interface Settings screen appears.

3. To change the interface settings, perform the following tasks:

a. Type 1 and press ENTER.

b. In the Speed and Duplex fields, use the space bar to change the networkspeed and duplex mode.

c. Navigate to Return to main menu and press ENTER.

4. Type 2 and press ENTER to return to the main menu.

5. Type 6 and press ENTER to save the settings.

6-1

Chapter 6

System TasksLearn how to perform system tasks on the Preconfiguration Console in the followingtopics:

• Importing the Configuration File on page 6-2

• Exporting the Configuration File on page 6-5

• Importing an HTTPS Certificate on page 6-7

• Performing a Diagnostic Test on page 6-9

• Performing a Ping Test on page 6-10

• Restarting TippingPoint Advanced Threat Protection for Networks on page 6-11

• Changing the Root Password on page 6-13

• Logging Off on page 6-14


6-2

System Tasks OverviewUse the System Tasks screen to perform the following system tasks.

Figure 6-1. System Tasks

Tip

You can also import and export a configuration file from the management console.

Importing the Configuration FileIf TippingPoint Advanced Threat Protection for Networks encounters errors with thecurrent settings, restore the configuration and database from a backup file.

WARNING!

Export the current configuration settings before importing the backup configuration file.For details, see Exporting the Configuration File on page 6-5.

System Tasks

6-3

NoteThe following steps are for HyperTerminal only. Other serial communication applicationscan be used, but the steps may be different.

Procedure



2. Type 4 and press ENTER.

The System Tasks screen appears.


The Import configuration file screen appears.

4. On the HyperTerminal console, go to Transfer > Send File to send theconfiguration file to TippingPoint Advanced Threat Protection for Networksbefore importing.


6-4

Figure 6-2. Send File Option

5. Browse to the configuration file to be imported.

Figure 6-3. Send File

6. Change the protocol to Kermit and click Send.

System Tasks

6-5

Figure 6-4. Kermit file send for Serial Connection

TippingPoint Advanced Threat Protection for Networks imports and applies thesettings from the configuration file.

Exporting the Configuration FileBack up the configuration files regularly.

NoteThe following steps are for HyperTerminal only. Other serial communication applicationscan be used, but the steps may be different.

Procedure






The Export configuration file screen appears.


6-6

4. On the HyperTerminal console, go to Transfer > Receive File.

Figure 6-5. Receive File Options

The Receive File window opens.

Figure 6-6. Receive File

5. Browse to the configuration file to be exported.

6. Change the protocol to Kermit, and then click Receive.

System Tasks

6-7

TippingPoint Advanced Threat Protection for Networks exports the configurationsettings to a config.dat file.

Figure 6-7. Kermit File Receive for Serial Connection

7. Rename the exported configuration files for proper version control.

Importing an HTTPS Certificate

To eliminate any potential browser security issues, replace the TippingPoint ATP forNetworks default security certificate with an imported security certificate from areputable Certificate Authority.

TippingPoint Advanced Threat Protection for Networks supports the following HTTPSformats:

• X509 PEM

Note

For details on generating an HTTPS certificate, see Generating an HTTPS Certificate in theTippingPoint ATP for Networks Administrator's Guide.


6-8

Note

The following steps are for HyperTerminal only. Other serial communication applicationscan be used, but the steps may be different.

Procedure

1. From a Linux operating system, use the following command to generate acertificate:

openssl req -newkey rsa:2048 -x509 -sha512 -days 365 -nodes-out server.pem -keyout server.pem






The Import HTTPS certificate screen appears.

Figure 6-8. Import HTTPS Certificate

5. From the HyperTerminal menu, click Transfer > Send File.

System Tasks

6-9

6. Browse to the HTTPS certificate file to be imported.

7. Change the Protocol to Kermit and click Send.

Performing a Diagnostic TestRun a diagnostic test on TippingPoint Advanced Threat Protection for Networks tocapture and view a log of hardware and software status and events.

Procedure






The Diagnostic Test screen appears.

4. On the HyperTerminal console, go to Transfer > Capture Text.

Note

This step uses HyperTerminal as an example. Other serial communicationapplications can be used, but this step may be different.

5. Browse to the folder and specify a file name for the log.

Note


6. Click Start.


6-10

Note


7. Under Run diagnostic test now?, go to OK and press ENTER.

While the diagnostic test runs, TippingPoint Advanced Threat Protection forNetworks displays log entries on the console.

After the diagnostic test finishes, TippingPoint Advanced Threat Protection forNetworks generates a summary log report, and automatically restarts.

8. After TippingPoint ATP for Networks restarts, open the log summary report toview the results.

Performing a Ping TestUse a Ping test to verify network configuration.

Procedure






The Ping Test screen appears.

4. Input the server IP address and press Ping.

Ping test results appear on the screen.

5. Press ESC to return to the main menu.

System Tasks

6-11

Restarting TippingPoint Advanced Threat Protection forNetworks

To restart TippingPoint Advanced Threat Protection for Networks, access thePreconfiguration Console using a serial communication application (for example,HyperTerminal). Using TippingPoint Advanced Threat Protection for Networks toaccess the Preconfiguration Console allows you to restart the appliance remotely.

When TippingPoint Advanced Threat Protection for Networks starts, it verifies theintegrity of its configuration files. The management console password may reset if theconfiguration file containing password information is corrupted. If management consolelogon is unsuccessful when using the preferred password, log on using the defaultpassword admin.

Procedure






The Restart System screen appears.

4. On the Restart System screen, navigate to OK and press ENTER.


6-12

Figure 6-9. Restart System

TippingPoint Advanced Threat Protection for Networks restarts.

System Tasks

6-13

Changing the Root Password

Figure 6-10. Change Password

Procedure




The Change Password screen appears.

3. Type the old and new passwords.

4. Confirm the new password.

5. Go to Return to main menu and press ENTER to return to the main menu andsave the settings.


6-14

Logging OffLog off from the Preconfiguration Console with or without saving.

Procedure

1. After changing the configuration settings, return to the main menu.

2. Select one of the following logoff options:

• To save the changes, type 6 and press ENTER.

• To exit without saving the changes, type 7 and press ENTER.

3. Navigate to OK and press ENTER.

7-1

Chapter 7

Create a New Virtual ApplianceLearn how to create a virtual appliance using VMware ESXi in the following topics:

• Creating a Virtual Machine in VMware ESXi on page 7-2

• Configuring the VMware ESXi Server Network on page 7-3

• Enabling Promiscuous Mode in VMware ESXi on page 7-9

• Installing TippingPoint Advanced Threat Protection for Networks in VMware ESXi on page7-12

For details about the minimum virtual appliance system requirements and supportedhypervisors, see System Requirements on page 3-11.


7-2

Creating a Virtual Machine in VMware ESXi

Important

You must separately license VMware ESXi and such use is subject to the terms andconditions of the VMware license agreement for that product.

To install TippingPoint Advanced Threat Protection for Networks in a VMware server,prepare the following:


VMware ESXi server Install the TippingPoint Advanced Threat Protection forNetworks virtual machine and verify the following:

• ESXi server is version 5.x or 6.x

• Two or more NICs on the VMware ESXi server (oneManager Network, one or more Data Networks)

For details, see Configuring the VMware ESXi ServerNetwork on page 7-3.

• Promiscuous Mode is enabled to pass all traffic receivedby the Data Network.

For details, see Enabling Promiscuous Mode in VMwareESXi on page 7-9.

• Virtualization Technology (VT) is enabled on your VMwarehost and in the VMware vSphere configuration.

For details about the VMware vSphere configuration, seeEnabling Hardware-assisted Virtualization in VMware ESXion page 7-25.

VMware vSphereclient

Synchronizes VMware vSphere Client with the ESXi server.

VMware vSphere Client provides the following functionality:

• Performs deployment tasks

• Manages the TippingPoint Advanced Threat Protection forNetworks virtual machine

Create a New Virtual Appliance

7-3


Windows computer Install the following software on a Windows computer:

• VMware vSphere Client

• Internet Explorer, Microsoft Edge, Firefox, or Chrome (foraccessing the TippingPoint Advanced Threat Protection forNetworks management console)

Configuring the VMware ESXi Server Network

Use VMware vSphere Client to connect the ESXi server to a Windows computer.

Procedure

1. To open VMware vSphere Client, type the VMware ESXi server IP Address, Username, and Password, and click Login.

2. Go to the Configurations tab and click Networking. Observe the initial state.


7-4

3. Set the default VM Network as the Management Network.

4. Click Add Networking....

The Add Network Wizard opens.

5. In the Add Network Wizard, click Connection Type. Select Virtual Machine,and then click Next.


7-5

6. On the Network Access screen, do the following:

a. Select Create a vSphere standard switch.

b. Select a NIC card as the Data Network.

c. Click Next.


7-6

7. On the Connection Settings screen, do the following:

a. In Network Label, type Data Network.

b. In VLAN ID (Optional), select All (4095).

c. Click Next.


7-7

8. On the Summary screen, verify that all new and modified vSphere standardswitches are configured appropriately.


7-8

9. Click Finish.

10. Go to the Configurations tab and click Networking to verify that the DataNetwork is connected to the Monitored Network.


7-9

11. Enable Promiscuous Mode.

For details, see Enabling Promiscuous Mode in VMware ESXi on page 7-9.

12. (Optional) Create additional data networks by repeating steps 6 to 11.

Enabling Promiscuous Mode in VMware ESXi

Procedure

1. In the VMware vSphere Client, go to the Configurations tab and clickNetworking.

2. At your Data Network vSwitch, click Properties.


7-10

3. Click Edit.

4. Click the Security tab and set Promiscuous Mode as Accept. Click OK.


7-11


7-12

Installing TippingPoint Advanced ThreatProtection for Networks in VMware ESXi

The following procedure is for VMware.

Procedure

1. From the VMware ESXi menu bar, select File > New > Virtual Machine.

2. On the Configuration screen, click Custom > Next.


7-13

3. On the Name and Location screen, specify a name for the virtual machine andclick Next.

4. On the Storage screen, select the destination storage where the virtual machinewill reside and click Next.


7-14

5. On the Virtual Machine Version screen, select the virtual machine version andclick Next.


7-15

6. On the Guest Operating System screen, perform the following steps.

a. For Guest Operating System, select Linux.

b. For Version, select CentOS 4/5/6 (64-bit).

c. Click Next.


7-16

7. On the CPUs screen, adjust the number of virtual sockets and cores per virtualsocket to allocate at least 5 total cores for the virtual machine and click Next.


7-17

8. On the Memory screen, allocate at least 8 GB of memory for the virtual machineand click Next.


7-18

9. On the Network screen, configure at least two NICs for the virtual machine andclick Next.

Set the VMware ESXi server VM Network as the TippingPoint Advanced ThreatProtection for Networks Management Network (NIC 1). Set Data Network as theTippingPoint Advanced Threat Protection for Networks Data Network (NIC 2).

Note

Trend Micro recommends using the VMXNET 3 network adapter on ESXi 5.5 orlater.


7-19

10. On the SCSI Controller screen, select the I/O adapter type appropriate for thevirtual disk and click Next.


7-20

11. On the Select a Disk screen, select Create a new virtual disk and click Next.


7-21

12. On the Create a Disk screen, allocate at least 100 GB of hard disk space for thevirtual machine and click Next.


7-22

13. On the Advanced Options screen, keep the default selections and click Next.


7-23

14. On the Ready to Complete screen, review the settings and click Finish.


7-24

15. Enable hardware-assisted virtualization in the VMware vSphere Web Client.

For details, see Enabling Hardware-assisted Virtualization in VMware ESXi on page7-25.


7-25

Enabling Hardware-assisted Virtualization in VMwareESXi

Procedure

1. Verify that Virtualization Technology (VT) is enabled on the VMware host.

TipThe Virtualization Technology setting is typically in the BIOS settings and thelocation varies based on the system vendor. The feature may be named AMD-V, VT,VT-x, Vanderpool Technology, Virtualization Technology, VMX, or Virtual MachineExtensions.

2. In the VMware vSphere Web Client, right-click the virtual machine and select EditSettings.

3. On to the Virtual Hardware tab, expand CPU.

4. Enable Expose hardware-assisted virtualization to guest OS.

5. Click OK.

8-1

Chapter 8

TroubleshootLearn about common troubleshooting options available in TippingPoint ATP forNetworks and find answers to frequently asked questions in the following topics:

• Frequently Asked Questions (FAQs) on page 8-2

• Troubleshooting on page 8-4


8-2

Frequently Asked Questions (FAQs)Find answers to frequently asked questions in the following topics.

• FAQs - Appliance Rescue on page 8-2

• FAQs - Configuration on page 8-3

• FAQs - Detections on page 8-3

• FAQs - Installation on page 8-3

• FAQs - Upgrade on page 8-4

• FAQs - Virtual Analyzer Image on page 8-4

FAQs - Appliance Rescue

How do I rescue the TippingPoint ATP for Networks appliance?

To rescue the TippingPoint ATP for Networks appliance, do one of the following:

• Reinstall TippingPoint ATP for Networks and use the saved or default settings.

Important

All log data is deleted during reinstallation.

• In the management console, go to Administration > Updates > ProductUpdates > Sever Packs / Version Upgrade and install the service pack orversion upgrade file (*.R.tar).

Important

The service pack or version upgrade file must be the same version as the installedversion.

Troubleshoot

8-3

FAQs - ConfigurationCan I register TippingPoint ATP for Networks to more than one ControlManager server?

No, you cannot register TippingPoint ATP for Networks to more than one ControlManager server. For details on registering to a Control Manager server, see Registering toControl Manager in the TippingPoint ATP for Networks Administrator's Guide.

FAQs - DetectionsWhy are there no more Virtual Analyzer detections on the widget or the LogQuery screen after Deep Discovery Analyzer, Deep Discovery Advisor, orTippingPoint Advanced Threat Protection Analyzer reinstalls?

After Deep Discovery Analyzer, Deep Discovery Advisor or TippingPoint AdvancedThreat Protection Analyzer reinstalls, the API key changes. Change the API key on theTippingPoint ATP for Networks management console from Administration > VirtualAnalyzer > Setup.

FAQs - InstallationDoes TippingPoint ATP for Networks installation disrupt network traffic?

No. TippingPoint ATP for Networks installation should not disrupt the network trafficbecause the appliance connects to the mirror port of the switch and not directly to thenetwork.

After a fresh installation, TippingPoint ATP for Networks is unable to obtain adynamic IP address. What do I do?

Restart the appliance and verify that it is able to obtain an IP address. Next, connect anethernet cable from the management port to a known good ethernet connection andrestart the appliance.


8-4

FAQs - UpgradeCan I roll back to a previous version after upgrading to TippingPoint AdvancedThreat Protection for Networks 3.8 SP5?

No. The rollback function is not supported.

Why does TippingPoint ATP for Networks still use old components afterupdating the software and restarting?

When updating components, TippingPoint ATP for Networks updates the softwarefirst. Restart TippingPoint ATP for Networks and update the Network ContentInspection Engine. After updating the Network Content Inspection Engine, clickUpdate, or wait for the next scheduled update.

FAQs - Virtual Analyzer ImageI am unable to download images from an FTP server. What should I do?

Verify the following:

• The specified server path, user name, and password are correct

• Both active and passive modes are enabled on the FTP server

• The FTP server supports UTF-8 (in case image names or file paths contain multi-byte characters)

The Found New Hardware wizard opens when the image is tested in VirtualBox.Does this affect Virtual Analyzer?

The Found New Hardware wizard automatically runs whenever an image istransferred from one machine to another. If the Found New Hardware wizard appearswhen the image is tested in VirtualBox, it may interfere with the CD/DVD auto-run.

TroubleshootingThis section describes common troubleshooting options available in TippingPoint ATPfor Networks.

Troubleshoot

8-5

• Slow Management Console Response on page 8-5

• Detections on page 8-6

• "Database is Corrupt" Alert Displays on page 8-11


• Virtual Analyzer Images on page 8-13

• Cannot Connect to Network Services on page 8-19

• Diagnostics on page 8-19

Slow Management Console ResponseThe management console response is slow or times out.

This occurs when system resources are insufficient.

Procedure

1. To verify CPU, memory, and disk usage, go to https://<appliance IPaddress>/html/troubleshooting.htm.

2. Under Real-time Status, select System Process (ATOP).


8-6

The System Process screen appears.

Figure 8-1. System Process (ATOP)

3. Click Suspend and verify system resources real-time.

Table 8-1. System Resources

Item Line Column Description

CPU CPU Idle The lower the number, the busier the CPU is.

If this number is low, view the processinformation and record the CPU with thehighest usage.

MEM MEM Free,cache

The "Free" field indicates available memory. Alow number means that there is not enoughavailable memory to complete certain actions.

Disk DSK Busy A high number indicates that the disk is busy.

Detections• No Detections on Detections Tab on page 8-7

• "Unregistered Service" Server Displays in All Detections Query on page 8-8

Troubleshoot

8-7

• Unknown IP Addresses Display on a Screen on page 8-10

• Known Safe Objects Flagged as Malicious on page 8-10

No Detections on Detections Tab

No detections appear on the management console Detections tab.

Procedure

1. Verify that the switch mirror port is configured to mirror both directions ofnetwork traffic to the mirror port.

For details, see Deployment Planning in the TippingPoint Advanced Threat Protection forNetworks Installation and Deployment Guide.

2. Verify that networked packets can be captured.

a. Go to Administration > System Settings > Network Interface.

Figure 8-2. Network Interface Port Status

b. Under Network Interface Port Status, click the Start button of the dataport in use.

c. Wait 10 seconds and click Stop.

d. Click View.


8-8

The Packet Capture Information screen appears.

Figure 8-3. Packet Capture Information

i. In the Capfile information section, verify that the data rate matches thereal-time traffic rate.

ii. Click Conversation by TCP or Conversation by UDP, and verify thatTCP and UDP packets are visible.

"Unregistered Service" Server Displays in All DetectionsQueryA server appears as an Unregistered service on the All Detections screen.

Troubleshoot

8-9

Make sure that the server has been added to the Registered Services list. For details, seeAdding Registered Services in the TippingPoint Advanced Threat Protection for NetworksAdministrator's Guide.

Figure 8-4. All Detections Query

Procedure

1. Add the server to the Registered Services list.

a. Go to Administration > Network Groups and Assets > RegisteredServices.


8-10

The Registered Services screen appears.

Figure 8-5. Registered Services

b. Under Add Registered Services, select service type, specify server name andIP address, and click Add.

2. Configure Registered Domains.

a. Go to Administration > Network Groups and Assets > RegisteredDomains.

b. Under Add Registered Domains, add your domain.

Unknown IP Addresses Display on a ScreenIP addresses that do not belong to your network appear on a screen.

Make sure that all IP addresses in your network have been added to the network groupcorrectly. For details, see Adding Network Groups in the TippingPoint Advanced ThreatProtection for Networks Adminstrator's Guide.

Known Safe Objects Flagged as MaliciousKnown safe files, IP addresses, domains, and URLs are flagged malicious by VirtualAnalyzer.

Troubleshoot

8-11

Add any safe entities to the Allow List. For details, see Creating a Custom Allow List in theTippingPoint Advanced Threat Protection for Networks Administrator's Guide.

"Database is Corrupt" Alert Displays

The management console displays the "Database is corrupt" alert.

This message occurs when the database has been corrupted. As a precaution, data is notwritten to the database, which now must be manually repaired. For details, see StorageMaintenance in the TippingPoint Advanced Threat Protection for Networks Administrator's Guide.

Note

After a manual repair, all current data will be lost.

Figure 8-6. Database status alert

Virtual Analyzer

• Cannot Upload OVA on page 8-11

• No Virtual Analyzer Response to File Submissions on page 8-12

Cannot Upload OVA

The OVA is too large and cannot upload into TippingPoint ATP for Networks.

The OVA image must be between 1 GB and 20 GB in size.


8-12

No Virtual Analyzer Response to File Submissions

File samples were sent to TippingPoint ATP for Networks but no response was receivedfrom Virtual Analyzer.

To receive results, enable file submission to Virtual Analyzer.

Procedure

1. Verify that Virtual Analyzer is enabled.

For details, see Enabling Virtual Analyzer in the TippingPoint Advanced Threat Protectionfor Networks Administrator's Guide.

2. Go to Administration > Virtual Analyzer > File Submissions > Add andverify file submission rules are configured as follows:

• Under Criteria, click the applicable file types.

• Under Actions, click Submit.

For details, see File Submission Rules in the TippingPoint Advanced Threat Protectionfor Networks Administrator's Guide.

3. Go to Dashboard > Virtual Analyzer Status and view the Virtual Analyzerstatus field on the Virtual Analyzer widget.

a. If Virtual Analyzer status is "Disabled", enable Virtual Analyzer. Go toAdministration > Virtual Analyzer > Setup to enable file submission toeither an external or internal Analyzer.

For details, see Enabling Virtual Analyzer in the TippingPoint Advanced ThreatProtection for Networks Administrator's Guide.

b. If the Virtual Analyzer status is "Enabled", reboot TippingPoint ATP forNetworks.

4. Verify notification settings.

For details, see Configuring Email Notification Settings in the TippingPoint AdvancedThreat Protection for Networks Administrator's Guide.

Troubleshoot

8-13

5. If the problem persists, contact your technical support provider.

Virtual Analyzer Images• Installation CD/DVD Won't Start on page 8-13

• "Found New Hardware" Wizard on page 8-15

• An Image Displays a Blue Screen on page 8-15

Installation CD/DVD Won't StartThe installation CD/DVD does not automatically start.

Verify items by testing the Virtual Analyzer images in VirtualBox.

Procedure

1. In Oracle VM VirtualBox Manager, click the imported custom Virtual Analyzerimage in the left panel.

2. Click Settings and select Storage.

3. Select Controller: IDE and verify that the specified type is PIIX4.


8-14

Figure 8-7. IDE Controller Name

4. Select the optical disc icon and verify that the specified CD/DVD drive is IDESecondary Master.

Troubleshoot

8-15

Figure 8-8. CD/DVD Drive

"Found New Hardware" WizardDuring Virtual Analyzer image creation, the Found New Hardware wizard appears.

The Found New Hardware wizard automatically runs whenever an image istransferred from one machine to another.

When an image is imported, the Found New Hardware wizard may interfere with theCD/DVD auto-run. Make sure the Virtual Analyzer image is created and prepared usingthe correct procedure. For details, see the Virtual Analyzer Image Preparation User's Guideat http://docs.trendmicro.com/en-us/enterprise/virtual-analyzer-image-preparation.aspx.

An Image Displays a Blue ScreenAn image displays the blue "Cannot find Operating System" screen when tested inVirtualBox.

Verify items by testing the Virtual Analyzer images in VirtualBox.

http://docs.trendmicro.com/en-us/enterprise/virtual-analyzer-image-preparation.aspx

http://docs.trendmicro.com/en-us/enterprise/virtual-analyzer-image-preparation.aspx


8-16

Procedure

1. In Oracle VM VirtualBox Manager, click the imported custom Virtual Analyzerimage in the left panel.

2. Click the Settings and select System.

Figure 8-9. Motherboard

3. On the Motherboard tab, verify that the following are selected:

• Chipset: ICH9

• Enable IO APIC

4. On the Processor tab, verify that the PAE/NX is enabled.

Troubleshoot

8-17

Figure 8-10. Processor

5. On the Acceleration tab, verify that the TV-x/AMD-V is enabled.


8-18

Figure 8-11. Acceleration

Troubleshoot

8-19

Cannot Connect to Network Services

You can use the Network Services Diagnostics screen to test the networkconnections for the internal Virtual Analyzer and other network services.

Figure 8-12. Network Services Diagnostics

Procedure

1. Go to https://<appliance IP address>/html/troubleshooting.htmand click Network Services Diagnostics.

2. Select one or more enabled services and click Test.

Wait for the connection test to complete. The time required depends on thenetwork environment and the number of services selected. View the connectiontest result in the Result column.

Diagnostics

For any issue not mentioned, run diagnostics and provide a test result and debug log toyour Trend Micro TippingPoint ATP for Networks support provider.


8-20

Procedure

1. To run diagnostics, open the Preconfiguration Console and do the following:

a. Select 4) System Tasks, and press ENTER.

a. Follow the instructions in Performing a Diagnostic Test in the TippingPointAdvanced Threat Protection for Networks Installation and Deployment Guide.

2. To obtain the debug log:

a. Go to https://<appliance IP address>/html/troubleshooting.htm.

b. In the left panel, click Debug Logs.

c. In Debug Log Settings, set the debug level to Debug for the relatedmodule.

Important

To avoid performance loss, only set the debug level to Debug for requiredmodules. Contact your support provider for advice on how to set the level todebug and obtain the debug report.

d. Click Save.

e. If possible, reproduce the issue.

f. Select one or more debug logs to export.

• Select Export debug log to export the debug log.

• Select Export advanced debug log to export all the advanced debuglogs.

• Select one or more dated debug logs under Export advanced debuglog to export the advanced debug log for that date.

g. Click Export.

Troubleshoot

8-21

ImportantTo conserve system resources, only perform one export at a time.

h. In Debug Log Settings, click Reset to default log settings.

i. In Debug Log Maintenance, click Purge Debug Logs.

9-1

Chapter 9

Technical SupportLearn about the following topics:

• Troubleshooting Resources on page 9-2

• Contacting Trend Micro TippingPoint Support on page 9-3

• Sending Suspicious Content to Trend Micro on page 9-4

• Other Resources on page 9-5


9-2

Troubleshooting ResourcesBefore contacting technical support, consider visiting the following Trend Micro onlineresources.

Using the Support PortalThe Trend Micro Support Portal is a 24x7 online resource that contains the most up-to-date information about both common and unusual problems.

Procedure

1. Go to http://esupport.trendmicro.com.

2. Select from the available products or click the appropriate button to search forsolutions.

3. Use the Search Support box to search for available solutions.

4. If no solution is found, click Contact Support and select the type of supportneeded.

Tip

To submit a support case online, visit the following URL:

http://esupport.trendmicro.com/srf/SRFMain.aspx

A Trend Micro support engineer investigates the case and responds in 24 hours orless.

Threat EncyclopediaMost malware today consists of blended threats, which combine two or moretechnologies, to bypass computer security protocols. Trend Micro combats this complexmalware with products that create a custom defense strategy. The Threat Encyclopedia


http://esupport.trendmicro.com/srf/SRFMain.aspx

Technical Support

9-3

provides a comprehensive list of names and symptoms for various blended threats,including known malware, spam, malicious URLs, and known vulnerabilities.

Go to http://about-threats.trendmicro.com/us/threatencyclopedia#malware to learnmore about:

• Malware and malicious mobile code currently active or "in the wild"

• Correlated threat information pages to form a complete web attack story

• Internet threat advisories about targeted attacks and security threats

• Web attack and online trend information

• Weekly malware reports

Contacting Trend Micro TippingPoint SupportContact the TippingPoint Technical Assistance Center (TAC) by using any of thefollowing options.

Phone • North America: +1 866 681 8324

• International: +1 512 681 8324

For online support and additional international toll-free numbers,visit https://tmc.tippingpoint.com

Email address [email protected]

• Visit us online at:

http://www.trendmicro.com/tippingpoint

• Trend Micro product documentation:


http://about-threats.trendmicro.com/us/threatencyclopedia#malware

https://tmc.tippingpoint.com

mailto:[email protected]

http://www.trendmicro.com/tippingpoint



9-4

Sending Suspicious Content to Trend MicroSeveral options are available for sending suspicious content to Trend Micro for furtheranalysis.

Email Reputation Services

Query the reputation of a specific IP address and nominate a message transfer agent forinclusion in the global approved list:

https://ers.trendmicro.com/

Refer to the following Knowledge Base entry to send message samples to Trend Micro:

http://esupport.trendmicro.com/solution/en-US/1112106.aspx

File Reputation Services

Gather system information and submit suspicious file content to Trend Micro:

http://esupport.trendmicro.com/solution/en-us/1059565.aspx

Record the case number for tracking purposes.

Web Reputation Services

Query the safety rating and content type of a URL suspected of being a phishing site, orother so-called "disease vector" (the intentional source of Internet threats such asspyware and malware):

http://global.sitesafety.trendmicro.com/

If the assigned rating is incorrect, send a re-classification request to Trend Micro.

https://ers.trendmicro.com/

http://esupport.trendmicro.com/solution/en-US/1112106.aspx

http://esupport.trendmicro.com/solution/en-us/1059565.aspx

http://global.sitesafety.trendmicro.com/

Technical Support

9-5

Other ResourcesIn addition to solutions and support, there are many other helpful resources availableonline to stay up to date, learn about innovations, and be aware of the latest securitytrends.

Download CenterFrom time to time, Trend Micro may release a patch for a reported known issue or anupgrade that applies to a specific product or service. To find out whether any patchesare available, go to:

http://www.trendmicro.com/download/

If a patch has not been applied (patches are dated), open the Readme file to determinewhether it is relevant to your environment. The Readme file also contains installationinstructions.

Documentation FeedbackTrend Micro always seeks to improve its documentation. If you have questions,comments, or suggestions about this or any Trend Micro document, please go to thefollowing site:


http://www.trendmicro.com/download/


AppendicesAppendices

A-1

Appendix A

Get StartedLearn about the TippingPoint Advanced Threat Protection for Networks managementconsole and basic appliance settings in the following topics:

• Management Console on page A-2

• Get Started Tasks on page A-9


A-2

Management ConsoleTippingPoint Advanced Threat Protection for Networks provides a built-in onlinemanagement console for viewing system status, configuring and viewing threatdetections and logs, running reports, administering TippingPoint Advanced ThreatProtection for Networks, updating components, and obtaining help.

Figure A-1. TippingPoint Advanced Threat Protection for Networks ManagementConsole

The management console includes the following user interface elements:

# UI Element Description

1. Account name and basicuser account operations

Basic user account operations are located under theaccount name in the upper right corner of themanagement console screen and include thefollowing:

• Change Password

• Log Off

2. Appliance information ata glance

Appliance information at a glance includes thefollowing:

• Time zone

• Appliance FQDN or IP address

• Network traffic

Get Started

A-3

# UI Element Description

3. Main screen tabs The management console includes the followingtabs:

• Dashboard

• Detections

• Reports

• Administration

• Help

Management Console RequirementsThe TippingPoint Advanced Threat Protection for Networks management consolesupports the following web browsers:

• Google™ Chrome™

• Mozilla™ Firefox™

• Microsoft™ Internet Explorer™ 11.0

• Microsoft™ Edge

Recommended resolution: 1280x800 or higher

Opening the Management Console

Procedure

1. From a network workstation, open a supported browser.

2. Set the Internet security level to Medium and enable ActiveX Binary and ScriptBehaviors to make sure that tool tips and reports appear.

3. Type the management console IP address:

• If using the default TippingPoint Advanced Threat Protection for NetworksIP address, type the following:


A-4

https://192.168.252.1/index.html

NoteThe URL is case sensitive.

• If using a unique IP address, type that IP address.

4. Type the default user name:

admin

5. Type the default password:

admin

6. Click Log on.

ImportantAfter changing the TippingPoint Advanced Threat Protection for Networks applianceIP address, update browser bookmarks to reflect the new IP address.

7. Change the default password.

See Management Console Account Passwords on page A-4.

8. Set system time.

See Configuring Time Options on page A-7.

9. Activate TippingPoint Advanced Threat Protection for Networks.

See Activating or Renewing a Product License on page A-8.

Management Console Account PasswordsTippingPoint Advanced Threat Protection for Networks grants access to themanagement console by user accounts. The built-in administrator account can create amaximum of 127 accounts. To access the management console, each user accountrequires a logon password.

Get Started

A-5

The management console accepts passwords that contain the following:

• 6 to 32 characters

• Characters from at least three of the following categories:

• Uppercase (A-Z)

• Lowercase (a-z)

• Numeric (0-9)

• Special characters: ` ~ ! @ # $ % ^ & * ( ) - _ + = [ ] { } \ | < > , . / ? : ; ' "

Observe the following guidelines for creating a strong password:

• Avoid words found in the dictionary

• Intentionally misspell words

• Use phrases or combine words

• Use both uppercase and lowercase letters

Changing an Administrator Account Password

The default management console password for the system administrator account isadmin.

TipFor added security, change the TippingPoint Advanced Threat Protection for Networkspassword periodically.

TipAn administrator password can also be reset on the Accounts screen.

Procedure

1. On any TippingPoint Advanced Threat Protection for Networks main screen, atthe top-right corner, open the drop-down menu under your account name.


A-6

2. Click Change Password.

3. Type the old password.

4. Type the new password and confirm it.

5. Click Save.

TippingPoint Advanced Threat Protection for Networks automatically logs off.

6. Log on to TippingPoint Advanced Threat Protection for Networks with the newpassword.

Changing a Viewer Account PasswordTippingPoint Advanced Threat Protection for Networks generates a defaultmanagement console password when a new viewer account is created.

The new user must obtain this default password from the administrator and change theaccount password after logging on for the first time.

TipFor added security, change the TippingPoint Advanced Threat Protection for Networkspassword periodically.

Procedure

1. On any TippingPoint Advanced Threat Protection for Networks main screen, atthe top-right corner, open the drop-down menu under your account name.

Get Started

A-7

2. Click Change Password.

3. Type the old password.

4. Type the new password and confirm it.

5. Click Save.

TippingPoint Advanced Threat Protection for Networks automatically logs off.

6. Log on to TippingPoint Advanced Threat Protection for Networks with the newpassword.

Configuring Time Options

Procedure

1. Go to Administration > System Settings > Time.

2. Under System Time Settings, select one of the following:

• Synchronize appliance time with a Network Time Protocol (NTP)server:

a. Specify the NTP server address.

b. Click Synchronize Now.

• Set the system time manually:

a. Click the calendar icon or type the month, day, and year using themm/dd/yyyy format.

b. Select the hour, minute, and second.

3. Using the Time Zone drop-down menu, select the time zone.

4. Click Save.


A-8

Activating or Renewing a Product License

Procedure

1. Go to Administration > License.

2. Under License Information, click New Activation Code.

The New Activation Code screen displays.

3. Type the new Activation Code and click Save.

The Trend Micro License Agreement displays.

4. Read the license agreement and click Agree.

After TippingPoint Advanced Threat Protection for Networks is activated, theSetup Guide is displayed.

5. Follow the steps in the Setup Guide.

6. On the License screen, click Update Information to refresh the screen.

The new license details are displayed.

7. (Optional) Detailed license information is also available on the Customer LicensingPortal website. To view, click View license details online.

8. (Optional) To view the Trend Micro Terms of Sale and Software LicenseAgreement for the family of products, go to https://<appliance IPaddress>/html/eula.htm.

Note

TippingPoint Advanced Threat Protection for Networks may contain or be deliveredwith one or more third-party components, some of which may be open sourcesoftware or other similar license agreements and be subject to different licenseagreement terms, conditions, limitations, and disclaimers than those set forth in theTrend Micro License Agreement. For details, go to Help > About.

Get Started

A-9

Get Started TasksCustomize threat detection by configuring the following settings.

For information on the settings you need to configure, refer to the help topics for eachstep below.

Procedure

1. Add Network Groups.

For details, see Adding Network Groups on page A-9.

2. Configure Registered Domains.

For details, see Adding Registered Domains on page A-11.

3. Configure Registered Services.

For details, see Adding Registered Services on page A-12.

4. (Optional) Configure Proxy Settings .

For details, see Configuring a Proxy Server on page A-14.

5. Update components.

For details, see Performing Manual Updates on page A-15.

Adding Network GroupsTo allow TippingPoint Advanced Threat Protection for Networks to determine whetherattacks originate from within or outside the network, use IP addresses to establishgroups of monitored networks.

Procedure

1. Go to Administration > Network Groups and Assets > Network Groups.


A-10

2. Click Add.

The Network Groups window appears.

3. Type a group name.

Note

Provide specific groups with descriptive names for easy identification of the networkto which the IP address belongs. For example: "Finance network", "IT network", or"Administration".

4. Type an IP address range in the text box (up to 1,000 IP address ranges).

Note

The IP address range cannot contain a Class D or Class E address (224.0.0.0 -255.255.255.255)

TippingPoint Advanced Threat Protection for Networks provides a defaultnetwork group containing the following IP address blocks reserved by the InternetAssigned Numbers Authority (IANA) for private networks:

• IPv4: 10.0.0.0 - 10.255.255.255

• IPv4: 172.16.0.0 - 172.31.255.255

• IPv4: 192.168.0.0 - 192.168.255.255

• IPv6: fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff

• IPv6: fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

• IPv6: fec0::-feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Tip

Create a new network group by editing the Default network group.

a. Click Default to edit and add a new network group.

Get Started

A-11

b. Use a dash to specify an IP address range.

The Network Groups window supports IPv4 and IPv6:

• IPv4 example: 192.168.1.0-192.168.1.255

• IPv6 example: 2620:1005::123-2620:1005::460

c. Use a slash to specify the subnet mask/prefix for IP addresses.

• IPv4 subnet mask example: 192.168.1.0/255.255.255.0 or192.168.1.0/24

• IPv6 subnet prefix example: fd00:1:1111:200::1000/116

NoteAdd up to three layers of sub-groups.

5. Select the Network zone.

NoteTrusted indicates a secure network and Untrusted indicates a degree of doubt aboutthe security of the network.

6. Click Add.

7. Click Save.

Adding Registered DomainsAdd domains used by companies for internal purposes or those considered trustworthy.Identifying trusted domains ensures detection of unauthorized domains.

Add only trusted domains (up to 1,000 domains) to ensure the accuracy of your networkprofile.

TippingPoint Advanced Threat Protection for Networks supports suffix-matching forregistered domains. For example, adding domain.com adds one.domain.com,two.domain.com.


A-12

Procedure

1. Go to Administration > Network Groups and Assets > Registered Domains.

2. Specify a domain name to be registered.

NoteRegistered domain names appear in the Defined Registered Domains section.

3. (Optional) Click Analyze to display a list of domains that can be added to the list.

4. Click Add.

Adding Registered ServicesAdd dedicated servers for specific services that your organization uses internally orconsiders trustworthy. Identifying trusted services in the network ensures detection ofunauthorized applications and services.

Add only trusted services to ensure the accuracy of your network profile.

NoteAdd up to 1,000 services. More than one server may be dedicated to each service.

Procedure

1. Go to Administration > Network Groups and Assets > Registered Services.

2. Select a service from the drop-down list.

Get Started

A-13

Table A-1. Service Types

Service Network Server Description

Active Directory Provides directory services and stores user accounts andpasswords

Configure the same server as the Domain Controller.

AuthenticationServers -Kerberos

Provides Kerberos authentication

ContentManagementServer

Manages content

DatabaseServer

Used as a database server

DNS Used as a DNS server

DomainController

Responds to security authentication requests and allows hostaccess to domain resources

Configure the same server as the Active Directory.

File Server Provides a location for shared file access

FTP Used as an FTP server

HTTP Proxy Used as an HTTP Proxy server

Radius Server Used as the Radius authentication server

Security AuditServer

Detects vulnerabilities and insecure configurations

SMTP Used as an SMTP server

SMTP OpenRelay

Used as an SMTP Open Relay server


A-14

Service Network Server Description

SoftwareUpdate Server

Used for the following:

• Responsible for Windows Server Update Services (WSUS)

• Performs remote deployment

Web Server Used as a web server

3. (Optional) Click Analyze to display a list of detected services and domains on yournetwork.

4. Specify a server name.

5. Specify an IP address.

Note

The Add Registered Services screen supports IPv4 and IPv6.

IP address ranges cannot be specified.

6. Click Add.

Configuring a Proxy Server

Procedure

1. Go to Administration > System Settings > Proxy.

2. Select Use a proxy server for pattern, engine, and license updates.

3. Select HTTP, SOCKS4, or SOCKS5 for the Proxy Protocol.

4. Specify the Host name or IP address and the Port number.

5. If the proxy server requires authentication, specify a User Name and Passwordunder Proxy Server Authentication.

6. Click Test Connection to verify connection settings.

Get Started

A-15

7. Click Save if the connection was successful.

Performing Manual Updates

Procedure

1. Go to Administration > Updates > Component Updates > Manual.

2. TippingPoint Advanced Threat Protection for Networks automatically checkswhich components need updating.

Any components that need updating appear in red.

3. Click the Update button.

The TippingPoint Advanced Threat Protection for Networks components update.When the update completes, the following confirmation message appears:

All components are up-to-date.

IN-1

IndexDdocumentation feedback, 9-5

Pports, 2-17

Documents

Copyright © 2017. Trend Micro Incorporated. All rights ... · targeted attack detection TippingPoint ATP for Networks detection engines deliver expanded APT and targeted attack detection