Details the minimum and recommended specifications for the Windows-based Manager/Central Manager application.
Details the specifications for the Linux-based Manager/Central Manager application and VMware ESX server.
Details the minimum and recommended system requirements for the Manager client on Windows and Mac operating systems.
Details the fields for naming the sensor, setting a shared secret, and selecting device type and deployment mode.
Guides through logging into the Sensor CLI, setting password, name, gateway, and manager IP.
Covers rebooting the sensor, pinging the manager, and setting the shared secret key for trust.
Checks 'System Initialized' and 'Trust Established' in Sensor CLI status report for successful setup.
Verifies Manager status is 'Up' and Sensor status is 'Active' on the Manager Dashboard.
Instructions on viewing alert statistics and summaries in the Manager's Attack Log and Dashboard.
Addresses common deployment problems stemming from configuration mismatches and network synchronization.
This document serves as a quick start guide for the Trellix Intrusion Prevention System NS3100 and NS3200 Sensors, designed for inline mode operation with a throughput of 750 Mbps. It outlines the necessary steps for setting up and activating these sensors, along with system requirements for the Manager software.
The Trellix NS3100/NS3200 Sensor is a network security appliance that functions as an Intrusion Prevention System (IPS). Its primary role is to monitor network traffic in inline mode, detect malicious activities, and prevent intrusions. By being deployed inline, the sensor can actively block threats as they occur, providing real-time protection for the network. The system is designed to integrate with a Manager or Central Manager application, which provides centralized control, configuration, and monitoring capabilities.
The sensor's front panel provides several key connection points for its operation. A Console port is available for direct command-line interface (CLI) access, which is crucial for initial configuration and troubleshooting. This direct connection ensures that the sensor can be set up even before network connectivity is fully established. The RJ-45 10/100/1000 Management port (MGMT) is used to connect the sensor to the network device that communicates with the Manager server. This port facilitates remote management and configuration once the sensor is operational. An RJ-45 10/100/1000 Response port (R1) is also present, likely for specific response actions or integration with other security tools. Additionally, USB ports are included, which may be used for firmware updates, configuration backups, or connecting peripheral devices. The most critical ports for the sensor's core function are the RJ-45 10/100/1000 Mbps Ethernet Monitoring ports (8). These eight ports are used to connect the sensor to the network segments it is designed to monitor and protect. When operating in inline mode, these ports are typically used in pairs to intercept and inspect traffic flowing between network devices, such as a switch and a router.
The setup process involves several steps to ensure proper functionality. First, the contents of the shipping crate should be verified, including the sensor itself, power cords (both standard and international), and the printed quick start guide. Before proceeding with installation, it is essential to review the hardware and software requirements for the Manager application, which can run on either Windows or Linux server systems. The Manager software has specific requirements for the operating system, memory, CPU, and disk space, with recommended specifications for larger deployments supporting more alerts. For Windows-based Managers, various editions of Windows Server (2016, 2019, 2022) are supported, with Windows Server 2022 Datacenter Edition being recommended. Only x64 architecture is supported. Memory requirements range from 16 GB (minimum) to 32 GB or more (recommended), supporting up to 10 million and 20 million alerts in Solr, respectively. Disk space requirements are 300 GB (minimum) to 500 GB or more (recommended). For Linux-based Managers, specific MLOS versions, logical CPU cores, memory, disk space, and NIC configurations are outlined. VMware ESX server requirements are also provided for both Windows and Linux operating systems, specifying supported ESXi versions and the importance of hyperthreading.
Client system requirements for accessing the Manager are also detailed, covering Windows 10 and Mac operating systems. For Windows 10 clients, minimum requirements include Windows 10 (English or Japanese), 8 GB memory, a 1.5 GHz processor, and a 1440 x 900 display setting. Recommended specifications include Windows 10 version 1903 (English or Japanese), 16 GB memory, a 2.4 GHz or faster processor, and a 1920 x 1080 or above display. Supported browsers include Microsoft Edge, Mozilla Firefox, and Google Chrome, with specific versions recommended. For Mac clients, Ventura is supported with Safari 16 or later. It is important to note that the display language of the Manager client must match that of the Manager server operating system. To avoid certificate errors, the Manager web certificate should be added to the trusted certificate list on the client.
Once the prerequisites are met, the physical installation of the sensor begins. The mounting ears are pre-attached, simplifying the process of installing the sensor into a rack. Connecting the Management and Console ports is the next critical step. A Category 5e Ethernet cable is plugged into the Management port on the sensor's front panel, with the other end connected to the network device communicating with the Manager server. For initial configuration, a DB9 Console cable is plugged into the Console port on the sensor, and the other end is connected directly to a COM port on a PC or terminal server running appropriate software (e.g., Windows Hyperterminal). Direct console access is mandatory for initial setup, as remote configuration is not possible at this stage. The required Hyperterminal settings include a baud rate of 115200, 8 data bits, 1 stop bit, and no parity or flow control.
Connecting the monitoring ports is essential for the sensor's inline operation. Cables appropriate for the transceiver modules are plugged into the monitoring ports, typically in pairs (e.g., port 1 and port 2). The other ends of these cables are then connected to the network devices that traffic will be monitored between, such as a router and a switch. This setup allows the sensor to intercept and inspect all traffic passing through these segments.
The installation of the Manager software follows, requiring administrator privileges on the target Windows or Linux server. MariaDB is included and automatically installed with the Manager. The process involves downloading the Manager installation files from the Trellix Download Server using a grant number and registered email address. After installation, the sensor needs to be added to the Manager. This involves logging into the Manager, navigating to the Device Manager, and adding a new device. Mandatory information such as the sensor name (1-25 characters, starting with a letter) and a shared secret (8-25 characters, case-sensitive, alphanumeric and symbols, no exclamation mark at the start or spaces) must be entered. The device type should be set to "IPS Sensor," and the deployment mode can be "Direct" (default, enabling online sensor updates) or "Indirect." Optional contact information, location, and comments can also be added. The shared secret entered here must precisely match the one configured on the sensor itself to establish a trust relationship.
Configuring the sensor information involves logging into the sensor via the Console port using the default username (admin) and password (admin123). It is recommended to change the default password immediately. The sensor's name, default gateway IP address (if not on the same network as the Manager), Manager server IP address, and the sensor's own IP address and subnet mask are then configured using CLI commands. After these settings, the sensor may require a reboot. A ping test to the Manager IP address is recommended to verify network connectivity. Finally, the shared secret key value is set on the sensor, which must match the one entered in the Manager. The show command can be used to verify all configuration information before exiting the session.
Verification of successful installation is crucial. After configuration, typing status in the sensor CLI displays a status report. Key parameters to check are "System Initialized" and "Trust Established," both of which should be "yes." The Manager Dashboard also provides a "System Faults" monitor where the Manager status should be "Up" and the sensor status "Active."
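The device-add constraints and the status check described above can be turned into a small commissioning check. This is an added example, not Trellix code: the function names, the printable-ASCII reading of "alphanumeric and symbols", the default-password hygiene check, and the "label : value" layout of the status sample are all assumptions.

```python
import hmac

DEFAULT_CLI_PASSWORD = "admin123"  # default sensor password quoted in this guide
REQUIRED_STATUS = ("System Initialized", "Trust Established")

# Constructed sample; the "label : value" layout is an assumption, not captured output.
SAMPLE_STATUS = "System Initialized : yes\nTrust Established : no\n"


def preflight(name, manager_secret, sensor_secret):
    """Return the problems that would keep Manager and sensor from trusting each other."""
    problems = []
    if not (1 <= len(name) <= 25 and name[0].isalpha()):
        problems.append("name: must be 1-25 characters and start with a letter")
    # Assumption: "alphanumeric and symbols" means printable ASCII without spaces.
    printable = all(0x21 <= ord(ch) <= 0x7E for ch in manager_secret)
    if not (8 <= len(manager_secret) <= 25 and printable) or manager_secret.startswith("!"):
        problems.append("secret: must be 8-25 characters, no spaces, no leading '!'")
    if manager_secret == DEFAULT_CLI_PASSWORD:
        # Extra hygiene check added here, not a product rule.
        problems.append("secret: reuses the default CLI password")
    if not hmac.compare_digest(manager_secret.encode(), sensor_secret.encode()):
        if manager_secret.lower() == sensor_secret.lower():
            problems.append("mismatch: values differ only by case")
        elif manager_secret.strip() == sensor_secret.strip():
            problems.append("mismatch: stray leading or trailing whitespace")
        else:
            problems.append("mismatch: Manager and sensor values differ")
    return problems


def check_status(report):
    """Map each required status field to True only if the report shows 'yes' for it."""
    seen = {}
    for line in report.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip() in REQUIRED_STATUS:
            seen[label.strip()] = value.strip().lower() == "yes"
    # A field that never appears counts as a failure rather than being skipped.
    return {field: seen.get(field, False) for field in REQUIRED_STATUS}


if __name__ == "__main__":
    print(preflight("ns3100-dmz", "Tr3llis#Edge9", "tr3llis#edge9"))
    print(check_status(SAMPLE_STATUS))
```

Run `preflight` on the values before typing them into the Manager and the sensor CLI, and feed `check_status` the text captured from the console session after setup.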
The Manager interface allows for detailed monitoring and configuration of the sensor's physical ports. By navigating to Devices |
Upon adding the sensor, a "Default Prevention" policy is automatically active. This policy contains pre-configured attacks with "blocking" sensor response actions, meaning the sensor will automatically block detected attacks. Users can view this policy under Policy |
For ongoing usage and troubleshooting, the Trellix Intrusion Prevention System Product Guide is a comprehensive resource. The Manager also provides a help icon for context-sensitive assistance. Attack statistics and alerts can be viewed in the Attack Log under Analysis |
Troubleshooting common deployment problems often involves checking for configuration mismatches between the sensor and connected network devices, particularly duplex and auto-negotiation settings, to ensure they are synchronized. If further assistance is needed, Technical Support can be contacted via the Trellix support portal.
The Trellix Intrusion Prevention System NS3100/NS3200 Sensor, combined with its Manager application, provides a robust solution for network intrusion prevention, offering real-time threat blocking and comprehensive management capabilities.
| Product Type | Power Supply |
|---|---|
| Input Voltage | 100-240VAC |
| Input Frequency | 50-60Hz |
| Output Voltage | +12VDC, +5VDC, +3.3VDC, -12VDC, +5Vsb |
| Operating Temperature | 0°C to 50°C (32°F to 122°F) |
| Storage Temperature | -20°C to 70°C (-4°F to 158°F) |
| Protections | Over Voltage Protection (OVP), Over Current Protection (OCP), Short Circuit Protection (SCP), Over Power Protection (OPP) |
| Certifications | UL, CE, FCC, RoHS |