
2023-09-18--TP Cert Pro 1.0.pdf




Trend Micro™ TippingPoint® Certified Professional Training 1.0
Product Cloud Lab Guide

Copyright © 2023 Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, InterScan, VirusWall, ScanMail, ServerProtect, and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. Portions of this manual have been reprinted with permission from other Trend Micro documents. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Information in this document is subject to change without notice. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated.

Released: July 20, 2023
TippingPoint vSMS 6.0.0, vTPS 6.0.0
Courseware v1 - 3 Day

Trend Micro TippingPoint Solutions Training for Certified Professionals - Lab Guide

Table of Contents

Lab 1: Navigate Links (p. 1)
  Exercise 1: Research the following Trend Micro Links (p. 1)
Lab 2: Accessing the Lab Environment (p. 3)
  Network Settings (p. 3)
    ESX Hosted Environment (p. 3)
    Management Network Information (p. 4)
    mRemoteNG (p. 4)
    Utility Server Overview (p. 4)
    Attacker Server Overview (p. 4)
    Victim Server Overview (p. 4)
    Syslogs (p. 5)
  Network Diagram (p. 6)
  Exercise 1: Access the Product Cloud Portal (p. 7)
Lab 3: Device Setup and Configuration (p. 11)
  Exercise 1: Inspection Device Setup (p. 11)
Lab 4: SMS Management (p. 13)
  Exercise 1: Authentication and Authorization Configuration (p. 13)
  Exercise 2: Verify Inspection Devices Health (p. 15)
  Exercise 3: Role, Group, and User Creation on vTPS (p. 16)
  Exercise 4: Update DV on SMS and Inspection Devices (p. 17)
  Exercise 5: Create a Basic Profile (p. 18)
  Exercise 6: Event Generation (p. 19)
  Exercise 7: Create a Perim, Core, and DMZ Segment Group (p. 19)
  Exercise 8: Device Snapshot and SMS Backups (p. 20)
  Exercise 9: SMS Notifications (p. 20)
Lab 5: Device Management and Network Configuration (p. 21)
  Exercise 1: Network Configuration (p. 21)
  Exercise 2: Verify and View Events Attacks (p. 22)
  Exercise 3: Edit All Devices (p. 23)
Lab 6: Security Profile Management (p. 25)
  Exercise 1: Digital Vaccine (p. 25)
  Exercise 2: Auxiliary DVs (p. 25)
  Exercise 3: Modify a Profile & Distribute to All Segments (p. 26)
  Exercise 4: Set up an Inspection Path Traffic Capture and Generate Test Traffic (p. 28)
  Exercise 5: Review the SMS Event Viewer (p. 28)
  Exercise 6: Create Multiple Profiles (p. 29)
  Exercise 7: Test L2FB Behavior (p. 31)
Lab 7: Traffic Management Filters (p. 35)
  Exercise 1: Testing Traffic Management Block at the Perimeter (p. 35)
  Exercise 2: Create Traffic Management Filters (p. 36)
  Exercise 3: Limiting Access to a Website in the Core and DMZ (p. 37)
  Exercise 4: Lab Cleanup (p. 39)
Lab 8: Quarantine (p. 41)
  Exercise 1: Setup Tasks (p. 41)
  Exercise 2: Create the Action Sets (p. 41)
  Exercise 3: Quarantine with Immediate Blocking (p. 42)
  Exercise 4: Modifying Policy using Thresholds (p. 43)
Lab 9: SMS Events and Reports (p. 45)
  Exercise 1: SMS Event Viewer Search (p. 45)
  Exercise 2: SMS Event Viewer Search (p. 46)
  Exercise 3: Create Custom Event Views and Queries (p. 46)
  Exercise 4: Modify Filters from Events (p. 47)
  Exercise 5: SMS Reports (Saved Reports) (p. 48)
  Exercise 6: Executive Reports (p. 49)
  Exercise 7: Researching Using Threat Insights (p. 50)
  Exercise 8: Create Additional Reports and Review via Threat Insights (p. 51)
Lab 10: SMS Dashboard (p. 53)
  Exercise 1: Modify the Dashboard to Monitor the Perimeter Network (p. 53)
  Exercise 2: Modify the Dashboard to Monitor the Core Network (p. 54)
  Exercise 3: Modify the Dashboard to Monitor the DMZ Network (p. 55)
  Exercise 4: Modify the Dashboard to Monitor Various Options (p. 55)
  Exercise 5: Generate Traffic to Test (p. 56)
  Exercise 6: Access SMS Web Dashboard and Create a Widget (p. 56)
Lab 11: Maintenance and Performance (p. 57)
  Exercise 1: Review Inspection Events (p. 57)
Lab 12: Best Practices (p. 59)
  Exercise 1: Research TPS Best Practices (p. 59)
  Exercise 2: End of Course Survey (Please complete) (p. 59)

© 2023 Trend Micro Inc. Education

Lab 1: Navigate Links

In this lab, students will become familiarized with Trend Micro resources.
Estimated time to complete this lab: 15 Minutes

LAB OBJECTIVES
  Search Trend Micro documentation links for common questions

Exercise 1: Research the following Trend Micro Links

1 https://docs.trendmicro.com/en-us/home.aspx
  Navigate to TippingPoint > Security Management System
  Click the latest Security Management System link
  View the Release Notes
2 https://success.trendmicro.com
  Under Product Support, click TippingPoint IPS/TPS
  What is the latest Article posted? ____________________________________________________
3 https://tmc.tippingpoint.com/TMC
  Select My Account > License Manager
  Do you see any devices listed? _______________________________________________________
4 https://threatlinq.tippingpoint.com
  Click Digital Vaccine > DV Releases
  In the New Filters column, select a filter and review its Description
5 https://education.trendmicro.com/learn
  Search "tippingpoint"

Lab 2: Accessing the Lab Environment

This section introduces students to the lab environment that will be used to complete the hands-on exercises in the TippingPoint training course.
The classroom lab environment is delivered as a virtual application through the Trend Micro Product Cloud and will be accessed from a Web browser on your computer. Google Chrome is the preferred browser for the environment, though other browsers may work if the appropriate plug-ins are enabled and working properly.
Estimated time to complete this lab: 30 Minutes

LAB OBJECTIVES
  Familiarize yourself with the various devices in the lab environment
  Access the Product Cloud Portal
  Review and access the devices in the lab environment

Network Settings

ESX Hosted Environment

The details and login credentials for each virtual machine in the classroom environment are listed here.

VM Name                 | Hostname / IP                  | Login
Victim (Core)           | Lab IP: 10.10.11.100/20        | User: root, Password: Trend11++
                        | Mgmt IP: 192.168.2.111/20      |
Victim (DMZ)            | Lab IP: 10.10.12.100/20        | User: root, Password: Trend11++
                        | Mgmt IP: 192.168.2.112/20      |
Utility (labDNS/Syslog) | Mgmt IP: 192.168.2.113/20      | User: student01, Password: Trend11++
Attacker                | Lab IP: 172.16.216.116/24      | User: root, Password: Trend11++
                        | Mgmt IP: 192.168.2.116/20      |
vTPS-Core               | IP: 192.168.2.211/20           | User: SuperMan, Password: Trend11++
vTPS-DMZ                | IP: 192.168.2.212/20           | User: SuperMan, Password: Trend11++
vTPS-Perim              | IP: 192.168.2.213/20           | User: SuperMan, Password: Trend11++
ESX Host                | IP: 192.168.3.201/20           | User: labuser, Password: Trend11++
vSMS Appliance          | IP: 192.168.3.202/20           | User: SuperMan, Password: Trend11++
Windows (RDP)           | IP: 192.168.3.200/20           | User: Administrator, Password: Trend11++

vTPS/SMS Syslog Messages: http://192.168.2.113/logs/

Management Network Information

Domain: training.local
Net: 192.168.0.0/20
Mask: 255.255.240.0
Gateway: 192.168.0.1
DNS/NTP: 192.168.2.113
Secondary DNS/NTP: AMER 10.45.79.251, EMEA 10.34.47.251, APJ 10.28.87.251

mRemoteNG

mRemoteNG allows you to view all of your remote connections in a simple yet powerful tabbed interface. It supports several protocols, including SSH (Secure Shell); we will be using mRemoteNG with SSH for this class. mRemoteNG is open source software and is released under the terms of the GNU General Public License Version 2.

Utility Server Overview

The Utility server is a Linux server used to replay traffic and attacks through segments of the inspection device. Access to the Utility Server is through mRemoteNG, located in the task bar. The server is also used as a Utility server in several labs and will be referred to as such. Refer to the IP assignment sheet above as needed.

Attacker Server Overview

The Attacker Server is used for generating SYN floods, port scans and pings for the ADDoS, Scan/Sweep and SMS Responder labs. Access to the Attacker is through mRemoteNG, located in the task bar.

Victim Server Overview

The Victim Servers are used in various exercises, including the Quarantine, SMS Responder, Port Scan Filter, and ADDoS labs. You should see the victim web page at http://. There is a Victim Core and a Victim DMZ. Access to these devices is through mRemoteNG, located in the task bar.

Syslogs

The lab environment has a syslog server: the Windows RDP host has a syslog server configured. This syslog is configured and managed by clicking on the icon with the guy in sunglasses, which opens the Syslog Watcher application.
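The OBE wizard later in this guide warns that the management mask is not the default /24. As an added check that is not part of the lab guide, the script below takes the management IPs from the table above and shows what each host would believe about the gateway 192.168.0.1 and about the other hosts under the correct /20 versus a mistaken /24 (the /24 case is a constructed mis-configuration, not something the lab asks you to do):

```python
import ipaddress

# Management-network parameters as given in the lab guide.
MGMT_NET = ipaddress.ip_network("192.168.0.0/20")
MGMT_MASK = "255.255.240.0"
GATEWAY = ipaddress.ip_address("192.168.0.1")
DNS_NTP = ipaddress.ip_address("192.168.2.113")

# Management IPs copied from the ESX Hosted Environment table.
LAB_HOSTS = {
    "Victim (Core)": "192.168.2.111",
    "Victim (DMZ)": "192.168.2.112",
    "Utility": "192.168.2.113",
    "Attacker": "192.168.2.116",
    "vTPS-Core": "192.168.2.211",
    "vTPS-DMZ": "192.168.2.212",
    "vTPS-Perim": "192.168.2.213",
    "Windows (RDP)": "192.168.3.200",
    "ESX Host": "192.168.3.201",
    "vSMS Appliance": "192.168.3.202",
}


def mask_to_prefix(dotted_mask: str) -> int:
    """Convert the dotted-decimal mask the OBE wizard asks for into a prefix length."""
    return ipaddress.ip_network(f"0.0.0.0/{dotted_mask}").prefixlen


def host_view(ip: str, prefixlen: int) -> dict:
    """What a host configured as ip/prefixlen believes about the management network.

    on_mgmt_net:     the address really lies inside 192.168.0.0/20 (true for every lab host).
    gateway_on_link: the host sees 192.168.0.1 as part of its own subnet. If not, its
                     default route cannot be installed and it is cut off from every
                     address it does not consider local.
    dns_on_link:     the same question for the DNS/NTP server 192.168.2.113.
    """
    iface = ipaddress.ip_interface(f"{ip}/{prefixlen}")
    return {
        "on_mgmt_net": iface.ip in MGMT_NET,
        "gateway_on_link": GATEWAY in iface.network,
        "dns_on_link": DNS_NTP in iface.network,
    }


def same_link(ip_a: str, ip_b: str, prefixlen: int) -> bool:
    """True when both hosts, configured with this prefix length, see each other as on-link."""
    net_a = ipaddress.ip_interface(f"{ip_a}/{prefixlen}").network
    net_b = ipaddress.ip_interface(f"{ip_b}/{prefixlen}").network
    return ipaddress.ip_address(ip_b) in net_a and ipaddress.ip_address(ip_a) in net_b


def can_reach(name_a: str, name_b: str, prefixlen: int, hosts=LAB_HOSTS) -> bool:
    """Can host A talk to host B over the management network with this prefix length?

    Directly if they share a link; otherwise only through the default gateway, which
    both ends must be able to reach.
    """
    ip_a, ip_b = hosts[name_a], hosts[name_b]
    if same_link(ip_a, ip_b, prefixlen):
        return True
    return (host_view(ip_a, prefixlen)["gateway_on_link"]
            and host_view(ip_b, prefixlen)["gateway_on_link"])


def audit(prefixlen: int, hosts=LAB_HOSTS) -> list:
    """Names of lab hosts that would lose their default gateway with this prefix length."""
    return sorted(name for name, ip in hosts.items()
                  if not host_view(ip, prefixlen)["gateway_on_link"])


if __name__ == "__main__":
    correct = mask_to_prefix(MGMT_MASK)  # 20, the value the OBE step requires
    print(f"/{correct}: hosts without a usable gateway -> {audit(correct)}")
    print(f"/24: hosts without a usable gateway -> {audit(24)}")
    print("/24: vTPS-Perim can reach vSMS Appliance?",
          can_reach("vTPS-Perim", "vSMS Appliance", 24))
```

With /24 the vTPS devices on 192.168.2.x still see the Utility server but can no longer reach the vSMS on 192.168.3.202, which is exactly the symptom you would see in the SMS when a device is added with the wrong mask.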
Network Diagram

[Diagram not reproduced in this transcript. It shows the VMware ESX 6.x host with the management network 192.168.0.0/20 on vSwitch0, an Edge Router, the Core VLAN (101) 10.10.11.0/24, the DMZ VLAN (102) 10.10.12.0/24, the External Net 172.16.216.0/24 and the Perim Net on vSwitch3/vSwitch4, with vTPS-Core, vTPS-DMZ and vTPS-Perim each in Standard Mode inspecting Seg1. Host addresses and logins are those in the tables above; the diagram additionally shows an MTLS Client at Lab IP 10.10.12.101/20, Mgmt IP 192.168.2.110/20. Diagram legend: TP Training vTPS Trend Campus & Certified Professional Lab, REV 5.4.1a, vSMS 5.x; Windows 2012 R2; ESX 6.x Host (vTPS*3, Linux*5), 1/27/2021.]

Exercise 1: Access the Product Cloud Portal

In this exercise, participants will access the classroom virtual application through the email link delivered to participants by Trend Micro Product Cloud.
The lab environment is available for the duration of the training session only and will be reset automatically at the end of the final day of class. Google Chrome is the recommended browser to use for the classroom exercises.

1 In the email message that was sent to you by Trend Micro, click the link to access the lab environment.
  Note: If you did not receive the email message with the link, you may not have been correctly registered for the class. Please advise the instructor immediately.
2 The Product Cloud Training page is displayed in the browser. Expand the Training section in the left-hand pane and click Trainings.
3 Hover your mouse over the name of the class and click Enter Lab View.
4 The Lab View is presented. This view displays the virtual machines available in the vApp.
5 Hover your mouse over one of the virtual machines, and click Remote Control under the Operations column.
  Note: If the Status column displays a red icon, the virtual machine may not yet be running. In this scenario, click the Start icon. Once the Status icon is green, you can click Remote Control to access the virtual machine.
6 The selected virtual machine will be launched. It will take a moment for the VM to load and the window to be resized.
7 To maximize the virtual machine window, click the window frame on the tool bar.
8 To log into the virtual machine, click the lock on the tool bar to send a CTRL+ALT+DEL command to the virtual machine. Log in with the appropriate user name and password as indicated in the exercise steps. The connection icon on the tool bar will indicate if the network connection is adequate to run the lab environment. Green bars should be displayed.
9 You should now see your desktop environment.
Lab 3: Device Setup and Configuration

In this lab, students will configure their lab environment and deploy a TippingPoint Inspection Device.
Estimated time to complete this lab: 30 Minutes

LAB OBJECTIVES
  Perform initial Out-of-Box setup (OBE) and configuration of one inspection device

Exercise 1: Inspection Device Setup

The environment is up and running with two configured inspection devices in place. In this section of the lab you will configure a vTPS through the Out-of-Box Experience (OBE). Upon completion of this section, the vTPS-Perim will be configured and ready to inspect in a limited capacity, as it will still need to be licensed. The vTPS-Perim will be used to secure the perimeter throughout this training course.

1 Open the Chrome Browser and click the ESXi shortcut
  Click Advanced
  Click Proceed to 192.168.3.201 (unsafe)
  Username: labuser
  Password: Trend11++
  In the left navigation window, click Virtual Machines > vTPS-Perim
  Click the window to Power On the inspection device and open the console
  Note: Notify the instructor if you have any problems connecting to the ESXi server.
2 Wait for the vTPS to fully boot before proceeding.
3 Once connected to the console, click in the console window to set up the device:
  Hit Enter, then press Q to accept the EULA.
  Do you agree to the license terms? y
  Security Level: Medium
  Username: SuperMan
  Do you wish to accept [SuperMan] y
  Password: Trend11++
  Verify Password: Trend11++
  Note: These first steps only create the account. Once it is created, we need to log in to the device to begin the configuration.
4 Log in to the device with the new credentials
  Device Login: SuperMan / Trend11++
  Enter Management IPv4 Address: 192.168.2.213
  Note: The mask is not the default. Be sure to configure the proper /20 setting.
  Enter Network IPv4 Mask: 255.255.240.0
  Enable IPv6 Address Autoconfiguration: n
  Enter optional IPv6 Address: Press Enter
  Enter Host Name [device]: vTPS-Perim
  Enter optional Host Location: TM Product Cloud
  Do you require a Default Gateway: Y
  Would you like to configure a DNS server: Y
  Default Gateway: 192.168.0.1
  Primary DNS Address: 192.168.2.113
  Secondary DNS: Press Enter
  Enter the DNS Domain Name: training.local
  Would you like to modify timekeeping option: N
  Would you like to Save the Changes: s
  Note: If you need to run the wizard again, you can use the 'setup' command.
5 Close or minimize the vSphere Client once complete

Lab 4: SMS Management

In this lab, students will go through the daily tasks of managing the SMS.
Estimated time to complete this lab: 45 Minutes

LAB OBJECTIVES
  Install the SMS Client
  Manage inspection devices
  Install the License Key on the newly created inspection device
  Create Roles, Groups, and Users on the vTPS
  Update the Digital Vaccine and distribute it

Exercise 1: Authentication and Authorization Configuration

This section of the lab will have you access the SMS using the SMS client. The vTPS license activation will be completed, allowing students to update and distribute all Digital Vaccines (DV) so that all devices are running the latest release. You will also create a DV schedule.

1 Using a browser, log in to the SMS (https://192.168.3.202) or use the vSMS shortcut in the browser:
  Click Advanced
  Click to proceed when prompted
  Download and install the Java SMS client from the Threat Insights download section
2 Log in to your SMS
  Username: SuperMan
  Password: Trend11++
  On the home screen, familiarize yourself with the icons in the left column
3 Click the Help icon
4 Select Client Installation and click the Windows (64-bit) download
  Click the SMSInstall64.exe
  Select Run on the Open File - Security Warning
  Select the "I accept the agreement" radio button and click Next
  Create a desktop icon and a Quick Launch icon and click Next
  Select Run TippingPoint SMS Client and click Finish to complete the installation
  Close the browser for now
5 Log in to the new install of the SMS client with the same criteria used above:
  SMS Server: 192.168.3.202
  Click Connect
  Username: SuperMan
  Password: Trend11++
  Click Login
6 Close the SMS Dashboard
7 The Digital Vaccine pop-up may be visible, asking if you would like to update to the latest DV
  Check the box Don't show me this message again, as this will be discussed in a later lab
  Click No
8 Modify the SMS Banner
  Click Edit > Preferences > Banner Message:
  Enable Banner Message
  Title: Insert "-location- is using this vSMS"
  Click OK
  Note: You may need to resize the window to see the OK button periodically throughout the class.
9 Manage your vTPS-Perim by adding it as a New Device in your SMS:
  Navigate to Devices > All Devices > Right-click in the Devices area
  Click New Device
10 Use the vTPS-Perim credentials
  IP Address: 192.168.2.213
  Username: SuperMan
  Password: Trend11++
  Wait for the discovery window to close
  You should now see three vTPS devices being managed by the SMS
  Note: The inspection device is currently in trial mode.
11 Install the certificate for the vTPS-Perim system using the following steps:
  Right-click on the vTPS-Perim device
  Select Device Summary
  Click the Install Certificate button
  In the pop-up box select the 250 Mbps License with DV License
  Click Next, then Finish
  Once the certificate has been installed, click Close
12 The vTPS-Perim should automatically reboot. This is done to allow the license to take effect.
13 Once the device is rebooted and communicating with the SMS:
  Open mRemoteNG and start a session to vTPS-Perim:
  Click Yes on the PuTTYNG Security Alert
  Log in as SuperMan/Trend11++
  Type: show license and verify that Throughput Upgrade and String show 250/250 Mbps
  Note: The device supports a maximum of 2 Gbps and 16 CPUs.
14 Minimize mRemoteNG
15 In the SMS client:
  Navigate to Devices > All Devices
  Right-click on vTPS-Perim and select Device Summary
  Verify Speed License is 250 Mbps
  Note: Notify the instructor if you don't see 250 Mbps.

Exercise 2: Verify Inspection Devices Health

1 Navigate to Devices > All Devices
2 Verify all devices are healthy (green lights)
3 If not, right-click the device(s) reporting health issues and select Events > System Log
4 Right-click System Log and select Filter
5 Type Warning
6 How many Warnings are present? _______________________________________________________

Exercise 3: Role, Group, and User Creation on vTPS

This exercise will have you create new roles, groups and users on the vTPS from the SMS.
1 Create a Role called Administrator-R:
  Navigate to Devices and select vTPS-Perim from the left navigation pane
  Select Authentication > Device Users
  Click the Roles tab on the right menu pane, then click the New button
  Name: Administrator-R
  Description: Administrator Role
  Initialize Capabilities With: administratorRole
  Click Yes when the Warning for Override the capabilities box appears
  Under the Capability tab, navigate to Reporting > Log and un-check AUDITLOG
  Click OK
2 Create a Role called Operator-R:
  From the Roles tab click the New button
  Name: Operator-R
  Description: Operator Role
  Initialize Capabilities With: OperatorRole
  Click Yes when the Warning for Override the capabilities box appears
  Under the Capability tab, navigate to Reporting > Log and un-check AUDITLOG
  Click OK
3 Create a Group called Administrator-G by clicking the Groups tab, then the New button
  Name: Administrator-G
  Description: Administrator Group
  Administration Role: Administrator-R
  Click OK
4 Create a Group called Operator-G by clicking the New button
  Name: Operator-G
  Description: Operator Group
  Administration Role: Operator-R
  Click OK
5 Create a local Administrator User account by clicking the Users tab, then the New button
  Name: Administrator
  Password: root00-
  Confirm Password: root00-
  Select Administrator-G from Available Groups and click the single right arrow button to move it over to the Member Groups
  Click OK
6 Create a local Operator User account by clicking the New button
  Name: Operator
  Password: root00-
  Confirm Password: root00-
  Select Operator-G from Available Groups and click the single right arrow button to move it over to the Member Groups
  Click OK
  Note: Be sure both users are added to the appropriate Group

Exercise 4: Update DV on SMS and Inspection Devices

Best Practice: It is a Best Practice to keep the DV updated to the latest release on the SMS and inspection devices.

Verify that the vTPS-Core and vTPS-DMZ, which were previously created, are currently running the same version of the DV as the newly created vTPS-Perim. In these next steps, we will update to the latest DV on the SMS and verify that all devices are running the latest version.

1 Verify the current Active DV on the SMS
  Click Profiles > Digital Vaccines and expand Digital Vaccines
  What is the current Active DV? ______________________________________________________
  What is the Release Date? _______________________________________________________
  What is the Download Date? _____________________________________________________
2 Verify the DV on each inspection device. What is the current Active DV version? Hint: It's a device setting
  vTPS-Core _________________________________________________________________________
  vTPS-DMZ _________________________________________________________________________
  vTPS-Perim ________________________________________________________________________
  Where did you find the information? ______________________________________________
  Is the Active DV on the SMS the same as the DV on all inspection devices? ___________
3 Click Profiles > Digital Vaccines and click Download From TMC
  Be sure the latest Available DV is selected using the drop-down box
  Click Download
4 Once downloaded:
  Select DV (active)
  Click Distribute
5 In the Digital Vaccine Distribution pop-up window:
  Select All Devices
  Click OK
  Activate the Digital Vaccine on the SMS
  Best Practice: Following the above steps follows Best Practice, and the latest DV is then on the SMS and the inspection devices.
  Let the DV complete distribution before proceeding
6 Verify the following by clicking Devices > All Devices > Member Summary
  Are all devices running the same version of TOS? ______________________________________
  Are all devices running the latest DV that was downloaded, activated, and distributed? _____

Exercise 5: Create a Basic Profile

In this exercise, we will create a Basic Profile, which we will discuss in detail in a later module. This is done for several reasons. An inspection device begins inspecting once the OBE is complete. Once managed by the SMS, it will stop inspecting packets. Several steps need to be performed to address this default behavior.

Note: We will use the Security Optimized profile for the labs ONLY. This will allow students to see more Events. This is not a Best Practice.

1 Navigate to Profiles > Profiles > Inspection Profiles
  Click New
  Name: Basic Profile
  Deployment Mode: Security Optimized
  Capture Additional Information: select HTTP Context (Hostname, URI, Method)
  Inheritance: None
  Click OK
  Best Practice: Create a Basic Profile at minimum. Never modify the Default Profile.
2 Click the Basic Profile under Inspection Profiles (2)
3 Click Distribute
4 In the Targets section:
  Check the box next to Allow Segment Selection and verify Segment Group is selected
  Under Segment Group select Default
  Click the + next to Default to expand and review the segments for distribution
  Click OK
5 Wait for the distribution to complete
  Best Practice: It is a Best Practice to have the Digital Vaccine Active Version on the SMS be the same as the DV on the inspection device.

Exercise 6: Event Generation

This next section will verify that all devices are active and working properly.
1 Use the Utility Server from mRemoteNG to generate traffic and verify Events in the SMS
  Login as: student01
  Password: Trend11++

2 [student01@vUtility-113 ~]$ attacks 1; replay_pcaps

3 Navigate to SMS Client > Events and verify events in the past hour

Exercise 7: Create a Perim, Core, and DMZ Segment Group

This section has the student create Segment Groups, which allow users to maintain settings and profile distribution.

1 Create the following Segment Groups using Devices > Segment Groups > New Group
  - Name: Core Segment Group; select device vTPS-Core (A>B and B>A)
  - Name: DMZ Segment Group; select device vTPS-DMZ (A>B and B>A)
  - Name: Perim Segment Group; select device vTPS-Perim (A>B and B>A)

Exercise 8

1 Navigate to Devices > All Devices > vTPS-Perim > Device Configuration > System Update
  Select New
  Name: Lab_4
  Leave the defaults and click OK
  Select the Lab_4 snapshot once complete, and click Archive to SMS

2 In your SMS, create an immediate SMS backup (Admin > Database > Backup)

3 Click Backup Now
  Leave the default settings and click Next
  Select HTTPS downloadable from SMS and click Next
  Click Backup

4 Schedule a daily backup, stored on the SMS, that contains all events:
  Navigate to Admin > Database > Backup > New Schedule
  Name: Daily Backup
  Recurrence Pattern: Daily at 2 AM
  Click Next
  Leave the rest of the boxes at the default setting
  Click Next
  Backup Location: HTTPS downloadable from SMS
  Click Next
  Click Finish

Exercise 9: SMS Notifications

1 Click on the notifications tab in the lower right corner (small envelope).

2 Review the notifications, then click Clear All
Lab 5: Device Management and Network Configuration

In this lab, students will perform device management tasks and network configuration settings.

Estimated time to complete this lab: 30 Minutes

LAB OBJECTIVES
- Edit device segment settings
- Multi-device configuration
- Run attacks from the Utility Server and check default behavior

Exercise 1: Network Configuration

In this section you will rename the default segment name (segment1) to a name that is more representative of the network being protected. This exercise is of even more value when working with a physical inspection device that supports many segments.

1 Edit your Segment Settings to reflect the location in the network and the L2FB settings as shown: Devices > All Devices

2 Navigate to vTPS-Core > Network Configuration
  Highlight segment1 in the Physical Segments area and click Edit
  - Segment Name: Core Segment
  - Intrinsic Network HA: Permit All
  - Link Down Synchronization: Hub
  Click Finish

3 Navigate to vTPS-DMZ > Network Configuration
  Highlight segment1 in the Physical Segments area and click Edit
  - Segment Name: DMZ Segment
  - Intrinsic Network HA: Permit All
  - Link Down Synchronization: Hub
  Click Finish

4 Navigate to vTPS-Perim > Network Configuration
  Highlight segment1 in the Physical Segments area and click Edit
  - Segment Name: Perim Segment
  - Intrinsic Network HA: Block All
  - Link Down Synchronization: Hub
  Click Finish

Best Practice: For management purposes it is best to use descriptive names where applicable, for example for Segment Groups. In the lab, we created the vTPS-Perim; the Utility Server sits at the Perimeter (Perim).

Note: The Device Name can be changed in the Device Configuration settings by clicking Edit and changing the Hostname.
Note: The Device Name and Segment Names all match for the inspection devices. Attacks will still be generated from the Utility Server.

Exercise 2: Verify and View Events / Attacks

This section will verify that all devices are active and working properly.

1 Use the Utility Server from mRemoteNG to verify that traffic is being blocked by vTPS-Perim
  Login as: student01
  Password: Trend11++
  [student01@Utility-113 ~]$ attacks; replay_pcaps

2 Use the Attacker from mRemoteNG to verify that the pings to the Victim-DMZ start again
  Login as: root
  Password: Trend11++
  ping -c12 10.10.12.100

3 Use the Attacker from mRemoteNG to verify that the pings to the Victim-Core start again
  ping -c12 10.10.11.100
  Verify that you are seeing Events in the SMS

4 Click Events > Inspection Events: you should see Events showing up
  Modify the time range if needed
  - What device(s) are showing events? __________

5 Navigate to View > Dashboard and click on View
  Click on the Top 5 Attacks (Last Hour) widget
  - How many events do you see? __________
  Note: You may need to close the Dashboard window and repeat the above steps if the widgets do not appear.
Exercise 3: Edit All Devices

1 Use the multi-edit feature: Devices > All Devices, and highlight all devices by holding Shift and clicking each device
  Right click > Edit > Device Configuration
  Point all devices to the Syslog Watcher on your RDP host:
  - Select Remote Syslog > New
  - IP Address: 192.168.3.200
  - Leave the default settings for the remaining options
  Click OK
  Click OK to close the Device Configuration window

2 Review the Change Settings Summary and click Yes

3 Verify the Syslog Watcher is collecting events
  Click the Syslog Watcher icon on the Taskbar
  Click the red Collect button in the upper left corner to start the collection
  In the Status Bar at the bottom you should now see Server: Collecting and UDP: 514
  Click Close on the Syslog Watcher pop-up window if prompted
  Note: UDP port 514 should be black. If it is red, there is a connection issue. Although the status bar at the bottom shows Server: Collecting, no events will be displayed until the devices are configured to send them.

Configure the Log Configuration for the devices:
  Devices > All Devices, highlight vTPS-Core, Right click > Edit > Device Configuration
  Select Log Configuration
  Click New under System Log
  - Select Info from the Severity Threshold drop-down
  - Click OK
  Click New under Audit Log
  - Verify the Severity Threshold has All as the value
  - Click OK
  Click OK to close the Device Configuration window
  Repeat these steps for the other vTPS systems

Lab 6: Security Profile Management

In this lab, students will configure and manage a Basic Profile.
Estimated time to complete this lab: 30 Minutes

LAB OBJECTIVES
- Demonstrate upgrading the DV following best practices
- Practice editing profiles
- Set up and capture network traffic
- Search events in the Event Viewer

Exercise 1: Digital Vaccine

Best Practice: Verify that the Active DV on the SMS matches the DV on all of the inspection devices.

1 Set the SMS to automatically download and activate any new DVs released during the week by navigating to Profiles > Digital Vaccines:
  In Auto DV Activation, click Edit
  Select the following options: Automatic Download and Automatic Activation
  DO NOT select Automatic Distribution
  Click OK

2 Create a DV distribution schedule by clicking the Scheduled Distributions tab
  Click New
  - Schedule Name: Daily Distribution
  - Schedule type: Recurring
  - Set the options for daily at 3:00 PM
  Click Next
  Device Targets: All Devices

3 Follow best practices by verifying that High Priority is unchecked

4 Click Finish

Exercise 2: Auxiliary DVs

This section has the student activate the Malware Auxiliary DV (a separate subscription).

1 While still under Profiles, click the Auxiliary DVs tab in the left window pane

2 Navigate to Auxiliary DV Activation and click Edit
  Set the Auto DV Settings to Automatic Download and Automatic Activation
  Click OK

3 Under Auxiliary DV Inventory, click Download

4 Available Types: Malware
  Click Refresh
  Available Version:
  - Select Activate (Make this Auxiliary DV active in the SMS)
  - Select Distribute (Distribute this Auxiliary DV to all available devices)
  Click Download

5 Verify the Aux DV has distributed to all devices

6 Create a scheduled distribution just as you did for the Digital Vaccines. Review Digital Vaccines > Scheduled Distributions if you need to.

Exercise 3: Modify a Profile & Distribute to All Segments

This section has the student modify the Basic Profile and distribute it across all segments. Be sure to follow Best Practices.
Note: Remember, profile changes always require distribution.

1 Navigate to the Basic Profile you created earlier

2 Navigate to Basic Profile > Profile Overview and modify the following settings:
  In the Category Settings, select Identity Theft and click the Edit Category Setting button
  Change the Action Set to: Block + Notify
  Click OK

3 In the Basic Profile, click Search
  Filter Name: RDP
  - How many filter matches resulted? __________
  Click the Reset All button
  Description Name: RDP
  - How many filter matches resulted? __________
  - Are the results the same or different? __________
  - Why? __________
  Click Reset All again

Best Practice: It is a Best Practice to use Reset All when performing a new search. Remember that all of the Search Criteria, including Filter Criteria, Source Criteria, Additional Criteria, Filter Taxonomy Criteria, and Vulnerability Criteria, can be combined. Filter searches can be heavily impacted when criteria are not defined correctly.
4 In the Filter Name field, search for RDP
  In the Search Results, select all (use the Shift key) and click Edit
  In the Edit Multiple Filters window, under Filter Settings:
  - Modify the Action to: Change filters to use the settings below
  - Use Filter Specific Settings
  - State: Enabled
  - Action Set: Permit+Notify+Trace
  Click OK
  - What is the Action Set now in the Search Results? __________

5 Click Profile Overview in the left window pane and select the Filters tab
  - How many entries do you see in the Modified Filters section? __________
  - Is that what you expected? __________

6 Return to the Search window and click Reset All

7 Repeat step 4 and search for RPC filters

8 Search the RPC filters, enable them, and set the Action to Permit+Notify+Trace

9 Click Profile Overview in the left window pane and select the Filters tab
  - How many entries do you see in the Modified Filters section? __________
  - Is that what you expected? __________

10 Return to the Search and follow Best Practice by clicking Reset All

11 Search for the ICMP Echo Request filter (Filter 0164). ONLY enable filter 0164.
  Enable the filter, and set the Action Set to Block+Notify+Trace
  - Did searching "ICMP Echo Request" work? __________
  - Did searching "ICMP" work? __________
  - Try searching by filter "0164". What were the results? __________
  Click OK once complete

12 Distribute the Basic Profile to the three Segment Groups
  Highlight Basic Profile in the left-hand navigation and select Distribute
  Select the DMZ, Perim and Core Segment Group destinations
  Click OK
Exercise 4: Set up an Inspection Path Traffic Capture and Generate Test Traffic

In this exercise, students will create a packet capture at the Perimeter. Start a packet trace for traffic traveling across vTPS-Perim.

Note: Verify that the Basic Profile distribution has completed before proceeding.

1 In your SMS, navigate to Devices > All Devices > Member Summary > Traffic Capture > New
  - Device: vTPS-Perim
  - Name: PerimTrace
  - Segment/Interface: 1A
  - Max Packets: 100
  - Max File Size: 1
  Click OK to begin the capture

2 Using mRemoteNG, SSH to the Utility Server and run the attacks and replay_pcaps commands to generate traffic:
  replay_pcaps; attacks
  Navigate to Devices > All Devices > Member Summary > Traffic Capture and click the Refresh button
  - Did the File Size field/column of your capture change? __________

Exercise 5: Review the SMS Event Viewer

This exercise allows the student to view and manage the Events captured in the packet trace.

Note: To save time, do not upgrade Wireshark if prompted.

1 Define a query for the SMS Events Viewer to identify all events with a Packet Trace
  Events > Inspection Events
  Selection Criteria: Network Criteria, where Packet Trace = Events w Pkt Trace
  Save this with the name Events with Packet Traces

2 View some of the packet traces
  Right-click an event and select Packet Trace > View
  Click OK to configure the Packet Trace Viewer
  - For now, select Use application registered with .pcap file association
  Click OK

3 Right-click an event and select Packet Trace > View
  - Can you see the packet capture? __________
  Close the window

4 Right-click an event and select Packet Trace > Download into SMS
  Leave the default name.pcap and click OK
  Click OK

5 Open a browser and log in to the SMS with the correct credentials
  Navigate to Administration > Exports and Archives
  - Is the created name-xxxyyy.pcap shown and available for download? __________
  Minimize or close the browser session

Review your Inspection Path Traffic Capture

6 On your SMS, stop the traffic capture you started earlier (PerimTrace). See Exercise 4, Step 1 if you are unsure how to stop the trace.

7 Download it locally and view it in Wireshark to see what information it contains.

Exercise 6: Create Multiple Profiles

In this exercise, the student will create and distribute multiple profiles to better protect the various network segments in the environment.

1 Navigate to Profiles > Inspection Profiles
  Click New
  In the Create New Profile window:
  - Name: Core Profile
  - Deployment Mode: Default
  - Capture Additional Event Information: select HTTP Context (Hostname, URI, Method)
  - Inheritance: None
  Click OK

2 Repeat Step 1 and name the profile DMZ Profile

3 Create a Perim Profile using the Security Optimized Deployment Mode
  Note: This lab uses the Security Optimized Deployment Mode for testing purposes only, so that we can see additional events.
  Click New
  In the Create New Profile window:
  - Name: Perim Profile
  - Deployment Mode: Security-Optimized
  - Capture Additional Event Information: select HTTP Context (Hostname, URI, Method)
  - Inheritance: None
  Click OK
  - How many Inspection Profiles are now on the SMS? __________

4 Search in the three profiles for the following filters (use Global Search):
  - Search ICMP Echo Requests and Replies (Hint: Filter 0164 is Echo Request. You also need to find Echo Reply.)
    Configure the correct filters in the results to Permit+Notify+Trace
    Can you see the Profiles in the Search Results? __________
  - Search Overlong URL (Hint: start with lower case "overlong" in the filter name)
    Can you see the Profiles in the Search Results? __________
    Configure the Suspicious Overlong URL filters in the results to Permit+Notify+Trace
  - Search for overlong.*uri, select all filters in the results, and edit them to Permit+Notify+Trace

5 Distribute the profiles to the correct inspection devices
  Navigate to Profiles > Inspection Profiles
  Deploy the Core Profile, DMZ Profile, and Perim Profile to the appropriate Segment Groups:
  - Use the Ctrl key and click the three profiles
  - Click Distribute
  - In the left window pane, highlight Core Profile and select the Core Segment Group; note that the Core Profile is now green
  - Select DMZ Profile in the left window pane and select the DMZ Segment Group
  - Assign the Perim Profile to the Perim Segment Group
  Click OK

6 Wait for the distribution to complete

7 Use mRemoteNG and generate traffic from the Utility Server using:
  replay_pcaps; attacks; overlongTest

8 Review the Inspection Events. Remember Best Practices when performing searches.
  - Do you see an Event for the Suspicious Overlong URL or URI filter? __________
  - What is the filter number? __________ (Hint: use the Search function.)
  - What is the Action? __________ Which Profile? __________
  - Is this what you were expecting? __________ Why or why not? __________

9 Navigate to Inspection Profiles > Perim Profile and distribute it to the proper Segment Group

10 Use mRemoteNG and generate traffic from the Utility Server using:
  replay_pcaps; attacks

11 Review the Inspection Events again
  - Do you see an Event for the Suspicious Overlong URL or URI filter? __________
  - What is the Action? __________ Which Profile? __________
  - Is this what you were expecting? __________ Why or why not? __________

12 Review the capture for Overlong URL or URI. What is triggering this filter? __________

13 On which Segment(s) do you see Overlong URL or URI events? __________

14 On which Segment(s) do you see ICMP events? __________

Exercise 7: Test L2FB Behavior

In this exercise, students will place the devices into L2FB and confirm that the behavior is as expected, using mRemoteNG to access the Attacker and the Utility Server and generate traffic.

1 Use a browser to navigate to Threat Insights on the SMS and put the devices into L2FB
  Browse to 192.168.3.202
  Username: SuperMan
  Password: Trend11++

2 In the left column, select the Devices icon > All Devices
  Note: The devices should have green indicators for System Health, Performance, and Port Health.
  Place each device in Fallback Mode by clicking the slider
  Read the Warning and click Confirm
  Note that the indicators now show the device in Fallback
  - What is the cause for the device to be in Fallback Mode? __________
  Minimize the browser
  The devices now show as being in L2FB in the SMS. Use the refresh button if needed.

You will run a set of commands for testing and event tracking throughout this course.
It is also important to understand the network topology of the lab environment. These next steps will teach you some of the commands you will be using.

3 Open mRemoteNG and double-click the Utility Server to start an SSH session
  Login as: student01
  Password: Trend11++
  Run: attacks 1
  Note: The attacks 1 command replays the pcaps across the network for the devices to analyze. The number (in this case, 1) is the number of times each pcap will run; it can be run more or fewer times. We run it once to generate traffic without taking too much time.
  Note: The next step can be run after attacks or can be performed in a separate session. To save time, we will open a separate session and generate additional traffic.

4 Right-click the Utility Server tab and click Connect to start an additional session
  Login as: student01
  Password: Trend11++
  Run replay_pcaps to generate traffic

5 Make note of the results using the Events Viewer in the SMS client:
  - Do you see events? __________
  - Were the attacks blocked or permitted? __________
  - Why? __________
  - Were the replay_pcaps successful? __________
  - Why? __________
  - Are the results what you expected? __________
  Note: replay_pcaps has no visibility into blocks or permits on the inspection device. A successful transmission only means that the Linux machine sent packets to the interfaces.

6 Using mRemoteNG, log in to the Attacker
  Username: root
  Password: Trend11++
  Start a ping to the Victim-DMZ using the following command:
  ping -c12 10.10.12.100
  Note: -c12 is a count option so that the ping command sends 12 pings and stops.
  The option is used in the lab so that the ping command stops, to limit the traffic being sent across the virtual environment.

7 Are the pings stopped? y/n __________
  Why? __________
  Open another Attacker session by right-clicking Attacker and clicking Connect
  Username: root
  Password: Trend11++
  Start a ping to the Victim-Core using the following command:
  ping -c12 10.10.11.100
  - Are the pings stopped? y/n __________
  - Why? __________
  - Using the SMS, how many Events do you see in the last minute? __________
  - Is that what you expected? __________

8 Take vTPS-Core out of L2FB using the SMS
  Navigate to Devices > All Devices
  Click vTPS-Core (fallback) > Device Configuration
  Note the red box in the HA Settings section: Intrinsic HA: Fallback
  Click Edit (in the bottom right corner)
  Navigate to the correct menu option and change the device state back to Normal
  Click Apply
  Click OK
  Notice that the HA Settings are now green and the device is functioning properly

9 Navigate to Devices > All Devices
  Click vTPS-DMZ (fallback) in the left window pane
  Right-click the device and select Edit > Intrinsic HA > Normal
  In the lower right corner of the SMS client, select Refresh
  Note that the device is now green and functioning properly
  - How could you change the inspection devices back to Normal all at once? __________
  - Is that possible? __________

10 Maximize your browser session from the beginning of this lab and click the Devices section
  The session has most likely timed out and you will be prompted to log back in.
  Use the same credentials if needed
  Expand the Devices section and record your findings:
  - What state is the vTPS-Core in? __________
  - What state is the vTPS-DMZ in? __________
  - What state is the vTPS-Perim in? __________
  Take the vTPS-Perim out of Fallback Mode
  Close the Web Management Console by closing the browser. All devices should be in an Active state.

Lab 7: Traffic Management Filters

In this lab, students will practice managing the inspection device using the SMS.

Estimated time to complete this lab: 45 Minutes

LAB OBJECTIVES
- Practice several Traffic Management Filters in the Core, DMZ, and Perim Segment Groups
- Observe policies installed on the inspection device
- Verify notifications with Traffic Management

Exercise 1: Testing Traffic Management Block at the Perimeter

Management decided to block all traffic to FTP servers (TCP, port 21) at the perimeter (inbound and outbound).

1 Configure all FTP filters to Permit + Notify
  Go to the Perim Profile > Search
  Enter \sftp in the "Filter Name" field under the "Filter Criteria" section
  Select all the filters in the "Search Results" using Ctrl-A
  Configure them to Permit + Notify

2 Distribute the profile to the Perim Segment Group

3 Go to Events > Inspection Events and expand Name
  Select Reset All to clear previous queries

4 In the Filter Name field enter: ftp
  Select Real Time

5 Use mRemoteNG to access the Utility Server SSH session, or open a new one

6 After the profile is distributed, issue the following command from the Utility Server:
  attacks 1
  Your results should look similar to the ones below.
Exercise 2: Create Traffic Management Filters

1 Block TCP destination port 21 at the Perimeter in both directions
  In the Perim Profile, create a Traffic Management filter by navigating to Perim Profile > Traffic Management > New:
  - Name: Block FTP A2B
  - Action: Block
  - Direction: Port A to Port B ---> (A>B)
  - Protocol: TCP
  - Source Address: Any
  - Source Port: Any
  - Destination Address: Any
  - Destination Port: Value 21
  Click OK
  In the Perim Profile, create a second Traffic Management filter:
  - Name: Block FTP B2A
  - Action: Block
  - Direction: Port B to Port A

7 In the Core Profile (Profiles > Inspection Profiles > Core Profile > Traffic Management) create a TMF to block all access to the Victim Core
  Click New
  - Name: TMF Core Block
  - Action: Block
  - Direction: Port A to Port B
  - Protocol: IP
  - Source Address: Any
  - Destination Address: Value: 10.10.11.100 (Victim Core)
  Click OK

8 In the Core Profile create a TMF allowing access to the Victim Core from the Victim DMZ
  Click New
  - Name: TMF Allow DMZ to Core
  - Action: Allow
  - Direction: A to B
  - Protocol: IP
  - Source IP: 10.10.12.0/24
  - Destination IP: 10.10.11.100

9 Be sure your Allow filter is above your Block filter

10 In the DMZ Profile (Profiles > Inspection Profiles > DMZ Profile > Traffic Management) create a TMF to block all access to the Victim DMZ
  Click New
  - Name: TMF DMZ Block
  - Action: Block
  - Direction: Port A to Port B
  - Protocol: IP
  - Source Address: Any
  - Destination Address: Value: 10.10.12.100 (Victim DMZ)
  Click OK

11 In the DMZ Profile create one TMF allowing access to the Victim DMZ from the Victim Core
  Click New
  - Name: TMF Allow Core to DMZ
  - Action: Allow
  - Direction: A to B
  - Protocol: IP
  - Source IP: 10.10.11.0/24
  - Destination IP: 10.10.12.100

12 Be sure your Allow filter is above your Block filter

13 Distribute the profiles and wait for successful distribution

14 Using commands similar to those above (with the appropriate IP addresses), verify the following:
  - The Attacker cannot access either website (Core/DMZ):
    links http://10.10.11.100:33333
    links http://10.10.12.100:44444
  - The DMZ can access the Core and download the Core file:
    links http://10.10.11.100:33333
  - The Core can access and download the DMZ file:
    links http://10.10.12.100:44444

15 Hint: You may need new SSH connections to the DMZ and Core servers in mRemoteNG

Exercise 4: Lab Cleanup

1 Remove all Traffic Management Filters once you are finished.
  Note: Any leftover TMF filters may cause problems in the remainder of the labs.

2 Distribute the Core and DMZ profiles to the appropriate Segment Group

Lab 8: Quarantine

In this lab, students will practice Quarantine techniques.

Estimated time to complete this lab: 45 Minutes

LAB OBJECTIVES
- Create Quarantine Action Sets
- Quarantine with Immediate Blocking
- Improving Policy / Quarantine with Threshold

Note: This is a test environment and you can configure your devices in ways that may not be appropriate in production.
Verify that the different tasks follow TM Best Practices and fix them accordingly.

Exercise 1: Setup Tasks

1 Use SSH from mRemoteNG to verify that all traffic is stopped to both vTPS-Core and vTPS-DMZ. You can also verify this using the SMS.

Exercise 2: Create the Action Sets

1 Action Set 1
  - Name: TPS-Q-Block-1
  - Flow Control: Quarantine
  - Notifications: select Management Console
  - Thresholds: Hit Count: 1 / Period: 1 Minute
  - Action performed before threshold is reached: Block
  - Web Requests: Display quarantine web page
    - Show filter causing quarantine action: Enable
    - Show description of filter causing quarantine action
  - Other Traffic: Block
  - Quarantine Exceptions > Exceptions > New
    - Name: Core Traffic Network Gateway
    - Source: 10.10.11.1

2 Action Set 2
  - Name: TPS-Q-Permit-5
  - Flow Control: Quarantine
  - Notifications: Management Console
  - Thresholds: Hit Count: 5 / Period: 2 Minutes
  - Action performed before threshold is reached: Permit
  - Web Requests: Display quarantine web page
    - Show filter causing quarantine action: Enable
    - Show description of filter causing quarantine action
  - Other Traffic: Block
  - Quarantine Exceptions > Exceptions > New
    - Name: Core Traffic Network Gateway
    - Source: 10.10.11.1

Exercise 3: Quarantine with Immediate Blocking

1 Navigate to the Core Profile

2 Search for Specific Filter Info: ^0079:|^0164:
  In the Search Results:
  - Double-click filter 0079
    - Select: Use Filter Specific Settings
    - Action Set: TPS-Q-Block-1
    - Click OK
  - Double-click filter 0164
    - Set to Permit+Notify

3 Distribute

4 Use mRemoteNG to connect to the Attacker
  Ping the Victim-Core:
  ping -c12 10.10.11.100
  Review the device log files in the SMS
  - How many Ping packets were allowed? __________
  - Are the results what you would expect? __________
  - What is wrong with the results? __________

Note: The approach above has several mistakes.
To block or limit pings from an external host, select the appropriate ICMP Echo Request filter. In this case, you can see in the logs that the Core server has been blocked and quarantined. Additionally, you are blocking external hosts, and you never want to send feedback to them: blocks should be done silently.

Best Practice: When configuring TPS Quarantine, ALWAYS add restrictions and/or exceptions. Restrictions are useful for limiting the scope of IP addresses that can be affected by a quarantine. Exceptions are useful to avoid quarantining key internal hosts.

Exercise 4: Modifying Policy using Thresholds

Note: The offending host should be quarantined after a configured number of packets has been permitted.

1 Edit Action Set: TPS-Q-Permit-5
  Quarantine Exceptions > Exceptions
  Select New and add Source
  - Name: Core Traffic Network Gateway
  - IP: 10.10.11.1
  Select OK and Finish
  Note: We cannot use Restrictions in this case, as any outside attacker should be quarantined.

2 Modify the Core Profile filters 0079 and 0164 (they should still be in the Search Results area)
  Disable 0079
  Enable 0164 and set the Action Set to TPS-Q-Permit-5
  Distribute the Profile

3 Verify the Attacker is not quarantined or in the Blocked Streams list
  Go to Devices > vTPS-Core > Events
  Flush the Attacker from the Blocked Streams
  - Was it there? __________ Why? __________
  Remove the Attacker from the Quarantined Hosts list
  - Was it there? __________ Why? __________

4 From the Attacker, ping the Victim-Core:
  ping -c12 10.10.11.100
  - How many Ping packets were allowed? __________
  - Is your Attacker in the Blocked Streams list? __________ Why? __________
  - Is the Attacker in the Quarantined list? __________ Why? __________

5 Disable filters 0079 and 0164 and distribute the Core Profile
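Labs 7 and 8 both turn on how the device evaluates ordered policy: a Traffic Management filter list is matched top-down (which is why the Allow filter must sit above the Block filter), and a Quarantine action set counts hits per source before switching from its pre-threshold action to quarantine. The Python model below is an added example for those two exercises, not TippingPoint code or part of this guide; the first-match rule, the fate of the hit that reaches the Hit Count, the exception handling and the Attacker address 192.0.2.10 are assumptions of the model.

```python
"""Constructed model of the policy behaviour exercised in Labs 7 and 8.

Added teaching example, not TippingPoint code or part of the lab guide.
Assumptions of the model:
  - Traffic Management filters are evaluated top-down, first match wins,
    which is why the lab insists the Allow filter sits above the Block.
  - A Quarantine action set counts filter hits per source inside a sliding
    period; hits below the Hit Count get the "before threshold" action, the
    hit that reaches it quarantines the source, and a quarantined source has
    its other traffic blocked.  Quarantine Exceptions are never quarantined.
  - 192.0.2.10 stands in for the Attacker (its address is not in the guide).
"""
from collections import deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class TMF:
    """One Traffic Management filter; 0.0.0.0/0 and dport 0 mean Any."""
    name: str
    action: str                # "Allow" or "Block"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "IP"          # "IP" matches every protocol
    dport: int = 0

    def matches(self, src, dst, proto, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("IP", proto)
                and self.dport in (0, dport))


def evaluate_tmf(filters, src, dst, proto="TCP", dport=0):
    """Return (action, filter name) of the first matching TMF. A packet that
    matches no TMF continues to normal DV inspection: ("Inspect", None)."""
    for tmf in filters:
        if tmf.matches(src, dst, proto, dport):
            return tmf.action, tmf.name
    return "Inspect", None


# Lab 7: Core Profile in the order the guide requires (Allow above Block),
# and the Perim Profile filter blocking FTP (TCP destination port 21).
CORE_TMFS = [
    TMF("TMF Allow DMZ to Core", "Allow", src="10.10.12.0/24", dst="10.10.11.100/32"),
    TMF("TMF Core Block", "Block", dst="10.10.11.100/32"),
]
PERIM_TMFS = [TMF("Block FTP A2B", "Block", proto="TCP", dport=21)]


@dataclass
class QuarantineActionSet:
    """Quarantine flow control with a Hit Count / Period threshold (Lab 8)."""
    name: str
    hit_count: int
    period_s: int
    before_threshold: str            # "Permit" or "Block"
    exceptions: tuple = ()           # Quarantine Exceptions, e.g. the gateway
    quarantined: set = field(default_factory=set)
    _hits: dict = field(default_factory=dict)

    def handle(self, src, t):
        """Decide one filter hit from src at time t (seconds)."""
        if src in self.exceptions:
            return self.before_threshold         # excepted hosts are never counted
        if src in self.quarantined:
            return "Block (quarantined)"
        window = self._hits.setdefault(src, deque())
        window.append(t)
        while t - window[0] > self.period_s:     # forget hits older than the period
            window.popleft()
        if len(window) >= self.hit_count:
            self.quarantined.add(src)
            return "Block (quarantined)"
        return self.before_threshold


def simulate_pings(action_set, src, count=12, interval_s=1):
    """Feed `count` echo-request hits (like ping -c12) one per interval."""
    return [action_set.handle(src, i * interval_s) for i in range(count)]


if __name__ == "__main__":
    # Lab 7 step 14: the DMZ reaches the Core web server, the Attacker does not.
    print(evaluate_tmf(CORE_TMFS, "10.10.12.100", "10.10.11.100", "TCP", 33333))
    print(evaluate_tmf(CORE_TMFS, "192.0.2.10", "10.10.11.100", "TCP", 33333))
    # Same filters with Block above Allow: the Allow is shadowed, DMZ loses access.
    print(evaluate_tmf(list(reversed(CORE_TMFS)), "10.10.12.100", "10.10.11.100"))
    # Lab 8 Exercise 4: TPS-Q-Permit-5 against a ping -c12 from the Attacker.
    permit5 = QuarantineActionSet("TPS-Q-Permit-5", 5, 120, "Permit", exceptions=("10.10.11.1",))
    print(simulate_pings(permit5, "192.0.2.10"))
    print(simulate_pings(permit5, "10.10.11.1"))   # gateway: excepted, never quarantined
```

Swapping the two Core filters in CORE_TMFS reproduces the mistake step 9 warns about: the Block shadows the Allow and the DMZ loses access to the Core server.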
Lab 9: SMS Events and Reports

In this lab, students will reinforce the learned skill set for viewing SMS Events and Reports.

Estimated time to complete this lab: 35 Minutes

LAB OBJECTIVES
- Examine events using the SMS Event Viewer
- Discuss custom SMS Reports
- Create manual and scheduled SMS Reports

Exercise 1: SMS Event Viewer Search

Note: Be sure to Reset All the Event Criteria in the Inspection Events query.

1 On the SMS, click Events > Inspection Events
  Select a time frame and click Refresh
  Click the Magnifying Glass in the right column. A prompt opens at the bottom to search for a filter.
  Note: As an alternative, you can right-click on any event and select Filter.
  In the Filter area, search for the keyword Edge
  - How many filter matches did you get? __________
  - Are any of them the same? __________
  - Do you see several events for filter 39158? __________
  - Why are there multiple entries? __________

2 Click one of the events and review the source, destination, and client information
  Click the second event and review the source, destination, and client information
  - Is the information the same or different? __________

3 Do you see an event where filter 31018 fired? __________
  Double-click the event and record the Event No: __________
  - What is the Severity? __________
  In the Filter Info section, click More... and review the information
  Click Edit Filter and review the different options
  Is the Edit Filter option always available?__________
  Explain__________
  Click Cancel to close the Edit Filter window

4 At the bottom of the Events - Event Details window:
  Click Copy Details To Clipboard
  On your Windows remote desktop, click the Notepad++ icon
  Note: Do not update if prompted.
  In Notepad++ click Edit > Paste
  Can you think of scenarios where copying the information would be helpful?__________
  Close Notepad++
  Close the Events - Event Details window.

5 Select a different event
  What is the CVE Id?__________
  Click the CVE Id link (CVE- for additional information) and read the description
  Close the Events window when complete

Exercise 2: SMS Event Viewer Search

1 Open mRemoteNG and run the ping commands from the Attacker
  ping -c12 10.10.11.100
  ping -c12 10.10.12.100

2 Using the filter search as above, search for IP 10.10.11.100
  How many entries do you see?__________
  What is the Src. Addr.?__________
  Is this what you would expect?__________
  Hint: Review the Ping configuration in all profiles.

3 Click the Red X at the bottom right to clear the data field

Exercise 3: Create Custom Event Views and Queries

In this next step we will create several event views and save each. Be sure to Reset All before starting a new search.

1 Create an event view for the last day from all Segment Groups for HTTP:
  On Events > Inspection Events
  Filter Taxonomy Criteria > Protocol: select HTTP
  Device, Segment, Rule Criteria > Segment Groups
  Click Add and select the Core and DMZ Segment Groups
  Click OK
  Change the time frame to Last 24 Hours
  Click Refresh
  Review the Results
  In the upper right, click Save As
  - Name the Event: Daily HTTP Events
  Click Save

2 You should now see two Saved Events in the Saved Queries

3 Perform the same steps for DNS
  Add the vTPS-Perim to Device/Group/Stack
  Name the event Daily DNS Events
  How many events do you see?__________
  Do you see that filters 0588 and 0562 have fired?__________
  In the upper right, click Save As
  - Name: Daily DNS Events - Perim
  Click Save

You now want to see events by platform.

4 Search for filters on Windows and Linux Server Application or Service
  How many results do you see?__________
  Save the results as a report

Exercise 4: Modify Filters from Events

In this exercise, you will search for an event and modify the filter from your Saved Queries. For this exercise we will block Ping Requests, but we still want to see them in events.

1 Click on the Saved Queries > Events with Packet Traces

2 From one of the 0164 Ping Events in the Perimeter in the event viewer:
  Right click the event and click Profile > Edit Filter
  Change the Action Set: Block + Notify + Trace
  Click Distribute
  Be sure that only the Perim Segment Group is selected and click OK
  Note: Wait for the distribution to complete before proceeding.

3 Open mRemoteNG and run the ping commands from the Attacker
  ping -c12 10.10.11.100
  ping -c12 10.10.12.100

4 Run the following command from the Utility Server:
  attacks; replay_pcaps
  Note: You will need to wait several minutes before proceeding.
5 Open the TippingPoint Dashboard and monitor

6 In the top left corner is the Top 5 Attacks (Last 15 Minutes) - Perim
  Double-click 0164: ICMP: Echo Request (Ping)
  It should bring your SMS Events to the front (if not, click the SMS client so you can see Events)
  - Do you see events for 0164?__________
  Do you see Block events at the Perimeter Profile?__________
  Do you see any Permit events?__________
  Why?__________

7 Click Reset All and perform a search (magnifying glass) for Filter: 0164
  Do you see both Permit and Block Actions for filter 0164 now?__________
  Which Profile(s) are Permit?__________
  Which Profile(s) are Block?__________
  Is this working as expected?__________

8 Clear the filter search

Exercise 5: SMS Reports (Saved Reports)

1 Search for the Filter with the largest hit count using the Hit Count column:
  Right Click Event > Reports > Generate Specific Filter Report
  A Report will build called Specific Attack
  Change the report to 7 Days
  Click Run
  Click Save Report

2 In the Create Report Name:
  Name: Filter xxxx Specific Attacks (where xxxx is the filter number)
  Set the Report Time Period to: Last 7 Days
  Template: Specific Attack
  Be sure that "Copy current result to new report (the copied result will contain the template title)" is selected
  Select the Schedule section
  Select Run Now and Run on Schedule
  - Schedule Name: Daily Specific Attacks for Filter xxxx (as created above)
  Set the schedule to run daily at 4:00PM
  Review the Export Results
  Click Finish
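The questions in Exercise 4 step 7 (which profiles Permit and which Block for filter 0164) and Exercise 5 step 1 (the filter with the largest hit count) are answered in the GUI, but the same questions come up when you have copied event details out (Exercise 1 step 4) or exported a larger set. The script below is an added example written for this guide, not SMS code and not the SMS export format: the tab-separated sample is constructed to resemble the columns shown in the Events view, the victim addresses, profile names and filter 0164 are the lab's, and the attacker address 198.51.100.7 and filter 9999 are made up.

```python
"""Summarise inspection events by filter, profile and action.

Added example; the export format below is an assumption constructed for
illustration, not the SMS's real export layout.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Constructed sample export (tab-separated). Profiles, filter 0164 and the
# 10.10.x.100 victims come from the lab; 198.51.100.7 and filter 9999 are made up.
SAMPLE_EVENTS = """\
filter\tname\tprofile\taction\tsrc\tdst
0164\tICMP: Echo Request (Ping)\tPerim\tBlock\t198.51.100.7\t10.10.12.100
0164\tICMP: Echo Request (Ping)\tPerim\tBlock\t198.51.100.7\t10.10.11.100
0164\tICMP: Echo Request (Ping)\tCore\tPermit\t198.51.100.7\t10.10.11.100
0164\tICMP: Echo Request (Ping)\tDMZ\tPermit\t198.51.100.7\t10.10.12.100
9999\tEXAMPLE-FILTER (constructed)\tPerim\tBlock\t198.51.100.7\t10.10.12.100
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse a tab-separated export with a header row into dict rows."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def actions_by_profile(events: List[Dict[str, str]], filter_no: str) -> Dict[str, List[str]]:
    """Map each profile to the sorted list of actions seen for one filter.
    A filter that is Block in one profile and Permit in another shows up
    here as two different lists, which is the situation Exercise 4 has you
    create deliberately by changing the action set on the Perim profile only."""
    seen = defaultdict(set)
    for ev in events:
        if ev["filter"] == filter_no:
            seen[ev["profile"]].add(ev["action"])
    return {profile: sorted(actions) for profile, actions in seen.items()}


def profiles_with_action(events: List[Dict[str, str]], filter_no: str, action: str) -> List[str]:
    """Profiles in which `filter_no` produced the given action (e.g. 'Permit')."""
    return sorted(p for p, acts in actions_by_profile(events, filter_no).items() if action in acts)


def hit_counts(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Number of events per filter, the same figure the Hit Count column shows."""
    counts: Dict[str, int] = defaultdict(int)
    for ev in events:
        counts[ev["filter"]] += 1
    return dict(counts)


def largest_hit_count(events: List[Dict[str, str]]) -> str:
    """Filter number with the most events, the candidate for a Specific Filter Report."""
    counts = hit_counts(events)
    return max(counts, key=counts.get)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("0164 by profile:", actions_by_profile(evs, "0164"))
    print("Permit profiles:", profiles_with_action(evs, "0164", "Permit"))
    print("Block profiles: ", profiles_with_action(evs, "0164", "Block"))
    print("Largest hit count:", largest_hit_count(evs))
```

A split like the one in the sample (Block on Perim, Permit on Core and DMZ for the same filter) is the expected state after Exercise 4, because only the Perim Segment Group received the Block + Notify + Trace action set; seeing it in a summary rather than one event at a time is the point of exporting.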
3 In the Saved Reports pane:
  Click Filter xxxx and click Run
  Use the options to view the report to see the different pages

4 Click Export Result...
  Review the different options
  Click Cancel

Exercise 6: Executive Reports

The CXO of your organization requests a high-level overview each business day of Inspected Traffic across your network. The request is to generate a daily report that includes activities that occurred overnight and to send it by email in .pdf format.

1 How would you set this up?__________
  Select Executive Reports in the left window pane
  In the right window, highlight Inspection Executive Report and click View
  In the Required Fields area, select all the options
  Set the report to Last 24 Hours
  Click Run

2 Review each page of the report
  How many pages are included in the report?__________
  Does every page have data?__________
  Remove all of the pages that don't have data from the report
  - Hint: Top P2P Peers does not contain data. Remove it.
  Remove the other fields that don't provide useful information
  Which other reports did you remove?__________

3 Save the Report as:
  Name: Daily Inspection Executive Report
  Set the Schedule to the same as above except have it run at 7AM
  Email Reports To: [email protected]
  Select PDF format and include an HTTPS link to the online web format
  Click Finish
  Note: You will get an error notifying you that no email is available. Click OK.

4 Navigate to Saved Reports > Daily Inspection Executive Reports and review the available reports.

5 Open a web browser and navigate to 192.168.3.202 or use the vSMS browser shortcut

6 Review Threat Insights
  Do you see any ZDI Filter Hits?__________
  Note: We will continue with this exercise for now but will return to the ZDI Filter Hits in Threat Insights in the next Exercise.
  Click the Reports link in the left window pane:
  Select one of the Daily Inspection Executive Reports and select HTML
  - Review the Report
  Close the browser tab when done.

7 Create custom reports for the following, save them, and create daily schedules for all of them:
  Specific Destination report for your Victim-DMZ Server (run for last 24 hours)
  Specific Destination report for your Victim-Core Server (run for last 24 hours)

8 Top Attacks for the Perim Segment group (for last 24 hours)

9 Generate a Report for Device Traffic on the Perimeter for the past 7 days

Exercise 7: Researching Using Threat Insights

1 Return to Threat Insights where you saw the ZDI Filter Hits
  Was anything Permitted?__________
  Look at Filter 32341. Does it show Blocked and Permitted Hits?__________
  - Why? Time to do a bit of research.

2 Open the SMS client and navigate to Profiles > Inspection Profiles
  Navigate to Core Profile > Search and search for Filter Name 32341
  Is it set to Block/Notify?__________
  Navigate to DMZ Profile > Search and search for Filter Name 32341
  Is it set to Block/Notify?__________
  Navigate to Perim Profile > Search and search for Filter Name 32341
  Is it set to Block/Notify?__________
  Why is the packet permitted if the filter is set to block on all of the profiles?__________

3 Navigate to Basic Profile > Search and search for Filter Name 32341
  - Is it set to Block/Notify?__________
  It is set to Permit/Notify. Our original Basic Profile was set to Allow. Just something to think about.
4 Navigate to Global Search and search for Filter Name: 32341
  This view allows you to see Filter 32341 on each of the profiles. You can see that it is set to Block/Notify on all profiles except the Basic Profile we originally created.
  Click Reset All

Exercise 8: Create Additional Reports and Review via Threat Insights

Use what you learned in the above exercises to create the following custom reports using the SMS client. Once created, save each report so that it runs daily at a scheduled time.

1 Specific Destination report for your Victim-Core Server (run for last 24 hours)
2 Specific Destination report for your Victim-DMZ Server (run for last 24 hours)
3 Top Attacks for the Perim Segment group (for last 24 hours)
4 Generate a Report for Device Traffic on the Perimeter for the past 7 days
5 Review Reports using both the SMS client and the SMS Web Console

Lab 10: SMS Dashboard

In this lab, students will practice modifying the SMS Dashboard.

Estimated time to complete this lab: 40 Minutes

LAB OBJECTIVES
Modify the Dashboard to show attacks

Exercise 1: Modify the Dashboard to Monitor the Perimeter Network

Modify three dashboard widgets for the Perim Device into the left column.

1 On the SMS, click View > Dashboard > View
2 Close all of the widgets by hovering the mouse over the time and clicking X on each widget
3 You now have a clean palette
4 In the upper right you will see four icons. Click on the button that looks like a refresh button (rotating arrow).
5 Read the information box and click Cancel. That button is used to restore the dashboard to the default view.
6 Click the Show Palette icon in the top right corner (paintbrush)

Modify the dashboard widgets for the Perimeter.
7 Create a widget to view Top 5 Attacks – Perim Segment Group – All attack categories/Severities
  Navigate to Inspection and drag Top Attacks into the widget area
  Click the wrench icon on the widget
  - In the General Section
    · In the name field, add -Perim at the end for easy identification
    · Change the Time period to: Last 15 Minutes
  - Event Criteria
    · Expand Filter Criteria and select the box Filter Category - All
    · Verify all the options are checked for Filter Severity
    · Expand Device, Segment, Rule Criteria and Add Perim Segment Group. Click OK
  - Display As: Table
  Click OK

8 Create a widget to view Top 5 Destinations (Attack Destination) – Perim Segment Group – All attack categories/Severities
  Navigate to Inspection and drag Top 5 Attack Dests into the widget area
  Click the wrench icon on the widget
  - In the General Section
    · In the name field, add -Perim at the end for easy identification
    · Change the Time period to: Last 15 Minutes
  - Event Criteria
    · Expand Filter Criteria and select the box Filter Category - All
    · Verify all the options are checked for Filter Severity
    · Expand Device, Segment, Rule Criteria and Add Perim Segment Group
  - Display As: Pie
  Click OK

9 Create a widget to view Top 5 Sources (Attack Source) – Perim Segment Group – All attack categories/Severities
  Navigate to Inspection and drag Top 5 Attack Sources into the widget area
  Click the wrench icon on the widget
  - In the General Section
    · In the name field, add -Perim at the end for easy identification
    · Change the Time period to: Last 15 Minutes
  - Event Criteria
    · Expand Filter Criteria and select the box Filter Category - All
    · Verify all the options are checked for Filter Severity
    · Expand Device, Segment, Rule Criteria and Add Perim Segment Group
  - Display As: Table
  Click OK

Exercise 2: Modify the Dashboard to Monitor the Core Network

Modify three dashboard widgets for the Core.

10 Create a widget to view Top 5 Attacks – Core Segment Group – Vulnerabilities and Exploits/Major
  Navigate to Inspection and drag Top Attacks into the widget area
  Click the wrench icon on the widget
  - In the General Section
    · In the name field, add -Core at the end for easy identification
    · Change the Time period to: Last 7 Days
  - Event Criteria
    · Expand Filter Criteria and select Exploits and Vulnerabilities
    · Verify only Major and Critical Filter Severity is checked
    · Expand Device, Segment, Rule Criteria and Add Core Segment Group
  - Display As: Table
  Click OK

11 Create a widget to view Top 5 Destinations – Core Segment Group – All attack categories/Critical
  Navigate to Inspection and drag Top Attack Dests into the widget area
  Click the wrench icon on the widget
  - In the General Section
    · In the name field, add -Core at the end for easy identification
    · Change the Time period to: Last 7 Days
  - Event Criteria
    · Expand Filter Criteria and select Filter Category - All
    · Verify only Critical Filter Severity is checked
    · Expand Device, Segment, Rule Criteria and Add Core Segment Group
  - Display As: Choose how you would like it displayed
  Click OK

12 Create a widget to view Top 5 Sources – Core Segment Group – All attack categories/Critical
  Navigate to Inspection and drag Top Attack Sources into the widget area
  Click the wrench icon on the widget
  - In the General Section
    · In the name field, add -Core at the end for easy identification
    · Change the Time period to: Last 7 Days
  - Event Criteria
    · Expand Filter Criteria and select Filter Category - All
    · Verify only Critical Filter Severity is checked
    · Expand Device, Segment, Rule Criteria and Add Core Segment Group
  - Display As: Choose how you would like it displayed
  Click OK

Exercise 3: Modify the Dashboard to Monitor the DMZ Network

Modify three dashboard widgets for the DMZ using similar steps as above.

13 Create a widget to view Top 5 Attacks – DMZ Segment Group – Vulnerabilities and Exploits/Major
14 Create a widget to view Top 5 Destinations – DMZ Segment Group – All attack categories/Critical
15 Create a widget to view Top 5 Sources – DMZ Segment Group – All attack categories/Critical

Exercise 4: Modify the Dashboard to Monitor Various Options

1 Expand SMS / Device and add a widget for Software Update Status
2 Add a widget for Geographical Destinations
3 Add a widget for Top Attack Geo Dests

Exercise 5: Generate Traffic to Test

1 Use Utility (mRemoteNG) to verify that traffic is being blocked by vTPS-Perim
  Run attacks
  Run replay_pcaps

2 Use Attacker (mRemoteNG) to verify that the pings to the Victim-DMZ start again
  ping -c12 10.10.12.100

3 Use Attacker (mRemoteNG) to verify that the pings to Victim-Core start again

4 ping -c12 10.10.11.100
  Note: Adjust the time frame as needed so that data shows up. Remember that the dashboard updates information every five minutes.

5 Click on an event in the Top 5 Attacks widget in the upper left. Maximizing the SMS will bring up SMS Events with the event shown in the results area
  Are the results what you expected?__________
  Click on one of the events to view the details

Exercise 6: Access SMS Web Dashboard and Create a Widget

1 Open a browser to your SMS IP address and create a widget
  https://192.168.3.202/d/Dashboard
  Login with SuperMan/Trend11++ (if asked)
  Click Confirm on the Warning pop-up window
  Click New Widget
  Widget Template: Top N Filters, click Next
  Top N Data: Top 10
  Aggregated Filters: Source IP Address
  Time Period: Last 7 Days
  Widget Type: Area Chart
  Click Next
  Widget Title: Leave as default and click Create

2 Click the gear in the widget and modify it just to be familiar with the SMS Web Dashboard

3 Close the browser when finished
Lab 11: Maintenance and Performance

In this lab, students will work with the instructor to monitor the performance of the devices using the SMS client.

Estimated time to complete this lab: 45 Minutes

LAB OBJECTIVES
Review Tier Stats using the SMS
View Historical Graphs from the SMS

Exercise 1: Review Inspection Events

1 From the Attacker, run the following command:
  for e in $(seq 30); do ping -c 20000 -f 10.10.11.100; ping -c 20000 -f 10.10.12.100; done

2 From the Utility Server, run the following commands:
  Run perf_http_rate 8
  Use a second connection and run the command:
  for e in $(seq 30); do attacks 1; done
  Note: Reference your Student Guide as needed.

3 Select Devices > All Devices > Member Summary > System Health
  Click Refresh
  Review the Health Stats and note anything other than a Normal State
  - Is anything in a Critical State?__________
  Look at the shelf level view. Is everything Green?__________
  Click the Temperature and Memory tabs to be familiar with them
  How come nothing is in the Temperature tab?__________

4 Select Devices > All Devices > vTPS-core > Events > Performance
  Review the various graphs. You may need to change your time frame and click Refresh
  Are you seeing a graph for Deep Packet Inspection? Tiers (Ratio to next tier)?
  Note the following data in the Performance Data tab:
  - Total Packets (Incoming):__________
  Total Packets (Outgoing):__________
  Blocked:__________
  Permit action:__________
  Rate Limited:__________
  Dropped:__________

5 Click the tab for Tier Stats and record the following:
  Tier 1 - Rx Mbps__________ Tx Mbps__________
  Note: Received Mbps is the throughput figure that relates to the inspection throughput license.

6 Review Port Health > Statistics
  Review Total In: Bytes and Total Out: Bytes for the Enabled Ports
  Are you seeing any discards or errors?__________

7 Click the Historical Graphs tab and review the Enabled Ports

8 Select Events > Traffic
  Are you seeing any small packets (~64 bytes)?__________
  What other packet sizes?__________
  What Frame Types are you seeing?__________
  In the Protocols Section:
  Are you seeing any ICMP traffic?__________
  What about TCP?__________
  What about UDP?__________

9 Click on one of the inspection devices in the left window pane. Right click the Device, select Export TSR, and save the report to your Desktop

10 Repeat steps 4-9 for vTPS-Perim and vTPS-DMZ
Lab 12: Best Practices

In this lab, students will explore the TPS Best Practices documents on the Trend Micro Website.

Estimated time to complete: 25 Minutes

OBJECTIVES
Be familiar with TippingPoint Best Practices

Exercise 1: Research TPS Best Practices

1 Open a browser from your laptop and perform a search for "tippingpoint tps best practice"
2 Select the TippingPoint Support Documentation & Best Practice
3 Select and open the Best Practice: TPS-Series document from the list
4 The document will open and can be viewed in the browser
5 Download the document to your local drive
6 Explore the Table of Contents
7 What is the name used for L2FB?__________
8 Do you see Troubleshooting Tips?__________
9 Do you see Troubleshooting Commands?__________
10 Can you find the reset to factory defaults?__________
11 How do you perform a password reset?__________
12 What are Flow Management Filters?__________
13 What are the two types of Flow Management Filters?__________
14 What are the Flow Management Filter speed options?__________
15 Run some of the commands to be familiar with them.
16 What is the Do's and Don'ts Table?__________
17 How many deployment guides can you find for the latest release?__________

Exercise 2: End of Course Survey (Please complete)

1 www.surveymonkey.com/r/TrendMicroTraining
