Fidelis XPS User manual

User Guide
Version 6.0

Copyright © 2002–2010 by Fidelis Security Systems, Inc.
All rights reserved worldwide.
Fidelis XPS™, version 6.0
User Guide, version 6.0
Revised March 2010
Users are granted permission to copy and/or distribute this document in its original electronic form and print
copies for personal use. This document cannot be modified or converted to any other electronic or
machine-readable form in whole or in part without prior written approval of Fidelis Security Systems, Inc.
While we have done our best to ensure that the material found in this document is accurate, Fidelis
Security Systems, Inc. makes no guarantee that the information contained herein is error free.
Fidelis XPS includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
Fidelis Security Systems
4416 East West Highway, Suite 310
Bethesda, MD 20814

Fidelis XPS User Guide Version 6.0 Table of Contents iii
Table of Contents
Preface............................................................................................................................................. 1
Intended Audience....................................................................................................................... 1
Technical Support........................................................................................................................ 2
Available Guides.......................................................................................................................... 2
Fidelis XPS™ Overview.................................................................................................................. 3
Fidelis XPS Modules.................................................................................................................... 3
CommandPost ........................................................................................................................ 4
Direct....................................................................................................................................... 4
Internal.................................................................................................................................... 4
Proxy....................................................................................................................................... 4
Mail.......................................................................................................................................... 5
Web Walker............................................................................................................................. 5
Connect................................................................................................................................... 5
Fidelis XPS Policies..................................................................................................................... 5
Prebuilt Policies....................................................................................................................... 5
Custom Policies ...................................................................................................................... 6
Chapter 1 Getting Started .............................................................................................................. 7
Access CommandPost................................................................................................................. 7
Change your Account .................................................................................................................. 7
Access the Guides....................................................................................................................... 8
Lock Icon ..................................................................................................................................... 8
CommandPost Navigation........................................................................................................... 8
System Status.............................................................................................................................. 8
Logout.........................................................................................................................................10
Using Non-ASCII Characters in Fidelis XPS...............................................................................10
Chapter 2 The Dashboard.............................................................................................................11
The Radar Page .........................................................................................................................11
What is an event? ..................................................................................................................11
What is an alert? ....................................................................................................................11
What is alert radar?................................................................................................................11
Uses of Alert Radar................................................................................................................12
Current Status Frame.............................................................................................................13
Information Flow Map™ Page ....................................................................................................14
The Information Flow Map......................................................................................................15
Controls in the Left Panel.......................................................................................................17

Filtering and Sorting Criteria...................................................................................................19
Chapter 3 Understand and Manage Alert Workflows .................................................................22
Access to Alerts and Quarantined E-Mails..................................................................................22
Handle Alerts..............................................................................................................................22
The Alert Workflow Log...............................................................................................................23
Manage a Single Alert.................................................................................................................23
Change Status .......................................................................................................................23
Change Alert Group ...............................................................................................................24
Manage Multiple Alerts ...............................................................................................................24
Chapter 4 Understand and Manage Alerts ..................................................................................25
Alert Report.................................................................................................................................26
Alert Quick Summary .............................................................................................................26
Filter Alerts.............................................................................................................................27
Navigate Alert Pages..................................................................................................................27
Alert Actions................................................................................................................................28
Alert Labels............................................................................................................................28
Export Alerts to Excel.............................................................................................................28
Purge Alerts ...........................................................................................................................29
Alert Report Page Controls.........................................................................................................29
System Reports for Alerts ......................................................................................................30
Search for Alerts ....................................................................................................................30
Duration..................................................................................................................................35
Include or Exclude Incoming Alerts........................................................................................35
Customize Alert Report...............................................................................................................36
Group.....................................................................................................................................36
Group Details.........................................................................................................................38
Create PDF Reports for Alerts....................................................................................................38
Trending......................................................................................................................................39
Alert Details ................................................................................................................................41
Alert Highlighting....................................................................................................................43
Scroll through Alert Details.....................................................................................................44
Download Text File.................................................................................................................44
Find Similar Alerts..................................................................................................................44
Manage Label ........................................................................................................................45
Purge this Alert.......................................................................................................................45
Alert Compression..................................................................................................................45
Decoding Path and Channel Attributes ..................................................................................45
Forensic Data.........................................................................................................................47
Recorded TCP Session..........................................................................................................47
Tune Rules from an Alert............................................................................................................49

Chapter 5 Understand and Manage Quarantined E-Mails..........................................................52
Understand Fidelis XPS Mail Quarantine....................................................................................52
The Quarantine Report...............................................................................................................53
Take Actions on Quarantined E-Mails.........................................................................................54
Deliver or Discard Quarantined E-Mail........................................................................................54
Search Quarantined E-Mails.......................................................................................................54
Search Quarantined E-Mails using Duration...............................................................................56
Advanced Search for Quarantined E-Mails.................................................................................57
Quarantine Details......................................................................................................................58
Chapter 6 Manage Reports ...........................................................................................................59
Create Custom Reports..............................................................................................................60
Search....................................................................................................................................60
Filters .....................................................................................................................................62
Duration..................................................................................................................................63
Columns.................................................................................................................................64
Group By................................................................................................................................66
Custom Report Controls.........................................................................................................66
Run Custom Reports ..................................................................................................................67
Edit Custom Reports...................................................................................................................67
Copy Custom Reports.................................................................................................................67
Save and Schedule Reports.......................................................................................................68
Save.......................................................................................................................................68
Save and Schedule................................................................................................................68
Delete Reports............................................................................................................................69
Chapter 7 Create and Use Quick Reports....................................................................................70
Define Quick Reports..................................................................................................................70
Create Quick Reports .................................................................................................................73
Create PDFs for Quick Reports..................................................................................................74
Schedule Quick Reports.............................................................................................................74
Chapter 8 Network Reports ..........................................................................................................75
TCP Resets ................................................................................................................................77
Application Protocols ..................................................................................................................78
IP Defragmenter .........................................................................................................................79
Inline Module ..............................................................................................................................80
Network Statistics .......................................................................................................................81
TCP Processor ...........................................................................................................................82
Proxy...........................................................................................................................................83
Mail.............................................................................................................................................84
Connect ......................................................................................................................................85
Web Walker................................................................................................................................85

Chapter 9 Manage Users, Roles, and Groups.............................................................................86
Access Control in CommandPost...............................................................................................87
Small Security Teams.................................................................................................................88
Define User Profiles....................................................................................................................88
Add or Edit a Local User.............................................................................................................89
Delete a User..............................................................................................................................91
Define Alert Management Groups ..............................................................................................92
Add or Edit an Alert Management Group ...............................................................................92
Delete an Alert Management Group.......................................................................................93
Define User Roles.......................................................................................................................93
Access Roles .........................................................................................................................94
Add or Edit a Custom Role.....................................................................................................95
Delete a Custom Role............................................................................................................96
Chapter 10 Configure Fidelis XPS Components.........................................................................97
The Component Page.................................................................................................................97
Component Information ..............................................................................................................97
Status Lights ..........................................................................................................................97
Details....................................................................................................................................97
License Messages..................................................................................................................98
Component Buttons................................................................................................................98
Add a Sensor..............................................................................................................................99
Edit a Sensor..............................................................................................................................99
License...................................................................................................................................99
Expiration.............................................................................................................................100
System Monitor ....................................................................................................................100
Logs .....................................................................................................................................102
Configure CommandPost..........................................................................................................103
User Authentication..............................................................................................................103
Email Configuration..............................................................................................................107
User Notification...................................................................................................................108
LDAP Configuration..............................................................................................................109
LDAP Reports ......................................................................................................................111
Alert Storage ........................................................................................................................112
CommandPost Language Configuration ..............................................................................113
Diagnostics...........................................................................................................................114
Archive.................................................................................................................................115
Configure Sensors....................................................................................................................116
Sensor Run Time Information ..............................................................................................116
Sensor Config Page.............................................................................................................116
Direct and Internal................................................................................................................117

Proxy....................................................................................................................................122
Mail.......................................................................................................................................123
Web Walker..........................................................................................................................125
Connect................................................................................................................................127
EMail Relayhost ...................................................................................................................129
Sensor Language Configuration...........................................................................................129
Chapter 11 Version Control ........................................................................................................131
Fidelis Release Naming Conventions.......................................................................................131
Update Fidelis XPS...................................................................................................................132
Prepare to Update................................................................................................................132
Run Update..........................................................................................................................132
Update Progress..................................................................................................................133
Schedule Update......................................................................................................................134
Cancel Scheduled Jobs............................................................................................................135
Chapter 12 Configure Exports....................................................................................................136
Export Methods.........................................................................................................................136
Fidelis Archive......................................................................................................................136
EMail and Syslog .................................................................................................................136
SNMP Trap and ArcSight.....................................................................................................138
Verdasys Digital Guardian....................................................................................................138
IBM SiteProtector.................................................................................................................138
Define Exports..........................................................................................................................139
Available Export Buttons......................................................................................................140
Testing Export Communication ............................................................................................140
Delete Exports ..........................................................................................................................140
Chapter 13 Audit..........................................................................................................................141
Access Audit.............................................................................................................................141
Search for Audit Entries............................................................................................................142
Search Terms.......................................................................................................................142
Notes about Search Options................................................................................................143
Time Periods........................................................................................................................143
Chapter 14 Backup and Restore.................................................................................................144
Accessing the Command Line Interface ...................................................................................144
Backup and Restore CommandPost.........................................................................................144
Backup CommandPost.........................................................................................................144
Restore CommandPost........................................................................................................145
Backup and Restore a Sensor..................................................................................................146
Chapter 15 Archive......................................................................................................................147
Export Archive Data .............................................................................................................147
Import Archive Data..............................................................................................................147

Index.............................................................................................................................................149
List of Tables
Table 1. Critical conditions................................................................................................................ 9
Table 2. High severity conditions...................................................................................................... 9
Table 3. Controls .............................................................................................................................16
Table 4. Filter Lists ..........................................................................................................................20
Table 5. Actions list options.............................................................................................................24
Table 6. System Reports.................................................................................................................30
Table 7. Alert search fields..............................................................................................................32
Table 8. Sections in Alert Details.....................................................................................................42
Table 9. Decoding paths..................................................................................................................46
Table 10. Quarantined E-mail: search fields....................................................................................55
Table 11. Quarantined E-mail: advanced search fields ...................................................................57
Table 12. Search Fields...................................................................................................................60
Table 13. Filters...............................................................................................................................62
Table 14. System report columns....................................................................................................64
Table 15. Quick reports ...................................................................................................................71
Table 16. Determine user access....................................................................................................90
Table 17. User access levels...........................................................................................................94
Table 18. General parameters.......................................................................................................119
Table 19. Advanced parameters....................................................................................................120
Table 20. Proxy parameters ..........................................................................................................122
Table 21. Mail parameters.............................................................................................................124
Table 22. Web Walker parameters................................................................................................125
Table 23. Connect: General parameters........................................................................................127
Table 24. Alert Export keywords....................................................................................................137
Table 25. Audit Log columns .........................................................................................................142

Preface
This guide describes how to use the Fidelis XPS™CommandPost™ console to monitor and
manage security alerts, to configure sensors, and to create and maintain CommandPost users
This guide contains the following chapters:
The Overview describes Fidelis XPS: the CommandPost Management Console and other
moudules. This section also briefly describes prebuilt and custom policies.
Chapter 1 Getting Started describes how to access and navigate CommandPost, change account
information, and access more information.
Chapter 2 describes the and how to use alert radar and Information Flow Map.
Chapter 3 describes how to manage alert workflows.
Chapter 4 describes the alert report and how to use alert features.
Chapter 5 describes the quarantine management list and how to manage quarantined e-mails.
Chapter 6 describes how to manage Custom Reports.
Chapter 7 describes how to create and use Quick Reports.
Chapter 8 describes how to use network reports.
Chapter 9 describes how to create and modify user information.
Chapter 10 describes how to configure CommandPost and Fidelis XPS sensors.
Chapter 11 describes how to update and manage Fidelis XPS versions.
Chapter 12 describes how to configure exports.
Chapter 13 describes the Audit feature and how to run it from the CommandPost GUI.
Chapter 14 describes how to back up and restore CommandPost and sensors.
Chapter 15 describes how to archive alert and session data on the CommandPost.
Intended Audience
This information is intended for network system administrators familiar with networking, computer
security, and with the security requirements and practices of their enterprises. This help system
and related guides are intended for users that fit into at least one of the following major categories:
• The alert and quarantine managers are frequent users of the system, likely to visit the
CommandPost GUI several times each day. Both roles are usually filled by system
administrators responsible for reviewing alerts (or quarantined e-mails) and managing any
action required within the enterprise. Alert and quarantine management require high-level
data analysis and the ability to delve into the details of any single violation.
• The network IT manager will be the first to touch the CommandPost, but is expected to rarely
use Fidelis XPS after initial installation. The IT manager might need to adjust sensor network
settings and CommandPost-to-sensor communications, manage CommandPost users and
their credentials, and monitor network statistics to verify connectivity.

Technical Support
For all technical support related to this product, check with your site administrator to determine
support contract details. Contact your reseller or, if you have a direct support contract, the
Fidelis Security support team at:
Phone: +1 301.652.7190*
Toll-free in the US: 1.800.652.4020*
*Use the customer support option.
E-mail: support@fidelissecurity.com
Web: https://portal.fidelissecurity.com
Available Guides
The following guides are available:
The Guide to Creating Policies describes how to define policies and the rules and fingerprints that
policies contain.
The Guide to Prebuilt Policies describes policies that ship with Fidelis XPS and the rules and
fingerprints that these policies contain. This guide also indicates which rules and fingerprints might
need to be configured for your enterprise.
The Enterprise Setup and Configuration Guide describes how to set up and configure Fidelis XPS
hardware.
Release Notes are updated with each release to provide information about new features, major
changes, and bugs corrected.

Fidelis XPS™ Overview
Since 2002, organizations have chosen the Fidelis Extrusion Prevention System®, Fidelis XPS™,
to solve their biggest data leakage challenges—safeguarding intellectual property and identity
information, complying with government and industry privacy regulations, and enabling visibility and
control of their networks. Built on a patented deep session inspection™ platform, Fidelis XPS is the
industry's only next-generation data leakage prevention solution with the power to deliver
comprehensive prevention over all 65,535 ports and all channels, complete visibility and control,
and the lowest total cost-of-ownership to stop network data leakage on gigabit-speed networks.
Simply deployed as a context-aware network appliance, Fidelis XPS gives global enterprises
unequalled accuracy, security, and performance.
Enterprises use Fidelis XPS to protect against leakage of sensitive information and to enforce
corporate network usage policies. Sensitive information examples include trade secrets, budgets,
contracts, merger and acquisition activity, consumer information, research, and many other forms.
Enforcement of network usage policies includes usage of corporate resources for personal
activities, proper handling of sensitive data, and proper usage of network security measures in
place for web proxies, e-mail gateways, and more.
The Fidelis Extrusion Prevention System product family includes multiple Fidelis XPS sensors—
each designed to address the most demanding network environments—and the CommandPost™
management console. Refer to Fidelis XPS Modules.
Data leakage prevention (DLP), or extrusion prevention, is also accomplished through policies that
map Fidelis XPS technology to laws and regulations so that business infrastructure requirements
are met. Refer to Fidelis XPS Policies.
Fidelis XPS Modules
Fidelis XPS modules and the appliances on which they reside include several types of sensors
placed within your network and a management console. The sensors can be deployed to specific
areas of the network to provide control and visibility as needed. This section describes how an
enterprise might deploy Fidelis XPS modules and provides an overview of all available sensors and
the CommandPost console.
Figure 1. Fidelis XPS Modules

CommandPost
The CommandPost module is the management console and offers web-based enterprise
administration and strong third-party product integration. CommandPost collects, aggregates, and
stores data from multiple sensors.
You can access the web-based CommandPost GUI from anywhere on your network to:
• Visually monitor and analyze network alerts and other data in real time.
• Enable, disable, or customize policies and rules as required.
• Add, configure, and manage sensors and the console itself.
• Create CommandPost users with granular access control, using any of several user
authentication mechanisms, including integration with a user directory server.
• Export information to a third-party network alert aggregation system.
• Use the built-in reports or customize reports to your requirements. Reports can be scheduled
for automatic delivery or run in real time with click-through drill-down capability.
For information about setting up CommandPost, refer to chapters 2 and 4 in the Enterprise Setup
and Configuration Guide. To get started using CommandPost, refer to Getting Started. For more
information about CommandPost's configuration features, refer to Configure CommandPost.
Direct
The Direct module is used to monitor direct-to-Internet traffic and provides prevention on all ports
and all application protocols. Products with the Direct module are typically deployed at the network
perimeter, inline or out-of-band to monitor applications and protocols at multi-gigabit speed.
Fidelis offers products with the Direct module ranging from 25 Mb/s to 2.5 Gb/s.
For more details, refer to Direct and Internal. For information about setting up and configuring
Direct, refer to chapter 5 in the Enterprise Setup and Configuration Guide.
Internal
The Internal module addresses internal traffic to ensure protection for your enterprise's databases,
file shares, and user directories. Products with Internal capability are typically deployed in the
network core to provide visibility and control of information leaving data centers or transmitted
between divisions. The Internal module provides prevention on all ports and all protocols.
Fidelis XPS offers products with Internal modules ranging from 25 Mb/s to 2.5 Gb/s.
For more details, refer to Direct and Internal. For information about setting up and configuring this
sensor, refer to chapter 5 in the Enterprise Setup and Configuration Guide.
Proxy
The Proxy module offers an interface to a third party HTTP proxy using the Internet Content
Adaptation Protocol (ICAP). ICAP is a lightweight and extensible point-to-point protocol used for
requesting services for content inspection.
The Proxy module offers the following advantages for HTTP traffic:
• Prevention can be accomplished by redirecting the user to a customizable web page that
states their violation and other applicable information.
• When combined with an ICAP-enabled SSL proxy, the Proxy module can access unencrypted
data destined to secure web sites.
Refer to Proxy. For information about setting up and configuring this sensor, refer to chapter 6 in
the Enterprise Setup and Configuration Guide.
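The exchange behind this kind of ICAP-based prevention, as an added illustration that is not Fidelis code: the proxy wraps the outbound HTTP request in an ICAP REQMOD message, and the inspection service answers 204 (no change) when the content is clean or 200 with an encapsulated HTTP redirect to the block page when a policy matches. The service URI, the block page URL, and the marker-string policy are assumptions; the message layout follows RFC 3507.

```python
"""Illustrative ICAP REQMOD exchange for proxy-based content inspection.

Constructed example, not Fidelis code. A proxy forwards an outbound HTTP
request to an ICAP service; the service returns 204 when the request may
proceed and 200 with an encapsulated HTTP redirect when a policy matches.
"""
from typing import Callable, Dict, Tuple

CRLF = "\r\n"
SERVICE_URI = "icap://dlp.example.invalid/reqmod"  # assumed service name
BLOCK_PAGE = "http://dlp.example.invalid/blocked"    # assumed block page URL


def build_reqmod(http_request: bytes) -> bytes:
    """Proxy side: wrap a raw HTTP request (headers + optional body) in ICAP REQMOD."""
    head_end = http_request.index(b"\r\n\r\n") + 4
    headers, body = http_request[:head_end], http_request[head_end:]
    if body:
        # Body is sent in ICAP chunked encoding after the header block.
        enc = f"req-hdr=0, req-body={len(headers)}"
        payload = headers + f"{len(body):x}".encode() + b"\r\n" + body + b"\r\n0\r\n\r\n"
    else:
        enc = f"req-hdr=0, null-body={len(headers)}"
        payload = headers
    icap_head = (f"REQMOD {SERVICE_URI} ICAP/1.0{CRLF}"
                 f"Host: dlp.example.invalid{CRLF}"
                 f"Encapsulated: {enc}{CRLF}{CRLF}")
    return icap_head.encode() + payload


def split_icap(message: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Return (start line, ICAP headers, encapsulated payload) of an ICAP message."""
    head_end = message.index(b"\r\n\r\n")
    lines = message[:head_end].decode().split(CRLF)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, message[head_end + 4:]


def parse_encapsulated(value: str) -> Dict[str, int]:
    """Turn 'req-hdr=0, req-body=123' into {'req-hdr': 0, 'req-body': 123}."""
    return {k.strip(): int(v) for k, v in (p.split("=") for p in value.split(","))}


def dechunk(data: bytes) -> bytes:
    """Decode an ICAP chunked body (no trailers expected)."""
    out, pos = b"", 0
    while True:
        line_end = data.index(b"\r\n", pos)
        size = int(data[pos:line_end], 16)
        pos = line_end + 2
        if size == 0:
            return out
        out += data[pos:pos + size]
        pos += size + 2


def inspect_reqmod(icap_request: bytes,
                   violates: Callable[[bytes, bytes], bool]) -> bytes:
    """Service side: apply the policy callback to the encapsulated HTTP request."""
    _, icap_headers, payload = split_icap(icap_request)
    offsets = parse_encapsulated(icap_headers["encapsulated"])
    hdr_len = offsets.get("req-body", offsets.get("null-body", len(payload)))
    http_headers = payload[:hdr_len]
    http_body = dechunk(payload[hdr_len:]) if "req-body" in offsets else b""
    if not violates(http_headers, http_body):
        return f"ICAP/1.0 204 No Content{CRLF}{CRLF}".encode()
    # Policy match: replace the request with a redirect to the block page.
    res_hdr = f"HTTP/1.1 302 Found{CRLF}Location: {BLOCK_PAGE}{CRLF}{CRLF}".encode()
    icap_head = (f"ICAP/1.0 200 OK{CRLF}"
                 f"Encapsulated: res-hdr=0, res-body={len(res_hdr)}{CRLF}{CRLF}")
    return icap_head.encode() + res_hdr + b"0\r\n\r\n"


def proxy_outcome(icap_response: bytes) -> Tuple[int, str]:
    """Proxy side: (ICAP status, redirect target or '' if the request may proceed)."""
    start, icap_headers, payload = split_icap(icap_response)
    status = int(start.split()[1])
    if status == 204:
        return status, ""
    offsets = parse_encapsulated(icap_headers["encapsulated"])
    res_hdr = payload[:offsets["res-body"]].decode()
    for line in res_hdr.split(CRLF):
        if line.lower().startswith("location:"):
            return status, line.split(":", 1)[1].strip()
    return status, ""


def contains_marker(headers: bytes, body: bytes) -> bool:
    """Constructed stand-in for a real policy: a registered marker string in the body."""
    return b"CONFIDENTIAL-PROJECT-X" in body
```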

Mail
The Mail module provides graceful control of your enterprise's e-mail traffic. The Mail module
supports monitoring and prevention similar to the Direct module, but also offers the ability to
quarantine and to redirect messages to secure e-mail gateways. You can deploy products with the
Mail module in an SMTP path in MTA mode or with a Milter-enabled e-mail gateway.
For more details, refer to Mail. For information about setting up and configuring this sensor, refer to
chapter 7 in the Enterprise Setup and Configuration Guide.
Web Walker
The Web Walker module is used to scan all content on one or more internal web sites and analyze
the data against your extrusion policies. Deploying products with the Web Walker module in your
environment will notify you if sensitive material is available on your web site.
For more details, refer to Web Walker. For information about setting up and configuring this sensor,
refer to chapter 8 in the Enterprise Setup and Configuration Guide.
Connect
The Connect module provides content inspection services to any application that provides a Simple
Content Inspection Protocol (SCIP) interface. SCIP is a TCP-based, client-server communication
protocol that provides the ability to submit information for content analysis and retrieve results.
For more details, refer to Connect. For information about setting up and configuring this sensor,
refer to chapter 9 in the Enterprise Setup and Configuration Guide.
Fidelis XPS Policies
A policy is a set of rules that guide business practices within an enterprise. Some examples include
determining acceptable use of network resources, preventing transmission of sensitive information,
and ensuring compliance with privacy laws.
Fidelis XPS provides policy-based enforcement that maps rules to your enterprise's content
disclosure or network use policies.
Prebuilt Policies
Fidelis XPS ships with multiple policies that are grouped into one of the following categories:
• Compliance.
• Protection of digital assets and sensitive information.
• Managing insider use of the Internet.
All prebuilt policies will require some level of configuration, as described in the Guide to Prebuilt
Policies.
Compliance
Fidelis XPS can be used to enforce policies to comply with federal and state privacy laws and
industrial security standards. Such laws and standards include HIPAA, GLBA, PCI and many
others. The following policies use rules that can prevent inappropriate transmission of this
information:
• Identity Leakage
• HIPAA
• PCI
• Financial Information

Protection of Digital Assets and Sensitive Information
Fidelis XPS can be used to enforce policies pertaining to corporate sensitive information. These
policies are:
• Digital Asset Protection (DAP) provides the capability to detect and prevent sensitive
materials from being leaked through the network.
• U.S. Federal Government provides enforcement of Department of Defense Directive 5200.1.
Managing Insider Use of the Internet
Fidelis XPS can be used to enforce corporate policy pertaining to the acceptable use of Internet
resources. The policies in this category are:
• Application Management (AM) enables enforcement against unauthorized applications, such as
peer-to-peer file sharing, instant messenger, access to web-based e-mail systems, and many
others.
• Unauthorized Traffic (UT) is the detection and prevention of users who circumvent corporate
security measures by using unauthorized proxies, defeating firewall rules, and using
unauthorized encryption methods.
• Inappropriate Content enforces policies regarding offensive material or language on the
corporate network.
In addition, the File Transfer Management policy can apply to each major category. Using this
policy and customizing it appropriately enables you to manage the types of files transferred over
the network.
For more detailed information about each policy, refer to the Guide to Prebuilt Policies.
Custom Policies
In addition to the prebuilt policies, it is possible to use the rich policy creation engine to define any
network security policy required within your enterprise. Policies are a collection of rules, which are
based on some definition of network traffic. The definition can be one or more of the following
methods of identifying network traffic:
• Content refers to the textual content of an e-mail message, an IM chat, a file, or any other
container of information. Fidelis XPS offers eleven methods to describe sensitive information,
which include methods to register and methods to profile the information. Registration refers
to the process of locating the sensitive information in its original format, sending it to
CommandPost, and registering the content. Profiling refers to methods to describe sensitive
information without the need to locate it.
• Location refers to the sender or the recipient of the information.
• Channel refers to all other aspects of network communication including the application
protocol, attributes (such as URL, FTP user name, and social networking application modes
of operation), the time of day and day of the week, the length of the communication, and
many other parameters.
Using the combination of configured prebuilt and custom policies, an administrator is able to use
Fidelis XPS to enforce all corporate policies for network usage and confidentiality.
For information about editing or creating policies and rules for your enterprise, refer to the Guide to
Creating Policies.

Chapter 1 Getting Started
Fidelis XPS is a real-time, extrusion prevention system that detects and prevents network abuse
and extrusions. It reassembles and analyzes traffic on your computer network. Fidelis XPS
accomplishes this through its sensors and the CommandPost management console. CommandPost
enables you to manage and configure the sensors that detect network abuse and extrusions.
This chapter provides information on how to get started using CommandPost including: accessing
and navigating CommandPost, changing your account information, and where to find more
information.
Access CommandPost
You can access CommandPost from anywhere on your network by using a web browser that
supports SSL. Communications between the sensors and CommandPost, and between
CommandPost and the web-based GUI, are encrypted SSL communications.
CommandPost has been verified with Microsoft Internet Explorer versions 6, 7 and 8 and with
Mozilla Firefox versions 1, 2, and 3.
For CommandPost to work properly, your client workstation must have the following installed:
• Adobe Flash Player – obtain a recent version of Adobe Flash Player free of charge from the
Adobe web site at www.adobe.com.
• WinSCP – available free of charge from the WinSCP web site at www.winscp.net. WinSCP
transfers files to CommandPost for policy creation and verification. All other aspects of
CommandPost function properly without WinSCP.
• Allow pop-up windows from the CommandPost server.
• Enable JavaScript execution in your browser.
Change your Account
From your browser, navigate to the IP address of the console device and log in with the user name
and password that Technical Support provides. The CommandPost Radar page displays.
Change the password for this account immediately after your first login.
Note: Access to account information is determined based on the CommandPost
configuration for user authentication. Questions should be addressed to your
CommandPost system administrator.
To do this:
1. Click the Account link at the top right corner. The Change Account dialog box displays.
Figure 2. Change Account Information
2. Enter your old password and then enter your new password.
3. Re-enter your new password.
4. You can change the full name and the e-mail address associated with this account.

5. Click Change. CommandPost saves the new password, name, and e-mail address. If you
changed the password, the system will log you out.
6. Log in with your new password.
7. Add a new user for each CommandPost user. Fidelis recommends adding at least one new
user, even if you are the only one accessing the system. Refer to Users for more information.
Access the Guides
Click the help icon at the top of the CommandPost GUI. The Fidelis XPS WebHelp system
displays. Click the PDF Downloads link in the Table of Contents to display the Guides page with its
links to the PDF files for the guides, the release notes, and the redistribution notice.
The information in the User Guide and The Guide to Creating Policies is accessible in WebHelp.
Lock Icon
Fidelis XPS CommandPost and sensors communicate over encrypted SSL connections, using
self-signed certificates and an internal authentication method. This mode can be overridden by
installing externally generated certificates that use the Public Key Infrastructure (PKI). Refer to the
Enterprise Setup and Installation Guide for information about installing PKI certificates to run in this
mode.
When operating with PKI certificates, a lock icon appears at the top right of the CommandPost
menu bar. You can mouse over the lock icon to see the expiration date for the certificate.
CommandPost Navigation
With the exception of Radar, clicking a main menu option in the CommandPost GUI displays
subnavigation menus. A highlighted option from the subnavigation menu indicates which page is
currently accessed. CommandPost navigation is "sticky," meaning that if you later return to the
same major heading, the page last accessed displays.
Note: Users need permissions to see many of the menu options. If a user does not
have the appropriate permissions for a menu option, that option does not display.
Refer to User Roles.
System Status
System Status provides information about Fidelis XPS components and their status that you can
access from any GUI page. The diamond next to System Status reflects the status of the
component with the highest severity. Mouse over the System Status diamond to see the list of
components. The component list that displays includes CommandPost and all registered sensors
that are within the user's access privileges. Refer to Define User Profiles. Mouse over
a component in the list to see a message about that component's status. Each component has a
green, yellow, or red diamond next to it to indicate the severity of the component's status.
Note: Users need permissions to see system status. Refer to User Roles.
A green diamond indicates that the component is operational.
A red diamond indicates a condition with critical severity. The following table describes some of the
more common conditions that can cause system status messages with this severity.

Table 1. Critical conditions
Condition | Description
Invalid License | Contact Technical Support for a new license.
Sensor has lost connection; Sensor has not communicated in the last 10 minutes | Sensors can lose connectivity with the CommandPost for a number of reasons.
Insufficient disk space, alerts & sessions not being inserted | This can occur if CommandPost cannot insert alerts or sessions into the data store.
Unable to make space for alerts/sessions, alerts & sessions not being inserted | This can occur if CommandPost cannot delete alerts or sessions from the data store when operating at space limitations.
Process is having difficulties starting | The process manager sends this notification if it cannot start one of the server processes on the sensor or on CommandPost.
Disk space on partition is gone | The process manager runs on sensors and checks the disk periodically.
A yellow diamond indicates a condition with high severity. The following table describes some of
the more common conditions that can cause system status messages with this severity.
Table 2. High severity conditions
Condition | Description
High stress levels | Fidelis XPS sensors reassemble packets into sessions in the sensor memory. Stress is an indication of the amount of memory currently consumed by the sensor for reassembly. As stress increases, the sensor's ability to analyze all traffic diminishes. There are several reasons for increased stress:
  1. When the incoming data is missing packets, stress will be high. In this situation, the sensor cannot efficiently reassemble sessions. In high stress situations with high packet loss, the sensor may be inoperable. Packet loss is the most common culprit in high sensor stress and must be remedied within the enterprise network.
  2. When sustained network bandwidth exceeds the rating of the sensor, stress may be high. The remedy is to analyze the sensor model and whether it is rated to handle the observed network bandwidth.
  3. When network bandwidth exceeds the rating of the sensor for small bursts, stress may rise temporarily. The sensor can withstand bursts, as indicated by momentary rises in the stress level.
Policy update required | This occurs when policy assignments on CommandPost are not sent to the sensors by a policy update. The sensor will be executing the last policy download, not the assignments shown on CommandPost. Refer to chapter 9 in the Guide to Creating Policies.
License refresh required; License expired; License expires within one day; License expires in [number of] days; Demo mode; License error | Ensure that you entered the license key for the component. Refer to License. Contact Technical Support if you require a new license.
No sensor registered | Register each sensor with the CommandPost. Refer to Add a Sensor.
[number of] alerts & [number of] sessions deleted to create space | CommandPost deletes alerts from the data store when operating at space limitations.
Database maintenance running, alerts are being spooled | This occurs when database maintenance takes place on CommandPost. Refer to Alert Storage to schedule this maintenance.
Rate of logging too high, spooler cannot keep up | A sensor sends this message if it cannot write alerts to the spool file fast enough.
Logout
To securely log out of CommandPost, click the logout link at the top of the page. Logging out will
end your browser session with CommandPost.
Note: If inactive for 15 minutes, CommandPost will log you out.
Using Non-ASCII Characters in Fidelis XPS
Fidelis XPS supports the use of non-ASCII characters in most input fields. The fields that do not
allow Unicode are: e-mail addresses, host names, domain names, login names, and server
directory names. CommandPost user names and passwords also do not support Unicode
characters.

Chapter 2 The Dashboard
The Dashboard enables you to access either the Fidelis XPS Radar page or the Information Flow
Map page.
All users can access the Radar or the Information Flow Map page.
Both the Radar and the Information Flow Map pages require the Adobe Flash Player. Refer to
Getting Started for details.
The Radar Page
CommandPost’s unique Radar page is a real-time graphical representation of alerts occurring on
your network.
To access this page, click Dashboard>Radar.
The Radar page refreshes with new alert data periodically. Alerts are caused by events on your
network.
What is an event?
When a Fidelis XPS sensor detects an extrusion of sensitive information or security breach, it
generates an event. An event can be generated as the result of a match to a specific rule and can
result in generating an alert, preventing the session, throttling the session, quarantining e-mail,
rerouting e-mail, or combinations of these actions.
What is an alert?
An alert is the recorded and displayed incidence of an event. Alerts are generated only if the alert
action for an event is enabled in the violated rule. Alerts are transferred to and stored by
CommandPost.
Figure 3. The Radar page
What is alert radar?
Alert Radar graphically represents alerts occurring on your network, grouped by common
characteristics identified by CommandPost’s Adaptive Alert Classifier, which uses artificial neural
network technology.

What are alert clusters?
CommandPost’s Adaptive Alert Classifier groups related network alerts into an alert cluster.
Clusters are a visual presentation of similar alerts. When creating a cluster, CommandPost
considers the sender and receiver of the information transfer, the time of the transfer, the sensor on
which the alert was detected, the rule violated, and the priority of an alert.
CommandPost creates clusters based on similar information, but not necessarily equivalent or
related information. For example, alerts with similar, but not equal, source IP addresses may be
grouped in a single cluster, which may be indicative of a problem generated by a location rather
than an individual. Also, alerts from a similar time period during normal working hours may be
grouped together while others occurring during non-working hours may be grouped into a different
cluster.
A cluster is represented by a dot or a line on the alert radar. The line represents a cluster that
contains several alerts over time. The line connects the first and most recent alerts within the
cluster. A dot represents a single alert or several alerts that were detected at the same time.
The clusters are intended as a visual representation of alert activity and are not necessarily
presented in the best form for investigation into network behavior. CommandPost offers many
features for investigative purposes, including the Alerts and Alert Details pages, the Quarantine and
Quarantine Details pages, reports, searches, filtering, and sorting.
What does the Radar show?
Alert clusters requiring immediate attention are in red. Orange-colored clusters represent alerts
with a high severity, alerts with medium severity are colored in blue, and green symbolizes a
low-level alert. The shape of the alert cluster on the radar corresponds to its duration: an alert
grouping that appears as a point has a brief duration, and an alert grouping over a longer duration
may appear as a line. Severity is determined, per rule, when the rule is created.
What is a time horizon?
The Alert Radar shows data over a configurable time horizon. As the radar beam sweeps over the
alert cluster, each alert cluster is identified by rule. Mousing over the alert cluster displays a pop-up
containing more information including:
• Rule: the rule violated by the alerts in the cluster.
• Sensor: provides the name of the sensor that detected the alert.
• Source address: indicates the sender’s IP address.
• Destination address: indicates the receiver’s IP address.
• Duration: provides the time difference between the oldest and newest alerts in the cluster.
As you mouse over the radar and change the horizon, you will notice a change to the key in the
lower right-hand corner of the page. The numbers listed here refer to the number of alert clusters,
per severity level, that fall into the current time horizon. If any portion of a radar line falls within the
horizon, that cluster is included in the key.
Uses of Alert Radar
Alert Radar allows network security personnel to monitor at a glance significant alerts occurring on
the network.
The maximum time horizon can be set from 1 hour to 96 days by selecting from the pull-down
options at the top of the alerts table and clicking Go. Moving the mouse out from the radar’s center
allows you to examine data within that time horizon. As the mouse moves out, the number of alert
clusters displayed by severity changes in real time.