STRM Administration Guide

Transcription

1 Security Threat Response Manager Release 20.2 Juniper Networks, Inc. 94 North Mathilda Avenue Sunnyvale, CA USA Published:

2 Copyright Notice Copyright 20 Juniper Networks, Inc. All rights reserved. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. The following terms are trademarks or registered trademarks of other companies: Java TM and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. FCC Statement The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 5 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Juniper Networks installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 5 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Consult the dealer or an experienced radio/tv technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected. Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device. Disclaimer THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT, SUBJECT TO THE MODIFICTAIONS SET FORTH BELOW ON THIS PAGE, ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY. Release 20.2 Copyright 20, Juniper Networks, Inc. All rights reserved. Printed in USA. Revision History September 204 The information in this document is current as of the date listed in the revision history. END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ( EULA ) posted at as modified by the following text, which shall be treated under the EULA as an Entitlement Document taking precedence over any conflicting provisions of such EULA as regards such software: As regards software accompanying the STRM products (the Program ), such software contains software licensed by Q Labs and is further accompanied by third-party software that is described in the applicable documentation or materials provided by Juniper Networks. 2

3 For the convenience of Licensee, the Program may be accompanied by a third party operating system. The operating system is not part of the Program, and is licensed directly by the operating system provider (e.g., Red Hat Inc., Novell Inc., etc.) to Licensee. Neither Juniper Networks nor Q Labs is a party to the license between Licensee and the third party operating system provider, and the Program includes the third party operating system AS IS, without representation or warranty, express or implied, including any implied warranty of merchantability, fitness for a particular purpose or non-infringement. For an installed Red Hat operating system, see the license file: /usr/share/doc/redhat-release-server-6server/eula. By downloading, installing or using such software, you agree to the terms and conditions of that EULA as so modified.

4 4

5 CONTENTS ABOUT THIS GUIDE Audience Documentation Conventions Technical Documentation Requesting Technical Support OVERVIEW Supported Web Browsers Enabling Compatibility View for the Microsoft Internet Explorer Web Browser... 5 About the User Interface Admin Tab Overview Deploying Changes Updating User Details Resetting SIM About High Availability (HA) Monitoring STRM Systems with SNMP USER MANAGEMENT User Management Overview Role Management Creating a User Role Editing a User Role Deleting a User Role Managing Security Profiles Permission Precedences Creating a Security Profile Editing a Security Profile Duplicating a Security Profile Deleting a Security Profile User Account Management Creating a User Account Editing a User Account Deleting a User Account Authentication Management Authentication Overview Before You Begin Configuring System Authentication

6 Configuring RADIUS Authentication Configuring TACACS Authentication Configuring Active Directory Authentication Configuring LDAP Authentication Configuring Your SSL Certificate User Role Parameters Security Profile Parameters User Management Window Parameters User Management Window Toolbar User Details Window Parameters MANAGING THE SYSTEM License Key Management Updating Your License Key Exporting Your License Key Information Restarting a System Shutting Down a System Access Setting Management Configuring Firewall Access Updating Your Host Setup Configuring Interface Roles Changing Passwords Time Server Configuration Configuring Your Time Server Using RDATE Manually Configuring Time Settings for Your System MANAGING HIGH AVAILABILITY Adding an HA Cluster Editing an HA Cluster Removing an HA Host Setting an HA Host Offline Setting an HA Host Online Restoring a Failed Host HA Status s HA Wizard Parameters Advanced HA Wizard Parameters SETTING UP STRM Network Hierarchy Best Practices Acceptable CIDR Values Defining Your Network Hierarchy Automatic Updates About Automatic Updates Viewing Pending Updates Configuring Automatic Update Settings

7 Scheduling an Update Clearing Scheduled Updates Checking for New Updates Manually Installing Automatic Updates Viewing Your Update History Restoring Hidden Updates Viewing the Autoupdate Log Configuring System Settings Configuring Your IF-MAP Server Certificates Configuring IF-MAP Server Certificate for Basic Authentication Configuring IF-MAP Server Certificate for Mutual Authentication Event and Flow Retention About Retention Buckets Configuring Retention Buckets Managing Retention Bucket Sequence Editing a Retention Bucket Enabling and Disabling a Retention Bucket Deleting a Retention Bucket Configuring System Notifications Configuring the Console Settings Custom Offense Close Reasons About the Reason for Closing List Box Adding a Custom Offense Close Reason Editing Custom Offense Close Reason Deleting a Custom Offense Close Reason Index Management About Indexes Enabling Indexes MANAGING REFERENCE SETS Reference Set Overview Adding a Reference Set Editing a Reference Set Deleting Reference Sets Viewing the Contents of a Reference Set Adding a New Element to a Reference Set Deleting Elements From a Reference Set Importing Elements into a Reference Set Exporting Elements From a Reference Set MANAGING AUTHORIZED SERVICES Authorized Services Overview Viewing Authorized Services Adding an Authorized Service Revoking Authorized Services Customer Support Authenticated Service Dismissing an Offense

8 Closing an Offense Adding Notes to an Offense MANAGING BACKUP AND RECOVERY Backup and Recovery Overview Backup Archive Management Viewing Backup Archives Importing a Backup Archive Deleting a Backup Archive Backup Archive Creation Configuring Your Scheduled Nightly Backup Creating an On-Demand Configuration Backup Archive Backup Archive Restoration Restoring a Backup Archive Restoring a Backup Archive Created on a Different STRM System USING THE DEPLOYMENT EDITOR Deployment Editor Requirements About the Deployment Editor User Interface Menu Options Toolbar Functions Configuring Deployment Editor Preferences Building Your Deployment Event View Management STRM Components Adding Components Connecting Components Forwarding Normalized Events and Flows Renaming Components System View Management About the System View Page Software Version Requirements Encryption Adding a Managed Host Editing a Managed Host Removing a Managed Host Configuring a Managed Host Assigning a Component to a Host Configuring Host Context Configuring an Accumulator NAT Management About NAT Adding a NATed Network to STRM Editing a NATed Network Deleting a NATed Network from STRM Changing the NAT Status for a Managed Host Component Configuration

9 Configuring a Flow Processor Configuring an Event Collector Configuring an Event Processor Configuring the Magistrate Configuring an Off-Site Source Configuring an Off-Site Target MANAGING FLOW SOURCES Flow Source Overview NetFlow IPFIX sflow J-Flow Packeteer Flowlog File Napatech Interface Flow Source Management Adding a Flow Source Editing a Flow Source Enabling and Disabling a Flow Source Deleting a Flow Source Managing Flow Source Aliases About flow Source Aliases Adding a Flow Source Alias Editing a Flow Source Alias Deleting a Flow Source Alias CONFIGURING REMOTE NETWORKS AND SERVICES Remote Networks and Services Overview Default Remote Network Groups Default Remote Service Groups Best Practices Managing Remote Networks Adding a Remote Networks Object Editing a Remote Networks Object Managing Remote Services Adding a Remote Services Object Editing a Remote Services Object SERVER DISCOVERY Server Discovery Overview Discovering Servers FORWARDING EVENT DATA Event Forwarding Overview Add Forwarding Destinations

10 Configuring Bulk Event Forwarding Configuring Selective Event Forwarding Forwarding Destinations Management Tasks Viewing Forwarding Destinations Enabling and Disabling a Forwarding Destination Resetting the Counters Editing a Forwarding Destination Delete a Forwarding Destination Managing Routing Rules Viewing Rules Editing a Routing Rule Enabling or Disabling a Routing Rule Deleting a Routing Rule STORING AND FORWARDING EVENTS Store and Forward Overview Viewing the Store and Forward Schedule List Creating a New Store and Forward Schedule Editing a Store and Forward Schedule Deleting a Store and Forward Schedule A B C ENTERPRISE TEMPLATE Default Rules Default Building Blocks VIEWING AUDIT LOGS Audit log Overview Viewing the Audit Log File Logged Actions EVENT CATEGORIES High-Level Event Categories Recon DoS Authentication Access Exploit Malware Suspicious Activity System Policy CRE Potential Exploit SIM Audit VIS Host Discovery Application Audit

11 INDEX

12

13 ABOUT THIS GUIDE The STRM Administration guide provides you with information for managing STRM functionality requiring administrative access. Audience This guide is intended for the system administrator responsible for setting up STRM in your network. This guide assumes that you have STRM administrative access and a knowledge of your corporate network and networking technologies. Documentation Conventions Table - lists conventions that are used throughout this guide. Table - Icons Icon Type Information note Information that describes important features or instructions. Caution Warning Information that alerts you to potential loss of data or potential damage to an application, system, device, or network. Information that alerts you to potential personal injury. Technical Documentation You can access technical documentation, technical notes, and release notes directly from the Juniper Customer Support website at Once you access the Juniper Customer Support website, locate the product and software release for which you require documentation. Your comments are important to us. Please send your comments about this guide or any of the Juniper Networks documentation to: techpubs-comments@juniper.net. Include the following information with your comments: Document title

14 4 ABOUT THIS GUIDE Page number Requesting Technical Support Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC. JTAC policies For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at Product warranties For product warranty information, visit JTAC Hours of Operation The JTAC centers have resources available 24 hours a day, 7 days a week, 65 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: Search for known bugs: Find product documentation: Find solutions and answer questions using our Knowledge Base: Download the latest versions of software and review release notes: Search technical bulletins for relevant hardware and software notifications: Join and participate in the Juniper Networks Community Forum: Open a case online in the CSC Case Management tool: To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: Opening a Case with JTAC You can open a case with JTAC on the Web or by telephone. Use the Case Management tool in the CSC at Call JTAC ( toll-free in the USA, Canada, and Mexico). For international or direct-dial options in countries without toll-free numbers, visit us at

15 2 OVERVIEW This overview includes general information on how to access and use the STRM user interface and the Admin tab. Supported Web Browsers You can access the Console from a standard web browser. When you access the system, a prompt is displayed asking for a user name and a password, which must be configured in advance by the STRM administrator. Table -2 Supported Web Browsers Web browser Supported versions Mozilla Firefox 0.0 Due to Mozilla s short release cycle, we cannot commit to testing on the latest versions of the Mozilla Firefox web browser. However, we are fully committed to investigating any issues that are reported. Microsoft Windows Internet 8.0 Explorer, with Compatibility View 9.0 Enabled For instructions on how to enable Compatibility View, see Enabling Compatibility View for the Microsoft Internet Explorer Web Browser. Enabling Compatibility View for the Microsoft Internet Explorer Web Browser Step Step 2 To enable Compatibility View for the Microsoft Internet Explorer 8.0 and 9.0 web browser: Press F2 to open the Developer Tools window. Configure the following compatibility settings: Table - Microsoft Internet Explorer Web Browser Compatibility settings Browser version Option Internet Explorer 8.0 Browser Mode From the Browser Mode list box, select Internet Explorer 8.0. Document Mode From the Document Mode list box, select Internet Explorer 7.0 Standards.

16 6 OVERVIEW Table - Microsoft Internet Explorer Web Browser Compatibility settings (continued) Browser version Option Internet Explorer 9.0 Browser Mode From the Browser Mode list box, select Internet Explorer 9.0. Document Mode From the Document Mode list box, select Internet Explorer 7.0 Standards. About the User Interface You must have administrative privileges to access administrative functions. To access administrative functions, click the Admin tab on the STRM user interface. The Admin tab provides access to the following functions: Manage users. See User management. Manage your network settings. See Managing the system. Manage high availability. See Managing high availability. Manage STRM settings. See Setting Up STRM. Manage references sets. See Managing reference sets. Manage authorized services. See Managing authorized services. Backup and recover your data. See Managing backup and recovery. Manage your deployment views. See Using the deployment editor. Manage flow sources. See Managing flow sources. Configure remote networks and remote services. See Configuring remote networks and services. Discover servers. See Server discovery. Configure syslog forwarding. See Forwarding event data. Managing vulnerability scanners. For more information, see the Managing Vulnerability Assessment Guide. Configure plug-ins. For more information, see the associated documentation. Manage log sources. For more information, see the STRM Log Sources Users Guide. Admin Tab Overview The Admin tab provides several tab and menu options that allow you to configure STRM. The Admin tab includes the following functionality: System Configuration - Provides access to administrative functionality, such as automatic updates, backup and recovery, Console configuration, global system notifications, network hierarchy, system and license management, system settings, reference set management, user management, authentication, and authorized services.

17 Deploying Changes 7 Data Sources - Provides access to log source management, forwarding destinations, routing rules, custom event and flow properties, event and flow retention buckets, flow sources management, and vulnerability scanner management. Remote Networks and Services Configuration - Provides access to STRM remote networks and services. Plug-ins - Provides access to plug-in components. This option is only displayed if there are plug-ins installed on your Console. The Admin tab also includes the following menu options: Table -4 Admin Tab Menu Options Menu option Deployment Editor Deploy Changes Advanced Opens the Deployment Editor window. For more information, see Using the deployment editor. Deploys any configuration changes from the current session to your deployment. For more information, see Deploying Changes. The Advanced menu provides the following options: Clean SIM Model - Resets the SIM module. See Resetting SIM. Deploy Full Configuration - Deploys all configuration changes. For more information, see Deploying Changes. Deploying Changes When you update your configuration settings using the Admin tab, your changes are saved to a staging area where they are stored until you manually deploy the changes. About this Task Each time you access the Admin tab and each time you close a window on the Admin tab, a banner at the top of the Admin tab displays the following message: Checking for undeployed changes. If undeployed changes are found, the banner updates to provide information about the undeployed changes. If the list of undeployed changes is lengthy, a scroll bar is provided to allow you to scroll through the list. The banner message also recommends which type of deployment change to make. The two options are: Deploy Changes - Click the Deploy Changes icon on the Admin tab toolbar to deploy any configuration changes from the current session to your deployment. Deploy Full Configuration - Select Advanced > Deploy Full Configuration from the Admin tab menu to deploy all configuration settings to your deployment. All deployed changes are then applied throughout your deployment.

18 8 OVERVIEW CAUTION When you click Deploy Full Configuration, STRM restarts all services, which results in a gap in data collection for events and flows until deployment completes. After you deploy your changes, the banner clears the list of undeployed changes and checks the staging area again for any new undeployed changes. If none are present, the following message is displayed: There are no changes to deploy. Step Step 2 Step Procedure Click View Details. The details are displayed in groups. Choose one of the following options: To expand a group to display all items, click the plus sign (+) beside the text. When done, you can click the minus sign (-). To expand all groups, click Expand All. When done, you can click Collapse All. Click Hide Details to hide the details from view again. Perform the recommended task. Recommendations might include: From the Admin tab menu, click Deploy Changes. From the Admin tab menu, click Advanced > Deploy Full Configuration. Updating User Details Step Step 2 You can access your administrative user details through the main STRM interface. Procedure Click Preferences. Optional. Update the configurable user details: Parameter Password Password (Confirm) Enable Popup Notifications Type a new address. Type a new password. Type the new password again. Popup system notifications are displayed at the bottom right corner of the user interface. To disable popup notifications, clear this check box. For more information on the pop-up notifications, see the STRM Users Guide. Step If you made changes, click Save.

19 Resetting SIM 9 Resetting SIM Using the Admin tab, you can reset the SIM module, which allows you to remove all offense, source IP address, and destination IP address information from the database and the disk. This option is useful after tuning your deployment to avoid receiving any additional false positive information. About this Task The SIM reset process can take several minutes, depending on the amount of data in your system. If you attempt to navigate to other areas of the STRM user interface during the SIM reset process, an error message is displayed. Step Step 2 Step Step 4 Procedure Click the Admin tab. From the Advanced menu, select Clean SIM Model. Read the information on the Reset SIM Data Module window. Select one of the following options: Option Soft Clean Hard Clean Closes all offenses in the database. If you select the Soft Clean option, you can also select the Deactivate all offenses check box. Purges all current and historical SIM data including offenses, source IP addresses, and destination IP addresses. Step 5 Step 6 Step 7 Step 8 If you want to continue, select the Are you sure you want to reset the data model? check box. Click Proceed. When the SIM reset process is complete, click Close. When the SIM reset process is complete, reset your browser.

20 20 OVERVIEW About High Availability (HA) The High Availability (HA) feature ensures availability of STRM data in the event of a hardware or network failure. Each HA cluster consists of a primary host and a standby secondary host. The secondary host maintains the same data as the primary host by either replicating the data on the primary host or accessing a shared external storage. At regular intervals, every 0 seconds by default, the secondary host sends a heartbeat ping to the primary host to detect hardware or network failure. If the secondary host detects a failure, the secondary host automatically assumes all responsibilities of the primary host. HA is not supported in an IPv6 environment. For more information on managing HA clusters, see Managing high availability. Monitoring STRM Systems with SNMP STRM supports the monitoring of our appliances through SNMP polling. STRM uses the Net-SNMP agent, which supports a variety of system resource monitoring MIBs that can be polled by Network Management solutions for the monitoring and alerting of system resources. For more information on Net-SNMP, refer to Net-SNMP documentation.

21 2 USER MANAGEMENT When you initially configure STRM, you must create user accounts for all users that require access to STRM. After initial configuration, you can edit user accounts to ensure that user information is current. You can also add and delete user accounts as required. User Management Overview A user account defines the user name, default password, and address for a user. For each new user account you create, you must assign the following items: User role - Determines the privileges the user is granted to access functionality and information in STRM. STRM includes two default user roles: Admin and All. Before you add user accounts, you must create additional user roles to meet the specific permissions requirement of your users. Security profile - Determines the networks and log sources the user is granted access to. STRM includes one default security profile for administrative users. The Admin security profile includes access to all networks and log sources. Before you add user accounts, you must create additional security profiles to meet the specific access requirements of your users. Role Management Creating a User Role Using the User Roles window, you can create and manage user roles. Before you can create user accounts, you must create the user roles required for your deployment. By default, STRM provides a default administrative user role, which provides access to all areas of STRM. Before You Begin Users who are assigned an administrative user role cannot edit their own account. This restriction applies to the default Admin user role. Another administrative user must make any account changes. Step Step 2 Step Procedure Click the Admin tab. On the navigation menu, click System Configuration > User Management. Click the User Roles icon.

22 22 USER MANAGEMENT Step 4 Step 5 Step 6 Step 7 Step 8 On the toolbar, click New. Configure the following parameters: a In the User Role Name field, type a unique name for this user role. b Select the permissions you want to assign to this user role. See Table 2-. Click Save. Close the User Role Management window. On the Admin tab menu, click Deploy Changes. Editing a User Role You can edit an existing role to change the permissions assigned to the role. Step Step 2 Step Step 4 About this Task To quickly locate the user role you want to edit on the User Role Management window, you can type a role name in the Type to filter text box, which is located above the left pane. Procedure Click the Admin tab. On the navigation menu, click System Configuration > User Management. Click the User Roles icon. In the left pane of the User Role Management window, select the user role you want to edit. Step 5 On the right pane, update the permissions, as necessary. See Table 2-. Step 6 Step 7 Step 8 Click Save. Close the User Role Management window. On the Admin tab menu, click Deploy Changes. Deleting a User Role If a user role is no longer required, you can delete the user role. About this Task If user accounts are assigned to the user role you want to delete, you must reassign the user accounts to another user role. STRM automatically detects this condition and prompts you to update the user accounts. To quickly locate the user role you want to delete on the User Role Management window, you can type a role name in the Type to filter text box, which is located above the left pane. Step Step 2 Step Procedure Click the Admin tab. On the navigation menu, click System Configuration > User Management. Click the User Roles icon.

23 Managing Security Profiles 2 Step 4 Step 5 Step 6 Step 7 Step 8 Step 9 In the left pane of the User Role Management window, select the role you want to delete. On the toolbar, click Delete. Click OK. If user accounts are assigned to this user role, the Users are Assigned to this User Role window opens. Go to Step 7. If no user accounts are assigned to this role, the user role is successfully deleted. go to Step 8. Reassign the listed user accounts to another user role: a From the User Role to assign list box, select a user role. b Click Confirm. Close the User Role Management window. On the Admin tab menu, click Deploy Changes. Managing Security Profiles Permission Precedences Security profiles define which networks and log sources a user can access and the permission precedence. Using the Security Profile Management window, you can view, create, update, and delete security profiles. Permission precedence determines which Security Profile components to consider when the system displays events in the Log Activity tab and flows in the Network Activity tab. Permission precedence options include: No Restrictions - This option does not place restrictions on which events are displayed in the Log Activity tab and which flows are displayed in the Network Activity tab. Network Only - This option restricts the user to only view events and flows associated with the networks specified in this security profile. Log Sources Only - This option restricts the user to only view events associated with the log sources specified in this security profile. Networks AND Log Sources - This option allows the user to only view events and flows associated with the log sources and networks specified in this security profile. For example, if an event is associated with a log source the security profile allows access to, but the destination network is restricted, the event is not displayed in the Log Activity tab. The event must match both requirements. Networks OR Log Sources - This option allows the user to only view events and flows associated with the log sources or networks specified in this security profile. For example, if an event is associated with a log source the security profile allows access to, but the destination network is restricted, the event is

24 24 USER MANAGEMENT displayed in the Log Activity tab. The event only needs to match one requirement. Creating a Security Profile Before you add user accounts, you must create security profiles to meet the specific access requirements of your users. About this Task STRM includes one default security profile for administrative users. The Admin security profile includes access to all networks and log sources. To select multiple items on the Security Profile Management window, hold the Control key while you select each network or network group you want to add. If, after you add log sources or networks, you want to remove one or more before you save the configuration, you can select the item and click the Remove (<) icon. To remove all items, click Remove All. Step Step 2 Step Step 4 Step 5 Step 6 Step 7 Step 8 Procedure Click the Admin tab. On the navigation menu, click System Configuration > User Management. Click the Security Profiles icon. On the Security Profile Management window toolbar, click New. Configure the following parameters: a In the Security Profile Name field, type a unique name for the security profile. The security profile name must meet the following requirements: - Minimum of three characters - Maximum of 0 characters b Optional. Type a description of the security profile. The maximum number of characters is 255. Click the Permission Precedence tab. In the Permission Precedence Setting pane, select a permission precedence option. See Permission Precedences. Configure the networks you want to assign to the security profile: a b c d Click the Networks tab. From the navigation tree in the left pane of the Networks tab, select the network you want this security profile to have access to. Choose one of the following options: - From the All Networks list box, select a network group or network. - Select the network group or network in the navigation tree. Click the Add (>) icon to add the network to the Assigned Networks pane. Repeat for each network you want to add.

25 Managing Security Profiles 25 Step 9 Step 0 Step Step 2 Configure the log sources you want to assign to the security profile: a Click the Log Sources tab. b From the navigation tree in the left pane, select the log source group or log source you want this security profile to have access to. Choose one of the following options: - From the Log Sources list box, select a log source group or log source. - Double-click the folder icons in the navigation tree to navigate to a specific log source group or log source. c Click the Add (>) icon to add the log source to the Assigned Log Sources pane. d Repeat for each log source you want to add. Click Save. Close the Security Profile Management window. On the Admin tab menu, click Deploy Changes. Editing a Security Profile You can edit an existing security profile to update which networks and log sources a user can access and the permission precedence. About this Task To quickly locate the security profile you want to edit on the Security Profile Management window, you can type the security profile name in the Type to filter text box, which is located above the left pane. Step Step 2 Step Step 4 Step 5 Step 6 Step 7 Step 8 Procedure Click the Admin tab. On the navigation menu, click System Configuration > User Management. Click the Security Profiles icon. In the left pane, select the security profile you want to edit. On the toolbar, click Edit. Update the parameters as required. Click Save. If the Security Profile Has Time Series Data window opens, select one of the following options: Option Keep Old Data and Save Hide Old Data and Save Select this option to keep previously accumulated time series data. If you choose this option, issues might occur when users associated with this security profile views time series charts. Select this option to hide the time-series data. If you choose this option, time series data accumulation restarts after you deploy your configuration changes.

26 26 USER MANAGEMENT Step 9 Step 0 Close the Security Profile Management window. On the Admin tab menu, click Deploy Changes. Duplicating a Security Profile If you want to create a new security profile that closely matches an existing security profile, you can duplicate the existing security profile and then modify the parameters. About this Task To quickly locate the security profile you want to duplicate on the Security Profile Management window, you can type the security profile name in the Type to filter text box, which is located above the left pane. Step Step 2 Step Step 4 Step 5 Step 6 Step 7 Step 8 Step 9 Step 0 Deleting a Security Profile Procedure Click the Admin tab. On the navigation menu, click System Configuration > User Management. Click the Security Profiles icon. In the left pane, select the security profile you want to duplicate. On the toolbar, click Duplicate. In the confirmation window, type a unique name for the duplicated security profile. Click OK. Update the parameters as required. Close the Security Profile Management window. On the Admin tab menu, click Deploy Changes. If a security profile is no longer required, you can delete the security profile. About this Task If user accounts are assigned to the security profiles you want to delete, you must reassign the user accounts to another security profile. STRM automatically detects this condition and prompts you to update the user accounts. To quickly locate the security profile you want to delete on the Security Profile Management window, you can type the security profile name in the Type to filter text box, which is located above the left pane. Step Step 2 Step Step 4 Step 5 Procedure Click the Admin tab. On the navigation menu, click System Configuration > User Management. Click the Security Profiles icon. In the left pane, select the security profile you want to delete. On the toolbar, click Delete.

27 User Account Management 27 Step 6 Step 7 Step 8 Step 9 Click OK. If user accounts are assigned to this security profile, the Users are Assigned to this Security Profile window opens. Go to Step 7. If no user accounts are assigned to this security profile, the security profile is successfully deleted. Go to Step 8. Reassign the listed user accounts to another security profile: a b From the User Security Profile to assign list box, select a security profile. Click Confirm. Close the Security Profile Management window. On the Admin tab menu, click Deploy Changes. User Account Management Creating a User Account When you initially configure STRM, you must create user accounts for each of your users. After initial configuration, you might be required to create additional user accounts or edit existing user accounts. You can create new user accounts. Before You Begin Before you can create a user account, you must ensure that the required user role and security profile are created. About this Task When you create a new user account, you must assign access credentials, a user role, and a security profile to the user. User Roles define what actions the user has permission to perform. Security Profiles define what data the user has permission to access. You can create multiple user accounts that include administrative privileges; however, any Administrator Manager user accounts can create other administrative user accounts. Step Step 2 Step Step 4 Step 5 Procedure Click the Admin tab. On the navigation menu, click System Configuration > User Management. Click the Users icon. On the User Management toolbar, click New. Enter values for the following parameters: a b In the Username field, Type a unique user name for the new user. The user name must contain a maximum 0 characters. In the field, type the user s address. The address must meet the following requirements:

28 28 USER MANAGEMENT Step 6 Step 7 Step 8 Step 9 Editing a User Account c d e f - Must be a valid address - Minimum of 0 characters - Maximum of 255 characters In the Password field, type a password for the user to gain access. The password must meet the following criteria: - Minimum of five characters - Maximum of 255 characters In the Confirm Password field, type the password again for confirmation. Optional. Type a description for the user account. The maximum number of characters is 2,048. From the User Role list box, select the user role you want to assign to this user. g From the Security Profile list box, select the security profile you want to assign to this user. Click Save. Close the User Details window. Close the User Management window. On the Admin tab menu, click Deploy Changes. You can edit an existing user account. About this Task To quickly locate the user account you want to edit on the User Management window, you can type the user name in the Search User text box, which is located on the toolbar. Procedure Step Click the Admin tab. Step 2 On the navigation menu, click System Configuration > User Management. Step Click the Users icon. Step 4 On the User Management window, select the user account you want to edit. Step 5 On the toolbar, click Edit. Step 6 Update parameters, as necessary. See Table 2- Step 7 Click Save. Step 8 Close the User Details window. Step 9 Close the User Management window. Step 0 On the Admin tab menu, click Deploy Changes.