TippingPoint Frequently Asked Questions (FAQ)

Updated: 18 Jul 2017
Summary
This article answers frequently asked questions about TippingPoint products.
Details
Table of Contents
--------------------------

 TippingPoint Support
 IPS
 TPS/vTPS
 NGFW
 SMS
 DV/ThreatDV
 General
 
TippingPoint Support:

1. Q: How do I contact TippingPoint Support?

A: TippingPoint Support is available twenty-four hours per day and seven days per week by telephone, email or online support request. For a complete list of international phone numbers, visit our Support Contact information page.


2. Q: How do I create an online support request?

A: Online support requests are managed via the Trend Micro TippingPoint Self-Service Portal (SSP). The SSP facilitates case management for the Trend Micro TippingPoint customer community. You can use this site to:

  •  Create new cases
  •  Review open cases
  •  View closed cases

In addition, you can also search for solutions to a problem or general information about your Trend Micro TippingPoint product. You can access the Self-Service Portal at the following URL: https://na4.salesforce.com/sserv/login.jsp?orgId=00D3000000002Hh


3. Q: Where can I find my Customer ID Number?

A: Your Customer ID Number can be found on the billing invoice that arrived with the order. In some cases, the Customer ID Number is not included in the invoice document. If you are unable to locate the Customer ID Number, contact TippingPoint Support and they will be able to provide your Customer ID Number. Please have your Certificate Serial Number available when you call or email.


4. Q: What information should I provide to TippingPoint Support when opening a case?

A: When contacting TippingPoint Support, please have the following information ready:

  • Customer ID
  • IPS/SMS Certificate Serial Number
  • OS Version
  • Device Model
  • Full System Log (via the LSM)
  • Full Audit Log (via the LSM)
  • Technical Support Report (via the LSM)
  • SMS Diagnostics (SMS GUI)

Please also provide the output from the following CLI commands:

IPS

  • show version
  • show mfg-info
  • show health
  • debug disk stat (not for N-Platform)

SMS

  • version
  • get sys
  • get health

5. Q: How do I create a Tech Support Report?

A: To generate a Tech Support Report, perform the following steps:

NOTE: Before using the Tech Support feature, you must configure Email and SMTP server settings on the IPS device from the Email Server page.

  1.  Log in to the IPS Local Security Manager (LSM) from your browser.
  2.  From the LSM, go to System→Tech Support Report.
  3.  Enter the email address of the recipient. (Most commonly this will be your email address)
  4.  Enter a description. (Optional)
  5.  Check the Include Snapshot check box. (Optional)

Caution: Including a snapshot may generate an e-mail that is too large for the destination server to accept.

  6.  Click the Send Report button.
  7.  Attach the resulting ZIP file to your case.

NOTE: You can also generate the report from the CLI by running the following commands:

tech-support-report <email address> "<description>"
tech-support-report <email address> "<description>" -include-snapshot


6. Q: How do I run the SMS Diagnostic Tool?

A: To run the SMS Diagnostics, perform the following steps:

  1. Log in to the SMS from a client.
  2. On the SMS Menu bar, navigate to Tools→Diagnostics. The SMS Diagnostic Toolkit (Log Utils) window opens.
  3. In the Diagnostic Toolkit (Log Utils) dialog box, select the Log Utils tab.
  4. In the Log Utils tab, select the Create Logs Zip File… button.
  5. In the resulting Save window, navigate to where you wish to save the diagnostic file.
  6. Attach the resulting ZIP file to your case.

IPS

7. Q: How do I find the Certificate Serial Number of my IPS?

A: The Certificate Serial Number can be found by connecting via SSH or serial console to the device and running the following Command Line Interface (CLI) command:

show version

If the device is not accessible via the CLI, the Certificate Serial Number can also be found on a white sticker on the underside of the IPS.


8. Q: How can I recover the password to my IPS?

A: You cannot recover the SuperUser password of an IPS, but you can reset it to a new value or create a new login with SuperUser privileges.

Caution: This procedure requires a reboot operation which will disrupt traffic! 

  1.  Connect to the IPS via the console port. The serial port connection settings are as follows: Speed: 115200 - Databits: 8 - Parity: None – Stop bits: 1
  2.  Reboot the IPS.
  3.  After the IPS completes its initial startup screens the TippingPoint splash screen is displayed in ASCII characters. You should see something similar to the following:
  4.  Type the word mkey (lower case) within 3 seconds of seeing the word "Loading". NOTE: If you don't type mkey before the three dots "..." appear after the word "Loading" you will have to restart and try again.
  5.  If you were successful, then you will be prompted to specify the security level for the initial "SuperUser" account and password creation.
  6.  Enter the desired username for the SuperUser account.
  7.  Enter your new password.

Once the new username and password have been accepted, the IPS will complete the boot process and you will be able to log in to the IPS with the new credentials.


9. Q: How do I perform a Factory Reset on the IPS?

A: To perform a factory reset, connect to the IPS via SSH and log in using a SuperUser account. From the CLI, issue the following command:

debug factory-reset

Once issued you will get the following response:

WARNING!!!

This command WILL reset IPS to factory shipped configuration.

Removes changes to configuration & filters.
Removes logs, updates, rollbacks, and user accounts.

You CANNOT recover data after this command has been issued. The IPS will automatically reboot and OBE will be displayed when finished.

Type the word 'COMMIT' to continue:

Type the word "COMMIT" in uppercase and press Enter.

NOTE: The IPS will reboot during this procedure and will interrupt traffic flow through the IPS. Do NOT interrupt this process. The process is complete when the IPS prompts you to "Press any key to begin the Initial Setup Wizard or use the LCD panel". This process can take a long time to complete.


10. Q: What happens if I exceed the maximum rated bandwidth of my IPS?

A: The IPS is capable of handling short traffic spikes above the maximum rated bandwidth with minimal packet loss. However, exceeding the maximum rated bandwidth of the IPS for periods of time can lead to system performance degradation, congestion, adaptive filter configuration, and Layer 2 Fallback.


11. Q: If I upgrade the TOS on my IPS will it cause a loss of network connectivity?

A: Trend Micro TippingPoint IPS devices provide the ability to perform a TOS software upgrade without interrupting traffic through the IPS segments. During the reboot process each segment continues to handle traffic based on the Intrinsic Network (HA) Layer-2 Fallback settings configured for the segment (Permit All or Block All). No traffic is inspected during the reboot phase but traffic inspection will resume once the system completes the reboot process.


12. Q: Why do my rate limiting action sets appear to be inaccurate at times?

A: A rate limiting action set defines a maximum bandwidth that can be used by traffic that matches filters assigned to that action set. Incoming traffic in excess of the defined rate limit for the filter that the traffic matches is dropped. If two or more filters use the same rate limiting action set, then all packets matching these filters share the bandwidth. For example, if filters 164 (ICMP Echo Request) and 161 (ICMP Redirect Undefined Code) use the same 10 Mbps action set, then both "Echo Requests" and "Redirect Undefined Codes" filters share the 10 Mbps "pipe" as opposed to each filter getting a dedicated 10Mbps pipe.

Rate limits are not implemented exactly according to rate. Higher rates are less precise. For example, on a 5000E device the observed rate on a 125Mbps limiter could be closer to 130Mbps.


13. Q: How many entries can the IPS System/Audit log hold?

A: There is no specific number of entries that a System or Audit log can hold. There is, however, a specific log file size, which is defined as 4 Mbytes.


14. Q: Why do I see isValid errors in the IPS system log and what do they mean?

A: The IsValid error messages are informational messages and as such do not impact or reduce the IPS’s security posture. These errors occur when there is a data mismatch between the IPS and the SMS. There can be a number of reasons for these messages:

  1.  The SMS attempts to push a security profile to the ANY-ANY zone pair when that zone pair already has an existing security profile configured, i.e. all pairs are defined (1A-1B, 1B-1A, 2A-2B, 2B-2A, etc.), therefore the ANY-ANY pair can never be valid.
  2.  A version mismatch between the Digital Vaccine on the SMS and IPS.
  3.  An inconsistency with the RepDV database and/or the RepDV filters.
  4.  Attempting to distribute a security profile to a non-existing segment.
  5.  Attempting to distribute a security profile on to the ANY-ANY segment but that segment already has an existing security profile configured.
  6.  Attempting to create a new segment while the device was performing a profile distribution.
  7.  Digital Vaccine Toolkit (DVT) package problem. (Deactivating the DVT usually resolves this issue).

NOTE: DVT was formerly known as Custom Shield Writer (CSW).

To resolve these issues, reset the IPS filters from the SMS client and then redistribute the profile. To reset the filters, log in to the SMS client and navigate to the Devices menu. Select the IPS that is posting the error messages and right-click. From the menu displayed, select Edit > Device Configuration. On the first screen of the Device Configuration screen, click the Reset IPS Filters button and then click OK in the pop-up window. Once the Filter Reset is complete, push the profile back down to the IPS and it will stop posting the error messages.

 

NOTE: Resetting the IPS filters will not cause a loss in network traffic, however all custom Action Sets, Virtual Segments, User defined filters and Traffic Management Rules will be lost. Resetting the filters causes the device to run with all filters set to recommended settings for the short amount of time in between the completion of the reset and your redistribution of the profile.


15. Q: Why is my vulnerability scanner reporting SSL and/or SSH vulnerabilities when scanning the IPS management port?

A: Trend Micro TippingPoint’s N-Platform Intrusion Prevention Systems (IPS) implement customized versions of SSH & SSL that advertise standard banners in order to best interoperate with all SSH & SSL clients. The SSH & SSL implementations within Trend Micro TippingPoint IPS models have been customized due to the fact that they have been ported to the VxWorks operating system. Therefore, there are no perfectly equivalent OpenSSH or OpenSSL version numbers with which to compare.

Vulnerability assessment tools indicate that the N-Platform management port may be vulnerable to certain types of exploits. Trend Micro TippingPoint has revisited its analysis of these potential vulnerabilities against the SSH & SSL implementations available in the most current TOS release for our N-Platform models. These TOS versions use the third party libraries SSHield 2.2.0 and SSlimSecure 2.2.0 from Team F1, which are based on OpenSSH 3.5p1 and OpenSSL 0.9.8e respectively. The analysis concluded that Trend Micro TippingPoint’s N-Platform IPS models are not susceptible to any of the SSH or SSL vulnerabilities.

It is important to note that the IPS is an inline Layer 2 device with no MAC address or IP address in the data path. Any potential vulnerability could only be exploited on its management port. Trend Micro TippingPoint therefore recommends that all customers secure network access to the management port of their IPS using an ACL or management VLAN.

Also important to highlight is that vulnerability assessment scanning tools generally read the advertised banner version and simply infer potential vulnerabilities that could be present. Only a tool that actually attempts to exploit an SSH or SSL weakness could provide a definitive statement as to the vulnerability of a product. Trend Micro TippingPoint is not aware of any SSH or SSL attacks having been successfully launched against any of our customers’ IPS systems.
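
To illustrate the banner-inference point above, here is an added example (not TippingPoint or scanner-vendor code). It parses an SSH identification string the way a version-only check would, marks the result as inferred rather than confirmed, and checks whether the scan source lies inside the management ACL this FAQ recommends. The banner, addresses, ACL range, version threshold and function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 4253 identification string: SSH-protoversion-softwareversion SP comments
_SSH_ID = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)
_OPENSSH = re.compile(r"^OpenSSH_(\d+)\.(\d+)")

# Constructed sample inputs (not captured from a real device).
SAMPLE_BANNER = "SSH-2.0-OpenSSH_3.5p1\r\n"
MGMT_ACL = ["10.20.0.0/24"]  # hypothetical management subnet


def parse_ssh_banner(line):
    """Split an SSH identification string into its fields."""
    m = _SSH_ID.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return m.groupdict()


def banner_finding(host, banner, min_version=(7, 0)):
    """Build the only finding a version-only check can justify.

    The check sees the advertised string, not the code behind it, so the
    result is always evidence='banner' and confirmed=False. min_version is
    an arbitrary threshold chosen for this example.
    """
    info = parse_ssh_banner(banner)
    finding = {"host": host, "evidence": "banner", "confirmed": False,
               "software": info["software"], "advertised": None}
    m = _OPENSSH.match(info["software"])
    if not m:
        finding["status"] = "unknown-software"
        return finding
    finding["advertised"] = (int(m.group(1)), int(m.group(2)))
    old = finding["advertised"] < min_version
    finding["status"] = "advertises-old-version" if old else "advertises-current-version"
    return finding


def source_allowed(src, acl):
    """True if src is inside one of the networks allowed to reach management."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(net) for net in acl)


def triage(finding, scanner_ip, mgmt_acl):
    """Return follow-up notes for a finding against a management port."""
    notes = []
    if finding["evidence"] == "banner" and not finding["confirmed"]:
        notes.append("inferred from advertised banner; compare with the "
                     "vendor analysis for the installed TOS release")
    if not source_allowed(scanner_ip, mgmt_acl):
        # The scanner got a banner from an address the ACL should have blocked.
        notes.append("management port answered a source outside the "
                     "management ACL; tighten the ACL or management VLAN")
    return notes


if __name__ == "__main__":
    f = banner_finding("192.0.2.10", SAMPLE_BANNER)
    print(f)
    for note in triage(f, "198.51.100.7", MGMT_ACL):
        print("-", note)
```

The second note is the actionable one: a banner read from outside the management subnet means the recommended access restriction is not in effect, whatever the banner implies.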

 

16. Q: Where can I view the system log of my IPS?

A: The system log of an IPS can be viewed via the CLI, LSM, or SMS.

To view the system log via the CLI, SSH or serial console into the device and run the following command:

show log sys

Other logs can be viewed using the show log command as well. To see all of the available logs and viewing options, type the following:

show log ?

To view the system log using the LSM, log into IPS via the HTTPS webpage and click on the System Log link under the Health section of the System Summary page. You can also see the system log by expanding the Events menu on the left, expanding Logs and clicking on the System Log link.

To view the IPS system log using the SMS client, click on the Devices button at the top of the client and expand All Device, expand your IPS name and expand Events in the tree menu on the left. Then select System Log from the menu, choose the date range you wish to view and click the Refresh button.


TPS/vTPS 

17. Q: What is the default IP address for the TPS management port?

A: The TPS/vTPS appliance ships with a default IP address of 192.168.10.1/24. However, you can use the System Management Port page to modify the default configuration to match your corporate IP addressing standard or security policy for management devices. The management port resides on a separate virtual router from the network ports.


18. Q: How can I recover the password to my TPS device?

A: You cannot recover the SuperUser password of a TPS device, but you can reset it to a new value or create a new login with SuperUser privileges.

Caution: This procedure requires a reboot operation which will disrupt traffic!

  1. Connect to the TPS device via the console serial port using a null modem cable. The terminal emulator software must be set to 115200bps, 8 Data Bits, No Parity, 1 Stop Bit. (115200, 8, N, 1)
  2. Reboot the TPS device.
  3. As the device is rebooting, watch for the word "Loading". You should see something similar to the following:
Starting keystore....................................[ OK ]
Starting health monitoring...........................[ OK ]
Starting fast path...................................[ OK ]
Starting TippingPoint OS.............................[ OK ]
Starting segments....................................[ OK ]
Starting XMS.........................................[ OK ]
Starting certificate status monitoring...............[ OK ]
Loading configuration................................[ OK ]
Starting process monitoring..........................[ OK ]
Updating boot counts.................................[ OK ]

Loading .....

  4.  Type the word mkey within 3 seconds of seeing the word "Loading" and press <Enter>. Note: if you do not type mkey before the dots "….." appear after the word Loading you will have to reboot the device and try again.
  5.  If successful, you will see the following prompts:
Welcome to Super User Password Recovery

Please enter the Super User account username and password. Password recovery will create a new super user account, or will reset the password on an existing super user account.

Spaces are not permitted in username or password.

Minimum password requirements currently configured on the system are:XXX

Maximum: The password must contain 8 characters or more, at least 2 alpha characters, at least 1 digit, and at least 1 non-alphanumeric character
  6.  Enter Super User username: Type the account name you would like to reset or type a new account name and press <Enter>.
  7.  Enter Super User password: Enter your new password and press <Enter>.
  8.  Verify Super User password: Re-type the password to verify and press <Enter> again.
  9.  You will see the following information:
Saving information ...Done
TippingPoint Threat Protection System ready
TippingPoint Operating System
Model Number : 440T (IPS)
Serial Number : 440T-XXXX-XXXX
Build : 4.1.0.4472 Fri May 20 19:07:48 UTC 2016
Digital Vaccine: 3.2.0.8846
Hardware Rev : B309
IPM Version : 1.d (working)
 
NGFW

19. Q: What is the default IP address for the NGFW management port?

A: The NGFW appliance ships with a default IP address of 192.168.10.1/24. However, you can use the System→Management Port page to modify the default configuration to match your corporate IP addressing standard or security policy for management devices. The management port resides on a separate virtual router to the network ports.


20. Q: How can I recover the password to my NGFW device?

A: You cannot recover the SuperUser password of an NGFW device, but you can reset it to a new value or create a new login with SuperUser privileges.

Caution: This procedure requires a reboot operation which will disrupt traffic!

  1.  Connect to the NGFW device via the console serial port using a null modem cable. The terminal emulator software must be set to 115200bps, 8 Data Bits, No Parity, 1 Stop Bit. (115200, 8, N, 1)
  2.  Reboot the NGFW device.
  3.  As the device is rebooting, watch for the word "Loading". You should see something similar to the following:
Checking firmware.......... .........................[ OK ]
Starting syslog daemon...............................[ OK ]
Configuring system...................................[ OK ]
Configuring system firewall..........................[ OK ]
Starting platform daemons............................[ OK ]
Starting keystore....................................[ OK ]
Starting health daemon...............................[ OK ]
Starting fast path...................................[ OK ]
Testing Hardware Encryption..........................[ OK ]
Starting TippingPoint OS.............................[ OK ]
Starting segments....................................[ OK ]
Starting process monitoring..........................[ OK ]
Loading .....
  4. Type the word mkey within 3 seconds of seeing the word "Loading" and press <Enter>. Note: if you do not type mkey before the dots "….." appear after the word Loading you will have to reboot the device and try again.
  5. If successful, you will see the following prompts:
Welcome to Super User Password Recovery

Please enter the Super User account username and password. Password recovery will create a new super user account, or will reset the password on an existing super user account.

Spaces are not permitted in username or password.

Minimum password requirements currently configured on the system are:

Maximum: The password must contain 8 characters or more, at least 2 alpha characters, at least 1 digit, and at least 1 non-alphanumeric character
  6. Enter Super User username: Type the account name you would like to reset or type a new account name and press <Enter>.
  7. Enter Super User password: Enter your new password and press <Enter>.
  8. Verify Super User password: Re-type the password to verify and press <Enter> again.
  9. You will see the following information:
Saving information ...Done
TippingPoint firewall ready
TippingPoint Operating System
Model Number : S1020F
Serial Number : X-NGF-S1020F-GENERIC-001
Build : 1.0.1.3974 Wed Aug 28 19:07:48 UTC 2013
Digital Vaccine : 3.2.0.15176
Hardware Rev : A905
IPM Version : 1.d (working)
 
SMS

21. Q: How can I recover the password to my SMS?

A: If you need to recover your SMS password, the SMS provides two options to reset the password.

Note: Both of these methods reset the password to the serial number (CERT) of the SMS. The serial number can be found on the bottom of SMS unit on the white sticker, or by pressing Alt-F12 from the login screen (press Alt-F12 to return to the main login screen).

Method 1:

Note: Connection to the SMS server with a local keyboard and monitor is required to complete the reset; a serial connection will not work.

  1. Attach a console and cable to the SMS and reboot the system.
  2. Watch for the prompt "Press any key to enter the menu." This prompt only appears for 2 seconds during the boot process. Press any key before the countdown timer reaches 0.
  3.  If successful, the system will display the following:

GRUB

  4.  Select the Password Recovery option by using the Up/Down arrow keys and press Enter. The SMS will complete its boot sequence.
  5.  After the SMS completes the boot sequence, the factory SuperUser account is reactivated and the password is the serial number (CERT) of your SMS.
 

Method 2:

1. Attach a console and cable to the SMS and reboot the system.

2. Watch the system boot sequence. When the "Starting mgmt:" prompt is displayed, press the letter P (capital or lowercase). IMPORTANT! The P must be entered within three seconds to trigger password recovery. If this method of password recovery is successfully initiated, the "Password recovery enabled" message is displayed.

Example:
Initializing...
Calling the system activity collector (sadc):.......... [OK]
Ip6tables: Applying firewall rules:.....................[OK]
Iptables: Applying firewall rules:......................[OK]
Bringing up loopback interface:.........................[OK]
Bringing up interface eth0:.............................[OK]
Starting system logger:.................................[OK]
Starting kernel logger:.................................[OK]
Starting rpcbind:.......................................[OK]
Starting RPC idmapd:....................................[OK]
Starting system message bus:............................[OK]
Starting acpi daemon:...................................[OK]
Starting HAL daemon:....................................[OK]
Starting ipmi drivers:..................................[OK]
Starting sshd:..........................................[OK]
ntpd: Synchronizing with time server:...................[OK]
Starting ntpd:..........................................[OK]
Starting crond:.........................................[OK]

Starting mgmt: P

Password recovery enabled

3. When the SMS completes the boot sequence, the factory SuperUser account is reactivated and the password is the serial number (CERT) of your SMS.

Trend Micro TippingPoint highly recommends changing the password immediately following the reset. Once logged in, the password can be changed with the "getpasswd" command.


22. Q: How do I find the certificate serial number of my SMS?

A: The Certificate Serial Number can be viewed by connecting via SSH to the device and running the following command:

get sys

In addition, the SMS Certificate Serial Number can also be found on a white sticker on the device.


23. Q: How do I perform a Factory Reset on the SMS?

A: To perform a factory reset of the SMS, SSH into the SMS and log in using a SuperUser account. From the CLI issue the following command:

factoryreset

NOTE: Issuing this command will cause all information and settings on the SMS to be completely lost. If you require any data from the SMS, it must be backed up prior to issuing the command in order to be recovered. It is strongly recommended that you perform a complete SMS backup and export the file to a safe location prior to running this command. When the SMS finishes the factory reset process, it will need to be reconfigured using the Initial Setup Configuration Procedure by connecting a monitor and keyboard or by connecting via the Serial Console.


24. Q: Where can I find the system log of my SMS?

A: The system log of an SMS can be viewed using the SMS client by clicking the Admin button at the top and expanding General in the tree menu on the left. Select System Log from the menu, choose the date range you wish to view, and click the Refresh button.

 

25. Q: Can I rollback an SMS upgrade if I find issues with the new version?

A: No. Once an SMS has been upgraded to a new TOS version, there is no way to roll back the upgrade. The only rollback that can be performed is on TOS patches.


26. Q: If I have received an error message and am unable to distribute a profile to the IPS, how can I fix this?

A: The number one cause of this issue has historically been poor network communication on the management ports of either the IPS or SMS due to duplex mismatch with the network switch. Please check the management port settings on the IPS, SMS and their link partners to ensure that they are matching. Both sides should be set to Auto-negotiate, according to best practices. If Auto-negotiate does not work between the link partners, then set both sides to the same speed and duplex.

If this action does not resolve the issue, reset the IPS filters from the SMS client and redistribute the profile. To reset the filters, log in to your SMS client and navigate to the devices menu. Select the IPS that is posting the error messages and open the Edit Configuration window. There is a Reset IPS Filters button on the first screen of the Edit Configuration page. Click this button and then click OK on the pop-up. Once the Filter Reset has been completed, push your profile back down to the IPS and the IPS will no longer post the error messages.

 

NOTE: Resetting the IPS filters will not cause a loss in network traffic, however all custom Action Sets and Traffic Management Rules will be lost. The resetting of the filters causes the device to run with all filters set to recommended settings for the short amount of time in between the completion of the reset and your redistribution of the profile.


27. Q: If the SMS loses contact with the IPS, will I lose the alerts from the IPS during that time?

A: No. Alerts are stored on the IPS in the Block and Alert logs. Once communication between the IPS and SMS is re-established the alerts that occurred during the outage time will be retrieved from the IPS by the SMS.


28. Q: Why did I receive an error when trying to set up a rate limit for 50Kbps on my IPS?

A: The SMS works at a policy level rather than a device level. Therefore, the SMS presents a uniform set of rates from 50Kbps to 1000Mbps. Some rates are not available on all devices. If you attempt to use a rate limit that is not available for a specific model of IPS you will receive an error message. The SMS User’s Guide contains a table of the supported rates for each IPS model. This guide can be downloaded from the Threat Management Center at https://tmc.tippingpoint.com.  


29. Q: I'm getting an error message that the connection to the TMC is refused. How can I fix this?

A: To correct the TMC connection refused error, check the following:

  1. Make sure that DNS is properly configured on the SMS or IPS.
  2. Ensure that no proxy servers or content filters are altering or prohibiting the connection to TMC.
  3. On very rare occasions this problem can occur due to RX errors. If you see RX errors in the System Log, check to make sure that any ports that are getting these RX errors are configured to match their link partner. If Auto-negotiate is not possible then ensure that both the IPS and its link partner speed and duplex settings are a match. Also verify that there is no damage to the physical layer connection.

30. Q: Why is the SMS memory utilization high?

A: By design, the SMS uses all available memory so a high memory usage is normal. This happens as the SMS pre-allocates (caches) memory for often used data and binaries (TOS and SMS database) so it is common to see memory utilization above 90%. As long as the CPU utilization is not high the device is functioning as designed.


Digital Vaccine (DV) / ThreatDV

31. Q: Why are there so many different versions of the DV? Which one should I use?

A: There are many DV versions because new filters are constantly being added to protect against the latest vulnerabilities. This means that you want to use the latest DV version available. The DV version number is the last 4 digits of the Digital Vaccine package. In addition to the different DV version numbers the DV name consists of a number that designates the base TOS that the DV should be installed on. The base TOS release numbers are the first 3 digits separated by periods. The current base TOS release numbers are 2.5.2, 3.2.0 and 4.0.0.

DV Version | Description
2.5.2 | The 2.5.2 DV runs on the TippingPoint Intrusion Prevention System (IPS) with TOS v2.5.2 to TOS v3.1.x.
3.2.0 | The 3.2.0 DV runs on the IPS with TOS 3.2.0 to TOS 3.9.x, all TippingPoint Next Generation Firewall (NGFW), and the TippingPoint Threat Protection System (TPS) with TOS v4.0.0 to TOS v4.2.x.
4.0.X | The 4.0.x DV only runs on the TippingPoint Virtual Threat Protection System (vTPS) platform. Note: The vTPS does not currently support pre-disclosed ZDI filters.

We recommend that you download the same DVs for all of your managed devices. For example, if the weekly DV is #DV8771, and the Security Management System (SMS) manages a vTPS and a 440T TPS, after downloading the DVs, the DV Inventory should include the following versions:

  •  3.2.0.8771 for the 440T device
  • 4.0.0.8771 for the vTPS

If the DV version does not match, click Download from TMC and review the list of available DVs.
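
The version layout and the DV Version table above can be checked mechanically. The following is an added example (not Trend Micro code) that splits each DV package version into its base TOS release and DV number, applies the table to each platform, and lists devices whose DV number is behind the newest one in the inventory. The device names, the inventory and the function names are constructed for illustration; the parser takes the final dotted component as the DV number, because this page also shows a five-digit value (3.2.0.15176).

```python
import re
from collections import namedtuple

DVVersion = namedtuple("DVVersion", "base number")

_DV_RE = re.compile(r"^(\d+\.\d+\.\d+)\.(\d+)$")
# Matches the "Digital Vaccine" line of the version banner, with or
# without a space before the colon (both forms appear on this page).
_BANNER_RE = re.compile(r"^Digital Vaccine\s*:\s*(\S+)\s*$", re.MULTILINE)

# Banner lines as shown in the TPS password-recovery answer on this page.
SAMPLE_BANNER = """TippingPoint Operating System
Model Number : 440T (IPS)
Build : 4.1.0.4472 Fri May 20 19:07:48 UTC 2016
Digital Vaccine: 3.2.0.8846
"""

# Constructed inventory: the first two rows follow the FAQ's #DV8771 example,
# the last two are made-up problem cases.
INVENTORY = [
    {"name": "tps-440t", "platform": "tps", "tos": "4.1.0", "dv": "3.2.0.8771"},
    {"name": "vtps-lab", "platform": "vtps", "tos": "", "dv": "4.0.0.8771"},
    {"name": "ips-edge", "platform": "ips", "tos": "3.8.2", "dv": "3.2.0.8765"},
    {"name": "ips-old", "platform": "ips", "tos": "3.1.4", "dv": "3.2.0.8771"},
]


def parse_dv(version):
    """Split '3.2.0.8771' into base TOS release '3.2.0' and DV number 8771."""
    m = _DV_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a DV package version: {version!r}")
    return DVVersion(m.group(1), int(m.group(2)))


def dv_from_banner(text):
    """Extract the DV version from a device version banner."""
    m = _BANNER_RE.search(text)
    if not m:
        raise ValueError("no 'Digital Vaccine' line in banner")
    return parse_dv(m.group(1))


def base_matches_platform(platform, tos, base):
    """Apply the DV Version table. Returns None when the table has no row."""
    platform = platform.lower()
    if platform == "vtps":
        return base.startswith("4.0.")
    if platform == "ngfw":
        return base == "3.2.0"
    t = tuple(int(p) for p in tos.split(".")[:3])
    if platform == "tps" and (4, 0, 0) <= t < (4, 3, 0):
        return base == "3.2.0"
    if platform == "ips" and (2, 5, 2) <= t < (3, 2, 0):
        return base == "2.5.2"
    if platform == "ips" and (3, 2, 0) <= t < (3, 10, 0):
        return base == "3.2.0"
    return None


def audit(devices):
    """Return (device, problem) pairs for base mismatches and stale DVs."""
    parsed = {d["name"]: parse_dv(d["dv"]) for d in devices}
    newest = max(p.number for p in parsed.values())
    problems = []
    for d in devices:
        dv = parsed[d["name"]]
        ok = base_matches_platform(d["platform"], d["tos"], dv.base)
        if ok is False:
            problems.append((d["name"], f"base {dv.base} does not match platform"))
        elif ok is None:
            problems.append((d["name"], "platform/TOS not covered by the table"))
        if dv.number != newest:
            problems.append((d["name"], f"DV {dv.number} behind {newest}"))
    return problems


if __name__ == "__main__":
    print(dv_from_banner(SAMPLE_BANNER))
    for name, problem in audit(INVENTORY):
        print(f"{name}: {problem}")
```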


32. Q: Are filter specific settings preserved for filters that are modified in a DV?

A: Filters that are overridden retain their filter specific settings even though they have been modified in a DV. The only time filter specific settings are not preserved is when a filter is actually removed by a DV.

NOTE: If a filter is configured to use Recommended Settings and the DV modifies the default action for that filter, the action the filter takes will change.


33. Q: What is ThreatDV?

A: ThreatDV is a premium subscription service that includes both the reputation feed and the new Malware Filter Package. The Reputation Feed identifies and delivers suspect IPv4, IPv6 and Domain Name System (DNS) security intelligence feeds from a multi-vendor, global reputation database so that customers can actively enforce and manage reputation security policies using the Trend Micro TippingPoint Next Generation Intrusion Prevention System (NGIPS) Platform. The addresses are tagged with reputation, geographic, and other identifiers for ready and easy security policy creation and management. The Reputation Feed provides the addresses and tags multiple times a day (two hours on average) in the same manner as standard Digital Vaccines.


34. Q: What is a Malware Filter Package?

A: The ThreatDV Malware Filter Package is a new advanced threat protection set of filters available to subscribers of the Threat Digital Vaccine (ThreatDV) service now available from DVLabs. The Malware Filter Package uses a different technology than the Digital Vaccine filters to provide more targeted malware protection. The Malware Filters alert on a wide range of currently active malware families. These filters are designed to detect post-infection traffic such as bot activity, phone-home, command-and-control, data exfiltration, and anonymous proxy, among others. The Malware Filter Package includes a large set of filters that are refreshed on a scheduled basis, but independently of the regular Digital Vaccines.

 
General

35. Q: Where can I get the Management MIB files?

A: Management MIB files are available for download from the Trend Micro Threat Management Website (https://tmc.tippingpoint.com).

  • Documentation→Products→IPS→MIB Files
  • Documentation→Products→SMS→MIB Files
  • Documentation→Products→NGFW→MIB Files
  • Documentation→Products→TPS→MIB Files

36. Q: How do I capture packets with the IPS?

A: The Network Tools page includes the Traffic Capture feature. This feature enables you to capture a selection of traffic received by the device, including traffic that triggers filters and traffic that does not trigger any filters.

  1.  From the LSM menu, click Network > Network Tools.
  2.  Specify the required parameters in the Traffic Capture Details section.
  3.  Click Start.

 

NOTE: The traffic capture will Start immediately, and will Stop when the specified thresholds are reached or when you click Stop.

You can then click the floppy disk icon and download the capture file. The capture file will include those packets that were sent to Tier Three for additional inspection (suspicious or malicious flows). Trend Micro TippingPoint recommends that you also have additional tools, such as Wireshark, available to capture traffic flows before and after the IPS in the event that Trend Micro TippingPoint Support needs to examine the effect of the IPS on the traffic flow for troubleshooting purposes.

 

NOTE: You can capture up to 10,000,000 packets, 10 MB (10,000,000 bytes), or 100 files of IPv4 and IPv6 traffic.
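The before-and-after comparison recommended above can be automated once both captures are saved. The following is an added example, not Trend Micro code: it assumes classic pcap files (not pcapng), full-length frames, and an IPS that forwards frames unmodified; the function names and sample frames are constructed for illustration.

```python
import hashlib
import struct
from collections import Counter

def read_pcap(data):
    """Yield raw frame bytes from a classic (non-pcapng) pcap byte string."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24  # length of the pcap global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # truncated final record, stop cleanly
        yield frame
        off += incl_len

def missing_after_ips(before, after):
    """Return frames present in the 'before' capture but absent from 'after'."""
    seen = Counter(hashlib.sha256(f).digest() for f in read_pcap(after))
    missing = []
    for frame in read_pcap(before):
        digest = hashlib.sha256(frame).digest()
        if seen[digest] > 0:
            seen[digest] -= 1  # consume one match so duplicates are counted
        else:
            missing.append(frame)
    return missing

def build_pcap(frames):
    """Build a little-endian pcap (linktype 1 = Ethernet) from constructed frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample frames (not real traffic): dummy MACs, EtherType, payload.
FRAMES = [b"\x00" * 12 + b"\x08\x00" + bytes([n]) * 20 for n in (1, 2, 3)]
BEFORE = build_pcap(FRAMES)
AFTER = build_pcap([FRAMES[0], FRAMES[2]])  # second frame did not pass the IPS

if __name__ == "__main__":
    for frame in missing_after_ips(BEFORE, AFTER):
        print("missing after IPS:", frame.hex())
```

If the path between the two capture points rewrites frames (for example, VLAN tag changes), hash the bytes from the IP header onward instead of the whole frame.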

 

37. Q: How do I perform traffic captures from the Command Line Interface (CLI)?

A: The debug traffic-capture CLI command uses TCPDUMP expressions to define the traffic captures. TCPDUMP is freely distributed software under the BSD license. You can find a complete listing of command expressions in the Trend Micro TippingPoint Command Line Interface (CLI) reference documentation. For further information, see the Packet Capture Guide on the TMC.


38. Q: What data should I back up for disaster recovery?

A: For the most comprehensive backup protection we suggest regularly creating and saving IPS snapshots, SMS backups, and Security Profiles. Export each of these to a secure location external to the devices each time a change is made to one of your TippingPoint products.


39. Q: How do I get an account for the Threat Management Center (TMC)?

A: To get an account in the TMC, complete the following steps:

  1. Access the TMC web site. (https://tmc.tippingpoint.com/TMC)
  2. From the menu click on "Login". From the pop-up window, select "Create". The Create New Trend Account page is displayed.
  3. Fill out the required information.
    1. Username - 4-25 characters, no email addresses, no periods and no special characters besides underscores.
    2. Password - Minimum 8 characters, at least one upper and one lower case, with numbers.
    3. Customer ID - If you do not know this, contact tippingpoint.support@trendmicro.com
    4. Device Certificate Number (CERT)
    5. First Name
    6. Last Name
    7. Email Address
    8. Company
    9. Country Code
    10. State
    11. City
    12. Contact Number
  4. Click Submit
  5. Accept the EULA
  6. You will now be taken to the Trend Micro TippingPoint authentication website. Please ensure that you log in to complete the process.

40. Q: What is ThreatLinQ and how do I get an account on it?

A: Trend Micro TippingPoint created ThreatLinQ to collect and analyze information about the security posture of the Internet. ThreatLinQ presents this information to TippingPoint customers and acts as a portal for the DVLabs team to provide additional information about TippingPoint IPS filters. This information helps customers make decisions about how, why, and when to enable different TippingPoint filters.

ThreatLinQ is also designed to provide Trend Micro TippingPoint customers with extra security information about Filter IDs and attack activity by country, TCP ports, and IP addresses. Because this data is concentrated in one easy-to-use dashboard, customers can access security information quickly and easily.

Access to ThreatLinQ is available if you have an active Threat Management Center (TMC) account. To obtain a TMC account, follow the instructions in the preceding question’s answer in this FAQ.


41. Q: Where can I get the latest product documentation?

A: The most current product documentation can be found on the TippingPoint Threat Management Center (TMC) website: https://tmc.tippingpoint.com

Log in to the website and click on the navigation link for documentation. Follow the menus to the appropriate product type and download the Adobe PDF file for the manual that you are seeking.


42. Q: Where can I get the Visio Stencils files?

A: Visio Stencils are available for download from our TMC website at the following locations:

  • Documentation→Products→IPS→Visio Stencils
  • Documentation→Products→SMS→Visio Stencils
  • Documentation→Products→NGFW→Visio Stencils
  • Documentation→Products→TPS→Visio Stencils
  • Documentation→Products→ATA→Visio Stencils

 

Category:
Configure; Troubleshoot
Solution Id:
TP000085110