Wildfire Upload in a two ESM DMZ Setup

Reply
L2 Linker

Wildfire Upload in a two ESM DMZ Setup

Hi,

 

Can someone explain how in a DMZ environment a DMZ agent sends its files to be checked to the Wildfire Cloud?
Does the ESM have to be installed with the console, mostly the internal ESM, have access to the BITS folder on the DMZ ESM, if so why?
Doesn't the DMZ Agent send its files to the DMZ ESM, which loads them into the Wildfire Cloud itself? The internal ESM only receives the event, whether the upload took place or not and the Verdict.
Which ports must be open from the internal ESM to the DMZ ESM and which ports must be open in the opposite direction?

thx for reply

Fabio

L4 Transporter

Re: Wildfire Upload in a two ESM DMZ Setup

Can someone explain how in a DMZ environment a DMZ agent sends its files to be checked to the Wildfire Cloud?

The ESM core in the DMZ sends the file to wildfire, the database stores the transaction, the console displays some of the details (like the Hash, and the verdict associated with the hash)


Does the ESM have to be installed with the console, mostly the internal ESM, have access to the BITS folder on the DMZ ESM, if so why?

im not sure i understand the questions, but ill do my best to answer; In any environment, you on need a single console. This console should be installed on the internal network. the DMZ core does need to be configured to allow bits traffic and have a matching quarintine folder setup. 


Doesn't the DMZ Agent send its files to the DMZ ESM, which loads them into the Wildfire Cloud itself? The internal ESM only receives the event, whether the upload took place or not and the Verdict.

correct.


Which ports must be open from the internal ESM to the DMZ ESM and which ports must be open in the opposite direction?

443/80(depending on SSL or not), 1433.  1433 just needs to be inbound

L2 Linker

Re: Wildfire Upload in a two ESM DMZ Setup

Hi efrancis,

 

Ok there is no connection required between the internal ESM and DMZ ESM Core on port 80/443 for BITS files transfer. The ESM Core can handle the upload to the wildfire, without the internal esm, if i understand you correct.

 

thx

Highlighted
L4 Transporter

Re: Wildfire Upload in a two ESM DMZ Setup

Each of the cores and the single console do not communicate with eachother at all. the only pieces that shares a connection to the core and console, is the database. Each piece stands alone from eachother

L2 Linker

Re: Wildfire Upload in a two ESM DMZ Setup

Hi All,

 

i have now the answer for my own question:

 

Every esm need a connection to all BITS folder (BITS should go over Port 443). Because on all esm servers are sheduled tasks running which search for pending files on all BITS folder to upload to wildfire . Therefore all ESM servers need a wildfire connection. Additionally every esm access this BITS folders with a https:// adress, therefore you have to check, that on all esm you trust the certificate if you have an own CA, also if the esm and BITS folder is on the same esm host. DMZ servers are mostly not in a domainjoin and does not trust the own CA, then you have to import an intermediate certificate. 

 

I hope you understand now the process which is used in ESM to upload Wildfire samples.

 

Fabio

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!