03-08-2018 08:22 AM
Hi,
Can someone explain how in a DMZ environment a DMZ agent sends its files to be checked to the Wildfire Cloud?
Does the ESM that is installed with the console, mostly the internal ESM, have to have access to the BITS folder on the DMZ ESM? If so, why?
Doesn't the DMZ Agent send its files to the DMZ ESM, which loads them into the Wildfire Cloud itself? The internal ESM only receives the event, whether the upload took place or not and the Verdict.
Which ports must be open from the internal ESM to the DMZ ESM and which ports must be open in the opposite direction?
thx for reply
Fabio
03-16-2018 05:51 AM
Hi All,
I now have the answer to my own question:
Every ESM needs a connection to all BITS folders (BITS should go over port 443), because scheduled tasks run on all ESM servers that search for pending files in all BITS folders to upload to WildFire. Therefore all ESM servers need a WildFire connection. Additionally, every ESM accesses these BITS folders with an https:// address, so you have to check that every ESM trusts the certificate if you have your own CA, even if the ESM and the BITS folder are on the same ESM host. DMZ servers are mostly not domain-joined and do not trust your own CA; in that case you have to import an intermediate certificate.
I hope you understand now the process which is used in ESM to upload Wildfire samples.
Fabio
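A way to run the check described in the post above from each ESM server, as an added example that is not part of the thread and not Palo Alto Networks code: it tests port 443 toward every BITS host and reports whether the local Windows certificate store trusts the certificate presented. The host names and the function name `Test-BitsEndpointTrust` are placeholders chosen for this example.

```powershell
# Added example: run on every ESM server. Host names are placeholders (assumption).
$BitsHosts = @('esm-internal.example.local', 'esm-dmz.example.local')

function Test-BitsEndpointTrust {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    # Filled in by the validation callback during the TLS handshake.
    $script:TlsCheck = @{ PolicyErrors = $null; ChainStatus = ''; Issuer = '' }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($s, $cert, $chain, $policyErrors)
        $script:TlsCheck.PolicyErrors = $policyErrors
        $script:TlsCheck.ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        if ($cert) { $script:TlsCheck.Issuer = $cert.Issuer }
        return $true   # accept here only so the findings can be reported, not to bypass trust
    }

    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    $reachable = $false
    $failure = ''
    try {
        $client.Connect($HostName, $Port)      # firewall check: port 443 toward the BITS host
        $reachable = $true
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # validates against this server's certificate store
    } catch {
        $failure = $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }

    [pscustomobject]@{
        Host         = $HostName
        Port         = $Port
        Reachable    = $reachable
        # Trusted only when the handshake completed and Windows reported no policy errors.
        Trusted      = ($reachable -and -not $failure -and
                        $script:TlsCheck.PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        PolicyErrors = $script:TlsCheck.PolicyErrors
        ChainStatus  = $script:TlsCheck.ChainStatus
        Issuer       = $script:TlsCheck.Issuer
        Failure      = $failure
    }
}

$BitsHosts | ForEach-Object { Test-BitsEndpointTrust -HostName $_ } | Format-Table -AutoSize
```

A row with `Trusted` false and `PartialChain` or `UntrustedRoot` in `ChainStatus` means the issuing CA or intermediate certificate is missing from that server's store, which is the case the post describes for DMZ servers that are not domain-joined.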
03-08-2018 08:33 AM
Can someone explain how in a DMZ environment a DMZ agent sends its files to be checked to the Wildfire Cloud?
The ESM core in the DMZ sends the file to WildFire, the database stores the transaction, and the console displays some of the details (like the hash and the verdict associated with the hash).
Does the ESM that is installed with the console, mostly the internal ESM, have to have access to the BITS folder on the DMZ ESM? If so, why?
I'm not sure I understand the questions, but I'll do my best to answer. In any environment, you only need a single console. This console should be installed on the internal network. The DMZ core does need to be configured to allow BITS traffic and have a matching quarantine folder set up.
Doesn't the DMZ Agent send its files to the DMZ ESM, which loads them into the Wildfire Cloud itself? The internal ESM only receives the event, whether the upload took place or not and the Verdict.
Correct.
Which ports must be open from the internal ESM to the DMZ ESM and which ports must be open in the opposite direction?
443/80 (depending on SSL or not), 1433. 1433 just needs to be inbound.
03-08-2018 08:42 AM
Hi efrancis,
OK, there is no connection required between the internal ESM and the DMZ ESM Core on port 80/443 for BITS file transfer. The ESM Core can handle the upload to WildFire without the internal ESM, if I understand you correctly.
thx
03-08-2018 08:44 AM
Each of the cores and the single console do not communicate with each other at all. The only piece that shares a connection to the core and console is the database. Each piece stands alone from each other.