Tetra Update Serve

ccalin
Cisco Employee

Hi Experts,

I am interested in a detailed documentation on how to set the Local AMP Update Server for Tetra definitions. More exactly the customer has some specific questions as follows:

1) If a local update server is used, and an endpoint is not in the company LAN, how can we guarantee that definitions are updated?

2) What is the difference between self-hosting mode and fetch-only mode?

3) When a separate HTTP server is used, where should the files be put? On the document root directory?

4) Should the updater be periodically changed/updated itself?

Thank you in advance

6 Replies

Marvin Rhoads
Hall of Fame

Bump.

I also have a customer interested in using the Tetra offline engine with their AMP Private Cloud deployment. They are running in Cloud Proxy mode if that makes a difference.

From what's implied in the FireAMP Private Cloud Deployment Guide, the TETRA updates will be fetched by the Private Cloud server and then deployed to the endpoints from there (assuming the offline engine is enabled in the policy that's active on said endpoints).

In my customer case they've put the Private Cloud server in the DMZ so that off-premises (and off-VPN) endpoints can reach it any time they have an Internet connection.

Of course we can test and confirm what's happening but it would be nice to have the process documented so that the information is at hand ahead of time when advising the customer.

Hi Marvin,

Thank you for your feedback. For AMP Private Cloud, TETRA definition updates (along with other updates: DFC, Spero, IOC, etc.) are delivered through Content Updates of the AMP PC itself. With Proxy mode, this is "easier"; Air gap mode requires the use of the amp-sync utility on a Linux host exposed to the Internet with connectivity to the update servers.


Are you asking about TETRA specific connectivity requirements from roaming machines to AMP PC in the DMZ?

User Guide/Deployment Strategy Guides for AMP PC as well:

https://docs.amp.cisco.com/FireAMPPrivateCloudDeploymentStrategy-latest.pdf

https://docs.amp.cisco.com/FireAMPPrivateCloudConsoleUserGuide-latest.pdf

Evgeny,

Thank you for your reply. You answered my earlier question.

Correct me if I'm mistaken, but I believe the Tetra updates will continue to take place per the defined policy as long as the remote endpoints have inbound tcp/443 access to the AMP PC server in the DMZ.

Also, since the guide specifies that we should never enable Tetra for Windows servers, must clients continue to use a separate third party AV solution on those platforms?

Marvin,

That's correct regarding TETRA updates, as long as AMP PC is reachable from the endpoint (whether on-prem or roaming) and the policy is configured accordingly, TETRA updates should take place.

As for enabling TETRA on Windows servers - it's not required to disable TETRA, though it may be recommended on a case by case basis. The key here is to baseline the servers before and after enabling TETRA, and understand what to exclude from processing. But this does not mean that a separate 3rd party AV solution wouldn't require a similar level of accuracy; this just has to do with high File I/O on the servers.

Another note for the servers is to /skipdfc 1 (the same case by case basis may apply though).

emirolyu
Cisco Employee

Hi Cosmina,


To answer the specific questions:

1) The FQDN of the update server can be made available publicly, so that roaming endpoints can get definition updates. If necessary, customers can deploy a separate update server for roaming endpoints. This is configured via the AMP Windows policy.

2) Self-hosting mode allows you to periodically download TETRA defs from AMP servers to a user-specified location, and host them using the built-in HTTP server. With fetch-only mode, customers are responsible for setting up an HTTP server such as Apache, Nginx, or IIS to serve the downloaded definition updates to clients. Fetch-only mode is recommended for production use, while self-hosting is applicable for small deployments or POCs.

3) The key requirement is to use a directory where the user account that is executing the update utility can write. The MIRRORDIR setting is used to specify the location. Other than that, it can be a location selected by the user.

4) Nothing immediate, however as further enhancements are incorporated into the Update Server, it may be necessary to change or update it.

Further details are available in the User Guide, however, if you have follow-up questions, please let us know: Cisco AMP for Endpoints

avoytenk
Cisco Employee

Hi Cosmina,

More details of local AMP update server setup and common gotchas for IIS and Apache are described here https://techzone.cisco.com/t5/Advanced-Threat/AMP-TETRA-On-Prem-Server-Configuration-Steps-Common-Gotchas/ta-p/1168217

What I observed as well: if a policy using the local Tetra update server is set up to use a proxy, then despite the fact that the local AMP update server is inside the customer network, the AMP4E agent will send all traffic to the proxy, and the proxy will then route it to the local AMP update server (so the proxy must be configured appropriately).
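The two points above that matter operationally for a fetch-only deployment are that MIRRORDIR must be writable by the account running the update utility, and that what the customer's HTTP server actually serves (reached directly or through the proxy the agent is configured for) must be the same bytes that were mirrored. The following added example, not code from this thread or from Cisco, stands up a throwaway mirror directory and a local HTTP server and runs both checks; the definition file name, the `mirror_dir_writable`/`served_matches_disk`/`run_self_check` function names and the optional `proxy` argument are assumptions for illustration.

```python
# Added example: sanity checks for a fetch-only Tetra mirror. Python's
# http.server stands in for IIS/Apache/nginx; the definition file name below
# is a constructed placeholder, not a real Tetra artifact.
import hashlib
import http.server
import os
import tempfile
import threading
import urllib.request
from functools import partial
from typing import Optional

def mirror_dir_writable(path: str) -> bool:
    """MIRRORDIR must be writable by the account running the update utility."""
    return os.path.isdir(path) and os.access(path, os.W_OK)

def sha256_file(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def served_matches_disk(base_url: str, mirror_dir: str, relpath: str,
                        proxy: Optional[str] = None) -> bool:
    """Fetch relpath the way an endpoint would (optionally through an explicit
    proxy, as in the proxy-routing note above) and compare the served bytes
    against the copy in MIRRORDIR."""
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy})] if proxy else []
    opener = urllib.request.build_opener(*handlers)
    with opener.open(f"{base_url}/{relpath}", timeout=10) as resp:
        served = hashlib.sha256(resp.read()).hexdigest()
    return served == sha256_file(os.path.join(mirror_dir, relpath))

def run_self_check() -> dict:
    """Stand up a temporary mirror plus a localhost HTTP server and run both checks."""
    with tempfile.TemporaryDirectory() as mirror:
        # constructed sample definition file; real names come from the update utility
        with open(os.path.join(mirror, "tetra-defs-sample.bin"), "wb") as f:
            f.write(b"constructed sample definition payload\n")
        handler = partial(http.server.SimpleHTTPRequestHandler, directory=mirror)
        srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            base = f"http://127.0.0.1:{srv.server_address[1]}"
            return {
                "mirror_writable": mirror_dir_writable(mirror),
                "served_matches": served_matches_disk(base, mirror, "tetra-defs-sample.bin"),
            }
        finally:
            srv.shutdown()
            srv.server_close()
```

Against a real deployment, point `served_matches_disk` at the update server's FQDN and the configured MIRRORDIR, and pass the agent's proxy URL to confirm the proxy really forwards to the internal server.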
