Manage Network Security instances

Manage Network Security instances in your VPC using CloudWatch, the CLI, and the Network Security management interface. Unlike other TPS and vTPS offerings, the LSM is not supported for Network Security. AWS CloudWatch is a tool, provided by Amazon, that enables you to manage your instances within your Amazon account. Use the CLI and the Network Security management interface in conjunction with CloudWatch to monitor and scale your Network Security instances.

CloudWatch

CloudWatch is an Amazon tool that provides the following services:

  • Application monitoring.
  • System-wide visibility of your Network Security deployment.
  • Resource optimization such as auto scaling to add or remove instances.
  • Operational health.

You can also set up your CloudWatch system to send logs to an S3 bucket or to a Slack channel. An AWS IAM role must be attached to the EC2 instance that you are using for Network Security.

For more information about CloudWatch, refer to the AWS CloudWatch documentation page.

Enable CloudWatch logs


NOTE

Your Network Security virtual appliances must use version 2020.10.0 or later to successfully configure CloudWatch logs using APIs.


Use the following APIs to enable and support CloudWatch logging features in your environment.

To enable the management interface to configure the CloudWatch log settings to the Network Security virtual appliance:

POST /api/appliances/{id}/cloudwatchlogconfig

To enable the management interface to retrieve the CloudWatch log settings from the Network Security virtual appliance:

GET /api/appliances/{id}/cloudwatchlogconfig

Learn more about these APIs in the API Reference.

CloudWatch log streaming using APIs scripts

To configure CloudWatch log streaming, you must use APIs. Some strategic scripting enables you to streamline this configuration.

Before you begin

Make sure you have the following resources before you continue:

  • Deploy at least one Network Security virtual appliance using version 2020.10.0 or later. Learn more.
  • Create a Trend Micro Cloud One API key to authenticate API calls. Learn more.
  • Download and install curl.
  • Install jq for Bash. The Bash script uses jq to parse JSON data. To verify your installation, run the jq --version command from your terminal.

1. Determine the IDs of your managed virtual appliances

Before you begin configuring your CloudWatch log settings, determine the IDs of your managed virtual appliances. You will use these IDs to enable and disable CloudWatch logs on your the appliances.

To retrieve a list of all your managed appliances, enter the following in curl. Replace <API Key> with the your Trend Micro Cloud One API key and <Region> with the Trend Micro Cloud One region of your account.

apiKey="<API Key>"
region="<Region>" # For example: "us-1"
url="https://network.${region}.cloudone.trendmicro.com/api/appliances"

curl --location --request GET "${url}" \
--header "Authorization: ApiKey ${apiKey}" \
--header "api-version: v1"

This generates an output similar to the following:

{
    "next": null,
    "totalCount": 1,
    "appliances": [{
        "ID": 1,
        "instanceId": "i-xxxxxxxxxxxee0d24",
        "provider": "AWS",
        "hostName": "i-xxxxxxxxxxx0d24",
        "tosVersion": "5.5.0.10625",
        "dvVersion": "4.0.0.9442",
        "auxDv": {
            "Malware": {
                "Version": null
            }
        },
        "providerMetadata": [{
            "key": "accountId",
            "value": "XXXXXXXXXXXX"
        }, {
            "key": "availabilityZone",
            "value": "sa-east-1a"
        }, {
            "key": "instanceType",
            "value": "c5n.2xlarge"
        }, {
            "key": "region",
            "value": "sa-east-1"
        }, {
            "key": "vpc",
            "value": "vpc-xxxxxxxxxxxx06a00"
        }]
    }]
}

This output indicates that you have a single Network Security virtual appliance managed by the Trend Micro Cloud One service, and the appliance has an ID of 1.

Learn more about the structure of this appliance object output.

2. Configure CloudWatch log settings on your appliance

You can enable the following appliance logs to be streamed to CloudWatch:

  • System logs
  • Audit logs
  • Host logs
  • ipsAlert logs
  • ipsBlock logs
  • reputationBlock logs
  • reputationAlert logs
  • Quarantine logs
  • SSL (TLS) logs

The following curl example shows how to stream an appliance's ipsBlock logs to CloudWatch. In the example:

  • You can specify a name for the CloudWatch Log Group variable and the Stream variable, or accept the default values. This example specifies network-security-block-events for the Log Group Name, but accepts the default Stream name.
  • Replace <Region> with the Trend Micro Cloud One region of your account.
  • Replace <API Key> with the your Trend Micro Cloud One API key.
  • Replace <Appliance ID> with the ID of your appliance.
region="<Region>" # For example: "us-1"
apiKey="<API Key>"
applianceID="<Appliance ID>"

curl --location --request POST "https://network.${region}.cloudone.trendmicro.com/api/appliances/${applianceID}/cloudwatchlogconfig" \
--header "Authorization: ApiKey ${apiKey}" \
--header "api-version: v1" \
--header "Content-Type: application/json" \
--data-raw '{
  "logTypes": [
    {
      "logGroupName": "network-security-block-events",
      "logName": "ipsBlock",
      "enable": true
    }
  ]
}'

Learn more about the structure of this output.

3. Verify your CloudWatch log configuration

The following curl example shows how to verify your CloudWatch log configuration. In the example:

  • Replace <Region> with the Trend Micro Cloud One region of your account.
  • Replace <API Key> with the your Trend Micro Cloud One API key.
  • Replace <Appliance ID> with the ID of your appliance.
region="<Region>" # For example: "us-1"
apiKey="<API Key>"
applianceID="<Appliance ID>"

curl --location --request GET "https://network.${region}.cloudone.trendmicro.com/api/appliances/${applianceID}/cloudwatchlogconfig" \
--header "Authorization: ApiKey ${apiKey}" \
--header "api-version: v1"

An API response similar to the following indicates that the only log type enabled is ipsBlock:

{
    "next": null,
    "totalCount": null,
    "logTypes": [
        {
            "logGroupName": "ips",
            "logStreamName": "system_{instance_id}",
            "logName": "system",
            "enable": false
        },
        {
            "logGroupName": "ips",
            "logStreamName": "audit_{instance_id}",
            "logName": "audit",
            "enable": false
        },
        {
            "logGroupName": "ips",
            "logStreamName": "host_{instance_id}",
            "logName": "host",
            "enable": false
        },
        {
            "logGroupName": "network-security-block-events",
            "logStreamName": "ipsBlock_{instance_id}",
            "logName": "ipsBlock",
            "enable": true
        },
        {
            "logGroupName": "ips",
            "logStreamName": "ipsAlert_{instance_id}",
            "logName": "ipsAlert",
            "enable": false
        },
        {
            "logGroupName": "ips",
            "logStreamName": "reputationBlock_{instance_id}",
            "logName": "reputationBlock",
            "enable": false
        },
        {
            "logGroupName": "ips",
            "logStreamName": "reputationAlert_{instance_id}",
            "logName": "reputationAlert",
            "enable": false
        },
        {
            "logGroupName": "ips",
            "logStreamName": "quarantine_{instance_id}",
            "logName": "quarantine",
            "enable": false
        }
        {
            "logGroupName": "network-security-block-events",
            "logStreamName": "sslInspection_{instance_id}",
            "logName": "sslInspection",
            "enable": false
        }
    ]
}

In addition, the response confirms that network-security-block-events matches the Log Group variable name you specified earlier, and the Stream name variable displays the default value ipsBlock_{instance_id}. When the log stream is created, this {instance_id} value will be replaced by the actual ID of your virtual appliance.

Learn more about the structure of this output.

Complete configuration example

The API script that follows enables ipsBlock and ipsAlert logs on all of your managed virtual appliances. To execute this script:

  1. Ensure that you have completed your prerequisites.

  2. Paste the following example code to a .sh file (for example, cloudwatch-api-script.sh), replacing <API Key> with the your Trend Micro Cloud One API key and <Region> with your Trend Micro Cloud One account's region, then save:

    region="<Region>" # For example: "us-1"
    apiKey="<API Key>"
    url="https://network.${region}.cloudone.trendmicro.com/api/appliances"
    
    echo "Getting list of appliances"
    response=$(curl --location --request GET ${url} \
                    --header "Authorization: ApiKey ${apiKey}" \
                    --header "api-version: v1" \
                    --silent)
    
    parsed=$(echo "${response}" | jq '.appliances')
    len=$(echo "$parsed" | jq '. | length')
    echo "Number of appliances found: $len"
    
    if [[ ${len} == 0 ]]; then
        echo "Try deploying an appliance using CloudFormation Script."
        exit
    else
        appliance="$(echo "${parsed[@]}" | jq -r .[].ID)"
        for id in ${appliance}
        do echo "Configuring AWS CloudWatch log settings on the NSVA ID: $id"
        curl --location --request POST "${url}/${id}/cloudwatchlogconfig" \
            --header "Authorization: ApiKey ${apiKey}" \
            --header "api-version: v1" \
            --header "Content-Type: application/json" \
            --data-raw '{
            "logTypes": [
                {
                    "logGroupName": "network-security-block-events",
                    "logName": "ipsBlock",
                    "enable": true
                },
                {
                    "logGroupName": "network-security-alert-events",
                    "logName": "ipsAlert",
                    "enable": true
                }
            ]
            }'
        done
    fi
  3. Run the script using one of the following methods:

    • sh cloudwatch-api-script.sh
    • bash cloudwatch-api-script.sh

4. View logs in CloudWatch

After successfully configuring CloudWatch logs on your virtual appliance, follow these steps to view the logs using the AWS Management Console:

  1. Open the AWS CloudWatch console: https://console.aws.amazon.com/cloudwatch/.
  2. Select Log groups from the navigation pane.
  3. Select the log group that you want to review.

Troubleshooting tips

Status codes generally fall into three classes:

  • 2xx codes indicate success
  • 4xx codes indicate client errors
  • 5xx codes indicate server errors

The status code for all the preceding APIs you run should be 200.

If a client or server status code is returned, consider the following possibilities:

  • 400 client code errors – Indicates an invalid payload for your API's POST method. Examine the API's response code for a detailed explanation of the error in the "additional details" field. Learn more about GET and SET payload APIs.
  • 401 client code errors – Indicates an invalid API key, and displays an "Authorization Required" message. Verify that your API key is correct, and try calling the API again.
  • 503 server code errors – Indicates that a scheduled or unscheduled outage prohibited your server from handling your request. Allow some time for the outage to end and the server to restore before calling the API again.

Command Line Interface

In addition to CloudWatch, you can use the CLI to configure and manage Network Security. Access the CLI directly through the system console or remotely through SSH.

The functionality for the Network Security CLI is similar to the standard TPS offering. For a complete list of the TPS CLI commands, refer to the TPS CLI Reference in the Online Help Center.

There are a few commands, described below, that are not supported for Network Security.

Unsupported commands

  • clear users all [locked|ip-locked]
  • clear users (NAME|A.B.C.D|X:X::X:X) [locked]
  • create|edit|delete|replace|update virtual-segments
  • edit certificates
  • edit gen hostname | https
  • edit snmp
  • edit set terminal
  • edit show terminal
  • fips-mode-enable
  • ping6 (X:X::X:X|HOSTNAME) [count INT] [maxhop INT] [from X:X::X:X] [datasize INT]
  • setup
  • show fips-mode
  • show route [ipv6]
  • show snmp
  • show users [locked|ip-locked]
  • sms manage
  • sms unmanage
  • traceroute6 X:X::X:X [from X:X::X:X]
  • keystore on-device|sms-managed
  • master-key (set [device-generated-key|passphrase]|reset-keystore)
  • show user-disk
  • user-disk (encryption (enable|disable) | format | mount | unmount)
  • show aaa capabilities USERNAME
  • show aaa login-banner