In this installment of the Tips and Insights series, Nate Hancock demonstrates how to configure the home net variable within FireEye’s Network Security system.
Hi, my name is Nate Hancock and I am a Support Engineer at FireEye. The home net variable can help resolve false positive alerts by identifying subnets in your own network. Today we are going to demonstrate how to configure the home net variables.
The home net variable can be very useful in configuring the appliance to recognize the IP addressing in your home network. It’s a variable that can be configured on the NX to identify your local IP addresses, and it can be added as a single IP address, an IP range, or multiple address ranges, depending on your environment.
The reason configuring the home net is important is because the NX is what we call traffic agnostic, meaning that it doesn’t actually determine whether the traffic is coming in or going out; it analyzes all traffic the same. That could present a problem if we have a potential threat that’s coming from the outside in, or traffic coming from the outside in that can potentially generate an alert, even though it’s not.
So, for example, let’s say you’re doing some penetration testing from the outside, testing on the firewall. It’s coming in, and that could potentially be flagged as malicious and generate alerts in your environment unintentionally. And this depends on the testing and the scanning. Even scanning some of those ports can generate this type of traffic. Depending on this, this can actually generate quite a few alerts and quickly become a problem on your NX appliance.
Configuring the home net variable, and I’ll show you how to do that in just a moment, will basically tell the NX appliance to ignore traffic coming from the outside and connecting in to a host within that address range.
To set this, we’re going to come in and first, let’s go ahead and look at the home net. To look at the home net we do show home net. And that shows IP addressing zero, net mask zero. So on this particular appliance, there is no home net set.
So to set the home net we can do home net IP and then whatever your IP address range is. Let’s say it’s 10.18.0.0/16.
Now, if we go back and look at show home net, that now shows the IP address and it resolves the net mask. Maybe we want to add more than one home net. We can go home net 192.168.1.0/24, and maybe that’s a wireless network in your IP addressing. And then we have another one. Let’s say that’s at 172.42.0.0/16 and hit enter.
Now, if we go to show home net, you’ll notice that before we had the 10.18.0.0 listed as the home net. We went in and added these other two and it actually overwrites the variable. So when we enter these, if you have multiple address ranges in your environment, they all need to be added at the same time because it’s going to configure that variable all at once. So in this case the 172.42 and the 192.168.1 addresses overwrote the 10.0 address.
If we want to disable the home net for whatever reason, maybe you use it periodically when you’re testing, you can go in and do no home net IP and that will disable the home net variable.
Now that you know how to configure the home net variable, you can reduce the number of false positives. Stay tuned for more FireEye tips and insights.
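Because setting the home net replaces the previous value, it helps to prepare and check the complete range list before entering it. The following is an added example, not FireEye code and not part of the video: the function names are hypothetical, it assumes IPv4 ranges only, and it produces just the list of ranges, since the CLI syntax for entering several ranges at once is not shown above.

```python
import ipaddress

# RFC 1918 private space; a home net entry outside it deserves a second look.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_home_net(candidates):
    """Return (merged_networks, warnings) for a complete home net list."""
    nets, warnings = [], []
    for text in candidates:
        cleaned = "".join(text.split())  # tolerate stray spaces in pasted ranges
        # Raises ValueError on a malformed address or prefix length.
        net = ipaddress.IPv4Network(cleaned, strict=False)
        if ipaddress.IPv4Interface(cleaned).ip != net.network_address:
            warnings.append(f"{cleaned}: host bits set, using {net}")
        if net.prefixlen == 0:
            warnings.append(f"{net}: covers every address")
        elif not any(net.subnet_of(p) for p in RFC1918):
            warnings.append(f"{net}: not inside RFC 1918 private space")
        nets.append(net)
    # Merge duplicates, nested ranges and adjacent ranges into a sorted list.
    return list(ipaddress.collapse_addresses(nets)), warnings

def dropped_by_overwrite(current, replacement):
    """Ranges in the current home net that the replacement does not fully cover."""
    old, _ = build_home_net(current)
    new, _ = build_home_net(replacement)
    return [o for o in old if not any(o.subnet_of(n) for n in new)]

if __name__ == "__main__":
    # Constructed sample using the ranges from the walkthrough above.
    first = ["10.18.0.0/16"]
    second = ["192.168.1.0/24", "172.42.0.0/16"]
    lost = dropped_by_overwrite(first, second)
    print("lost if only the new ranges are entered:", [str(n) for n in lost])
    merged, notes = build_home_net(first + second)
    print("enter together:", [str(n) for n in merged])
    for note in notes:
        print("warning:", note)
```
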