WEBVTT

1
00:00.000 --> 00:03.440
In this video, you and I get to chat about the logic and concept regarding

2
00:03.440 --> 00:04.080
administrative

3
00:04.080 --> 00:08.740
domains on the FortiAnalyzer. And the acronym for that is an ADOM, administrative

4
00:08.740 --> 00:09.040
domain.

5
00:09.040 --> 00:12.560
Now, why in the world would we want to have an ADOM and what does it do for us?

6
00:12.560 --> 00:13.200
Let's imagine we

7
00:13.200 --> 00:18.010
have a building and let's imagine that building has let's say four floors. So

8
00:18.010 --> 00:19.920
floor one, two, three,

9
00:19.920 --> 00:23.640
and four. And I know in some parts of the world, you know, the first floor is

10
00:23.640 --> 00:24.560
like the ground floor,

11
00:24.560 --> 00:27.520
then the first floor starts here or whatever. But for this purpose, I'm going

12
00:27.520 --> 00:27.920
to go ahead and

13
00:27.920 --> 00:30.600
just say this is floor number one, floor number two, floor number three, and a

14
00:30.600 --> 00:31.360
floor number four.

15
00:31.360 --> 00:34.690
And let's also imagine we have some security guards that are responsible for

16
00:34.690 --> 00:35.680
the various floors.

17
00:35.680 --> 00:39.800
So let's say we have security guard A and security guard B. And then

18
00:39.800 --> 00:40.880
furthermore, let's imagine that

19
00:40.880 --> 00:45.850
we have security guard A to be responsible for floors three and four. And we

20
00:45.850 --> 00:47.280
want security guard B

21
00:47.280 --> 00:51.730
to be responsible for floors two and one like that. So how would we control

22
00:51.730 --> 00:53.280
that? Well, one option

23
00:53.280 --> 00:57.330
is we simply give security guard A the keys to three and four. And we have

24
00:57.330 --> 00:58.560
security guard B,

25
00:58.560 --> 01:02.430
the keys to one and two, and then put them in charge of those respective floors.

26
01:02.430 --> 01:03.120
Well, on the

27
01:03.120 --> 01:06.650
FortiGates, we have something similar to that. Also, we have virtual domains where

28
01:06.650 --> 01:07.120
we could

29
01:07.120 --> 01:10.900
carve up a firewall into multiple virtual domains and then give different

30
01:10.900 --> 01:12.240
administrators access

31
01:12.240 --> 01:16.240
and responsibility for those individual virtual domains. Or we could give

32
01:16.240 --> 01:17.440
access, for example,

33
01:17.440 --> 01:22.160
to one group of administrators, we could give access to these three firewalls

34
01:22.160 --> 01:22.480
if they're not

35
01:22.480 --> 01:25.760
split up into virtual domains, just to manage all three of them. Think of that

36
01:25.760 --> 01:26.320
like team A,

37
01:26.320 --> 01:30.000
as far as the administrative team, and then for the branch firewall over here,

38
01:30.000 --> 01:30.800
maybe we're giving

39
01:30.800 --> 01:34.550
that to a different team and we'll call that team B. So the logic is the same.

40
01:34.550 --> 01:35.520
We're segmenting

41
01:35.520 --> 01:39.230
the control management, for example, these floors and obviously firewalls to

42
01:39.230 --> 01:40.240
individual teams or

43
01:40.240 --> 01:44.250
individual people or groups. So the next logical piece is if all of these

44
01:44.250 --> 01:45.840
devices, for example,

45
01:45.840 --> 01:49.600
the firewall one, firewall two and firewall three are all sending their logs

46
01:49.600 --> 01:51.200
over to the FortiAnalyzer

47
01:51.200 --> 01:54.860
and branch firewall one is also sending its logs to the FortiAnalyzer. We

48
01:54.860 --> 01:56.160
probably want to put similar

49
01:56.160 --> 01:59.280
people in charge of being able to work with and use those logs in that

50
01:59.280 --> 02:00.880
information. So on the

51
02:00.880 --> 02:05.070
FortiAnalyzer, though, we carve that out and give certain groups access to that

52
02:05.070 --> 02:05.840
reporting and that

53
02:05.840 --> 02:10.880
information is by creating on the FortiAnalyzer logical administrative domains.

54
02:10.880 --> 02:11.440
And then when we

55
02:11.440 --> 02:14.930
bring the firewalls in, for example, these three, we assign them to, for

56
02:14.930 --> 02:16.160
example, one

57
02:16.160 --> 02:20.380
administrative domain, where these administrators have access to that and can

58
02:20.380 --> 02:21.360
do reports and look

59
02:21.360 --> 02:24.150
at logs and do threat hunting and so forth. And then we have this firewall over

60
02:24.150 --> 02:25.200
here sending its logging

61
02:25.200 --> 02:27.590
information to a different administrative domain and then give the

62
02:27.590 --> 02:28.960
administrators here access to

63
02:28.960 --> 02:32.290
that administrative domain. And that's how we can keep it sorted out. So

64
02:32.290 --> 02:33.120
regarding ADOMs,

65
02:33.120 --> 02:36.340
here's how it works. When we set up the FortiAnalyzer, the first thing we're

66
02:36.340 --> 02:37.680
going to need to do is to

67
02:37.680 --> 02:41.560
enable administrative domains. Then we can start carving it out and having different

68
02:41.560 --> 02:42.640
devices report

69
02:42.640 --> 02:46.030
and send their logs to different administrative domains. And the first one we're

70
02:46.030 --> 02:47.120
going to have

71
02:47.120 --> 02:51.910
is the root ADOM. And that's actually the literal name of it, called root ADOM.

72
02:51.910 --> 02:52.320
And then it happens

73
02:52.320 --> 02:56.730
when you enable ADOMs on the FortiAnalyzer. And so perhaps we have these three

74
02:56.730 --> 02:57.680
firewalls we're going

75
02:57.680 --> 03:01.240
to put in the root ADOM. And then for our next ADOM, maybe we call it for the

76
03:01.240 --> 03:02.720
branch firewall here.

77
03:02.720 --> 03:07.920
Perhaps we name it BR1 for branch number one dash ADOM or something similar. So

78
03:07.920 --> 03:08.480
that way when we see

79
03:08.480 --> 03:12.350
it, we'll realize what it's for. Then this firewall here, we can add that and

80
03:12.350 --> 03:13.680
have it report to this

81
03:13.680 --> 03:17.490
FortiAnalyzer to the specific administrative domain called BR1 ADOM. We also have

82
03:17.490 --> 03:18.800
the ability to delete

83
03:18.800 --> 03:22.210
administrative domains. But before we do that, we'd have to remove any

84
03:22.210 --> 03:23.200
firewalls that are reporting

85
03:23.200 --> 03:26.650
in or sending their logs to that administrative domain before deleting it. And we

86
03:26.650 --> 03:27.280
can also move

87
03:27.280 --> 03:31.470
devices to different ADOMs. Let's say we create a new ADOM called new ADOM,

88
03:31.470 --> 03:32.800
just for grins here.

89
03:32.800 --> 03:36.560
And let's imagine that we have this firewall one that's been running for a year.

90
03:36.560 --> 03:37.360
And it's reporting to

91
03:37.360 --> 03:41.400
the root ADOM. And then after a year, we move it, and instead of

92
03:41.400 --> 03:42.640
going to the root ADOM,

93
03:42.640 --> 03:47.120
it starts forwarding its logs to the new ADOM. Now by default, all those logs

94
03:47.120 --> 03:47.360
that it's been

95
03:47.360 --> 03:51.720
sending for the year are still going to be found for historical purposes in the

96
03:51.720 --> 03:52.880
root ADOM. And then

97
03:52.880 --> 03:56.720
any new logs would then be sent to the new ADOM. So here's what I propose to do

98
03:56.720 --> 03:57.840
in the next video.

99
03:57.840 --> 04:02.310
Let's go ahead and we'll enable ADOM support on the FortiAnalyzer. And then we'll

100
04:02.310 --> 04:02.640
go ahead and

101
04:02.640 --> 04:06.560
create a new ADOM. And then we'll start moving some of the firewalls around

102
04:06.560 --> 04:07.360
into the different

103
04:07.360 --> 04:10.890
administrative domains. So I'll see you in the next video as we start working

104
04:10.890 --> 04:11.920
with administrative

105
04:11.920 --> 04:14.000
domains on the FortiAnalyzer.
